Re-enable API Access for Microsoft Exchange Online
IMPORTANT: Microsoft Exchange Online users are required to migrate to the Microsoft Graph API because the Exchange Web Services (EWS) specifically used for Quarantine will be fully decommissioned by October 1, 2026. For more details, see here. This requires you to set additional permissions for Microsoft Graph API by re-enabling API access for your Microsoft Exchange Online instances in Skyhigh CASB.
WARNING: You must re-enable the API access for Microsoft Exchange Online in Skyhigh CASB if you have received a notification from Skyhigh CASB Support. If you do not re-enable the API access for Microsoft Exchange Online, the Quarantine response action will not work as expected for Exchange Online Email DLP.
Prerequisite
If you use a custom OAuth app to authenticate the API access for Microsoft Exchange Online, ensure that you have set the permissions (User.Read.All, Sites.Read.All, Mail.ReadWrite, Directory.Read.All, MailboxItem.ImportExport.All, and Mail.Send) for Microsoft Graph under Exchange Online API DLP. For details, see Custom OAuth Application for Office 365 and Azure API Integration.
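One way to confirm the prerequisite before you start, as an added example (not Skyhigh or Microsoft code): it compares the Graph permissions granted to a custom OAuth app against the list above and also reports anything granted beyond that list. It assumes the permissions are application permissions with admin consent, that the Microsoft.Graph PowerShell SDK is installed, and that you supply your app's client ID; the function name is hypothetical.

```powershell
# Added example. Requires the Microsoft.Graph PowerShell SDK and a session:
#   Connect-MgGraph -Scopes 'Application.Read.All'
function Test-SkyhighGraphPermissions {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$AppId)   # client ID of your custom OAuth app

    # Permissions listed in the prerequisite on this page.
    $required = 'User.Read.All', 'Sites.Read.All', 'Mail.ReadWrite',
                'Directory.Read.All', 'MailboxItem.ImportExport.All', 'Mail.Send'

    # Microsoft Graph's well-known application ID.
    $graph = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
    $app   = Get-MgServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $app) { throw "No service principal found for appId $AppId" }

    # Assumption: application permissions (app roles) with admin consent.
    # Keep only assignments on Microsoft Graph and resolve each role ID to its name.
    $granted = @(
        Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $app.Id -All |
            Where-Object { $_.ResourceId -eq $graph.Id } |
            ForEach-Object {
                $roleId = $_.AppRoleId
                ($graph.AppRoles | Where-Object { $_.Id -eq $roleId }).Value
            }
    )

    [pscustomobject]@{
        Missing = @($required | Where-Object { $_ -notin $granted })  # must be empty
        Extra   = @($granted  | Where-Object { $_ -notin $required }) # review for least privilege
    }
}
```

An empty Missing list means the app carries every permission named in the prerequisite; entries under Extra are Graph permissions the app holds that this page does not ask for.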
Re-enable API Access
Before disabling the API access, disable the transport rule if you use inline Email DLP and the journal rule if you use Passive Email DLP. This ensures that your emails are not bounced back and that no non-delivery reports are generated while the instances are disabled.
To re-enable API access for Microsoft Exchange Online in Skyhigh CASB, first select a Microsoft Exchange Online instance, then disable API access and enable API access again for that instance in Skyhigh CASB.
Once the API has been re-enabled, the transport/journal rules need to be enabled again.
Disable Mail Flow Rule or Journal Rule
This section details how to disable the Mail flow rule and the Journal rule.
For inline:
- Go to Exchange Admin Center.
- Select Mail flow > Rules.

- Select Skyhigh CASB DLP Rule and toggle the Disable button.

The Mail flow rule is disabled.
For Passive:
- Go to Microsoft Purview Portal.
- Go to Solutions > Data Lifecycle Management > Exchange(Legacy) > Journal rules

- Select the Skyhigh Passive Email DLP journal rule and click Disable.

The Journal rule is disabled.
NOTE: If you have multiple Microsoft Exchange Online instances, re-enable API access for all your Microsoft Exchange Online instances.
You need to re-enable API access if you are using Exchange Online Inline Email DLP, Exchange Online Passive Email DLP, and Exchange Online ODS.
NOTE: If you use a custom OAuth app to authenticate the API access for Microsoft Exchange Online and do not have the private key and self-signed certificate used to enable API access for your tenant, create a self-signed certificate using OpenSSL and upload it to the Azure portal. For details, see Custom OAuth Application for Office 365 and Azure API Integration.
Disable API Access
Before you disable API access for a Microsoft Exchange Online instance, make sure that there are no critical API issues displayed under the Overview tab of the Service Management page for that instance. If the instance has any critical API issues, you must resolve them before re-enabling the API for that instance. Some of the known reasons for critical API issues are:
- If you have Application Access Policies configured that prevent the Skyhigh application from accessing Exchange Online mailboxes, make sure to remove them.
- If there is an issue with your Microsoft Exchange Online account, make sure that the account has the correct subscription and license.

To disable API access for Microsoft Exchange Online:
- In Skyhigh CASB, go to Settings > Service Management.
- Select Microsoft Exchange Online from the list of Services.

- Select the required instance from the list of instances provided by Skyhigh CASB, and click Done.
- Go to the Setup tab and click Disable API.

- On the confirmation popup, click Disable.

API access is now disabled for your Microsoft Exchange Online instance.
Enable API Access
To enable API access for Microsoft Exchange Online:
- Click Enable.

- Select the acceptance checkbox and click Next.

- Click Provide API Credentials.

- Provide API credentials for the Microsoft Exchange Online admin account, and in the Permissions requested dialog, click Accept.
- If you use a multi-tenant OAuth app, select the Microsoft Exchange admin account from the list of admin accounts or enter the credentials of the Microsoft Exchange admin account.

- Click Accept to accept the permissions.

- If you use a custom OAuth app, provide the custom OAuth credentials and click Submit. For details, see Skyhigh CASB API Connection.

- Click Done.

API access is now re-enabled for your Microsoft Exchange Online instance.
Re-enable Mail Flow Rule or Journal Rule
This section details how to enable the Mail flow rule and the Journal rule.
For inline:
- Go to Exchange Admin Center.
- Select Mail flow > Rules.
- Select the Skyhigh CASB DLP Rule and toggle the Enable button.

The Mail flow rule is enabled.
For Passive:
- Go to Microsoft Purview Portal.
- Go to Solutions > Data Lifecycle Management > Exchange(Legacy) > Journal rules

- Select the Skyhigh Passive Email DLP journal rule and click Enable.

The Journal rule is enabled.
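The disable and re-enable steps for the mail flow rule and the journal rule can also be scripted, which lets you confirm that each rule actually reached the intended state before and after the API change. This is an added example, not Skyhigh or Microsoft code; it assumes the ExchangeOnlineManagement module, an existing Connect-ExchangeOnline session, and that the rules carry the names used in the steps above. The function name is hypothetical.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and a session:
#   Connect-ExchangeOnline -UserPrincipalName <admin UPN>
function Set-SkyhighDlpRuleState {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][ValidateSet('Disable', 'Enable')][string]$Action,
        # Assumption: rule names as written on this page; pass your own if they differ.
        [string]$TransportRuleName = 'Skyhigh CASB DLP Rule',
        [string]$JournalRuleName   = 'Skyhigh Passive Email DLP'
    )
    $want    = ($Action -eq 'Enable')
    $results = @()

    # Inline Email DLP: mail flow (transport) rule. Skipped if the rule does not exist.
    if (Get-TransportRule -Identity $TransportRuleName -ErrorAction SilentlyContinue) {
        if ($want) { Enable-TransportRule  -Identity $TransportRuleName -Confirm:$false }
        else       { Disable-TransportRule -Identity $TransportRuleName -Confirm:$false }
        $state = (Get-TransportRule -Identity $TransportRuleName).State
        $results += [pscustomobject]@{
            Rule = $TransportRuleName; Type = 'MailFlow'
            Enabled = ("$state" -eq 'Enabled')
        }
    }

    # Passive Email DLP: journal rule. Skipped if the rule does not exist.
    if (Get-JournalRule -Identity $JournalRuleName -ErrorAction SilentlyContinue) {
        if ($want) { Enable-JournalRule  -Identity $JournalRuleName -Confirm:$false }
        else       { Disable-JournalRule -Identity $JournalRuleName -Confirm:$false }
        $results += [pscustomobject]@{
            Rule = $JournalRuleName; Type = 'Journal'
            Enabled = [bool](Get-JournalRule -Identity $JournalRuleName).Enabled
        }
    }

    # Re-read state and fail loudly if a rule did not reach the requested state.
    $bad = $results | Where-Object { $_.Enabled -ne $want }
    if ($bad) { throw "Rule(s) not in state '$Action': $($bad.Rule -join ', ')" }
    if (-not $results) { Write-Warning 'Neither rule was found; check the rule names.' }
    $results
}

# Before disabling API access in Skyhigh CASB:  Set-SkyhighDlpRuleState -Action Disable
# After API access is re-enabled:               Set-SkyhighDlpRuleState -Action Enable
```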
FAQs
| Question | Answer |
|---|---|
| What happens if the API access for Microsoft Exchange Online is not re-enabled in Skyhigh CASB? | You must re-enable the API access for Microsoft Exchange Online in Skyhigh CASB if you have received a notification from Skyhigh CASB Support. If you do not re-enable the API access for Microsoft Exchange Online, the Quarantine response action will not work as expected for Exchange Online Email DLP. |
| Is there any impact on other Office 365 services such as SharePoint, OneDrive, and Teams? | No |
| Is it necessary to re-enable API access for Microsoft Exchange Online if Outlook is integrated with a global admin account? | Yes |
| Is it necessary to provide permissions if Outlook is integrated with a global admin account? | No |
| Is there a cost to re-enable API access for Microsoft Exchange Online? | No |
| Does the user receive any notifications after the Microsoft Exchange Online instances are migrated to Microsoft Graph API? | No |
| How can users verify the product's functionality after migration? | There are no changes in the product's functionality after migration, and Exchange Online Email DLP continues to function normally. You can verify |
| How to determine if there are any issues after migration? If there is an issue after migration, what are the steps to reverse the changes, and how quickly are the changes reversed? | This feature has been thoroughly tested and in case of any issues, the feature will be quickly disabled from the backend to ensure continued services using the old EWS API. Any issues identified after the migration will be resolved before the old EWS API is decommissioned on October 1, 2026. |
