Create a Microsoft Office 365 Teams Policy
To discover existing data residing within your sanctioned cloud services, create an API Data Protection policy with the desired options and actions. The Netskope UI guides you through the process of configuring policies for each of your cloud apps on a single web page.
To configure a Microsoft Office 365 Teams policy, follow the steps below:
Once you log in to the Netskope UI, navigate to Policies > API Data Protection.
Under the SaaS tab, click New Policy, and select the following options:
Under APPLICATION, select Microsoft Office 365 Teams and select the Teams instance you created during the instance setup.
Click NEXT.
The USERS section specifies the users and groups that can trigger a policy violation. Select from the following options:
All Users: With this option, you can select all users from Teams.
Subset of Users: With this option, you can select specific users in Teams.
User Profiles: With this option, you can select a user profile. A user profile is a set of users you can create from Policies > PROFILES > User.
User Groups: With this option, you can select a user group. This option requires an integration with your organization's Active Directory and other directory servers to collect user and user activity information.
Note
To use the user groups option, you first need to install the Netskope Adapters Utility Tool. For more information, refer to Netskope Adapters.
The Exclude Users and Exclude User Profiles options are available for All Users, User Profiles, and User Groups. The Exclude options excludes users or user profiles from triggering a policy.
Click NEXT.
The TEAMS section specifies the content to scan. Select either of the following options:
Channels: Channels are the collaboration spaces within a team in which the actual work is done. Select this option to scan messages shared in a channel. On selecting this option, you can select the following options:
All Teams: You can select all teams viz., private, and public teams.
Teams by Type: You can either select a private team or public.
Teams by Team Name: You can select specific team names.
Or,
Direct Messaging: Select this option to scan messages shared across 1:1 or 1:N users.
Note
If you select the Direct Messaging option, API Data Protection can scan in-meeting chat messages and attachments too.
Click NEXT.
The CONTENT section specifies the file sharing options and types of content to scan. Select the following options:
FILE SHARING OPTIONS TO SCAN
All Sharing Options: You can select this option to scan private, internally, and externally shared messages and attachments.
Specific Sharing Options: You can select this option to scan all or specific sharing types like Shared Internally and Shared Externally (with Guests).
Important points to note:
An administrator can now trigger a policy if a DLP-sensitive chat message or attachment is shared with an internal or external user.
An external user is a user who is not part of the Office 365 organization using API Data Protection for Microsoft Office 365 Teams. This includes an anonymous user too.
The policy applies to chat messages and attachments originated or received by internal, external, or a combination of both user types.
Exposure for such violating chat messages and attachments are marked as either "Internally Shared" (shared with internal users) or “Externally Shared” (shared with external users) in Microsoft Office 365 Teams API-enabled Protection Dashboard and DLP incidents.
CONTENT TYPE
Text: You can select this option to scan text messages within a channel or direct messaging.
Note
Special note on inline image sharing i.e., copy-paste on MS Teams chat window instead of an attachment:
Netskope treats an inline image as a text message and not an attachment.
If an inline image gets detected for a DLP violation, you cannot download it from the Incidents > DLP dashboard page because Netskope treats it as a text message.
Attachment: You can select this option to scan attachments shared in a channel or direct messaging. You can select select All File Types or Specific File Types.
Note
API Data Protection policy for Microsoft Office 365 Teams scans all supported file types that are shared in Microsoft Office 365 Teams. Any modifications to the files outside the context of Microsoft Office 365 Teams are not processed as part of this policy.
Click NEXT.
The DLP section specifies the type of DLP profile that triggers a policy violation. Select DLP and click Select Profile. Search for a DLP profile or choose one from the list, which includes both predefined or custom profiles. After selecting a DLP profile, click Save.
Note
Microsoft does not provide any webhook notification for files uploaded through the files and wiki tab of Microsoft Teams. Due to this limitation, Netskope does not support DLP scanning for such file uploads. However, Netskope detects files sent as an attachment from a channel's chat window. For full DLP coverage, you should set up respective API Data Protection instances for Microsoft Office 365 OneDrive and SharePoint.
Click NEXT.
The ACTION section specifies the action to be taken when a policy violation occurs. Select from the following options:
Alert: Netskope sends a notification when a policy violation occurs.
Block Access: Netskope blocks channel messages, direct messages, and attachments that violate a DLP policy.
When a message is sent and received as a direct message or in a channel, and if the message is DLP sensitive, the policy applies the block access action. The policy blocks the message for the sender as well as the recipient(s). On the MS Teams chat app, the sender and recipient(s) receive this block message - This message was blocked. What can I do? The sender can click the What can I do? link to report the issue to the administrator.
Though the policy blocks the message for the sender and recipient(s), the sender can still view and edit the message. Once edited, the message becomes unblocked if it does not violate the DLP policy. However if the edited message is DLP sensitive, the policy applies the block access action again.
The Netskope tenant administrator can see the message details that has been blocked under Incidents > DLP, but cannot download the message content.
Click NEXT.
The NOTIFICATION section specifies who and when to notify users about a policy violation. Select from the following options:
None: This option does not send any notification about a policy violation.
Notify once every <interval>: You can select this option to specify how often to notify recipients and who to notify. Click on the adjacent toggle to specify the time interval.
Notify after each event: You can select this option to send a notification to recipients after each event.
Click NEXT.
The SET POLICY section specifies the name of the policy and allows you to add a description if desired.
Click SAVE.
On the Policies > API Data Protection page, click APPLY CHANGES, then APPLY.