Skip to main content

Netskope Help

Configure Microsoft Office 365 SharePoint Sites for API Data Protection

To configure Microsoft Office 365 SharePoint for API Data Protection, you need to install the Netskope Introspection v2 app to access your Microsoft Office 365 account, and then create a Microsoft Office 365 SharePoint app instance in the Netskope UI.

Important

If your Microsoft Office 365 SharePoint Sites has Require check out of files enabled, see Require Check Out of Files.

There are three parts to this procedure:

  • Remove the Netskope Introspection v1 app.

    Important

    This procedure is applicable to customers who have installed the Netskope Introspection v1 app. Skip this procedure if you have not installed the v1 app.

  • Add the Netskope Introspection v2 app in your Office 365 SharePoint admin account.

  • Configure Netskope to access your Microsoft Office 365 SharePoint app.

Important

Throughout this article, you will be prompted to enter your Office 365 credentials. Netskope does not store your Office 365 credentials. The credentials are used for creating OAuth tokens. Netskope only stores these tokens and not the actual credentials.

Prerequisites

To grant Office 365 access for audit logs, the following prerequisites must be met:

  • A global administrator account is required to grant access to Netskope. Post-grant, this account is not required.

    Note

    The way permissions work in Azure/Office 365 is that Netskope requires an administrator to grant enough privileges for Netskope to perform specific actions. Note that the Netskope app does not receive global admin permissions. It only receives permissions for the scope Netskope requests.

    In particular, the global admin is the only user that can delegate access for application-level permission (as opposed to user level permissions). You can find additional Microsoft documentation on how all these work here. Furthermore, global admin credential is required for Graph and Office 365 Management APIs. Post-grant, Netskope is independent of the granting account for policy processing.

  • You must turn on audit logging in Microsoft 365 admin center. To enable audit logging, log in to https://compliance.microsoft.com/, then on the left navigation, click Audit. If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity. Click the Start recording user and admin activity banner. It may take up to 60 minutes for the change to take effect.

    Note

    If you do not see this link, auditing has already been turned on for your organization. After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this once. For additional information, read this support article on the Microsoft site.

Adding the Netskope Introspection v2 app to your SharePoint admin account has these requirements:

  • Installation of the Netskope Introspection v2 app in your Office 365 SharePoint admin account requires the global administrator role in Office 365. For additional details, to assign admin roles in Office 365, refer to this Microsoft Office 365 document.

  • The admin account used to upload the Netskope Introspection v2 app must be added to the Site Collection Administrator.

  • It is important to note that although the Netskope Introspection v2 app is installed through the SharePoint store, the Netskope Introspection v2 app instructions apply to OneDrive and SharePoint apps.

  • In a multi-geo setup, if you intend to monitor a single location, you should install the Netskope Introspection v2 app in that location.

  • The Netskope Introspection v2.0 app requires the following scopes for it to be installed in the Office 365 account:

    Scope

    Description

    Permission

    Social

    To retrieve user profiles.

    Full control

    Tenancy

    The tenancy where the add-in is installed. Includes all children of this scope.

    Full control

    Site collection

    The site collection where the add-in is installed. Includes all children of this scope.

    Full control

    Website

    The website where the add-in is installed. Includes all children of this scope.

    Manage

    List

    List on the website where the add-in is installed.

    Manage

  • The Netskope Introspection v2.0 app requires the following permission privileges:

    Permission Request

    Description

    Permission Included

    Read-only

    Enables apps to view pages, list items, and download documents.

    • View items

    • Open items

    • View versions

    • Create alerts

    • Use self-service site creation

    • View pages

    Write

    Enables apps to view, add, update, and delete items in existing lists and document libraries.

    • Read-only permissions, and:

      • Add items

      • Edit items

      • Delete items

      • Delete versions

      • Browse directories

      • Edit personal user information

      • Manage personal views

      • Add/remove personal web parts

      • Update personal web parts

    Manage

    Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.

    • Write permissions, and:

      • Manage lists

      • Apply themes and borders

      • Apply style sheets

    Full control

    Enables apps to have full control within the specified scope.

    All permissions

Require Check Out of Files

Latest update on Microsoft Office 365 SharePoint's Require check out of files - If this setting is enabled on a SharePoint site, Netskope API Data Protection can quarantine the file but fails to overwrite the original file with a tombstone file. To gracefully handle this kind of a scenario, API Data Protection now provides administrators to identify such files within Incidents and Alerts UI pages. Following two changes are added in the Netskope tenant UI:

  • Under Incidents > DLP, when you click an incident, the UI displays a new tombstone failure message.

    API-Data-Protection_Incident-DLP_New-Tombstone-Msg.png
  • Under Skope IT > EVENTS > Alerts, a new alert type Tombstone Failed is introduced for quarantine action.

    API-Data-Protection_Skope-IT-Alerts_Tombstone-Failed.png