Skip to main content
McAfee MVISION Cloud

User Groups for Azure AD Security and Office 365 Groups

IMPORTANT: Support for User ingestion for your Azure AD and Office 365 is in Limited Availability. To enable this feature, contact MVISION Cloud Support

You can create user groups for your Azure AD and Office 365 accounts. You can apply DLP policies to specific groups of users within your organization.

For Office 365 groups, these are the supported CSPs: SharePoint, OneDrive.

Prerequisites

Before you begin, make sure you've done the following:

  • Enable API access for Azure AD and Office 365. Configure McAfee MVISION Cloud to access Azure AD and Office 365 using APIs by following the steps in Configure Azure AD and Office 365 API Integration.
  • Define custom sanctioned attributes. Contact MVISION Cloud Support to configure custom sanctioned attributes for your tenant mapping to the following attribute keys:
    • For Office 365 Group: attributes.ad_office365_group
    • For Azure AD Security Group: attributes.ad_security_group
    • For Azure AD Mail Enabled Security Group: attributes.ad_mail_enabled_security_group

NOTE:

  • These attribute keys are automatically populated when you enable API access for Azure AD and Office 365. 
  • Enable this feature only with Azure AD. If you have EC configured to fetch AD attributes then do not enable this feature.

Create User Groups

Follow the steps in Create a DLP User Group to create user groups that represent organizational units in your Azure AD and Office 365  account by defining user criteria with the custom attributes created by MVISION Cloud Support.

For example, if the custom attribute Office365Org is defined and maps to the key attributes.ad_office365_group, and if you have an Office 365 group named "hr" in your Office 365 account, you can create a user group that represents all users under "hr".

Add User Groups to DLP Policies

To add the user groups defined previously to the DLP policies, see Add User Groups to a DLP Policy

This will enforce policies based on the Azure AD and Office 365 organization unit a user belongs to.

Azure AD, Office 365, and McAfee Sync

MVISION Cloud runs periodic sync jobs with Azure AD and Office 365 to populate Organization Unit (OU) and Office 365 and Azure AD Groups information for all users in the Office 365 and Azure AD account. This information is used to define user groups, which can be attached to DLP policies.

Groups

It is not possible to run a periodic job to sync Group information every few hours, due to the number of API calls required to expand groups (and any nested groups), due to the potentially high number of groups present in the Azure AD and Office 365 environment of a large organization. So, the Group information is populated during the first full sync job for all users. From that time onward, various events related to Groups are monitored to remove, update, or add information to user group's data stored in MVISION Cloud.

When does the sync happen?

  • During the first full sync job that is run to go through all users and populate group information for every user.
  • Every time a change related to groups is performed (see list of events below).

What changes/events in Azure AD and Office 365 groups are monitored?

  • Add a user to a group
  • Remove a user from a group
  • Rename a group

NOTE: When a new group is created, this group is synced to MVISION Cloud's local repository only when at least one user is added to the group. In other words, empty groups are not synced.

Known Issues

The Delete Group event does not result in user group data being updated in MVISION Cloud. This is due to an API limitation from Office 365 and Azure AD. 

Other Events

Apart from the events listed above for Groups, other generic events related to users such as Delete user from Office 365 and Azure AD and Rename user are also monitored to regularly update the user groups data in MVISION Cloud. 

  • Was this article helpful?