Skip to main content

Check out Interactive Visual Stories to gain hands-on experience with the SSE product features. Click here

Skyhigh Security

Multi-Geo Model for Office 365

Multi-Geo capability in Office 365 allows you to organize users and their data to spread across multi-geographic regions using a single Office 365 tenant. You have the flexibility to choose the country or region where each employee’s Office 365 data is stored at-rest. This promotes businesses to meet their global data residency goals and digitally transform with Office 365.

Create a single global tenant for the entire organization, so all users can access their data regardless of their locations. You can create tenant in your home data center region and add more satellite regions as they expand. For more details, see Microsoft 365 Multi-Geo.

Skyhigh CASB supports the Multi-geo capabilities for SharePoint, OneDrive, MS Teams Chat* and Exchange Online*

(* known issues see below)

NOTE: To support the multi-geo environment in Skyhigh CASB, enable Office 365 Multi-Geo feature in your Skyhigh CASB tenant. For details, contact Skyhigh CASB Support

Configure Multi-Geo feature for Office 365 in Skyhigh CASB

You can enable a multi-geo environment for Office 365 applications such as SharePoint, and OneDrive in Skyhigh CASB. For SharePoint and OneDrive specific configuration is needed with multiple instances.

Configure Multi-Geo for OneDrive 

Multi-Geo for OneDrive allows security admin to create and configure a OneDrive service instance in Skyhigh CASB to monitor activities of users in specific geo for DLP and Activity Monitoring. DLP is supported both in near real-time and on-demand scan modes.

For example, say "myorg" is a multinational corporation located in 3 different regions: Headquarters in Canada and branches in the European Union and Australia. A group of OneDrive users of the organization has selected the preferred location as Canada, so OneDrive Account data is stored in this region. To monitor the OneDrive Account location, you need to create and configure instances for that specific region.  

IMPORTANT:

  • Skyhigh CASB monitors the OneDrive account for multiple preferred regions only when a separate service instance of OneDrive is created for each region.
  • The activities of users who are assigned to the preferred data location are monitored for DLP and Activity Monitoring.

To configure OneDrive instance for the preferred data location:

  1. Login to Skyhigh CASB as admin.
  2. Go to Settings > Service Management.
  3. From the Service Management page, click Add Service Instance to add OneDrive instance, and enter an Instance Name
  4. Select the OneDrive instance from the Services list. (If no services are listed, contact Skyhigh CASB Support for help.)
  5. Under Setup, click Enable to enable API access. 
    clipboard_e18c84c4273f1061142792ff3839e34e5.png
  6. On the Enable API Review Prerequisites page, review the prerequisites, and then click the checkbox to confirm that you have completed the prerequisites. Click Next
    clipboard_e6e31830b186aa1d50b2b629ece8fd885.png
  7. On the Enable API page, click Provide API Credentials.
    clipboard_e2fb19b04fe1934a95e40a9b5f9485087.png
  8. Enter the preferred region's Geo Administrator Email and click Submit. 
    clipboard_efefe99c9aa37e746b916f8596f8bd0c1.png
    The multi geo location is configured successfully with OneDrive. 

NOTE: If the admin has more than one geo-location assigned for administrative purposes, Skyhigh Security considers the 'preferred data location' (PDL) of the administrator as the geo that needs to be monitored.

Configure Multi-Geo for SharePoint

Multi-Geo for SharePoint allows security admin to create and configure a SharePoint service instance in Skyhigh CASB to monitor SharePoint sites in specific geo for DLP and Activity Monitoring. DLP is supported both in near real-time and on-demand scan modes.

IMPORTANT:

  • Skyhigh CASB monitors the SharePoint sites for multiple regions only when a separate service instance of SharePoint is created for each region.
  • The SharePoint sites that are assigned to the preferred data location are monitored for DLP and Activity Monitoring.

To configure SharePoint instance for the preferred data location:

  1. Login to Skyhigh CASB as admin.
  2. Go to Settings > Service Management.
  3. From the Service Management page, click Add Service Instance to add SharePoint instance, and enter an Instance Name
  4. Select the SharePoint instance from the Services list. (If no services are listed, contact Skyhigh CASB Support for help.)
  5. Under Setup, click Enable to enable API access. 
    clipboard_e791dc72739da9c55eacc9cf5c11ea9f5.png
  6. On the Enable API Review Prerequisites page, review the prerequisites, and then click the checkbox to confirm that you have completed the prerequisites. Click Next
    clipboard_e6e31830b186aa1d50b2b629ece8fd885.png
  7. On the Enable API page, click Provide API Credentials.
    clipboard_e2fb19b04fe1934a95e40a9b5f9485087.png
  8. Enter the preferred region's Geo Administrator Email and SharePoint admin center URL and click Submit.
    clipboard_ed5e3e7d42070520e3acd3ed7ab970842.png
    The multi geo location is configured successfully with SharePoint. 

NOTE: If the admin has more than one geo-location assigned for administrative purposes, Skyhigh Security considers the 'preferred data location' (PDL) of the administrator as the geo that needs to be monitored.

Multi-Geo for Exchange Online

Skyhigh CASB supports the Multi-geo capabilities for Exchange Online for all deployment modes. Inline Email DLP, Passive (Out-of-band) email DLP and On Demand Scans for Email are all supported with the following known issues:

Known Issues

The "Quarantine" operation for emails is only successful when the sender's mailbox is in the same geo location as the quarantine user's mailbox. E.g. when a user alice has the primary data location (PDL) and mailbox configured to IND and the quarantine mailbox is set to primary data location (PDL) NAM then the quarantine operation will fail for emails sent by the user alice. All other incident response actions like Incident, Delete, Block, Add Header, etc are supported. This limitation applies to Inline Email DLP, Passive (Out-of-band) email DLP and On Demand Scans.

Multi-Geo for Microsoft Teams Chat

Skyhigh CASB support for Multi-geo capabilities for Microsoft Teams Chat is in limited availability and preview.

Known Issues

It is reported that Skyhigh CASB supports the Multi-geo capabilities for Microsoft Teams Chat. However this support is still experimental and any issues should be reported to Skyhigh CASB support team.

  • Was this article helpful?