Migrate SharePoint and OneDrive NRT DLP Instances to Delta API

Key Benefits of the Delta API

Minimal Rate-Limit Constraints. Reduces rate-limit errors, ensuring responsive and efficient policy enforcement.
Seamless DLP Deployment. Enables direct integration without requiring additional SharePoint app installations.
Optimized Policy Execution. Enhances DLP policy performance, improving accuracy and efficiency.
Granular API Traffic Management. Offers precise control over data access and security policies for improved scalability.
Future-Ready Compatibility. Ensures seamless operation in modern SaaS environments through Microsoft Graph API integration.

Additionally, Microsoft has announced that the web app model will be deprecated by April 2026. After this date, the existing APIs that provide near real-time DLP will no longer function. The migration to the Delta API will ensure that your security controls for SharePoint and OneDrive continue to operate smoothly without any interruptions.

Stay Tuned for the Migration Update

Watch for communication from Skyhigh Security regarding your migration timelines. Follow the instructions in this communication to complete the migration of your SharePoint and OneDrive instances. If you have questions, reach out to your Skyhigh Representative.

Capabilities Scheduled for Migration

This migration includes the following capabilities on Microsoft SharePoint and OneDrive:

Near real-time DLP and response actions.
Collaboration controls, including users and groups.
Classification and DRM controls using Microsoft AIP.

For the complete list of feature matrices, see Feature Matrix.

Impact and Downtime

This migration will not affect your existing DLP or collaboration policies. We are transferring all functionality to the new API framework, which performs the same functions more efficiently and streamlines processes.
In addition to the Delta API migration, we are also planning to migrate selected customers to Delta API enabled POPs.
The migration is only for Microsoft SharePoint and OneDrive instances and does not impact other cloud services, including Microsoft Teams and Exchange.
While we do not anticipate any downtime during this migration, you may notice a delay of a few minutes in the DLP event processing.

Prerequisite

Skyhigh's integration with SharePoint and OneDrive must have access to the Microsoft Graph API scope Sites.ReadWrite.All.

Migrate Delta APIs

You can enable Delta API access for SharePoint and OneDrive using two API integration methods and the necessary application scopes. Based on your selected OAuth application (as mentioned below) during the initial API enablement, perform the required actions:

Global OAuth
Custom OAuth

Global OAuth

Follow the steps below to enable Delta API access for SharePoint and OneDrive:

Disable the API Access for Existing SharePoint and OneDrive Instances Identified for Migration

► Follow the steps to disable API access for the existing SharePoint Online and OneDrive instances.

From the Settings > Service Management, select the SharePoint or OneDrive service.
Select one of the active instances identified for migration. For details about the instance ID and tenant ID, see Skyhigh CASB Instance ID and Tenant ID.
On the Overview tab, note the Integration Account and Resource Admin details.
Select Setup.
Click Disable API to disable the selected instance. Repeat the above steps to disable the active instances of SharePoint and OneDrive services identified for migration.

Restore API Access to SharePoint and OneDrive Instances Disabled for Migration

► Follow the steps to enable API access for the existing SharePoint Online and OneDrive instances.

In Skyhigh CASB, go to Settings > Service Management.
Select one of the disabled SharePoint Online or OneDrive instances from the list of Services.
Go to the Setup tab, and click Enable.
On the Review Prerequisites page, review the mandatory prerequisites.
Activate the checkbox to confirm that you have completed the prerequisites.
Click Next.
Click Provide API Credentials.
- For SharePoint Online, enter the API credentials for your SharePoint Online instance.
Enter your Office 365 global admin account credentials to authorize the API connection.

API access is now enabled for the selected instance in Skyhigh CASB. Repeat the above steps to enable API access for other disabled instances of SharePoint and OneDrive.

Custom OAuth

Follow the steps to enable Delta API access for the existing SharePoint and OneDrive instances:

Log in to the Azure portal at https://portal.azure.com/.
Update the initially created OAuth application to include the Microsoft Graph API scope Sites.ReadWrite.All using the Application permission type. For details, see Custom OAuth Application for Office 365 and Azure API Integration.
Disable API access for existing SharePoint and OneDrive instances identified for migration.
Re-enable API access to SharePoint and OneDrive instances disabled for migration.

Delta API Migration (Handled by Skyhigh Support Team)

After the SharePoint and OneDrive APIs are enabled with the required scopes, the tenant is ready for the Delta API Migration. The Skyhigh team will perform the following steps in an automated workflow to complete the Delta API migration process:

Validation. Ensure that the access tokens have the required permissions available for migration.
Discovery. Discover SharePoint and OneDrive resources that need to be migrated to the Delta API.
Switch. Pivot event processing from legacy APIs to Delta APIs.
Post-check. Ensure migration has been completed and that tenant health metrics are accurate.

Additional Resources

Feature Matrix

Skyhigh CASB Delta API integration for SharePoint Online and OneDrive supports various Data Loss Prevention (DLP) policy rules and collaboration use cases. You can create DLP policies to identify sensitive content shared in files or folders within SharePoint Online and OneDrive. Additionally, these policies allow you to take remediation actions on any sensitive content that is uploaded to SharePoint Online and OneDrive.

► Supported DLP Policy Rules and Response Actions in SharePoint Online and OneDrive.

DLP Policy Rules	DLP Response Actions	Supported
Data Identifier	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes
File Name	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes
File Path/Folder ID	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes
File Size	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes
File Type	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes
Keywords	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes
Regular Expression	Create an Incident Quarantine Delete User Email Notification Send Email Notification	Yes

► Supported Pure Collaboration (individual users and O365 groups) use cases for SharePoint Online and OneDrive.

