Skyhigh Security

Re-enable API Access for Microsoft Exchange Online

IMPORTANT: Microsoft Exchange Online users are required to migrate to 'Graph API' since 'Outlook Rest API' will be fully decommissioned by November 22, 2022. For more details, see here. This requires you to set additional permissions for Microsoft Graph API by re-enabling API access for your Microsoft Exchange Online instances in Skyhigh CASB.

WARNING: You must re-enable the API access for Microsoft Exchange Online in Skyhigh CASB if you have received a notification from Skyhigh CASB Support. If you do not re-enable the API access for Microsoft Exchange Online, On-Demand Scanning (ODS) and some response actions such as Quarantine and Delete will not work as expected for Exchange Online Email DLP.

Prerequisite 

If you use a custom OAuth app to authenticate the API access for Microsoft Exchange Online, ensure that you have set the permissions (User.Read.All, Sites.Read.All, Mail.ReadWrite, and Directory.Read.All) for Microsoft Graph under Exchange Online API DLP. For details, see Custom oAuth Application for Office 365 and Azure API Integration.

Re-enable API Access

To re-enable API access for Microsoft Exchange Online in Skyhigh CASB, select a Microsoft Exchange Online instance, disable API access for that instance (see Disable API Access), and then enable it again (see Enable API Access).

NOTE: If you have multiple Microsoft Exchange Online instances, re-enable API access for all your Microsoft Exchange Online instances.

You can re-enable API access for Exchange Online Inline Email DLP and Exchange Online Passive Email DLP users.

NOTE: If you use a custom OAuth app to authenticate the API access for Microsoft Exchange Online and do not have the private key and self-signed certificate used to enable API access for your tenant, create a self-signed certificate using OpenSSL and upload it to the Azure portal. For details, see Custom oAuth Application for Office 365 and Azure API Integration.
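
The certificate step in the note above, as an added example (not Skyhigh's or Microsoft's own script): it creates an RSA key and self-signed certificate with OpenSSL, confirms that the two belong together, and prints the SHA-1 thumbprint to compare with the value the Azure portal lists after upload. The file names, common name, 2048-bit key size and 365-day validity are assumptions; use the values the linked custom OAuth article requires.

```shell
#!/usr/bin/env bash
# Added example, not vendor code. File names, CN and validity are assumptions.
set -eu

# make_app_cert <out_dir> <common_name> [days]
# Writes <out_dir>/app.key (private key) and <out_dir>/app.crt (certificate).
make_app_cert() {
  local dir="$1" cn="$2" days="${3:-365}"
  mkdir -p "$dir"
  # umask 077 so the unencrypted private key is never group/world readable.
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
      -days "$days" -subj "/CN=$cn" \
      -keyout "$dir/app.key" -out "$dir/app.crt" )
  chmod 600 "$dir/app.key"
}

# key_matches_cert <key> <crt>: true only if both carry the same public key.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
  [ "$k" = "$c" ]
}

# cert_thumbprint <crt>: SHA-1 fingerprint as 40 uppercase hex characters.
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 |
    cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F'
}

# Usage: ./make_app_cert.sh <out_dir> <common_name>
if [ "$#" -ge 2 ]; then
  make_app_cert "$1" "$2"
  key_matches_cert "$1/app.key" "$1/app.crt"
  echo "Upload only $1/app.crt; keep $1/app.key private."
  echo "Thumbprint: $(cert_thumbprint "$1/app.crt")"
  openssl x509 -in "$1/app.crt" -noout -enddate
fi
```

Only the certificate file is uploaded to the Azure portal; the private key stays with the party that authenticates as the custom OAuth app.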

Disable API Access

Before you disable API access for a Microsoft Exchange Online instance, make sure that there are no critical API issues displayed under the Overview tab of the Service Management page for that instance. If the instance has any critical API issues, you must resolve them before re-enabling the API for that instance. Some of the known reasons for critical API issues are:

  • If you have Application Access Policies configured that prevent the Skyhigh application from accessing Exchange Online mailboxes, make sure to remove them.
  • If there is an issue with your Microsoft Exchange Online account, make sure that the account has the correct subscription and license.

To disable API access for Microsoft Exchange Online:

  1. In Skyhigh CASB, go to Settings > Service Management.
  2. Select Microsoft Exchange Online from the list of Services.
  3. Select the required instance from the list of instances provided by Skyhigh CASB, and click Done.
  4. Go to the Setup tab and click Disable API.
  5. On the confirmation popup, click Disable.

API access is now disabled for your Microsoft Exchange Online instance.

Enable API Access

To enable API access for Microsoft Exchange Online:

  1. Click Enable.
  2. Select the acceptance checkbox and click Next.
  3. Click Provide API Credentials.
  4. Provide API credentials for the Microsoft Exchange Online admin account, and in the Permissions requested dialog, click Accept.
  5. If you use a multi-tenant OAuth app, select the Microsoft Exchange admin account from the list of admin accounts or enter the credentials of the Microsoft Exchange admin account.
  6. Click Accept to accept the permissions. 
  7. If you use a custom OAuth app, provide the custom OAuth credentials and click Submit. For details, see Skyhigh CASB API Connection.
  8. Click Done.

API access is now re-enabled for your Microsoft Exchange Online instance.

FAQs

What happens if the API access for Microsoft Exchange Online is not re-enabled in Skyhigh CASB?

You must re-enable the API access for Microsoft Exchange Online in Skyhigh CASB if you have received a notification from Skyhigh CASB Support. If you do not re-enable the API access for Microsoft Exchange Online, On-Demand Scanning (ODS) and some response actions such as Quarantine and Delete will not work as expected for Exchange Online Email DLP.

Is there any impact on other Office 365 services such as SharePoint, OneDrive, and Teams?

No

Is it necessary to re-enable API access for Microsoft Exchange Online if Outlook is integrated with a global admin account?

Yes

Is it necessary to provide permissions if Outlook is integrated with a global admin account?

No

Is there a cost to re-enable API access for Microsoft Exchange Online?

No

Does the user receive any notifications after the Microsoft Exchange Online instances are migrated to Microsoft Graph API?

No

How can users verify the product's functionality after migration?

There are no changes in the product's functionality after migration, and Exchange Online Email DLP continues to function normally. You can verify the product's functionality by quarantining or deleting an email.

How to determine if there are any issues after migration? If there is an issue after migration, what are the steps to reverse the changes and how quickly are the changes reversed?

This feature has been thoroughly tested by the Skyhigh CASB QA team. If there are any issues after migration, this feature can be quickly disabled from the backend to ensure continued services using the old Outlook Rest API. Any issues identified after the migration will be resolved before the old Outlook Rest API is decommissioned on November 22, 2022.