MS Teams CASB API issues

Webhook issue

 

Webhook for Teams:

  1. Check in the application settings of the adapter that the following settings are enabled:

  2. Search the adapter log for “subscription” and check whether there are any errors.

  3. In IIS, open the application pool's advanced settings and check that the “Load user profile” setting is enabled.

  4. If everything above is configured, send a test message from Teams (a chat message or a channel message, it doesn’t matter) and check in the Admin Portal log whether we handle the new message. The following screenshot shows the text that should be displayed:

Webhook for OneDrive/SharePoint:

To handle file sharing, we need to create a Webhook for each user (OneDrive) and group (SharePoint) that we are interested in inspecting.

Because creating a Webhook for each user and group in the organisation uses a lot of resources, we create Webhooks based on the EW Policy: the AD sync fills the “CLOUD_USERS_GROUPS_SCOPE” table with the users and groups that need a Webhook. See here for more details.

Troubleshooting

  1. Check in the application settings of the adapter that the following settings are enabled:

  2. Check in the "CLOUD_USERS_GROUPS_SCOPE" table that the user / group whose files you want to inspect is there.

  3. If yes, take the entityID from the table and check in the adapter log that a Webhook was successfully created for it.

  4. If everything above is configured, upload a test file from OneDrive/SharePoint and check in the Admin Portal log whether we handle the new file. The following screenshot shows the text that should be displayed:

 

Verify Graph API results

In some cases, such as messages that do not appear in the eDiscovery, the issue might be related to Graph API results.

Getting chat messages

To query the messages of a specific chat, copy the conversation ID from the eDiscovery,

or open the chat in a browser and copy the value from the URL between conversations/ and ?, as in the example below:

Note - conversation ID might look different from time to time

Then go to Graph Explorer: Graph Explorer | Try Microsoft Graph APIs - Microsoft Graph

Sign in as a global admin and run the following query:

https://graph.microsoft.com/v1.0/chats/{conversation id}/messages?$top=50&$orderby=createdDateTime+desc

Example of the query with conversation id:

https://graph.microsoft.com/v1.0/chats/19:2f8ffc4b-cd7d-4c6a-b20b-4e70607a9c91_d272ee0e-a99e-4a5a-98fc-1bbe0213417b@unq.gbl.spaces/messages?$top=50&$orderby=createdDateTime+desc

 

The results are returned in the frame below and include the data of the last 50 messages of the conversation. The value 50 is the maximum; it can be reduced to any smaller value, such as 10.

To retrieve previous messages, you can click on the link: Click here to follow the link.

You can search within the returned results for your chat messages (use Ctrl+F):
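The same steps (extract the conversation ID, build the query, search one page of results, pick up the link to older messages) as an added Python example; it is not part of the original page or of the product's code. The Teams URL shape, the sample response and the function names are constructed for illustration; `body.content` and `@odata.nextLink` are standard Microsoft Graph response fields.

```python
import re
from urllib.parse import quote, unquote

GRAPH_CHATS = "https://graph.microsoft.com/v1.0/chats"
MAX_TOP = 50  # the page states that 50 is the maximum for $top on this query

def conversation_id_from_url(teams_url: str) -> str:
    """Return the value between 'conversations/' and '?' in a Teams web URL."""
    match = re.search(r"conversations/([^?]+)\?", teams_url)
    if not match:
        raise ValueError("no 'conversations/<id>?' segment in URL")
    return unquote(match.group(1))  # the browser may percent-encode ':' and '@'

def build_messages_query(conversation_id: str, top: int = MAX_TOP) -> str:
    """Build the chat messages query in the same form as the page's example."""
    if not 1 <= top <= MAX_TOP:
        raise ValueError(f"$top must be between 1 and {MAX_TOP}")
    chat = quote(conversation_id, safe=":@")  # keep ':' and '@', escape anything unsafe
    return f"{GRAPH_CHATS}/{chat}/messages?$top={top}&$orderby=createdDateTime+desc"

def search_page(response: dict, needle: str):
    """Return (matching (id, createdDateTime) pairs, next-page URL or None)."""
    hits = [
        (m["id"], m["createdDateTime"])
        for m in response.get("value", [])
        if needle.lower() in ((m.get("body") or {}).get("content") or "").lower()
    ]
    return hits, response.get("@odata.nextLink")

# Constructed sample data (assumed URL shape, not real tenant output).
SAMPLE_URL = ("https://teams.microsoft.com/_#/conversations/19%3A2f8ffc4b-cd7d-4c6a-"
              "b20b-4e70607a9c91_d272ee0e-a99e-4a5a-98fc-1bbe0213417b"
              "%40unq.gbl.spaces?ctx=chat")
SAMPLE_RESPONSE = {
    "@odata.nextLink": GRAPH_CHATS + "/CHAT_ID/messages?$skiptoken=PLACEHOLDER",
    "value": [
        {"id": "1700000000002", "createdDateTime": "2024-01-02T10:05:00Z",
         "body": {"contentType": "text", "content": "CASB test message"}},
        {"id": "1700000000001", "createdDateTime": "2024-01-02T10:00:00Z",
         "body": {"contentType": "html", "content": "<p>hello</p>"}},
    ],
}

if __name__ == "__main__":
    cid = conversation_id_from_url(SAMPLE_URL)
    print(build_messages_query(cid, top=10))
    print(search_page(SAMPLE_RESPONSE, "casb test"))
```

If a test message is missing from the first page, repeat the search on the response fetched from the returned next-page URL before concluding that Graph did not return it.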