Pure Collaboration Use Cases	Supported	Near real-time (NRT) DLP Protection		DLP Policy Ruleset	DLP Policy Response Actions
		File	Folder
Public Shared Links	Partially	Yes	No	Shared Link - Public	Create an Incident Remove Link User Email Notification Send Email Notification
Organization-level Shared Links	Partially	Yes	No	Shared Link - Org	Create an Incident Remove Link User Email Notification Send Email Notification
Permissions for Collaborators	Partially	Yes	No	Invite Collaborators	Create an Incident Revoke Sharing for User Email Notification Send Email Notification

► Supported Content-aware Collaboration (individual users and O365 groups) use cases for SharePoint Online and OneDrive.

Content-aware Collaboration Use Cases	Supported	Near real-time (NRT) DLP Protection		DLP Policy Ruleset	DLP Policy Response Actions
		File	Folder
Public Shared Links with sensitive content	Yes	Yes	Yes	Shared Link - Public + Content/Metadata rule	Create an Incident Quarantine Delete Remove Link User Email Notification Send Email Notification
Organization-level Shared Links with sensitive content	Yes	Yes	Yes	Shared Link - Org + Content/Metadata rule	Create an Incident Quarantine Delete Remove Link User Email Notification Send Email Notification
Permissions for Collaborators on files or folders with sensitive content	Yes	Yes	Yes	Invite Collaborators + Content/Metadata rule	Create an Incident Quarantine Delete Revoke Sharing for User Email Notification Send Email Notification

► DLP Policy Rules and Response Actions for the supported features in SharePoint Online and OneDrive.

Feature	DLP Policy Rules	DLP Response Actions	Supported
SharePoint (SP) Classification	Content/Metadata rule, Regex, Collaborators + SP Classification, Shared Link + SP Classification	Incident Apply SharePoint Classification Revoke Collaboration Remove Link	Yes
Azure Information Protection (AIP)	Content/Metadata rule, Regex rule, Shared Link, Pure Collaboration, Content-aware Collaboration, Classification (SP, AIP), Content-aware Shared Link	Incident Apply AIP Quarantine Delete	Yes
Seclore DRM	Keyword, Metadata, Regex	Apply DRM	Yes
Manual, Bulk Remediation	Content/Metadata rule, Pure Collaboration, Content-aware Collaboration	Quarantine Delete Quarantine Restore Quarantine Delete Remove Shared Link Revoke Collaboration User Email Notification Send Email Notification	Yes

Frequently Asked Questions

► FAQs about migrating from the traditional SharePoint Add-in app model to the advanced Delta API model.

►

Click here to view the Frequently Asked Questions about migrating to Delta API from app-based installation.

Q1. What are the drivers for this migration?

A: The objective of the Delta API migration is to onboard all Microsoft SharePoint and OneDrive customer tenants/instances to the new Delta API Pipeline, which leverages updated Graph APIs from Microsoft.

NOTE: Microsoft is planning to deprecate the SharePoint Web App Model in April 2026. With this approach, the existing SharePoint and OneDrive NRT DLP functionality will not work. Hence, all Skyhigh customers have to migrate to Delta APIs to maintain continued functionality.

The Delta API framework provides a more reliable experience by reducing any rate-limit issues that are encountered on the legacy APIs.

Q2. What is the deadline for this Migration?

A: Microsoft SharePoint retires in April 2026. Hence, Skyhigh recommends proceeding with migration by Q4-2025 and moving away from app-based installation.

Q3. What is the scope of this migration?

A: Migrate Microsoft SharePoint and OneDrive instances for Near Real Time DLP events.

Q4. What benefits are linked to migration?

A: With the new Delta API Pipeline, Skyhigh aims to provide the following benefits:

Implement near real-time DLP with optimized APIs that minimize rate limit concerns.
DLP implementation will not require any SharePoint app installations, streamlining your security setup process.
Delivering performance improvements in executing DLP policies at scale.
Improved monitoring and error handling by leveraging the latest Microsoft technology stack.

Q5. What capabilities will get moved to Delta APIs as part of this migration?

A: This migration includes the following capabilities on Microsoft SharePoint and OneDrive:

Near real-time DLP and response actions.
Collaboration controls including users, and groups.
Classification and DRM controls using Microsoft AIP.

For the complete list of feature matrices, see Feature Matrix.

Q6. What features are on the roadmap for Delta API Migration?

A: On-Demand scans are being built on the Delta API framework. This capability will not be impacted by the April 2026 deadline.

Q7. Is there any impact on additional Microsoft services linked to migration?

A: There is no impact on additional Microsoft 365 Services, including MS Teams and Exchange.

Q8. Is there any downtime expected during this Migration?

A: Yes. We expect to see a few minutes of downtime for specific customers requiring a change in their application scopes while disabling and re-enabling the API.

Q9. Are there any specific prerequisites that customers need to have in place before the migration?

A: The OAuth token should have Graph API Sites.ReadWrite.All role with permission type Application for both SharePoint and OneDrive Instances. It applies to Custom OAuth tokens as well. For details, see Skyhigh documentation.

Q10. Is Lightning Link a candidate for migration?

A: No. Push Notifications, a core component of Lightning Link (LL) will not work in the Delta API pipeline due to limitations in the Microsoft Graph API model. This Lightning link feature will continue to operate as expected in the Legacy API until April 2026.

Q11. I am using SharePoint, OneDrive, and Lightning Link. What would be the migration strategy to the Delta API pipeline?

A: We will migrate all OneDrive and SharePoint customers to the Delta API pipeline. Lightning Link will continue to work in the Legacy API pipeline.

Q12. What is the implication of SharePoint Web App deprecation on Lightning Link?

A: Post April 2026, the Lightning Link will cease to work once SharePoint Web App is deprecated. Lightning Link will reach its End of Support (EOS) in April 2026.