Skip to main content

Netskope Help

Configure Microsoft 365 OneDrive for the Next Generation API Data Protection

Important

* Microsoft 365 OneDrive (commercial) and SharePoint (commercial) apps are now available on the Next Generation API Data Protection platform. Please note the following important points:

  • If you currently use the classic version of Microsoft 365 OneDrive and SharePoint apps, no action required. You should continue to use the classic version that you use today. Netskope will notify you via a banner message on the Netskope tenant UI when you can switch over to the Next Generation apps.

  • If you currently do not use the classic version of Microsoft 365 OneDrive and SharePoint apps, Netskope will make these apps available to you in phases. To check if these apps are available on your Netskope tenant, follow the instruction below:

    1. Log in to your Netskope tenant and navigate to Settings > API-enabled Protection > SaaS > Next Gen.

    2. Locate the OneDrive or SharePoint apps from the list.

    3. For OneDrive & SharePoint, click either of the apps, then click the SETUP <app name> INSTANCE button. Under the Office 365 Environment drop-down, if you see Commercial, you are eligible to configure the app on the Next Generation API Data Protection platform.

    If you do not see the apps, stay tuned, the apps will be made available in due course. In the meanwhile, you can continue to set up these apps available under Settings > API-enabled Protection > SaaS > Classic.

To configure Microsoft 365 OneDrive (Commercial & GCC High) for the Next Generation API Data Protection, follow the instructions below.

Prerequisites

Before configuring Microsoft 365 OneDrive (Commercial & GCC High) for the Next Generation API Data Protection, review the prerequisite.

  • A global administrator account is required to grant access to Netskope. Post-grant, you can either delete or downgrade this account.

    Note

    The way permissions work in Azure/Office 365 is that Netskope requires an administrator to grant enough privileges for Netskope to perform specific actions. Note that the Netskope app does not receive global admin permissions. It only receives permissions for the scope Netskope requests.

  • You must turn on audit logging in Microsoft 365 admin center. To enable audit logging, follow the steps below:

    1. Log in to https://compliance.microsoft.com/.

    2. On the left navigation, click Audit.

      If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity.

      Figure 16. Enable Audit Logging in Microsoft 365 Admin Center
      Enable Audit Logging in Microsoft 365 Admin Center


    3. Click the Start recording user and admin activity banner.

      Note

      • It may take up to 60 minutes for the change to take effect.

      • After enabling, the first application event contents can take up to 12 hours to show up in Skope IT.

Configure Netskope to Access your Microsoft 365 OneDrive Account

To authorize Netskope to access your Microsoft 365 OneDrive account, follow the steps below:

  1. Log in to the Netskope tenant UI: https://<tenant hostname>.goskope.com and go to Settings > API-enabled Protection > SaaS > Next Gen.

  2. Under Apps, select OneDrive and click Setup OneDrive Instance.

    The Setup Instance window opens.

  3. Under Office 365 Environment, select either GCC High or Commercial and then Grant Access.

    Note

    GCC High is designed for U.S. federal, state, and local government customers.

    The Microsoft Login window opens.

  4. Enter the global administrator username and password.

  5. Keep Consent on behalf of your organization unchecked and Accept the permissions.

    Figure 17. GCC High
    GCC High
    Figure 18. Commercial
    GCC High




    Note

    The Netskope CASB API for OneDrive [GCC High] app now require you to allow the Have full control of all site collections permission. This permission replaces the earlier Read items in all site collections permission. The new permission now allows the following:

    • Policy actions: Allows Netskope to revoke permissions from files that have violated a policy.

    • Activity scan: Allows Netskope to get notifications of the latest and most accurate permission updates for files & folders from the Microsoft Graph API.

    The Netskope CASB API app is installed in Azure AD with additional permissions once you grant access to the Microsoft 365 OneDrive app.

  6. After accepting the permissions, you will be redirected to the successful result page. Click Close.

Refresh your browser, and you should see a green check icon next to the instance name.

Note

To identify if the SaaS app instance is GCC High or commercial, a GCC High app instance name will be suffixed by .us.

Post grant, you can either delete or downgrade the global administrator account. To know more: Delete or Downgrade the Global Administrator Account.

Next, you can can view the Next Generation API Data Protection Inventory page to get deep insights on various entities on your Microsoft 365 OneDrive account. For more information on the Inventory page, see Next Generation API Data Protection Inventory.

Note

The Inventory page may display entities for the Microsoft 365 OneDrive GCC High version. However, this is still in beta stage.

You can receive audit events and standard user behavior analytic alerts in Skope IT. To know more: Next Generation API Data Protection Skope IT Events.

Next, you should configure a Next Generation API Data Protection policy. To do so, see Next Generation API Data Protection Policy Wizard.