Skyhigh CASB Delta APIs Early Access Release Notes 6.8.0 (Feb 2025)
Enhancements
Skyhigh CASB Delta API Migration for SharePoint Online and OneDrive
The SharePoint WebApp Model is set for deprecation by April 2026, requiring a transition to modern API capabilities, the Delta API Framework. The Delta API framework introduces enhanced Data Loss Prevention (DLP) support for SharePoint Online and OneDrive, utilizing Microsoft Graph APIs. This upgrade replaces legacy APIs, reducing rate-limit errors and improving policy enforcement for greater efficiency and scalability.
You can enable Delta APIs for SharePoint Online and OneDrive based on the following instance type:
- Existing Instances: Migrate existing SharePoint Online and OneDrive instances from the traditional SharePoint Add-in app model to the advanced Delta API model. For migration related queries, see Frequently Asked Questions.
- New Instances: Integrate Skyhigh CASB with new SharePoint Online and OneDrive instances using Delta APIs. For details, see Integrate SharePoint Online/OneDrive via Delta API.
Skyhigh CASB Delta API Integration for SharePoint Online/OneDrive supports the following DLP Policy rules and response actions for near real-time DLP on sensitive content uploaded to SharePoint Online and OneDrive services.
Feature Matrix
Supported DLP Policy Rules and Response Actions in SharePoint Online/OneDrive
| DLP Policy Rules | DLP Response Actions | Supported |
|---|---|---|
| Data Identifier |
|
Yes |
| File Name |
|
Yes |
| File Path/Folder ID |
|
Yes |
| File Size |
|
Yes |
| File Type |
|
Yes |
| Keywords |
|
Yes |
| Regular Expression |
|
Yes |
Skyhigh CASB Delta API Integration for SharePoint Online/OneDrive supports the following DLP Collaboration use cases to identify sensitive content shared in files or folders in SharePoint Online and OneDrive.
Supported Pure Collaboration (Individual Users and O365 Groups) Use Cases for SharePoint Online/OneDrive
| Pure Collaboration Use Cases | Supported |
Near real-time (NRT) DLP Protection |
DLP Policy Ruleset | DLP Policy Response Actions | |
|---|---|---|---|---|---|
| File | Folder | ||||
| Public Shared Links | Partially | Yes | No | Shared Link - Public |
|
| Organization-level Shared Links | Partially | Yes | No | Shared Link - Org |
|
| Permissions for Collaborators | Partially | Yes | No | Invite Collaborators |
|
Supported Content-aware Collaboration (Individual Users and O365 Groups) Use Cases for SharePoint Online/OneDrive
| Content-aware Collaboration Use Cases | Supported |
Near real-time (NRT) DLP Protection |
DLP Policy Ruleset | DLP Policy Response Actions | |
|---|---|---|---|---|---|
| File | Folder | ||||
| Public Shared Links with sensitive content | Yes | Yes | Yes | Shared Link - Public + Content/Metadata rule |
|
| Organization-level Shared Links with sensitive content | Yes | Yes | Yes | Shared Link - Org + Content/Metadata rule |
|
| Permissions for Collaborators on files or folders with sensitive content | Yes | Yes | Yes | Invite Collaborators + Content/Metadata rule |
|
DLP Policy Rules, and Response Actions for the Supported Features in SharePoint Online/OneDrive
| Feature | DLP Policy Rules | DLP Response Actions | Supported |
|---|---|---|---|
| SharePoint (SP) Classification | Content/Metadata rule, Regex, Collaborators + SP Classification, Shared Link + SP Classification |
|
Yes |
| Azure Information Protection (AIP) | Content/Metadata rule, Regex rule, Shared Link, Pure Collaboration, Content-aware Collaboration, Classification (SP, AIP), Content-aware Shared Link |
|
Yes |
| Seclore DRM | Keyword, Metadata, Regex |
|
Yes |
| Manual, Bulk Remediation | Content/Metadata rule, Pure Collaboration, Content-aware Collaboration |
|
Yes |
Known Issues
| Issue Description | Found Version |
|---|---|
|
Skyhigh CASB DLP will not be applied to the following resources created after integrating SharePoint and OneDrive instances using Microsoft Delta API:
This known issue will be addressed in the upcoming releases. |
SSE 6.5.1 |
| The Splash framework uses Microsoft Graph APIs to perform Quarantine remediation actions for files in SharePoint and OneDrive. While the SharePoint Add-in app model moves a specific version of a file containing violating content, the Splash framework moves the entire file. This is because Microsoft Graph APIs do not support moving a specific version of a file. | SSE 6.5.1 |
Frequently Asked Questions
- ► Click here to view the frequently asked questions about migrating from traditional SharePoint Add-in app model to the advanced Delta API model.
-
Q1. What are the drivers for this migration?
A: The objective of the Delta API migration is to onboard all Microsoft Sharepoint and Onedrive customer tenants/instances to the new Delta API Pipeline, which leverages updated Graph APIs from Microsoft.
NOTE: Microsoft is planning to deprecate the SharePoint WebApp Model in April 2026. With this approach, the existing SharePoint and OneDrive NRT DLP functionality will not work. Hence, all Skyhigh customers have to migrate to Delta APIs to maintain continued functionality.
The Delta API framework provides a more reliable experience by reducing any rate-limit issues that are encountered on the legacy APIs.
Q2. What is the deadline for this Migration?
A: Microsoft Sharepoint retires on April 2026. Hence, Skyhigh recommends proceeding with migration by Q4-2025 and moving away from app-based installation.
Q3. What is the scope of this migration?
A: Migrate Microsoft Sharepoint and OneDrive instances for Near Real Time DLP events.
Q4. What benefits are linked to migration?
A: With the new Delta API Pipeline, Skyhigh aims to provide the following benefits:
- Implement near real-time DLP with optimized APIs that minimize rate limit concerns.
- DLP implementation will not require any SharePoint app installations, streamlining your security setup process.
- Delivering performance improvements in executing DLP policies at scale.
- Improved monitoring and error handling by leveraging the latest Microsoft technology stack.
Q5. What capabilities will get moved to Delta APIs as part of this migration?
A: This migration includes the following capabilities on Microsoft Sharepoint and OneDrive:
- Near real-time DLP and response actions.
- Collaboration controls including users, and groups.
- Classification and DRM controls using Microsoft AIP.
For the complete list of feature matrices, see Feature Matrix.
Q6. What features are on the roadmap for Delta API Migration?
A: On-Demand scans are being built on the Delta API framework. This capability will not be impacted by the April 2026 deadline.
Q7. Is there any impact on additional Microsoft services linked to migration?
A: There is no impact on additional Microsoft 365 Services including MS Teams and Exchange.
Q8. What are the steps to migrate Microsoft Sharepoint and Onedrive Instances?
A: Please work with your TAM/CSM and Skyhigh support to help migrate existing Microsoft SP/OD Instances. At a high level, migration includes the following steps:
- Check if the correct API roles and prerequisites are addressed.
- Discover and attach the Subscription of resources on Delta API Pipeline.
- Switch the DLP event processing from Legacy API to Delta API Pipeline.
Q9. Are there any specific prerequisites that customers need to have in place before the migration?
A: The OAuth token should have Graph API role "Sites.ReadWrite.All" with permission type "Application" for both Sharepoint and OneDrive Instances. It applies to Custom OAuth tokens as well. For details, see Skyhigh documentation.