3rd Party App Limitations

3rd Party App Limitations

This article outlines the third-party app limitations that could affect the functionality of Next Generation API Data Protection.

Microsoft 365 Apps

Impacted ApplicationLimitationReason

  • Microsoft 365 OneDrive

  • Microsoft 365 SharePoint

    Impact of Microsoft 365 SharePoint setting - Allow only users in specific security groups to share externally

    Thumbnail

    When this setting is enabled on a SharePoint tenant, Microsoft omits the public sharing link from the Graph API response to Netskope. As a result, Netskope is unable to accurately assess exposure. Additionally, the policy action cannot remove external sharing from a document while this setting is enabled.
    Microsoft Graph API limitation
    Microsoft 365 SharePointThrottling issues of SharePoint tenants with large number of sub-sites

    Microsoft 365 SharePoint uses “listener processes”, called event receivers, to collect events when a client application registers for event notifications. These event receivers run and consume resources in customer's Microsoft 365 SharePoint environment.

    Microsoft Graph API generates a far larger number of event receivers than the older Microsoft 365 SharePoint APIs.

    To prevent excessive resource consumption due to the number of event receivers, Microsoft has introduced a hard limit at 2000 libraries per site.

    This could cause throttling issues for Microsoft 365 SharePoint tenants that exceed this 2000 libraries per site limit.
    Microsoft Graph API limitation
    Microsoft 365 SharePointLimitation while computing ‘Site’ exposure

    Microsoft Graph APIs do not provide sharing information at the site level. Consequently, Next Generation API Data Protection calculates exposure only for drives and drive items, but not for sites.

    Sites in a Microsoft 365 SharePoint instance will still appear in the Next Generation API Data Protection inventory, with their 'Exposure' status always set to 'Owner.'
    Microsoft Graph API limitation
    Microsoft 365 SharePointMicrosoft 365 SharePoint site collection-specific group

    Microsoft Graph APIs do not provide the list of members for site collection-specific groups in Microsoft 365 SharePoint. As a result, Next Generation API Data Protection cannot enumerate the members of these groups to calculate exposure. However, this limitation does not impact other groups, such as M365 groups.
    Microsoft Graph API limitation

    • Microsoft 365 OneDrive

    • Microsoft 365 SharePoint

      No support for OneNote files

      DLP and malware scanning are not supported for OneNote files because Microsoft Graph APIs do not provide download URLs for them. As a result, Netskope cannot scan OneNote files for DLP or threat protection on Microsoft 365 OneDrive and SharePoint.
      Microsoft Graph API limitation
      Microsoft 365 SharePointNo support for SharePoint Lists

      While exposure information for folders and files (drives/driveItems) can be retrieved via the Microsoft Graph API, metadata for SharePoint lists is not accessible. As a result, Next Generation API Data Protection for Microsoft 365 SharePoint does not support SharePoint lists.
      Microsoft Graph API limitation
      Microsoft 365 SharePointHub visitor groups in Microsoft 365 SharePoint

      Since 'Hub visitors' are simply another type of Microsoft 365 SharePoint group, their information is not accessible through Microsoft Graph APIs.
      Microsoft Graph API limitation

      • Microsoft 365 OneDrive

      • Microsoft 365 SharePoint

        Adding/Removing ‘Owner’ level access from files/folders

        "Site Collection Administrators" will maintain 'Owner' access to files and folders, and this cannot be changed using Microsoft Graph APIs.
        Microsoft Graph API limitation

        • Microsoft 365 OneDrive

        • Microsoft 365 SharePoint

          Limitation regarding ‘Deleted Groups’

          When a file is shared with a group that is later deleted, the Microsoft Graph API will still indicate that the file is shared with that group. Additionally, any members who were part of the group prior to its deletion will retain access to the file.

          Due to this limitation, during onboarding or provisioning, Netskope has no effective means to assess the exposure of files shared with groups that were deleted before the Microsoft account was connected. Consequently, these files will appear on the Next Generation API Data Protection Inventory page with an EXPOSURE status of UNSPECIFIED. As a result, no alerts will be generated, and no policy actions will be applied to these files.

          To resolve this issue, customers are advised to remove the deleted groups from the permission list of affected files. Once this is completed, Netskope will be able to accurately calculate exposure and enforce policy actions for those files.
          Microsoft Graph API limitation
          Microsoft 365 SharePointNo support for Microsoft 365 SharePoint sites created by Microsoft Loop

          As Microsoft Loop is still in public preview, the necessary permissions are not publicly documented. Consequently, when Netskope encounters this type of 'site' during provisioning, it will provision the site but not its subsites, drives, or drive items.
          Microsoft Loop limitation

          • Microsoft 365 OneDrive

          • Microsoft 365 SharePoint

            Limitations in Multi-Geo Support

            Due to limitations in the underlying Microsoft Graph API, Netskope cannot monitor or receive files or changes from non-primary geos in a multi-geo Microsoft 365 account.
            Microsoft Graph API limitation
            Microsoft 365 TeamsReal-time membership tracking in channel meetings

            For channel meetings initiated via 'Meet Now,' the Microsoft Graph API does not send webhooks while the meeting is in progress. As a result, Netskope cannot track changes in channel meeting membership during the live meeting. However, once the meeting concludes and the chat is posted in the channel, normal policy processing will resume, as Netskope will then receive webhooks for membership and data changes from Microsoft.
            Microsoft Graph API limitation
            Share this Doc

            3rd Party App Limitations

            Or copy link

            In this topic ...