Provisioning a Microsoft Teams Service Account

Provision a service account for Microsoft Teams (Teams) to allow Cloud App Security to run advanced threat protection and data loss prevention scanning on files in protected teams.

Important:

Cloud App Security protects the Teams and Chat services in Microsoft Teams separately.

Cloud App Security scans files that employees share in team channels, which are stored in SharePoint.

If you have also provisioned a SharePoint Online service account, and the SharePoint site and the team corresponding to a file are each selected as a policy target, Cloud App Security applies the policies for Microsoft Teams (Teams) to this site, unless the site does not hit any policy for Microsoft Teams.

The steps below describe how to provision a service account for Microsoft Teams (Teams) from the Dashboard.

  1. Log on to the Cloud App Security management console.
  2. Hover over Microsoft Teams and click Provision.

    The Provision Service Account for Microsoft Teams screen appears.

  3. Click "Click here" at the end of Step 1.

    The Microsoft logon screen appears.

  4. Specify your Office 365 Global Administrator credentials and click Sign in.

    The Microsoft authorization screen appears.

  5. Click Accept to grant Cloud App Security permissions on teams in your organization.
  6. Go back to the Cloud App Security management console as instructed.

    Cloud App Security assigns an App Id for Microsoft Teams, which is used for the permission request in the SharePoint admin center in the next step. Copy the App Id from the screen and paste it in step 7.d (sub-step 4 of step 7 below) as instructed.

    If you decide to perform step 7 later, you can find the App Id under the corresponding Authorized Account from Administration > Service Account.

  7. Perform the following steps to grant Cloud App Security permissions to receive notifications from Microsoft upon any change to the files in your teams.
    1. Log on to the Microsoft 365 admin center with your Global Administrator account.
    2. Go to Admin centers > SharePoint from the left navigation.

      The SharePoint admin center page appears.

    3. Change the SharePoint admin center URL to {sharepoint_admin_site}/_layouts/15/AppInv.aspx in the address bar, for example, change https://example-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/home to https://example-admin.sharepoint.com/_layouts/15/AppInv.aspx, and then open the URL.
    4. On the screen that appears, copy and paste the App Id assigned in step 6 in the App Id field and then click Lookup.

      The Title field is automatically filled.

    5. Copy and paste tmcas.trendmicro.com in the App Domain field.
    6. Enter {Cloud App Security_admin_site}/provision.html in the Redirect URL field based on your serving site.

      For example, if the URL of your Cloud App Security management console in the address bar is "https://admin-eu.tmcas.trendmicro.com" after logon, enter https://admin-eu.tmcas.trendmicro.com/provision.html in the Redirect URL field.

    7. Copy and paste the following information in the Permission Request XML field:
      <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
      </AppPermissionRequests>
    8. Click Create, and on the screen that appears, click Trust It.

      The SharePoint admin center page appears.

    9. Change the SharePoint admin center URL to {sharepoint_admin_site}/_layouts/15/TA_AllAppPrincipals.aspx and then open the URL to verify the permission.

      If an item for Trend Micro Cloud App Security appears, the permission is successfully granted.

  8. Go back to the Cloud App Security management console and click Done.

    Cloud App Security then updates the data of the teams in your organization. The time required depends on how much data you have in your teams.

  9. Hover over the notification icon in the upper-right corner of the management console.

    If the message "Microsoft Teams protected." appears on the Notifications screen, the provisioning is successful.
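
The sub-steps of step 7 involve hand-editing two SharePoint URLs, building the Redirect URL, and pasting a tenant-wide permission request, so a pre-flight check before clicking Trust It is useful. The following Python sketch is an added example, not Trend Micro code: it derives the three URLs from what the address bar shows and compares a Permission Request XML against the scope and right documented above. The function names are hypothetical and the `FullControl` variant is constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Values documented in step 7 of the procedure.
EXPECTED_SCOPE = "http://sharepoint/content/tenant"
EXPECTED_RIGHT = "Manage"

# The XML from step 7, and a constructed variant that asks for more.
DOCUMENTED_XML = """<AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
</AppPermissionRequests>"""
ALTERED_XML = DOCUMENTED_XML.replace('Right="Manage"', 'Right="FullControl"')

def _origin(url):
    """Return https://host for a URL, dropping path, query and fragment."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https URL: {url!r}")
    return f"https://{parts.hostname}"

def sharepoint_pages(admin_url):
    """URLs to open for the AppInv.aspx and TA_AllAppPrincipals.aspx sub-steps."""
    base = _origin(admin_url) + "/_layouts/15/"
    return base + "AppInv.aspx", base + "TA_AllAppPrincipals.aspx"

def redirect_url(console_url):
    """Redirect URL for the serving site shown in the console address bar."""
    return _origin(console_url) + "/provision.html"

def check_permission_xml(xml_text):
    """Return deviations from the documented permission request (empty = match)."""
    root = ET.fromstring(xml_text)
    if root.tag != "AppPermissionRequests":
        return [f"unexpected root element {root.tag}"]
    problems = []
    if root.get("AllowAppOnlyPolicy") != "true":
        problems.append("AllowAppOnlyPolicy is not 'true'")
    requests = root.findall("AppPermissionRequest")
    if len(requests) != 1:
        problems.append(f"expected 1 AppPermissionRequest, found {len(requests)}")
    for req in requests:
        if req.get("Scope") != EXPECTED_SCOPE:
            problems.append(f"unexpected Scope {req.get('Scope')}")
        if req.get("Right") != EXPECTED_RIGHT:
            problems.append(f"unexpected Right {req.get('Right')}")
    return problems
```

An empty list from `check_permission_xml` means the pasted XML requests exactly what this procedure documents; any entry is a reason to stop before creating the permission.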