IMPORTANT: Support for User ingestion for your Azure AD and Office 365 is in Limited Availability. To enable this feature, contact Skyhigh Security Support.
You can create user groups for your Azure AD and Office 365 accounts. You can apply DLP policies to specific groups of users within your organization.
For Office 365 groups, these are the supported CSPs: SharePoint, OneDrive.
Before you begin, make sure you've done the following:
- Enable API access for Microsoft Office 365. Integrate Skyhigh CASB with SharePoint, OneDrive, or both via API so that it can connect to Azure AD, using these links:
- Define custom sanctioned attributes. Contact Skyhigh CASB Support to configure custom sanctioned attributes for your tenant that map to the following attribute keys:
- For Office 365 Group: attributes.ad_office365_group
- For Azure AD Security Group: attributes.ad_security_group
- For Azure AD Mail Enabled Security Group: attributes.ad_mail_enabled_security_group
NOTE: Enable this feature only with Azure AD. If you have EC configured to fetch AD attributes, do not enable this feature.
Create User Groups
Follow the steps in Create a DLP User Group to create user groups that represent organizational units in your Azure AD and Office 365 account by defining user criteria with the custom attributes created by Skyhigh CASB Support.
For example, if the custom attribute Office365Org is defined and maps to the key attributes.ad_office365_group, and if you have an Office 365 group named "hr" in your Office 365 account, you can create a user group that represents all users under "hr".
Add User Groups to DLP Policies
To add the user groups defined previously to the DLP policies, see Include or Exclude a User Group from a DLP Policy.
Policies are then enforced according to the Azure AD or Office 365 organizational unit a user belongs to.
Azure AD, Office 365, and Skyhigh Security Sync
Skyhigh CASB runs periodic sync jobs with Azure AD and Office 365 to populate Organization Unit (OU) and Office 365 and Azure AD Groups information for all users in the Office 365 and Azure AD account. This information is used to define user groups, which can be attached to DLP policies.
Because expanding every group (including any nested groups) requires a large number of API calls, and the Azure AD and Office 365 environment of a large organization may contain a very large number of groups, it is not feasible to run a periodic job that re-syncs group information every few hours. Instead, group information is populated during the first full sync job for all users. From then on, group-related events are monitored to add, update, or remove entries in the user group data stored in Skyhigh CASB.
When does the sync happen?
- During the first full sync job that is run to go through all users and populate group information for every user.
- Every time a change related to groups is performed (see list of events below).
What changes/events in Azure AD and Office 365 groups are monitored?
- Add a user to a group
- Remove a user from a group
- Rename a group
NOTE: When a new group is created, this group is synced to Skyhigh CASB's local repository only when at least one user is added to the group. In other words, empty groups are not synced.
A Delete Group event does not update user group data in Skyhigh CASB, because of an API limitation in Office 365 and Azure AD.
Apart from the group events listed above, generic user events such as deleting a user from Office 365 or Azure AD and renaming a user are also monitored so that the user group data in Skyhigh CASB stays current.
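The following Python model is an added illustration, not Skyhigh CASB code, of the two behaviours described on this page: matching users to a DLP user group by a custom attribute criterion (for example, `attributes.ad_office365_group` equal to "hr"), and the sync model in which a first full sync populates group membership and later add/remove/rename events keep it current while Delete Group events do not. The snapshot and event dictionary shapes, the `GroupCache` class, and the sample users and groups are constructed here for the example; only the three attribute keys come from the page. The `stale_groups` reconciliation check is a suggestion for spotting policies still bound to deleted groups, not a Skyhigh feature.

```python
from dataclasses import dataclass, field

# Attribute keys named on the page. The custom attribute names that map to them
# (such as "Office365Org") are configured per tenant by Skyhigh CASB Support.
KEY_O365_GROUP = "attributes.ad_office365_group"
KEY_SECURITY_GROUP = "attributes.ad_security_group"
KEY_MAIL_SECURITY_GROUP = "attributes.ad_mail_enabled_security_group"


@dataclass
class GroupCache:
    """Hypothetical local copy of group membership, keyed by user."""
    # user -> {attribute key -> set of group names}
    users: dict = field(default_factory=dict)

    def full_sync(self, directory):
        """Initial full sync: walk every group and record each member's groups.
        `directory` is a constructed snapshot: group name -> (attribute key, members).
        A group with no members touches no user, so empty groups never appear."""
        self.users = {}
        for group, (key, members) in directory.items():
            for user in members:
                self.users.setdefault(user, {}).setdefault(key, set()).add(group)

    def apply_event(self, event):
        """Incremental update for the monitored event types listed on the page."""
        kind = event["type"]
        if kind == "add_user_to_group":
            self.users.setdefault(event["user"], {}).setdefault(event["key"], set()).add(event["group"])
        elif kind == "remove_user_from_group":
            self.users.get(event["user"], {}).get(event["key"], set()).discard(event["group"])
        elif kind == "rename_group":
            for groups_by_key in self.users.values():
                groups = groups_by_key.get(event["key"])
                if groups and event["old"] in groups:
                    groups.remove(event["old"])
                    groups.add(event["new"])
        elif kind == "delete_user":
            self.users.pop(event["user"], None)
        elif kind == "rename_user":
            if event["old"] in self.users:
                self.users[event["new"]] = self.users.pop(event["old"])
        elif kind == "delete_group":
            # Per the page, group deletion produces no update (API limitation):
            # members keep the stale entry until a user-level event replaces it.
            pass
        else:
            raise ValueError(f"unknown event type: {kind}")

    def members_of(self, key, group):
        """Users whose cached attribute `key` contains `group`: the set a DLP user
        group defined by the criterion `key == group` would match."""
        return {u for u, g in self.users.items() if group in g.get(key, set())}

    def stale_groups(self, directory):
        """Reconciliation check: groups still in the cache but absent from a fresh
        snapshot, i.e. candidates for DLP policies bound to groups that no longer exist."""
        cached = {g for by_key in self.users.values() for groups in by_key.values() for g in groups}
        return cached - set(directory)


def demo():
    """Run the model over constructed sample data and return the observable results."""
    directory = {  # constructed snapshot at the time of the first full sync
        "hr": (KEY_O365_GROUP, {"alice", "bob"}),
        "finance": (KEY_O365_GROUP, {"carol"}),
        "sec-admins": (KEY_SECURITY_GROUP, {"alice"}),
        "empty-team": (KEY_O365_GROUP, set()),  # never reaches the cache
    }
    cache = GroupCache()
    cache.full_sync(directory)
    hr_initial = cache.members_of(KEY_O365_GROUP, "hr")

    events = [  # constructed change events, in the order they arrive
        {"type": "add_user_to_group", "user": "dave", "key": KEY_O365_GROUP, "group": "hr"},
        {"type": "remove_user_from_group", "user": "bob", "key": KEY_O365_GROUP, "group": "hr"},
        {"type": "rename_group", "key": KEY_O365_GROUP, "old": "finance", "new": "fin-ops"},
        {"type": "delete_group", "key": KEY_SECURITY_GROUP, "group": "sec-admins"},
    ]
    for event in events:
        cache.apply_event(event)

    directory_after = {  # constructed fresh snapshot taken after the events
        "hr": (KEY_O365_GROUP, {"alice", "dave"}),
        "fin-ops": (KEY_O365_GROUP, {"carol"}),
        "empty-team": (KEY_O365_GROUP, set()),
    }
    return {
        "hr_initial": hr_initial,
        "hr_after": cache.members_of(KEY_O365_GROUP, "hr"),
        "fin_ops": cache.members_of(KEY_O365_GROUP, "fin-ops"),
        "sec_admins_stale": cache.members_of(KEY_SECURITY_GROUP, "sec-admins"),
        "empty_team": cache.members_of(KEY_O365_GROUP, "empty-team"),
        "stale": cache.stale_groups(directory_after),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {sorted(value)}")
```

The point of the model is the `sec_admins_stale` result: after the group is deleted, "alice" still matches a user group defined on `attributes.ad_security_group == "sec-admins"`, so a DLP policy that includes or excludes that user group keeps applying to her until a user-level event (delete or rename user) or a later full sync replaces her entry. Comparing the cache against a fresh group listing, as `stale_groups` does, is one way to surface such bindings for review.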