This list of Frequently Asked Questions deals with the Skyhigh CASB Microsoft Teams app and the change to Microsoft Graph APIs, the required licenses, and the migration to the Custom OAuth deployment model.
What is Skyhigh CASB for Microsoft Teams?
Skyhigh CASB supports Teams DLP use cases by leveraging the Microsoft Graph APIs for Teams DLP Near-Real Time (NRT) and Teams Export On-Demand Scans (ODS).
This includes User Activity Monitoring, DLP controls for Teams Channels, 1:1 or 1:Group chats in near real-time, and support for DLP for historical data in Teams via ODS.
Is Microsoft Graph APIs for Teams free to use?
Skyhigh Security uses Microsoft Graph APIs to apply DLP policies to Microsoft Teams. Access to these Graph APIs requires selected Microsoft 365 licenses. If these licenses are not purchased, the APIs do not send any messages on which DLP controls can be enforced.
What licenses are required for Teams DLP?
Any one of the following licenses is required:
- Microsoft 365 E5/A5/G5
- Microsoft 365 E5/A5/F5/G5 Compliance [add-on]
- Microsoft 365 E5/A5/F5/G5 Information Protection and Governance [add-on]
- Microsoft 365 F5 Security & Compliance [add-on]
These licensing changes were announced by Microsoft last year where only customers with specific licenses would have access to Microsoft Graph APIs for DLP. Plus, metering charges will be applied to customers based on API usage.
My Organization has Microsoft 365 E3 licenses. Is this valid for Teams DLP?
No, E3 is not a valid license. See the list above for valid licenses.
Support for Graph APIs via E3 licenses is temporary. Per Microsoft, this access will be revoked in the future. The date has not been provided.
How does Teams metering work?
For usage of Microsoft Graph APIs, Microsoft calculates a metering cost. Using a seeded capacity of 800 messages per licensed user, the total seeded capacity is 800 times the number of licensed users. If the number of messages exceeds this number in one month, the metering cost is calculated at $0.00075 per message.
For more information, see Microsoft documentation at https://docs.microsoft.com/en-us/graph/teams-licenses.
What licensing changes is Skyhigh introducing for Teams?
Skyhigh Security is requiring that customers ensure the following with respect to their Skyhigh CASB for Teams deployment:
- Skyhigh CASB integration is via a Custom OAuth model deployment.
- Ensure Microsoft Teams licensing is supported for Graph APIs.
How do I know which deployment model I am using for Microsoft Teams?
- If the API for Teams is enabled for your tenant using the Admin consent model, then the Teams app is registered with a Skyhigh CASB Azure subscription.
- If the API is enabled for Teams using the Custom OAuth model, then the app is registered with a customer-owned Azure subscription.
What is a Custom OAuth deployment model and how do I change to this?
The Custom OAuth deployment makes the Teams app installed in the Azure environment owned by the customer. If your current deployment is the Admin consent model, then all you need to do is deploy the Custom OAuth App, disable the existing API, and re-enable it.
For a step-by-step guide to this migration, see User Account Requirements for Office 365.
Will I see any additional costs if I change to the Custom OAuth model?
If your message consumption exceeds the seeded capacity, then Microsoft will charge you $0.00075 per message. Otherwise, there will not be any additional charges.
Are there any Guard Rails for Microsoft Graph API for Teams?
Yes, Microsoft added seeded capacity per licensed user, calculated per month, and aggregated at the tenant level.
For more information, refer to the Microsoft documentation at https://docs.microsoft.com/en-us/graph/teams-licenses.
Will there be any cost for the excess usage of APIs?
Yes, once the cumulative Seeded Capacity is consumed, every message will be charged.
Who is responsible for the excess usage cost?
The app owner will be responsible for the excess usage cost.
Who is the owner of the Teams App?
Today, Skyhigh Security is the owner of the Teams app, unless the customer has registered the app in their Azure portal using the Custom OAuth model. If you use the Custom OAuth deployment, you the customer are the owner of the App.
Will Skyhigh continue to be the owner of the App for Teams?
- No, Skyhigh Security strongly recommends that every tenant migrate to the Custom OAuth deployment for Teams. We have already made this the default for all new onboarding customers for Teams API integration.
- If your tenant has valid licenses (E5 or other recommended licenses per Microsoft), then there will be a grace period to migrate to the Custom OAuth app. This grace period will end by January 2023. After this date, the service will be disabled for Teams for your tenant.
- If you have no valid licenses, then the migration to the Custom OAuth deployment will be immediate, and there will be no grace period granted.
How can I control the Teams API costs?
You must upgrade your licenses to E5, or other valid license options as recommended by Microsoft, to get the benefit of seeded capacity. In most cases, the API consumption is under the seeded capacity and there should not be any charges from Microsoft.
If the API consumption is beyond the seeded capacity, Microsoft will apply charges.
Where can I get help with Custom OAuth deployment for Teams?