New Capability: Campaign Revocation (Permission Changes Required)

:new_button: New Capability

Data Access Security is now introducing Campaign Revocation! This allows any directly granted access to SharePoint Online and OneDrive that is rejected in a DAS Campaign record to be automatically revoked!

:sparkles: Description

This new capability allows for the automatic revocation of direct access to data assets, which is crucial for reducing security risks. By automating this process, customers can better enforce access policies, reduce their attack surface, and maintain a cleaner, more secure access model.

:red_exclamation_mark: Problem

Directly assigned access, which often falls outside standard governance processes, creates significant security and governance challenges. This type of access is easily forgotten, leading to “permission creep” and over-provisioned access that could be exploited. The risk is considerable, since directly assigned access still accounts for a large portion of all access.

:light_bulb: Solution

Data Access Security is introducing automated direct access revocation for SharePoint Online and OneDrive application types for rejected records within DAS permission campaigns.

Prereq:

To ensure this feature will function properly, ensure your SharePoint Online and OneDrive applications have the proper API Permissions within their corresponding Azure application registration.

Note: Once the application registration has been updated, please ensure you rerun your Crawl and Permission Collection tasks.

See Campaign Revocation (Permission Changes Required) | :clipboard: Action required (customer facing). Also ensure Direct Access Revocation is enabled in the application configuration.

Details:

As a DAS/Org Admin or DAS Compliance Manager, once in DAS, navigate to Compliance > Access Certification. Next, click Create Campaign.

Enter the General Details information (ensure the campaign type is set to Permissions), select a Filter List which contains a direct permission on SharePoint Online and/or OneDrive, and enter all Review Levels and Reviewers.

Next, you will notice a new screen called ‘Permission Revocation’. The toggle must be set to enabled to allow for any permissions which are directly granted to be revoked. DAS services will assess rejected records for qualified permissions, reach out to the endpoint and remove the access which has been rejected.

The Execute option defines whether revocation is performed (or continues to be performed) if a campaign is ended prematurely. A campaign is ended prematurely when the ‘End Campaign’ button is used from the Campaign Management screen, which stops the campaign and ends all records, including those still pending review. By default, revocation will not be performed when a campaign is ended early.

After saving the campaign, the campaign will initiate as normal.

:clipboard: This setting is available for both Campaign and Campaign Templates. If enabled in Campaign Templates, all campaigns which are created from the template will have automatic revocation enabled.

Once the reviewer has assessed the records, and if there are records which qualify to be revoked, compliance managers and administrators will notice a new Status called ‘Revocation In Progress’. This will indicate a task has been initiated to remove the rejected access.

:clipboard: All records in the campaign must be committed before any revocation actions will occur.

When clicking into the Campaign, a new tab will be displayed named ‘Automatic Revocation’ which will display qualified records and their associated revocation status.

:clipboard: The tab will only display if there are rejected records which qualify to be revoked.

If for some reason there are revocation failures (improper permissions granted to the DAS application, someone manually removed the permission from the endpoint after the campaign started but before the revocation, etc.), the campaign will transition to a status of Revocation Failed.

When accessing the failed revocation campaign details, you will notice a warning indicator on the Automatic Revocation tab, with the failure reasons listed under Revocation Result.

From there, if the issues have been corrected, you can click Rerun Revocation which will restart the revocation task to remove the rejected permissions.

Otherwise, you can Ignore Failures. Choosing this option will transition the campaign to a Completed status but will not retry the revocation task. This action cannot be undone.

:clipboard: All existing campaigns will not have revocation enabled. However, if a campaign is in a status which is editable, you can adjust that campaign to enable revocation.

:closed_lock_with_key: What Permissions Qualify to be Revoked?

Where is Permission Granted From?  | Can it be Revoked? | Notes
-----------------------------------|--------------------|------------------------------------------------------------------------------------
User direct access on resource     | Yes                | The primary creator/owner of the resource cannot be revoked even if directly granted.
Permission inherited from parent   | No                 |
Permission inherited from group    | No                 |
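To make the campaign workflow above (commit before revocation, Revocation In Progress / Revocation Failed, Rerun Revocation, Ignore Failures, the early-end default) and the qualification table concrete, here is an added example that is not DAS code; the record fields, the in-memory grants dictionary standing in for SharePoint Online/OneDrive, and all sample identities and resources are constructed assumptions.

```python
from dataclasses import dataclass, field
# Added example, not DAS code: a constructed model of the qualification table
# and the campaign revocation statuses described on this page.
DIRECT = "direct"   # other sources seen in records: "inherited_parent", "inherited_group"

@dataclass
class Record:
    identity: str
    resource: str
    source: str                  # how the permission was granted (table above)
    decision: str                # "approved" | "rejected" | "pending"
    committed: bool = False
    primary_owner: bool = False  # creator/owner is never revoked, even if direct

def qualifies(r: Record) -> bool:
    """Only rejected, directly granted, non-owner access qualifies for revocation."""
    return r.decision == "rejected" and r.source == DIRECT and not r.primary_owner

def revoke_on_endpoint(grants: dict, r: Record) -> str:
    """Constructed stand-in for the SharePoint/OneDrive call; grants: resource -> identities."""
    if r.identity not in grants.get(r.resource, set()):
        return "failed: permission no longer present on endpoint"
    grants[r.resource].discard(r.identity)
    return "revoked"

@dataclass
class Campaign:
    records: list
    revoke_on_early_end: bool = False  # page default: no revocation if ended early
    status: str = "Active"
    results: dict = field(default_factory=dict)  # (identity, resource) -> result

    def run_revocation(self, grants: dict, ended_early: bool = False) -> str:
        if any(not r.committed for r in self.records):
            return self.status  # nothing happens until every record is committed
        if ended_early and not self.revoke_on_early_end:
            self.status = "Completed"
            return self.status
        self.status = "Revocation In Progress"
        for r in self.records:  # calling again after a failure acts as Rerun Revocation
            key = (r.identity, r.resource)
            if qualifies(r) and self.results.get(key) != "revoked":
                self.results[key] = revoke_on_endpoint(grants, r)
        failed = [v for v in self.results.values() if v != "revoked"]
        self.status = "Revocation Failed" if failed else "Completed"
        return self.status

    def ignore_failures(self) -> str:  # Ignore Failures: complete without retrying
        self.status = "Completed"
        return self.status
```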

:busts_in_silhouette: Who is affected?

All customers with a DAS tenant that use the SharePoint Online and OneDrive connectors.

:clipboard: Action required

This requires API Permission updates to your Azure Application registration to enable DAS to revoke access. The application registration will now require Files.ReadWrite.All for OneDrive and Sites.ReadWrite.All for SharePoint Online.

To update, follow the guides below for each application type.

Ref:

Note: The change is on step 6 under the section “Assigning API Permissions to the Application” in the Creating an Azure Application documentation.

:clipboard: Revocation will be enabled by default

By default, this feature will be enabled for SharePoint Online and OneDrive application types. If you prefer not to use it, simply navigate to Admin > Applications > locate your SharePoint Online/OneDrive application(s) > Actions > Edit. In the General Details screen under Identity Collector, toggle Direct Access Revocation off.

:date: Important dates

Sandbox availability: May 13, 2026
Production rollout: May 26, 2026