Changes Made Under Inline Protection

Provisioning

• Adds the Trend Micro Cloud App Security app in Azure AD.

• Creates Microsoft 365 virtual groups.

• Creates mail flow connectors and transport rules.

• Uses OAuth 2.0 to obtain Exchange Online's access token.

• Adds a domain pair for Cloud App Security to the allow entries for spoofed senders in the Tenant Allow/Block List.

• Adds the IP addresses of Cloud App Security to the IP Allow List in connection filtering.

None

Service running

• Updates the Microsoft 365 virtual groups when the policy target changes.

• Synchronizes with Office 365 daily to obtain information about new users, groups, verified domains, and MX records.

  Note:

  Cloud App Security synchronizes with Office 365 at 00:15 a.m. UTC for both the EU and UK sites, 05:15 a.m. UTC for the Canada site, 08:15 a.m. UTC for the US site, 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites, 05:15 p.m. UTC for the Singapore site, and 00:15 p.m. UTC for the India site.

Updates mail flow transport rules.

Refreshes the access token every hour.

Deprovisioning

• Stops daily synchronization with Office 365.

• Stops generating scheduled reports.

• Removes the Microsoft 365 virtual groups.

Removes the mail flow connectors for outbound protection and the transport rules for rerouting messages.

None.

Manual cleanup

• Removes the Trend Micro Cloud App Security from Azure AD.

• Removes the domain pair for Cloud App Security from the allow entries for spoofed senders in the Tenant Allow/Block List.

• Removes the IP addresses of Cloud App Security from the IP Allow List in connection filtering.

None.

Deletes the following transport rules and connectors:

• TMCAS Inline Incoming Skip Spam Filter Transport Rule

• TMCAS Inline Incoming Move to Junk Folder Transport Rule

• TMCAS Inline Inbound Connector for Incoming Message

• TMCAS Inline Inbound Connector for Outgoing Message

Provisioning

Uses OAuth 2.0 to obtain Gmail's access token.

Adds the user group TMCAS Inline Incoming Gmail Virtual Group.

Saves user and group information to the Cloud App Security database.

Service running

• Synchronizes with Gmail daily to obtain information about new users and groups.

  Note:

  Cloud App Security synchronizes with Gmail at 00:15 a.m. UTC for both the EU and UK sites, 05:15 a.m. UTC for the Canada site, 08:15 a.m. UTC for the US site, 04:15 p.m. UTC for both the Japan and the Australia and New Zealand sites, 05:15 p.m. UTC for the Singapore site, and 00:15 p.m. UTC for the India site.

• If an email message violates a policy that specifies the "Label email" action: Creates a label called "Risky (by Trend Micro)" and labels the message.

• Updates the access or operation logs for the service account during scanning.

• Refreshes the access token every hour.

• Cloud App Security refreshes the subscription to all mailboxes' event notifications during scheduled synchronization every day.

Deprovisioning

• Stops daily synchronization with Gmail.

• Stops generating scheduled reports.

• Removes administrator-set policies.

• Removes user and group information.

• Removes the access token obtained.

Manual cleanup

• Removes the Cloud App Security application from the Google Workspace admin console and from the admin's Google Account.

  Note:

  You can ignore this if you need to use the Google Drive or Gmail service account for protection.

• Removes the content compliance rule TMCAS Content Compliance Rule for Incoming Messages.

• Removes the mail route for routing emails to Cloud App Security.

• Removes the inbound gateway for receiving emails delivered from Cloud App Security.

  Important:

  To ensure that all emails scanned by Cloud App Security are successfully delivered to Gmail, remove the inbound gateway 24 hours after deprovisioning.

None.