Netskope Help

Microsoft Office 365 Multi-Geo Support

With more data residency measures being legislated around the world for cloud data, global businesses are challenged with meeting their data residency requirements and digitally transforming with the cloud.

Multi-Geo addresses these challenges by enabling a single Office 365 tenant to span multiple regions and/or countries and giving customers the flexibility to choose the country or region where each employee’s Office 365 data is stored at rest. This helps businesses meet their global data residency needs and digitally transform with Office 365.

With Office 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet data residency requirements, and at the same time unlock your global rollout of modern productivity experiences to your workforce.

Terminology

Here are the key terms used in describing Office 365 Multi-Geo:

  • Central location - The geo location where your tenant was originally provisioned.

  • Satellite location – The geo locations where the geo-aware Office 365 workloads (SharePoint and OneDrive) are enabled in a multi-geo tenant.

  • Geo administrator - An administrator who can administer one or more specified satellite locations.

  • Geo code – A three-letter code for a given geo location.

  • Geo location – A geographic location that can be used in a multi-geo tenant to host data, including OneDrive and SharePoint sites.

  • Preferred Data Location (PDL) – A user property set by the administrator that indicates the geo location where the user's Exchange mailbox and OneDrive should be provisioned. The PDL also determines where SharePoint sites that are created by the user are provisioned.

  • Tenant – An organization's representation in Office 365 which typically has one or more domains associated with it (for example, my-domain-name.com).

For additional reading, refer to the Microsoft documentation located here.

Check if your Microsoft 365 Account Supports Multi-Geo

To check if your Microsoft 365 tenant supports multi-geo, follow the instructions below:

  1. Navigate to https://developer.microsoft.com/en-us/graph/graph-explorer.

  2. On the left, click Sign in to Graph Explorer and log in using the global administrator credentials.

  3. Ensure that GET and v1.0 are selected. In the query edit box, enter https://graph.microsoft.com/beta/sites?filter=siteCollection/root%20ne%20null&select=webUrl,siteCollection and click Run query.

  4. Under the Response preview tab, you should see the graph API query result. An example response from a multi-geo tenant is as follows:

    A multi-geo tenant has more than one dataLocationCode.

    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
        "value": [
            {
                "webUrl": "https://contoso.sharepoint.com/",
                "siteCollection": {
                    "dataLocationCode": "NAM",
                    "hostname": "contoso.sharepoint.com"
                }
            },
            {
                "webUrl": "https://contoso.sharepoint.com/",
                "siteCollection": {
                    "dataLocationCode": "EUR",
                    "hostname": "contoso.sharepoint.com"
                }
            },
            {
                "webUrl": "https://contoso.sharepoint.com/",
                "siteCollection": {
                    "dataLocationCode": "APC",
                    "hostname": "contoso.sharepoint.com"
                }
            }
        ]
    }

    You can use Microsoft Graph to discover whether a tenant is multi-geo because requests via Microsoft Graph to Multi-Geo tenants return more than one item in the collection as displayed above. Once confirmed, you must enable the Enable Multi Geo checkbox in the setup instance page of the Netskope UI.

    An example response from a single-geo tenant is as follows:

    A single-geo tenant would not have any dataLocationCode.

    {
        "@odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
        "value": [
            {
                "webUrl": "https://singlegeotest.sharepoint.com/",
                "siteCollection": {
                    "hostname": "singlegeotest.sharepoint.com",
                    "root": {}
                }
            }
        ]
    }

    If your Microsoft Office 365 tenant is single-geo, do not enable the Enable Multi Geo checkbox in the setup instance page of the Netskope UI.
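
The check in step 4 can also be done on a saved copy of the response. The following is an added example, not Netskope or Microsoft code: it groups root site collections by dataLocationCode, which also lists the geo locations where the Netskope Introspection v2 app has to be installed. The function names and the EUR/APC hostnames in the sample are assumptions made for illustration.

```python
import json

# Constructed sample responses, modelled on the two examples on this page.
# The EUR and APC hostnames are made up for illustration.
MULTI_GEO = """{"@odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
 "value": [
  {"webUrl": "https://contoso.sharepoint.com/",
   "siteCollection": {"dataLocationCode": "NAM", "hostname": "contoso.sharepoint.com"}},
  {"webUrl": "https://contosoeur.sharepoint.com/",
   "siteCollection": {"dataLocationCode": "EUR", "hostname": "contosoeur.sharepoint.com"}},
  {"webUrl": "https://contosoapc.sharepoint.com/",
   "siteCollection": {"dataLocationCode": "APC", "hostname": "contosoapc.sharepoint.com"}}]}"""
SINGLE_GEO = """{"@odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
 "value": [
  {"webUrl": "https://singlegeotest.sharepoint.com/",
   "siteCollection": {"hostname": "singlegeotest.sharepoint.com", "root": {}}}]}"""


def classify_tenant(response_text):
    """Return (is_multi_geo, {geo_code: [hostnames]}) for the root-sites query."""
    body = json.loads(response_text)
    # A Graph error body (for example, insufficient permissions) has no "value";
    # fail loudly so it is never mistaken for a single-geo result.
    if "error" in body or not isinstance(body.get("value"), list):
        raise ValueError("not a sites collection response: %r" % body.get("error"))
    locations = {}
    for site in body["value"]:
        collection = site.get("siteCollection") or {}
        code = collection.get("dataLocationCode")
        if code:  # single-geo tenants return no dataLocationCode at all
            locations.setdefault(code.upper(), []).append(collection.get("hostname"))
    # Multi-geo means more than one distinct code. Exactly one code is treated as
    # not multi-geo here; that case is an assumption, the page does not show it.
    return len(locations) > 1, locations


def report(response_text):
    """Summarise the result in terms of the Netskope setup steps on this page."""
    multi, locations = classify_tenant(response_text)
    lines = ["Enable Multi Geo checkbox: %s" % ("select" if multi else "leave cleared")]
    for code in sorted(locations):
        lines.append("%s: %s" % (code, ", ".join(h or "?" for h in locations[code])))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MULTI_GEO))
    print(report(SINGLE_GEO))
```
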

Prerequisite for Microsoft Office 365 Multi-Geo Instance

The following instructions apply to both existing and new tenants.

  1. The Netskope Introspection v2 app should be installed in all geo locations, that is, the central and satellite locations. For installation instructions, refer to Add the Netskope Introspection v2 App in your Office 365 SharePoint Admin Account.

    Note

    • If you intend to monitor a central and all satellite locations, you should install the Netskope Introspection v2 app in the central and all satellite locations.

    • If you intend to monitor a single location, you should install the Netskope Introspection v2 app in that location.

  2. PDL should be set for all users in their corresponding satellite locations. For more information, see Setting users' preferred data location.

Important

For existing customers:

After installing the Netskope Introspection v2 app and setting the PDL, re-grant the Office 365 app instance on the Netskope UI.

For new customers, follow the regular procedure to create a new Office 365 app instance on the Netskope UI.

Additional Notes
  • Microsoft 365 Multi-Geo is an add-on that requires an additional subscription from Microsoft. Refer to the Microsoft documentation located here.

  • Currently, mixed mode is not supported. Netskope supports either central location (all geo sites including central and satellite) or individual satellite location instances.

After you have set up the SharePoint app instance in the Settings > API-enabled Protection > SaaS page, you can create an API Data Protection policy. To create one, see Create an API Data Protection Policy.