SOLVED

Cloud App Security - Admin Quarantine with SharePoint

%3CLINGO-SUB%20id%3D%22lingo-sub-1852663%22%20slang%3D%22en-US%22%3ECloud%20App%20Security%20-%20Admin%20Quarantine%20with%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1852663%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20want%20to%20setup%20the%20admin%20quarantine%20in%20Cloud%20App%20Security%20pointing%20to%20SharePoint.%20Unfortunately%20we%20see%20only%20OneDrive%20locations%20and%20only%202-3%20SharePoint%20sites.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIs%20there%20a%20known%20configuration%20for%20the%20SharePoint%20sites%2C%20that%20they%20get%20available%20in%20MCAS%3F%20I%20couldn't%20find%20any%20information%20on%20the%20docs%20or%20other%20blogs.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1852663%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Equarantine%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1859393%22%20slang%3D%22en-US%22%3ERe%3A%20Cloud%20App%20Security%20-%20Admin%20Quarantine%20with%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1859393%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F382145%22%20target%3D%22_blank%22%3E%40NiklasM%3C%2FA%3E!%20The%20SPO%20sites%20that%20are%20missing...%20were%20those%20names%20changed%20ever%3F%20Or%2C%20are%20they%20the%20names%20that%20were%20first%20assigned%20to%20those%20sites%20when%20they%20were%20created%3F%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1859833%22%20slang%3D%22en-US%22%3ERe%3A%20Cloud%20App%20Security%20-%20Admin%20Quarantine%20with%20SharePoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1859833%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F708110%22%20target%3D%22_blank%22%3E%40Sarahzin%3C%2FA%3EWe%20have%20two%20scenarios%3A%3C%2FP%3E%3CP%3E1.)%20Our%20customer%20created%20a%20new%20site%20only%20for%20this%20and%20the%20name%20was%20not%20changed%20after%20the%20creation.%20The%20site%20is%20not%20visible%20in%20MCAS.%20But%20sites%20that%20are%20created%20the%20same%20way%20(maybe%20different%20permissions)%20are%20available.%3C%2FP%3E%3CP%3E2.)%20I%20also%20tested%20it%20with%20the%20Contoso%20Test%20Tenant%20and%20there%20are%20only%20the%20sites%20%22%3CA%20href%3D%22https%3A%2F%2Fm365x123456.sharepoint.com%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fm365x123456.sharepoint.com%3C%2FA%3E%22%20and%20%22%3CA%20href%3D%22https%3A%2F%2Fm365x123456.sharepoint.com%2Fportals%2Fhub%22%20target%3D%22_blank%22%20rel%3D%22nofollow%20noopener%20noreferrer%22%3Ehttps%3A%2F%2Fm365x123456.sharepoint.com%2Fportals%2Fhub%3C%2FA%3E%22%20available.%20I%20have%20not%20changed%20anything%20in%20the%20Contoso%20Tenant%20yet.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20will%20create%20a%20new%20site%20in%20my%20Contoso%20Tenant%20to%20see%20if%20I%20can%20get%20deeper%20in%20this%20topic.%20But%20at%20the%20end%20it%20would%20be%20important%2C%20also%20for%20the%20Docs%2C%20to%20have%20a%20clear%20answer%20how%20to%20configure%20the%20SharePoint%20Site.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

We want to setup the admin quarantine in Cloud App Security pointing to SharePoint. Unfortunately we see only OneDrive locations and only 2-3 SharePoint sites.

 

Is there a known configuration for the SharePoint sites, that they get available in MCAS? I couldn't find any information on the docs or other blogs.

5 Replies

Hi @NiklasM! The SPO sites that are missing... were those names changed ever? Or, are they the names that were first assigned to those sites when they were created? 

 

@SarahzinWe have two scenarios:

1.) Our customer created a new site only for this and the name was not changed after the creation. The site is not visible in MCAS. But sites that are created the same way (maybe different permissions) are available.

2.) I also tested it with the Contoso Test Tenant and there are only the sites "https://m365x123456.sharepoint.com" and "https://m365x123456.sharepoint.com/portals/hub" available. I have not changed anything in the Contoso Tenant yet.

 

I will create a new site in my Contoso Tenant to see if I can get deeper in this topic. But at the end it would be important, also for the Docs, to have a clear answer how to configure the SharePoint Site.

@NiklasM @Sarahzin I've also ran into this issue in multiple M365 tenants.  Initially only OneDrive user sites appear in the list when searching for an Admin quarantine folder location, but over time SharePoint sites start to appear in the results.  I don't recall the exact timing, but it did take several days before the dedicated SpO site that was created specifically for the Admin Quarantine appeared in the search results for assignment of the Admin Quarantine folder location.  

 

Questions

  • Could this be some type of indexing delay (within MCAS or SpO/O365 Graph, etc.) that follows initial service integration (AIP/O365 Connector - Files)? 
  • If so, could the Docs be updated to set a reasonable expectation for how long it may take once a new SpO site is created until it's available to actually assign to the Admin Quarantine folder location (via search results)? 
  • Is there any way to speed up the process?

ialvan_0-1611933583767.png

 

@NiklasM @Sarahzin 

UPDATE:  Found this info in a previous thread :smile:

MCAS detects new folders only after some file activity has been performed in them.

I suggest you upload a single file to the new folder, which will cause MCAS to pick it up.

 

Questions

  • Could this be some type of indexing delay (within MCAS or SpO/O365 Graph, etc.) that follows initial service integration (AIP/O365 Connector - Files)? 
  • If so, could the Docs be updated to set a reasonable expectation for how long it may take once a new SpO site is created until it's available to actually assign to the Admin Quarantine folder location (via search results)? - The info above would be helpful to include in the Docs article on Admin Quarantine.
  • Is there any way to speed up the process? - Yes, see above.
 
best response confirmed by NiklasM (Occasional Contributor)
Solution

@ialvan @NiklasM 

 

Documentation has been updated.

 

Cloud App Security only detects new SharePoint and OneDrive folders, including if they are set as the admin quarantine folder, after some file activity has been performed in them.

 

Protect files with Cloud App Security admin quarantine | Microsoft Docs