Configure Microsoft Office 365 SharePoint Sites for API Data Protection
Configure Microsoft Office 365 SharePoint Sites for API Data Protection
To configure Microsoft Office 365 SharePoint for API Data Protection, you need to install the Netskope Introspection v2 app to access your Microsoft Office 365 account, and then create a Microsoft Office 365 SharePoint app instance in the Netskope UI.
Important
If your Microsoft Office 365 SharePoint Sites has Require check out of files enabled, see Require Check Out of Files.
There are three parts to this procedure:
- Remove the Netskope Introspection v1 or v2.0.0.1 app.
Important
This procedure is applicable to customers who have installed the Netskope Introspection v1 or v2.0.0.1 app. Skip this procedure if you have not installed the v1 or v2.0.0.1 app.
- Add the Netskope Introspection v2.0.0.3 app in your Office 365 SharePoint admin account.
- Configure Netskope to access your Microsoft Office 365 SharePoint app.
Important
Throughout this article, you will be prompted to enter your Office 365 credentials. Netskope does not store your Office 365 credentials. The credentials are used for creating OAuth tokens. Netskope only stores these tokens and not the actual credentials.
Prerequisites
To grant Office 365 access for audit logs, the following prerequisites must be met:
- A global administrator account is required to grant access to Netskope. Post-grant, this account is not required.
Note
The way permissions work in Azure/Office 365 is that Netskope requires an administrator to grant enough privileges for Netskope to perform specific actions. Note that the Netskope app does not receive global admin permissions. It only receives permissions for the scope Netskope requests.
In particular, the global admin is the only user that can delegate access for application-level permission (as opposed to user level permissions). You can find additional Microsoft documentation on how all these work here. Furthermore, global admin credential is required for Graph and Office 365 Management APIs. Post-grant, Netskope is independent of the granting account for policy processing.
- You must turn on audit logging in Microsoft 365 admin center. To enable audit logging, log in to https://compliance.microsoft.com/, then on the left navigation, click Audit. If auditing is not turned on for your organization, a banner is displayed prompting you start recording user and admin activity. Click the Start recording user and admin activity banner. It may take up to 60 minutes for the change to take effect.
Note
If you do not see this link, auditing has already been turned on for your organization. After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search in a couple of hours after the preparation is complete. You only have to do this once. For additional information, read this support article on the Microsoft site.
Adding the Netskope Introspection v2.0.0.3 app to your SharePoint admin account has these requirements:
- Installation of the Netskope Introspection v2.0.0.3 app in your Office 365 SharePoint admin account requires the global administrator role in Office 365. For additional details, to assign admin roles in Office 365, refer to this Microsoft Office 365 document.
- The admin account used to upload the Netskope Introspection v2.0.0.3 app must be added to the Site Collection Administrator.
- It is important to note that although the Netskope Introspection v2.0.0.3 app is installed through the SharePoint store, the Netskope Introspection v2.0.0.3 app instructions apply to OneDrive and SharePoint apps.
- In a multi-geo setup, if you intend to monitor a single location, you should install the Netskope Introspection v2.0.0.3 app in that location.
- The Netskope Introspection v2.0.0.3 app requires the following scopes for it to be installed in the Office 365 account:
Scope Description Permission Social
To retrieve user profiles.
Read
Tenancy
The tenancy where the add-in is installed. Includes all children of this scope.
Full control
Site collection
The site collection where the add-in is installed. Includes all children of this scope.
Full control
Website
The website where the add-in is installed. Includes all children of this scope.
Manage
List
List on the website where the add-in is installed.
Manage
- The Netskope Introspection v2.0.0.3 app requires the following permission privileges:
Permission Requested Description Permission Included Read-only
Enables apps to view pages, list items, and download documents.
View items
Open items
View versions
Create alerts
Use self-service site creation
View pages
Write
Enables apps to view, add, update, and delete items in existing lists and document libraries.
Read-only permissions, and:
Add items
Edit items
Delete items
Delete versions
Browse directories
Edit personal user information
Manage personal views
Add/remove personal web parts
Update personal web parts
Manage
Enables apps to view, add, update, delete, approve, and customize items or pages within a web site.
Write permissions, and:
Manage lists
Apply themes and borders
Apply style sheets
Full control
Enables apps to have full control within the specified scope.
All permissions
Require Check Out of Files
Latest update on Microsoft Office 365 SharePoint’s Require check out of files – If this setting is enabled on a SharePoint site, Netskope API Data Protection can quarantine the file but fails to overwrite the original file with a tombstone file. To gracefully handle this kind of a scenario, API Data Protection now provides administrators to identify such files within Incidents and Alerts UI pages. Following two changes are added in the Netskope tenant UI:
- Under Incidents > DLP, when you click an incident, the UI displays a new tombstone failure message.
- Under Skope IT > EVENTS > Alerts, a new alert type Tombstone Failed is introduced for quarantine action.
