Migrate Microsoft 365 OneDrive from Classic to Next Generation API Data Protection

Migrate Microsoft 365 OneDrive from Classic to Next Generation API Data Protection

The article provides guidance for customers currently using the Classic API Data Protection for Microsoft 365 OneDrive. It outlines a clear process for migrating to the enhanced Next Generation API Data Protection, which offers improved performance and functionality. The migration involves key steps, including preparation, configuration updates, and verification, ensuring a smooth transition to the more advanced platform.

Next Generation API Data Protection does not support Microsoft 365 Multi-Geo on OneDrive and SharePoint presently. This is because Microsoft does not provide any Graph APIs to support Multi-Geo. If you use this feature for Microsoft 365 OneDrive or SharePoint, continue to use these apps on the classic API Data Protection platform. To learn more about Microsoft 365 Multi-Geo Support in classic API Data Protection, see Microsoft Office 365 Multi-Geo Support.
If your real-time policy includes quarantine as an action, you cannot create a Next Generation API Data Protection quarantine profile. This limitation exists because real-time policies currently support only the classic API Data Protection quarantine profile. Stay tuned for updates on when real-time policies will support the Next Generation API Data Protection quarantine profile.

Migration Steps

Here are the broad steps to migrate your classic Microsoft 365 OneDrive instance to Next Generation.

  1. Create a new Next Generation API Data Protection Microsoft 365 OneDrive instance. To learn more: see sample video.

  2. If you use the forensic feature in classic, follow these steps:

    1. Create a new Next Generation forensic instance, profile, and enable forensic. To learn more: see sample video.

    2. Delete the classic forensic profile from Policies > PROFILES > Forensic, then navigate to Settings > Configure App Access > Classic, select the SaaS app, click the instance and uncheck Forensic.

  3. Disable the existing classic API Data Protection policies from Policies > API Data Protection > SAAS > Classic.

  4. Create new policies on Next Generation API Data Protection from Policies > API Data Protection > SAAS > Next Gen. To learn more: see sample video.

  5. Delete the existing classic API Data Protection policies from Policies > API Data Protection > SAAS > Classic.

    Running Classic and Next Generation policies simultaneously can lead to unexpected behavior if legal hold or quarantine profiles exist on both platforms. Additionally, this setup risks upstream throttling due to rate limits, potentially interrupting all protections. Therefore, Netskope strongly discourages running Classic and Next Generation policies and legal hold/quarantine profiles concurrently.
  6. Go to Settings > Configure App Access > Classic. Select the Microsoft 365 OneDrive app, click the instance and uncheck CASB API.

  7. Wait for six months or the duration of your incident retention period. Consult your Netskope sales representative to confirm the exact retention period. During this time, you can manage incidents and work with quarantined files.

  8. Delete the classic Microsoft 365 OneDrive instance. To do so, navigate to Settings > Configure App Access > Classic, select the SaaS app, then click the Remove Instance icon to delete the app instance.

There are a few noteworthy differences in the way Netskope displays DLP incidents and Skope IT alerts in classic and Next Generation API Data Protection. If you have any forward integration like log ingestor, etc where these values are ingested, you should update these values. To learn more: Classic vs Next Generation DLP Incidents & Skope IT Alerts.

To learn more about the Next Generation API Data Protection feature matrix per cloud app, see Next Generation API Data Protection Feature Matrix per Cloud App.

Share this Doc

Migrate Microsoft 365 OneDrive from Classic to Next Generation API Data Protection

Or copy link

In this topic ...