Views:

When your Office 365 services leverage Microsoft Information Protection (MIP) or Azure Rights Management (Azure RMS) to protect sensitive information, the files or email messages in the services may become encrypted and not accessible to Cloud App Security.

To extend protection to MIP or RMS encrypted content, grant Cloud App Security required permissions by using either of the following service accounts.

Account

Available Protection

MIP account

  • For Exchange Online email messages: decrypt messages for scanning and apply actions based on the sensitivity labels on messages

  • For files in SharePoint Online, OneDrive, Microsoft Teams (Teams), and Microsoft Teams (Chat): decrypt files for scanning, apply or remove sensitivity labels, and apply actions based on the sensitivity labels on files

    Note:

    For Microsoft Teams (Chat), Cloud App Security currently does not support applying or removing sensitivity labels.

    The protection is available for the following file types:

    • Microsoft Word: docm, docx, dotm, and dotx

    • Microsoft Excel: xlam, xlsm, xlsx, and xltx

    • Microsoft PowerPoint: potm, potx, ppsx, ppsm, pptm, and pptx

    • PDF: pdf

    • Text: txt

RMS account

Decrypt files in SharePoint Online, OneDrive, and Microsoft Teams (Teams) for scanning

Cloud App Security recommends you create a MIP account for enhanced protection. Provisioning an RMS account is no longer available.

  • If you have already provisioned an RMS account, Trend Micro recommends you migrate to a MIP account.

  • If you have provisioned both the RMS and MIP accounts, Cloud App Security uses only the MIP account and you can remove the RMS account.

Parent topic: Provisioning Office 365 Services