New Capability
Data Access Security - Automated Revocation of Direct Access for SharePoint Online and OneDrive from Resource Views.
Description
This new capability allows for the automatic revocation of direct access to data assets, which is crucial for reducing security risks. By automating this process, customers can better enforce access policies, reduce their attack surface, and maintain a cleaner, more secure access model.
Problem
Directly assigned access, which often falls outside of standard governance processes, creates significant security and governance challenges. This type of access is easily forgotten, leading to “permission creep” and over-provisioned access that could be exploited. The risk is compounded by the fact that directly assigned access still accounts for a large share of all access.
Solution
Data Access Security is introducing automated direct access revocation for the SharePoint Online and OneDrive application types, available to Data Owners and Administrators. Once you have identified unwanted access, simply click Revoke and DAS will remove it.
You have identified user access you would like to remediate:
[Screenshot: External Access to Resource in SharePoint Online]
From the Action column, select … to reveal the new Revoke option.
Click Revoke and Confirm.
[Screenshot: Revoke Confirmation popup]
A task is initiated to revoke the access, and the view updates accordingly:
[Screenshot: Task Details overlay]
Upon successful completion, navigate back to the Resource Permission view to see that the permission has been revoked. You can also confirm in SharePoint Online or OneDrive that the permission is no longer granted.
Revoke is also available from the Tree View and from the User’s Permission Path.
[Screenshot: Revoke available from Permission paths]
What Permissions Qualify to be Revoked?
| Where is the permission granted from? | Can it be revoked? | Notes |
|---|---|---|
| User direct access on resource | Yes | The primary creator/owner of the resource cannot have their access revoked, even if it was granted directly. |
| Permission inherited from parent | No | |
| Permission inherited from group | No | |
Who is affected?
All customers with a DAS tenant that use the SharePoint Online and OneDrive connectors.
Action required (customer-facing)
This requires API permission updates to your Azure application registration so that DAS can revoke access. The application registration will now require Files.ReadWrite.All for OneDrive and Sites.ReadWrite.All for SharePoint Online.
Follow the guides below to update each application type:
Note: The change is in step 6 under the section “Assigning API Permissions to the Application” in the Creating an Azure Application documentation.
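One way to verify that a registration already requests the two permissions named above, as an added example that is not DAS or Microsoft code. It assumes the connector uses application permissions (type "Role"), resolves permission names through the Microsoft Graph service principal's appRoles so no role GUIDs need to be hard-coded, and runs on constructed sample documents in the shape returned by Graph's /servicePrincipals and /applications endpoints (the role ids below are placeholders).

```python
# Well-known appId of the Microsoft Graph service principal (identical in every tenant).
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Permissions the release note says the DAS app registration now needs.
REQUIRED_PERMISSIONS = {"Files.ReadWrite.All", "Sites.ReadWrite.All"}

# Constructed sample of the Graph service principal's appRoles
# (GET /servicePrincipals?$filter=appId eq '<GRAPH_APP_ID>'&$select=appRoles).
# The "id" values are placeholders, not the real role GUIDs.
GRAPH_APP_ROLES = [
    {"id": "role-files-rw-placeholder", "value": "Files.ReadWrite.All"},
    {"id": "role-sites-rw-placeholder", "value": "Sites.ReadWrite.All"},
    {"id": "role-files-r-placeholder", "value": "Files.Read.All"},
]

# Constructed sample of the DAS app registration
# (GET /applications/{id}?$select=requiredResourceAccess): it still carries
# only an old read-only grant, so revocation would fail until it is updated.
APP_REGISTRATION = {
    "requiredResourceAccess": [
        {
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": "role-files-r-placeholder", "type": "Role"}],
        }
    ]
}


def granted_graph_roles(app, graph_app_roles):
    """Return the Graph application-permission names the registration requests."""
    id_to_name = {role["id"]: role["value"] for role in graph_app_roles}
    names = set()
    for resource in app.get("requiredResourceAccess", []):
        if resource.get("resourceAppId") != GRAPH_APP_ID:
            continue  # permissions on other APIs are irrelevant to this check
        for access in resource.get("resourceAccess", []):
            if access.get("type") == "Role":  # "Scope" would be a delegated permission
                names.add(id_to_name.get(access["id"], "unknown:" + access["id"]))
    return names


def missing_revocation_permissions(app, graph_app_roles):
    """Return, sorted, the required permissions the registration does not yet request."""
    return sorted(REQUIRED_PERMISSIONS - granted_graph_roles(app, graph_app_roles))


if __name__ == "__main__":
    missing = missing_revocation_permissions(APP_REGISTRATION, GRAPH_APP_ROLES)
    print("missing permissions:", ", ".join(missing) or "none")
```

This only checks what the registration requests; admin consent for the new permissions still has to be granted in the tenant, which shows up in appRoleAssignments rather than in requiredResourceAccess.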
Revocation will be enabled by default.
By default, this feature will be enabled for the SharePoint Online and OneDrive application types. If you prefer not to use it, navigate to Admin > Applications > locate your SharePoint Online/OneDrive application(s) > Actions > Edit. In the General Details screen, under Identity Collector, toggle Direct Access Revocation off.
When toggled off, the Revoke option will no longer appear in the Resource screens for any applicable permissions.
Important dates
Sandbox availability: Apr 14, 2026
Production rollout: Apr 21, 2026