Multi-Geo Model for Office 365
Multi-Geo capability in Office 365 allows you to distribute users and their data across multiple geographic regions within a single Office 365 tenant. You have the flexibility to choose the country or region where each employee's Office 365 data is stored at rest. This helps businesses meet their global data residency goals and digitally transform with Office 365.
Create a single global tenant for the entire organization, so all users can access their data regardless of their location. You can create the tenant in your home data center region and add more satellite regions as the organization expands. For more details, see Microsoft 365 Multi-Geo.
Skyhigh CASB supports the Multi-geo capabilities for SharePoint, OneDrive, MS Teams Chat* and Exchange Online.
(* Known issue; see below.)
NOTE: To support the multi-geo environment in Skyhigh CASB, enable the Office 365 Multi-Geo feature in your Skyhigh CASB tenant. For details, contact Skyhigh CASB Support.
Configure Multi-Geo feature for Office 365 in Skyhigh CASB
You can enable a multi-geo environment for Office 365 applications such as SharePoint and OneDrive in Skyhigh CASB. For SharePoint and OneDrive, specific configuration is needed with multiple instances.
Configure Multi-Geo for OneDrive
Multi-Geo for OneDrive allows a security admin to create and configure a OneDrive service instance in Skyhigh CASB to monitor the activities of users in a specific geo for DLP and Activity Monitoring. DLP is supported in both near real-time and on-demand scan modes.
For example, say "myorg" is a multinational corporation located in 3 different regions: Headquarters in Canada and branches in the European Union and Australia. A group of OneDrive users of the organization has selected the preferred location as Canada, so OneDrive Account data is stored in this region. To monitor the OneDrive Account location, you need to create and configure instances for that specific region.
IMPORTANT:
- Skyhigh CASB monitors the OneDrive account for multiple preferred regions only when a separate service instance of OneDrive is created for each region.
- The activities of users who are assigned to the preferred data location are monitored for DLP and Activity Monitoring.
To configure a OneDrive instance for the preferred data location:
- Log in to Skyhigh CASB as admin.
- Go to Settings > Service Management.
- From the Service Management page, click Add Service Instance to add a OneDrive instance, and enter an Instance Name.
- Select the OneDrive instance from the Services list. (If no services are listed, contact Skyhigh CASB Support for help.)
- Under Setup, click Enable to enable API access.
- On the Enable API Review Prerequisites page, review the prerequisites, and then click the checkbox to confirm that you have completed the prerequisites. Click Next.
- On the Enable API page, click Provide API Credentials.
- Enter the preferred region's Geo Administrator Email and click Submit.
The multi-geo location is configured successfully with OneDrive.
NOTE: When the admin has more than one geo-location assigned for administrative purposes, Skyhigh Security considers the 'preferred data location' (PDL) of the administrator as the geo that needs to be monitored.
Configure Multi-Geo for SharePoint
Multi-Geo for SharePoint allows a security admin to create and configure a SharePoint service instance in Skyhigh CASB to monitor SharePoint sites in a specific geo for DLP and Activity Monitoring. DLP is supported in both near real-time and on-demand scan modes.
IMPORTANT:
- Skyhigh CASB monitors the SharePoint sites for multiple regions only when a separate service instance of SharePoint is created for each region.
- The SharePoint sites that are assigned to the preferred data location are monitored for DLP and Activity Monitoring.
To configure a SharePoint instance for the preferred data location:
- Log in to Skyhigh CASB as admin.
- Go to Settings > Service Management.
- From the Service Management page, click Add Service Instance to add a SharePoint instance, and enter an Instance Name.
- Select the SharePoint instance from the Services list. (If no services are listed, contact Skyhigh CASB Support for help.)
- Under Setup, click Enable to enable API access.
- On the Enable API Review Prerequisites page, review the prerequisites, and then click the checkbox to confirm that you have completed the prerequisites. Click Next.
- On the Enable API page, click Provide API Credentials.
- Enter the preferred region's Geo Administrator Email and SharePoint admin center URL and click Submit.
The multi-geo location is configured successfully with SharePoint.
NOTE: If the admin has more than one geo-location assigned for administrative purposes, Skyhigh Security considers the 'preferred data location' (PDL) of the administrator as the geo that needs to be monitored.
Multi-Geo for Exchange Online
Skyhigh CASB supports the Multi-geo capabilities for Exchange Online for all deployment modes. Inline Email DLP, Passive (Out-of-band) email DLP and On Demand Scans for Email are all supported with the following known issues:
Known Issue
The "Quarantine" operation for emails succeeds only when the sender's mailbox is in the same geo location as the quarantine user's mailbox. For example, when user alice has the primary data location (PDL) and mailbox configured to IND and the quarantine mailbox is set to PDL NAM, the quarantine operation fails for emails sent by alice. All other incident response actions, such as Incident, Delete, Block, and Add Header, are supported. This limitation applies to Inline Email DLP, Passive (Out-of-band) email DLP, and On Demand Scans.
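The per-region instance requirement for OneDrive and the quarantine limitation above can both be checked from a user export before rollout. The following is an added example, not Skyhigh or Microsoft code: the CSV layout, the instance inventory, the geo codes, and the rule that a blank PDL falls back to the central geo are assumptions, and a user's mailbox geo is taken to equal their PDL.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export of users and their preferred data location (PDL).
USERS_CSV = """upn,pdl
alice@myorg.example,IND
bob@myorg.example,NAM
carol@myorg.example,can
dave@myorg.example,EUR
erin@myorg.example,AUS
frank@myorg.example,
"""

# Constructed inventory of CASB service instances; admin_pdl is the PDL of the
# Geo Administrator whose email was submitted for that instance.
INSTANCES = [
    {"service": "OneDrive", "name": "od-canada", "admin_pdl": "CAN"},
    {"service": "OneDrive", "name": "od-europe", "admin_pdl": "EUR"},
    {"service": "SharePoint", "name": "sp-australia", "admin_pdl": "AUS"},
]
CENTRAL_GEO = "NAM"             # assumption: users with no PDL live in the central geo
QUARANTINE_MAILBOX_PDL = "NAM"  # assumption: PDL of the quarantine user's mailbox


def load_users(text, central_geo=CENTRAL_GEO):
    """Return {upn: geo}, upper-casing codes and defaulting blank PDLs."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["upn"].strip().lower(): (r["pdl"] or "").strip().upper() or central_geo
            for r in rows}


def coverage_gaps(users, instances, service):
    """Map each geo that has users but no instance of `service` to its users."""
    covered = {i["admin_pdl"].upper() for i in instances if i["service"] == service}
    gaps = defaultdict(list)
    for upn, geo in sorted(users.items()):
        if geo not in covered:
            gaps[geo].append(upn)
    return dict(gaps)


def quarantine_failures(users, quarantine_pdl=QUARANTINE_MAILBOX_PDL):
    """Senders whose mailbox geo differs from the quarantine mailbox geo."""
    return sorted(u for u, geo in users.items() if geo != quarantine_pdl.upper())


if __name__ == "__main__":
    users = load_users(USERS_CSV)
    for geo, upns in coverage_gaps(users, INSTANCES, "OneDrive").items():
        print(f"no OneDrive instance for {geo}: {', '.join(upns)}")
    print("quarantine will fail for:", ", ".join(quarantine_failures(users)))
```

Users listed under a gap geo generate no DLP or Activity Monitoring data for OneDrive until an instance is added for that geo, and senders in the second list need an incident response action other than Quarantine.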
Multi-Geo for Microsoft Teams Service
Currently, Skyhigh CASB does not support multi-geo capabilities for the Microsoft Teams service.