
Skyhigh Security

Migrate SharePoint and OneDrive NRT DLP Instances to Delta API

Limited Availability: Skyhigh CASB Delta API Migration/Integration for SharePoint Online and OneDrive is a limited availability feature. To migrate existing SharePoint Online and OneDrive instances to the Microsoft Delta API framework or enable Delta APIs for new SharePoint Online and OneDrive instances in your tenant, contact Skyhigh Support.

The SharePoint and OneDrive web app model is set for deprecation by April 2026, which requires a transition to modern API capabilities: the Delta API framework. The Delta API framework uses Microsoft Graph APIs and introduces enhanced Data Loss Prevention (DLP) support for SharePoint Online and OneDrive. This upgrade replaces legacy APIs, reducing rate-limit errors and improving policy enforcement for greater efficiency and scalability.

Key Benefits of the Delta API
  • Minimal Rate-Limit Constraints. Reduces rate-limit errors, ensuring responsive and efficient policy enforcement.
  • Seamless DLP Deployment. Enables direct integration without requiring additional SharePoint app installations.
  • Optimized Policy Execution. Enhances DLP policy performance, improving accuracy and efficiency.
  • Granular API Traffic Management. Offers precise control over data access and security policies for improved scalability.
  • Future-Ready Compatibility. Ensures seamless operation in modern SaaS environments through Microsoft Graph API integration.

Migrate Existing Microsoft SharePoint and OneDrive

If you have configured the OAuth application with the Microsoft Graph API scope Sites.ReadWrite.All using the Application permission type, you can skip the following steps and contact Skyhigh Support to migrate existing Microsoft SharePoint Online and OneDrive NRT DLP Instances to Delta API Framework.

Perform the following steps to configure the OAuth application:

  1. Disable the existing instances of SharePoint Online and OneDrive.
  2. Enable Delta APIs for Microsoft SharePoint Online and OneDrive in Skyhigh CASB using the following two authorization methods:
       • Configure Global OAuth: Contact Skyhigh Support to enable Delta API using Global OAuth.
       • Configure Custom OAuth: Follow the steps below to enable Delta APIs:
           1. Configure the OAuth application with the Microsoft Graph API scope Sites.ReadWrite.All using the Application permission type.
           2. Configure an Application Registration in the Azure Portal. For details, see Custom oAuth Application for Office 365 and Azure API Integration.
           3. Contact Skyhigh Support to enable Delta API access for SharePoint Online and OneDrive.

The Skyhigh Security team will discover and attach the subscription of resources on the Delta API pipeline and then switch DLP event processing from the legacy API to the Delta API pipeline.

Disable/Roll Back Delta API Access for SharePoint Online and OneDrive

  • Disable Delta API access for SharePoint Online and OneDrive: To disable Delta API access for new SharePoint Online and OneDrive instances integrated with Skyhigh CASB, contact Skyhigh Support.
  • Roll back Delta API access for SharePoint Online and OneDrive: To roll back Skyhigh CASB API integration for existing SharePoint Online and OneDrive instances from the Microsoft Delta API model to the SharePoint Add-in app model, contact Skyhigh Support.

NOTE: Once you have successfully disabled Delta API access for new SharePoint Online and OneDrive instances, NRT DLP protection is also disabled for your SharePoint Online and OneDrive instances.

 

IMPORTANT: 

  • Make sure you do not re-enable Delta API access for a Skyhigh CASB tenant using a different Microsoft account than the account currently linked to the tenant, as this affects the collection of DLP events for discovered resources in SharePoint Online and OneDrive for the Skyhigh CASB tenant.
  • To re-enable Delta API access for new SharePoint Online and OneDrive instances, you can create a new SharePoint Online and OneDrive instance using a new Microsoft account in Skyhigh CASB.

Feature Matrix

Skyhigh CASB Delta API integration for SharePoint Online and OneDrive supports various Data Loss Prevention (DLP) policy rules and collaboration use cases. You can create DLP policies to identify sensitive content shared in files or folders within SharePoint Online and OneDrive. Additionally, these policies allow you to take remediation actions on any sensitive content that is uploaded to SharePoint Online and OneDrive.

► Supported DLP Policy Rules and Response Actions in SharePoint Online and OneDrive.

| DLP Policy Rules | DLP Response Actions | Supported |
|---|---|---|
| Data Identifier | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |
| File Name | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |
| File Path/Folder ID | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |
| File Size | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |
| File Type | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |
| Keywords | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |
| Regular Expression | Create an Incident; Quarantine; Delete; User Email Notification; Send Email Notification | Yes |

► Supported Pure Collaboration (individual users and O365 groups) use cases for SharePoint Online and OneDrive.

| Pure Collaboration Use Cases | Supported | Near real-time (NRT) DLP Protection: File | Near real-time (NRT) DLP Protection: Folder | DLP Policy Ruleset | DLP Policy Response Actions |
|---|---|---|---|---|---|
| Public Shared Links | Partially | Yes | No | Shared Link - Public | Create an Incident; Remove Link; User Email Notification; Send Email Notification |
| Organization-level Shared Links | Partially | Yes | No | Shared Link - Org | Create an Incident; Remove Link; User Email Notification; Send Email Notification |
| Permissions for Collaborators | Partially | Yes | No | Invite Collaborators | Create an Incident; Revoke Sharing for; User Email Notification; Send Email Notification |

► Supported Content-aware Collaboration (individual users and O365 groups) use cases for SharePoint Online and OneDrive.

| Content-aware Collaboration Use Cases | Supported | Near real-time (NRT) DLP Protection: File | Near real-time (NRT) DLP Protection: Folder | DLP Policy Ruleset | DLP Policy Response Actions |
|---|---|---|---|---|---|
| Public Shared Links with sensitive content | Yes | Yes | Yes | Shared Link - Public + Content/Metadata rule | Create an Incident; Quarantine; Delete; Remove Link; User Email Notification; Send Email Notification |
| Organization-level Shared Links with sensitive content | Yes | Yes | Yes | Shared Link - Org + Content/Metadata rule | Create an Incident; Quarantine; Delete; Remove Link; User Email Notification; Send Email Notification |
| Permissions for Collaborators on files or folders with sensitive content | Yes | Yes | Yes | Invite Collaborators + Content/Metadata rule | Create an Incident; Quarantine; Delete; Revoke Sharing for; User Email Notification; Send Email Notification |

► DLP Policy Rules and Response Actions for the supported features in SharePoint Online and OneDrive.

| Feature | DLP Policy Rules | DLP Response Actions | Supported |
|---|---|---|---|
| SharePoint (SP) Classification | Content/Metadata rule, Regex, Collaborators + SP Classification, Shared Link + SP Classification | Incident; Apply SharePoint Classification; Revoke Collaboration; Remove Link | Yes |
| Azure Information Protection (AIP) | Content/Metadata rule, Regex rule, Shared Link, Pure Collaboration, Content-aware Collaboration, Classification (SP, AIP), Content-aware Shared Link | Incident; Apply AIP; Quarantine; Delete | Yes |
| Seclore DRM | Keyword, Metadata, Regex | Apply DRM | Yes |
| Manual, Bulk Remediation | Content/Metadata rule, Pure Collaboration, Content-aware Collaboration | Quarantine; Delete; Quarantine Restore; Quarantine Delete; Remove Shared Link; Revoke Collaboration; User Email Notification; Send Email Notification | Yes |


Frequently Asked Questions

►  FAQs about migrating from traditional SharePoint Add-in app model to the advanced Delta API model.

Q1. What are the drivers for this migration?

A: The objective of the Delta API migration is to onboard all Microsoft SharePoint and OneDrive customer tenants/instances to the new Delta API Pipeline, which leverages updated Graph APIs from Microsoft.

NOTE: Microsoft is planning to deprecate the SharePoint WebApp Model in April 2026. Once that happens, the existing SharePoint and OneDrive NRT DLP functionality will not work. Hence, all Skyhigh customers have to migrate to Delta APIs to maintain continued functionality.

 

The Delta API framework provides a more reliable experience by reducing any rate-limit issues that are encountered on the legacy APIs.

 

Q2. What is the deadline for this Migration?

A: Microsoft SharePoint retires in April 2026. Hence, Skyhigh recommends proceeding with migration by Q4-2025 and moving away from app-based installation.

 

Q3. What is the scope of this migration?

A: Migrate Microsoft SharePoint and OneDrive instances for Near Real Time DLP events.

 

Q4. What benefits are linked to migration?

A: With the new Delta API Pipeline, Skyhigh aims to provide the following benefits:

  • Implement near real-time DLP with optimized APIs that minimize rate limit concerns.
  • Remove the need for any SharePoint app installations in the DLP implementation, streamlining your security setup process.
  • Deliver performance improvements in executing DLP policies at scale.
  • Improve monitoring and error handling by leveraging the latest Microsoft technology stack.


Q5. What capabilities will get moved to Delta APIs as part of this migration?

A: This migration includes the following capabilities on Microsoft SharePoint and OneDrive:

  • Near real-time DLP and response actions.
  • Collaboration controls, including users and groups.
  • Classification and DRM controls using Microsoft AIP.

For the complete list of feature matrices, see Feature Matrix.

 

Q6. What features are on the roadmap for Delta API Migration?

A: On-Demand scans are being built on the Delta API framework. This capability will not be impacted by the April 2026 deadline.

 

Q7. Is there any impact on additional Microsoft services linked to migration?

A: There is no impact on additional Microsoft 365 Services including MS Teams and Exchange.

 

Q8. Is there any downtime expected during this Migration?

A: Yes. We expect to see a few minutes of downtime for specific customers requiring a change in their application scopes while disabling and re-enabling the API.

 

Q9. Are there any specific prerequisites that customers need to have in place before the migration?

A: The OAuth token should have the Graph API role "Sites.ReadWrite.All" with permission type "Application" for both SharePoint and OneDrive instances. This applies to Custom OAuth tokens as well. For details, see Skyhigh documentation.
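
A way to confirm the prerequisite stated in Q9 and in step 1 of the Custom OAuth procedure, as an added example that is not Skyhigh or Microsoft code: Microsoft Entra ID places Application permissions in an access token's `roles` claim and delegated permissions in `scp`, so decoding the payload shows which permission type was actually granted. The helper names and both sample tokens are constructed for illustration.

```python
import base64
import json

REQUIRED_ROLE = "Sites.ReadWrite.All"  # prerequisite named on this page


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(padded))  # ValueError if malformed
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims


def check_delta_api_prereq(token: str) -> dict:
    """Report whether the token carries Sites.ReadWrite.All as an Application permission."""
    claims = decode_claims(token)
    roles = claims.get("roles") or []            # application permissions (app-only token)
    scopes = (claims.get("scp") or "").split()   # delegated permissions (user token)
    return {
        "has_application_role": REQUIRED_ROLE in roles,
        "delegated_only": REQUIRED_ROLE in scopes and REQUIRED_ROLE not in roles,
        "other_roles": sorted(set(roles) - {REQUIRED_ROLE}),  # review for least privilege
    }


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "constructed"])


# Constructed samples, not real tokens.
APP_TOKEN = make_sample_token({"roles": ["Sites.ReadWrite.All", "User.Read.All"]})
DELEGATED_TOKEN = make_sample_token({"scp": "Sites.ReadWrite.All User.Read"})

if __name__ == "__main__":
    for name, tok in (("app-only", APP_TOKEN), ("delegated", DELEGATED_TOKEN)):
        print(name, check_delta_api_prereq(tok))
```

A token that reports `delegated_only` was issued for the wrong permission type and does not meet the prerequisite; anything listed under `other_roles` is additional tenant-wide access worth reviewing before the integration is enabled.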