Views:

As Microsoft's licensing models for Teams APIs impose usage restrictions and licensing requirements on API calls, you need to use your own app registered with Azure AD and select an applicable licensing model when provisioning Teams Chat. For details about the licensing models, see Microsoft Documentation.

The following table summarizes the licensing models and the supported Cloud App Security protection under each model.

ModelLicensing and Payment RequirementsSupported Cloud App Security Protection
Model A
  • An appropriate Microsoft 365 E5 license
  • Payment to Microsoft when the API usage exceeds the upper limit
  • Scan messages and files.
  • Block or pass messages and files upon detecting risks.
Model B
  • Payment to Microsoft for each API call
  • No license required
  • Scan messages and files.
  • Pass messages and files upon detecting risks.
     
    Blocking messages or files is not supported.
     
Evaluation ModeNo license or payment required
  • Scan messages and files.
  • Block or pass messages and files upon detecting risks.
     
    As this model provides limited API calls, Cloud App Security can scan and take action on only a limited number of messages and files.
     

If you have already provisioned Teams Chat in the old way without creating your own app, Evaluation Mode applies. Trend Micro recommends that you update the provisioning to have access to all the licensing models and continued Cloud App Security protection by performing the following:

Go to Administration > Service Account, locate your Teams Chat service account, click Protect with Your Own App, and complete the provisioning by referring to the operations in this topic.

To provision a Service Account for Teams Chat from the Cloud App Security web console:

  1. Log on to the Cloud App Security management console.
  2. Hover over Teams Chat and click Provision.

    Provision - MS Team Chat

    Click the image to enlarge.

  3. Create an app in Azure AD for protecting Teams Chat.
    For details, see Creating an Azure AD App for Teams Chat Protection.
  4. Specify the app ID and secret, and click Grant Permission.

    Grant Permission

    Click the image to enlarge.

     
    • If for some reason the access token becomes invalid after the provisioning, go to Administration > Service Account to create a new access token for the service account. For more information, see Service Account.
    • If the secret becomes invalid or you want to change to another app after the provisioning, go to Administration > Service Account, locate your Teams Chat service account, and click Update Secret or Change App to start replacing the secret or changing to another app. The subsequent procedure is the same as the provisioning described in this topic.
     
  5. Specify your Office 365 Global Administrator credentials, and click Sign in.
  6. Click Accept to grant Cloud App Security the permission to use the Graph API to access your Teams Chat related service data.

    Permission Requested

    Click the image to enlarge.

  7. Go back to the Cloud App Security management console and select a Microsoft licensing model.

    Evaluation Mode

    Click the image to enlarge.

     
    To change the protection mode after provisioning, see Configuring Microsoft Licensing Model Settings for Teams Chat.
     
  8. Click Done. Cloud App Security then updates the Teams Chat data in your organization. The time required depends on how much data you have in Teams Chat.

    Tasks

    Click the image to enlarge.

  9. Hover over the ring icon in the upper-right corner of the management console.
    If the message Teams Chat protected appears on the Notifications screen, the provisioning is successful.

    Teams Chat Protected

    Click the image to enlarge.

Keywords: setup provision for MS Teams chat,configure CAS to scan MS Teams files and chat,create service account for Microsoft Teams,prevent data loss in MS Teams Chat