Configure Microsoft 365 Teams for the Next Generation API Data Protection
To configure Microsoft 365 Teams Commercial & GCC High for the Next Generation API Data Protection, follow the instructions below.
Prerequisites
Before configuring Microsoft 365 Teams for the Next Generation API Data Protection, review the following prerequisites.

- A global administrator account is required to grant access to Netskope. After the grant, you can either delete or downgrade this account.
  The way permissions work in Azure/Office 365 is that Netskope requires an administrator to grant enough privileges for Netskope to perform specific actions. Note that the Netskope app does not receive global administrator rights; it receives only the permissions it requests during consent (listed under Justification for Permissions Requested below).
- You must turn on audit logging in the Microsoft 365 admin center. To enable audit logging:
  1. Log in to https://compliance.microsoft.com/. On the left navigation, click Audit.
     If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.
  2. Click the Start recording user and admin activity banner.
     It may take up to 60 minutes for the change to take effect. After enabling, the first application event contents can take up to 12 hours to show up in Skope IT.
- If you have guest or external users in your SaaS environment belonging to domains considered internal, you must set the appropriate internal domains for Netskope to classify exposure accurately. To set up internal domains, follow this article.
- You must have the required license for metered APIs (model=A). To know the licenses, follow this article.
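The audit-logging prerequisite can be verified and enabled from PowerShell instead of the portal. The script below is an added example, not part of the Netskope page or product; it assumes the ExchangeOnlineManagement module is installed and that the account you connect with holds the Exchange Online Audit Logs role (Organization Management includes it).

```powershell
# Added example (not from the Netskope documentation): check that unified audit
# logging is on, enable it if it is not, and confirm that Teams audit records are
# already being produced. Requires the ExchangeOnlineManagement module.
Connect-ExchangeOnline -ShowBanner:$false

$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    # Same effect as clicking the "Start recording user and admin activity" banner.
    Write-Warning "Unified audit logging is off; enabling it now (can take up to 60 minutes to take effect)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
} else {
    Write-Host "Unified audit logging is already enabled."
}

# Sanity check: the most recent Teams audit records from the last 24 hours.
# An empty result right after enabling is expected; the page notes that the first
# application events can take up to 12 hours to appear in Skope IT.
$end   = Get-Date
$start = $end.AddDays(-1)
Search-UnifiedAuditLog -StartDate $start -EndDate $end -RecordType MicrosoftTeams -ResultSize 10 |
    Select-Object CreationDate, UserIds, Operations |
    Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

Run it before granting access to Netskope; if the second part shows no Teams records after an hour or more of normal Teams use, the ingestion switch is on but events are not yet flowing, and Skope IT will stay empty until they do.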
Configure Netskope to Access your Microsoft 365 Teams Account
To authorize Netskope to access your Microsoft 365 Teams account, follow the steps below:
1. Log in to the Netskope tenant UI and go to Settings > Configure App Access > Next Gen > CASB API.
2. Under Apps, select Microsoft Teams and click Setup CASB API Instance.
   The Setup Instance window opens.
3. Under Office 365 Environment, select Commercial or GCC High.
   GCC High is designed for U.S. federal, state, and local government customers.
4. Under Administrator Email, enter the email address of the user who will receive an email notification when a policy violation or event triggers. This step is optional.
5. Under Instance Name, enter a name for the SaaS app instance. This step is optional; if left blank, Netskope determines the name of the app instance after the grant.
6. Click Grant Access.
   The Microsoft Login window opens.
7. Enter the global administrator username and password.
8. Keep Consent on behalf of your organization unchecked (if present) and click Accept to grant the permissions.
Justification for Permissions Requested

Microsoft 365 Teams Commercial

Permissions required by Netskope, with the claim value, Microsoft's description, the purpose for Netskope, and the trade-off if not allowed:

Sign in and read user profile (User.Read)
- Description: Allows users to sign in to the application, allows the application to read the profile of signed-in users, and allows the application to read basic company information of signed-in users.
- Purpose: Allows sign-in and obtaining information about signed-in users.
- Trade-off if not allowed: Required for sign-in workflows.

Read directory data (Directory.Read.All)
- Description: Allows the application to read data in your organization's directory such as users, groups, and applications.
- Purpose: Allows Netskope to read users, groups and apps data in the configured Microsoft Teams instance.
- Trade-off if not allowed: Cannot obtain user/group-related information and affects subsequent inventory and exposure computations.

Read activity data for your organization (ActivityFeed.Read)
- Description: Allows the application to retrieve information about user, administrator, system, and policy actions and events from Office 365 and Microsoft Entra ID activity logs via the Office 365 Management Activity API.
- Purpose: Allows Netskope to retrieve audit logs and events from Office 365 and Entra ID activity logs.
- Trade-off if not allowed: Cannot provide visibility via Skope IT application events and other UEBA capabilities.

Note: The Netskope CASB API app is installed in Microsoft Entra ID with additional permissions once you grant access to the Microsoft 365 Teams app.

Microsoft 365 Teams GCC High

Permissions required by Netskope, with the claim value, Microsoft's description, the purpose for Netskope, and the trade-off if not allowed:

Sign in and read user profile (User.Read)
- Description: Allows users to sign in to the application, allows the application to read the profile of signed-in users, and allows the application to read basic company information of signed-in users.
- Purpose: Allows sign-in and obtaining information about signed-in users.
- Trade-off if not allowed: Required for sign-in workflows.

Read the names and descriptions of all channels (Channel.ReadBasic.All)
- Description: Read all channel names and channel descriptions, without a signed-in user.
- Purpose: Allows Netskope to access basic metadata about channels, such as their names and descriptions.
- Trade-off if not allowed: Cannot display the basic information of channels and affects inventory or dashboard functionalities.

Read the members of all channels (ChannelMember.Read.All)
- Description: Read the members of all channels, without a signed-in user.
- Purpose: Allows Netskope to read the members of all channels.
- Trade-off if not allowed: Limits the ability to calculate channel exposures and enforce data protection policies.

Read all channel messages (ChannelMessage.Read.All)
- Description: Allows the app to read all channel messages in Microsoft Teams.
- Purpose: Allows Netskope to read all messages in all channels.
- Trade-off if not allowed: Cannot offer comprehensive search capabilities, message auditing, or any features dependent on accessing message content.

Flag channel messages for violating policy (ChannelMessage.UpdatePolicyViolation.All)
- Description: Allows the app to update Microsoft Teams channel messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.
- Purpose: Allows Netskope to update channel messages by patching a set of DLP policy violation properties.
- Trade-off if not allowed: Limits the ability to enforce DLP policies and ensure compliance in channel communications.

Read the names, descriptions, and settings of all channels (ChannelSettings.Read.All)
- Description: Read all channel names, channel descriptions, and channel settings, without a signed-in user.
- Purpose: Allows Netskope to read the settings of all channels.
- Trade-off if not allowed: Cannot display or access channel details and affects exposure calculations.

Read all chat messages (Chat.Read.All)
- Description: Allows the app to read all 1-to-1 or group chat messages in Microsoft Teams.
- Purpose: Allows Netskope to read all chat messages.
- Trade-off if not allowed: Cannot offer comprehensive search capabilities, message auditing, or any features dependent on accessing message content.

Flag chat messages for violating policy (Chat.UpdatePolicyViolation.All)
- Description: Allows the app to update Microsoft Teams 1-to-1 or group chat messages by patching a set of Data Loss Prevention (DLP) policy violation properties to handle the output of DLP processing.
- Purpose: Allows Netskope to update 1-to-1 or group chat messages by patching a set of DLP policy violation properties.
- Trade-off if not allowed: Limits the ability to enforce DLP policies and ensure compliance in chat communications.

Read the members of all chats (ChatMember.Read.All)
- Description: Read the members of all chats, without a signed-in user.
- Purpose: Allows Netskope to read the members of all chats.
- Trade-off if not allowed: Limits the ability to calculate chat exposures and enforce data protection policies.

Read domains (Domain.Read.All)
- Description: Allows the app to read all domain properties without a signed-in user.
- Purpose: Allows Netskope to read the domain properties.
- Trade-off if not allowed: Required for sign-in workflows.

Read all groups (Group.Read.All)
- Description: Allows the app to read group properties and memberships, and read conversations for all groups, without a signed-in user.
- Purpose: Allows Netskope to read all group memberships and properties.
- Trade-off if not allowed: Cannot display or access group details and affects exposure calculations.

Have full control of all site collections (Site.FullControl.All)
- Description: Allows the application to have full control of all site collections.
- Purpose: Allows Netskope to receive and process permission changes required for core capabilities such as sharing detection, exposure computation and subsequent policy processing.
- Trade-off if not allowed: Without this permission, the Microsoft Graph API would return errors whenever a folder permission changes. These errors cause significant delays in detecting changes and impact next generation platform efficacy in tracking exposure changes for folders/files out-of-band.

Read the members of all teams (TeamMember.Read.All)
- Description: Read the members of all teams, without a signed-in user.
- Purpose: Allows Netskope to read the members of all teams.
- Trade-off if not allowed: Limits the ability to calculate team exposures and enforce data protection policies.

Read installed Teams apps for all chats (TeamsAppInstallation.ReadForChat.All)
- Description: Allows the app to read the Teams apps that are installed in any chat, without a signed-in user. Does not give the ability to read application-specific settings.
- Purpose: Allows Netskope to read the Teams apps that are installed in any chat.
- Trade-off if not allowed: Cannot provide the details of 3rd-party apps installed in the Microsoft Teams apps catalog.

Read installed Teams apps for all teams (TeamsAppInstallation.ReadForTeam.All)
- Description: Allows the app to read the Teams apps that are installed in any team, without a signed-in user. Does not give the ability to read application-specific settings.
- Purpose: Allows Netskope to read the Teams apps that are installed in any team.
- Trade-off if not allowed: Cannot provide the details of 3rd-party apps installed in the Microsoft Teams apps catalog.

Read installed Teams apps for all users (TeamsAppInstallation.ReadForUser.All)
- Description: Allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings.
- Purpose: Allows Netskope to read the Teams apps that are installed for any user.
- Trade-off if not allowed: Cannot provide the details of 3rd-party apps installed in the Microsoft Teams apps catalog.

Read all users' full profiles (User.Read.All)
- Description: Allows the application to read user profiles in your organization's directory.
- Purpose: Allows Netskope to read user profile data in the configured Teams instance.
- Trade-off if not allowed: Cannot obtain user profile information and affects subsequent user exposure computations.

Read activity data for your organization (ActivityFeed.Read)
- Description: Allows the application to retrieve information about user, administrator, system, and policy actions and events from Office 365 and Microsoft Entra ID activity logs via the Office 365 Management Activity API.
- Purpose: Allows Netskope to retrieve audit logs and events from Office 365 and Entra ID activity logs.
- Trade-off if not allowed: Cannot provide visibility via Skope IT application events and other UEBA capabilities.
After accepting the permissions, you are redirected to the success page. Click Close.
Refresh your browser; a green check icon should appear next to the instance name.
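Once the grant shows the green check, it is worth confirming in Entra ID that the Netskope enterprise application received only the claims listed under Justification for Permissions Requested. The script below is an added example, not code from the Netskope page or product. It assumes the Microsoft.Graph PowerShell SDK is installed, that the enterprise application's display name starts with "Netskope" (adjust $AppNameFilter if your tenant shows a different name), and that $expected holds the claim list you expect; the default is the Commercial initial grant, so replace it with the GCC High list for a GCC High tenant.

```powershell
# Added example (not from the Netskope documentation): enumerate the application
# and delegated permissions actually granted to the Netskope enterprise application
# and compare them with the documented claims. Requires the Microsoft.Graph SDK.
param(
    # Assumption: the enterprise application's display name starts with "Netskope".
    [string]$AppNameFilter = "Netskope",
    # Assumption: the claims you expect; Commercial initial grant shown here.
    [string[]]$expected = @("User.Read", "Directory.Read.All", "ActivityFeed.Read")
)

# Reading service principals, app role assignments and OAuth2 grants.
Connect-MgGraph -Scopes "Application.Read.All", "Directory.Read.All" -NoWelcome

$sps = Get-MgServicePrincipal -Filter "startswith(displayName,'$AppNameFilter')" -All
if (-not $sps) { throw "No service principal with a display name starting '$AppNameFilter'." }

# Cache the resource service principals (Microsoft Graph, Office 365 Management APIs,
# SharePoint) so app role IDs can be mapped back to claim values such as Directory.Read.All.
$resourceCache = @{}
function Get-ResourceSp([string]$Id) {
    if (-not $resourceCache.ContainsKey($Id)) {
        $resourceCache[$Id] = Get-MgServicePrincipal -ServicePrincipalId $Id
    }
    return $resourceCache[$Id]
}

$granted = foreach ($sp in $sps) {
    # Application permissions (app roles): Directory.Read.All, ActivityFeed.Read, ...
    foreach ($a in (Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All)) {
        $res  = Get-ResourceSp $a.ResourceId
        $role = $res.AppRoles | Where-Object { $_.Id -eq $a.AppRoleId }
        [pscustomobject]@{
            App = $sp.DisplayName; Type = "Application"
            Resource = $res.DisplayName
            Claim = if ($role) { $role.Value } else { "<unknown role $($a.AppRoleId)>" }
        }
    }
    # Delegated permissions (OAuth2 grants): User.Read for the sign-in workflow.
    foreach ($g in (Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All)) {
        $res = Get-ResourceSp $g.ResourceId
        foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
            [pscustomobject]@{
                App = $sp.DisplayName; Type = "Delegated/$($g.ConsentType)"
                Resource = $res.DisplayName; Claim = $scope
            }
        }
    }
}

$granted | Sort-Object App, Type, Resource, Claim | Format-Table -AutoSize

# Flag anything outside the expected list. On a Commercial tenant the page says the
# CASB API app is installed with additional permissions after the grant, so review
# these extras against the documented GCC High list rather than treating each as an error.
$unexpected = @($granted | Where-Object { $expected -notcontains $_.Claim })
if ($unexpected.Count -gt 0) {
    Write-Warning "Granted claims not in the expected list:"
    $unexpected | Format-Table App, Type, Resource, Claim -AutoSize
} else {
    Write-Host "All granted claims are in the expected list."
}
```

Run this with the same administrator account before you delete or downgrade it, and again after any re-grant; a claim that appears here but not in the tables above is the thing to question with Netskope support before the instance goes into production.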
Post grant, you can either delete or downgrade the global administrator account. To know more: Delete or Downgrade the Global Administrator Account.
Next, you can view the Next Generation API Data Protection Inventory page to get deep insights on various entities in your Microsoft 365 Teams account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.
You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.
Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.