Automatically redact sensitive data from SharePoint document libraries and sites. Protect PII in Office documents, PDFs, and other files with seamless Microsoft 365 integration.
Enterprise Microsoft integration
Automatically process documents uploaded to SharePoint libraries with configurable triggers.
Integrate redaction into workflows using Power Automate connectors.
Trigger redaction based on Microsoft Information Protection labels.
Redact documents for legal holds and eDiscovery exports.
Create redacted versions while preserving originals in secure locations.
Configure different redaction policies per site or library.
SharePoint serves as the document management hub for millions of organizations, storing everything from internal policies to customer contracts, HR records to financial reports. This concentration of business documents inevitably includes sensitive personal information that requires protection—employee data in HR documents, customer details in contracts, financial information in reports. Automated redaction ensures this data is protected consistently across SharePoint's vast document libraries.
Our SharePoint integration brings intelligent PII detection directly into your Microsoft 365 environment. Documents are automatically processed as they're uploaded or modified, with redacted versions created according to your policies. Whether you need to protect documents before external sharing, prepare files for eDiscovery, or ensure ongoing compliance across document libraries, the integration handles redaction without disrupting your existing workflows.
The SharePoint integration connects through Microsoft's standard APIs:
Connection Methods:
// Integration flow
1. Document uploaded to SharePoint
2. Webhook triggers Azure Function
3. Function downloads document via Graph API
4. Document sent to RedactionAPI
5. Redacted document uploaded back to SharePoint
6. Optional: Move original to secure archive
Step 1: Azure AD App Registration
// Required permissions
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "Sites.ReadWrite.All",
          "type": "Role"
        },
        {
          "id": "Files.ReadWrite.All",
          "type": "Role"
        }
      ]
    }
  ]
}
Step 2: Configure SharePoint Webhook
POST https://graph.microsoft.com/v1.0/subscriptions
{
  "changeType": "updated",
  "notificationUrl": "https://your-function.azurewebsites.net/api/webhook",
  "resource": "/sites/{site-id}/lists/{list-id}",
  "expirationDateTime": "2024-02-15T00:00:00Z",
  "clientState": "secretClientState"
}
Step 3: Deploy Azure Function
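// Azure Function for webhook processing
// graphClient and redactionClient are assumed to be initialized elsewhere.
module.exports = async function (context, req) {
  // Subscription validation handshake: echo the token back as plain text
  if (req.query.validationToken) {
    context.res = {
      status: 200,
      headers: { 'Content-Type': 'text/plain' },
      body: req.query.validationToken
    };
    return;
  }

  const notifications = (req.body && req.body.value) || [];
  for (const notification of notifications) {
    // Drop notifications that do not carry the clientState set in Step 2
    // (WEBHOOK_CLIENT_STATE is an assumed app setting holding that value)
    if (notification.clientState !== process.env.WEBHOOK_CLIENT_STATE) {
      continue;
    }

    // siteId and resourceId are used as on this page; a Graph list
    // notification itself carries `resource` and `subscriptionId`, so the
    // changed item has to be resolved before these calls.

    // Get changed file
    const file = await graphClient
      .api(`/sites/${notification.siteId}/drive/items/${notification.resourceId}`)
      .get();

    // Download file content
    const content = await graphClient
      .api(`/sites/${notification.siteId}/drive/items/${notification.resourceId}/content`)
      .get();

    // Send to RedactionAPI
    const redacted = await redactionClient.redactFile(content, {
      filename: file.name,
      policies: ['pii', 'phi']
    });

    // Upload redacted version
    await graphClient
      .api(`/sites/${notification.siteId}/drive/items/${notification.resourceId}/content`)
      .put(redacted);
  }

  context.res = { status: 202 };
};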
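The webhook endpoint from Steps 2 and 3 is reachable from the internet, so every request should be checked before any file is fetched. The following is an added example, not the vendor's code: it echoes the validation token as plain text, compares `clientState` in constant time, and accepts only subscription ids the deployment created. The function name `triageWebhook`, the `cfg` shape and all sample values are assumptions.

```javascript
const nodeCrypto = require("crypto");

// Constant-time comparison; hashing first gives equal-length buffers.
function sameSecret(a, b) {
  const ha = nodeCrypto.createHash("sha256").update(String(a)).digest();
  const hb = nodeCrypto.createHash("sha256").update(String(b)).digest();
  return nodeCrypto.timingSafeEqual(ha, hb);
}

// req: { query, body } as received by the Step 3 function.
// cfg.clientState: secret supplied when the subscription was created.
// cfg.subscriptionIds: Set of subscription ids this deployment owns.
function triageWebhook(req, cfg) {
  const query = req.query || {};
  // Subscription handshake: echo the token as plain text, never as HTML.
  if (typeof query.validationToken === "string") {
    return {
      status: 200,
      headers: { "Content-Type": "text/plain" },
      body: query.validationToken,
      accepted: [],
    };
  }
  const items = req.body && Array.isArray(req.body.value) ? req.body.value : null;
  if (!items) return { status: 400, body: "", accepted: [] };

  const accepted = items.filter(
    (n) =>
      n !== null && typeof n === "object" &&
      typeof n.clientState === "string" &&
      sameSecret(n.clientState, cfg.clientState) &&
      cfg.subscriptionIds.has(n.subscriptionId)
  );
  // Acknowledge promptly; entries that fail the checks are dropped.
  return { status: 202, body: "", accepted };
}

// Constructed sample values, not captured traffic.
const SAMPLE_CFG = { clientState: "constructed-secret-1", subscriptionIds: new Set(["sub-A"]) };
const SAMPLE_REQ = {
  query: {},
  body: { value: [
    { subscriptionId: "sub-A", clientState: "constructed-secret-1", resource: "sites/s1/lists/l1" },
    { subscriptionId: "sub-A", clientState: "wrong", resource: "sites/s1/lists/l1" },
    { subscriptionId: "sub-Z", clientState: "constructed-secret-1", resource: "sites/s1/lists/l1" },
  ] },
};
```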
Use our Power Automate connector for no-code workflows:
Available Actions:
Example Flow: Redact on Upload
Trigger: When a file is created (SharePoint)
↓
Action: Get file content (SharePoint)
↓
Action: Redact Document (RedactionAPI)
- File Content: File Content from previous step
- Redaction Types: pii, phi, pci
↓
Action: Update file (SharePoint)
- File Content: Redacted Content
↓
Action: Add item to list (SharePoint)
- List: Redaction Audit Log
- Details: Redaction report from previous step
Example Flow: Redact Before External Sharing
Trigger: When a sharing link is created (SharePoint)
↓
Condition: Is link for external users?
↓
Yes Branch:
Action: Get file content
↓
Action: Redact Document (RedactionAPI)
↓
Action: Create file in "External Share" library
↓
Action: Update sharing link to new file
↓
Action: Send approval email
Configure redaction policies per library:
Library-Level Settings:
{
  "libraryId": "Documents",
  "siteUrl": "https://contoso.sharepoint.com/sites/HR",
  "policies": {
    "redactionTypes": ["pii", "phi"],
    "triggerOn": ["create", "update"],
    "excludePatterns": ["*.pdf.redacted"],
    "outputLocation": "same",
    "preserveOriginal": true,
    "originalLocation": "/sites/HR/Archived"
  }
}
Folder-Specific Rules:
{
  "rules": [
    {
      "path": "/Employee Records/*",
      "redactionTypes": ["ssn", "dob", "salary"],
      "outputSuffix": "_redacted"
    },
    {
      "path": "/Customer Contracts/*",
      "redactionTypes": ["pii", "financial"],
      "preserveOriginal": false
    },
    {
      "path": "/Public/*",
      "enabled": false
    }
  ]
}
Integrate with Microsoft Information Protection labels:
Label-Based Policies:
{
  "labelPolicies": {
    "Confidential": {
      "redactionTypes": ["pii", "phi", "pci"],
      "enforceRedaction": true,
      "blockIfUnredacted": true
    },
    "Internal": {
      "redactionTypes": ["ssn", "credit_card"],
      "enforceRedaction": false,
      "warnIfUnredacted": true
    },
    "Public": {
      "redactionTypes": ["all_pii"],
      "enforceRedaction": true,
      "autoLabel": false
    }
  }
}
Workflow Example:
// When document receives "Confidential" label
1. SharePoint triggers label change event
2. Azure Function retrieves document
3. Document sent to RedactionAPI with "Confidential" policy
4. Redacted document saved
5. Original moved to secure archive
6. Audit event logged to compliance center
Process existing documents in bulk:
Batch Configuration:
// Batch processing for existing libraries
const batchConfig = {
  siteUrl: "https://contoso.sharepoint.com/sites/Legal",
  libraries: ["Contracts", "Client Files"],
  filters: {
    modifiedAfter: "2023-01-01",
    fileTypes: [".docx", ".pdf", ".xlsx"],
    excludeFolders: ["Archive", "Templates"]
  },
  processing: {
    batchSize: 100,
    throttleMs: 1000, // Respect SharePoint limits
    retryAttempts: 3
  },
  output: {
    location: "redacted",
    preserveStructure: true
  }
};

// Start batch processing
const job = await redactionClient.batchProcess(batchConfig);
console.log(`Processing ${job.totalFiles} files, Job ID: ${job.id}`);
Delta Processing:
// Only process changed documents since last run
const deltaConfig = {
  siteUrl: "https://contoso.sharepoint.com/sites/HR",
  deltaToken: lastDeltaToken, // From previous run
  onComplete: (result) => {
    // Store new delta token for next run
    saveDeltaToken(result.deltaToken);
  }
};
Prepare documents for legal and compliance processes:
eDiscovery Workflow:
// Export and redact for legal hold
const ediscoveryConfig = {
  source: {
    type: "complianceCenter",
    caseId: "case-12345",
    searchId: "search-67890"
  },
  redaction: {
    types: ["witness_names", "third_party_pii"],
    preserveRelevant: ["defendant", "plaintiff"],
    markRedactions: true
  },
  output: {
    format: "pdf",
    includeAuditReport: true,
    location: "/sites/Legal/eDiscovery/Case-12345"
  }
};
Privilege Review:
// Redact before privilege review
1. Documents exported from Content Search
2. Automated PII redaction applied
3. Reviewers see redacted versions
4. Privileged documents tagged
5. Final production with appropriate redaction
Control how redacted versions interact with SharePoint versioning:
Version Policies:
// Version configuration
{
  "versionPolicy": "archive",
  "archiveSettings": {
    "location": "/sites/Compliance/Original Documents",
    "preserveMetadata": true,
    "retentionDays": 2555, // 7 years
    "accessRestriction": "ComplianceAdmins"
  }
}
Track redaction status in SharePoint metadata:
// Custom columns for redaction tracking
{
  "columns": [
    {
      "name": "RedactionStatus",
      "type": "choice",
      "choices": ["Pending", "Processing", "Complete", "Failed"]
    },
    {
      "name": "RedactionDate",
      "type": "dateTime"
    },
    {
      "name": "DetectionsFound",
      "type": "number"
    },
    {
      "name": "RedactionTypes",
      "type": "multiChoice",
      "choices": ["PII", "PHI", "PCI", "Custom"]
    }
  ]
}
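Writing the redacted file back to the same item, as the Step 3 function does, raises another change notification for that item, so the handler needs a way to recognise its own write. The following is an added example, not the vendor's code, that uses the `RedactionStatus` and `RedactionDate` columns above together with the `excludePatterns` setting. It assumes `RedactionDate` is stamped when a run starts, and `RedactedCTag` is a hypothetical extra column holding the driveItem `cTag` recorded after the write-back.

```javascript
// Convert a simple "*" glob such as "*.pdf.redacted" to an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`, "i");
}

// item: { name, cTag, fields: { RedactionStatus, RedactionDate, RedactedCTag } }
// RedactedCTag is a hypothetical column: the cTag saved after the write-back.
function shouldRedact(item, excludePatterns, now = Date.now(), staleMs = 15 * 60 * 1000) {
  const f = item.fields || {};
  if (excludePatterns.some((g) => globToRegExp(g).test(item.name))) {
    return { redact: false, reason: "excluded" };
  }
  if (f.RedactionStatus === "Processing") {
    // A crashed run must not leave the file unredacted forever.
    const started = Date.parse(f.RedactionDate);
    const stale = Number.isNaN(started) || now - started > staleMs;
    return stale
      ? { redact: true, reason: "stale-processing" }
      : { redact: false, reason: "in-progress" };
  }
  // cTag changes only with file content, so a match means this event came
  // from the write-back itself or from a metadata-only edit.
  if (f.RedactionStatus === "Complete" && f.RedactedCTag === item.cTag) {
    return { redact: false, reason: "already-redacted" };
  }
  return {
    redact: true,
    reason: f.RedactionStatus === "Complete" ? "content-changed" : "unprocessed",
  };
}

// Constructed sample items, not real library data.
const SAMPLE_NOW = Date.parse("2024-01-15T10:30:00Z");
const SAMPLE_ITEMS = {
  output: { name: "contract.pdf.redacted", cTag: "c9" },
  ownWrite: { name: "review.docx", cTag: "c1",
    fields: { RedactionStatus: "Complete", RedactedCTag: "c1" } },
  edited: { name: "review.docx", cTag: "c2",
    fields: { RedactionStatus: "Complete", RedactedCTag: "c1" } },
  running: { name: "a.docx", cTag: "c3",
    fields: { RedactionStatus: "Processing", RedactionDate: "2024-01-15T10:25:00Z" } },
  crashed: { name: "b.docx", cTag: "c4",
    fields: { RedactionStatus: "Processing", RedactionDate: "2024-01-15T09:00:00Z" } },
};
```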
For SharePoint Server installations:
Gateway Agent:
// On-premises gateway configuration
{
  "gateway": {
    "mode": "agent",
    "connectionString": "your-gateway-connection",
    "sharePointUrl": "https://sharepoint.contoso.local",
    "authentication": {
      "type": "NTLM",
      "domain": "CONTOSO"
    }
  },
  "processing": {
    "localProcessing": false, // Send to cloud API
    "hybridMode": true
  }
}
Hybrid Deployment:
Comprehensive logging for compliance requirements:
// Audit log entry
{
  "timestamp": "2024-01-15T10:30:00Z",
  "eventType": "DocumentRedacted",
  "siteUrl": "https://contoso.sharepoint.com/sites/HR",
  "libraryName": "Employee Records",
  "fileName": "performance_review_2023.docx",
  "fileId": "01ABC...",
  "user": "[email protected]",
  "detections": {
    "ssn": 3,
    "name": 12,
    "address": 2
  },
  "action": "replaced",
  "originalArchived": true,
  "archiveLocation": "/sites/Compliance/Archive/..."
}
Compliance Center Integration:
The integration uses Microsoft Graph API and SharePoint webhooks to detect document changes. When documents are uploaded or modified, they're automatically sent for redaction. Processed files can replace originals or be saved to designated libraries.
Yes, our Power Automate connector enables redaction in custom workflows. Trigger redaction on document approval, before external sharing, during migration, or any other workflow event. The connector handles authentication and file transfer.
Yes, we support both SharePoint Online (Microsoft 365) and SharePoint Server on-premises. SharePoint Online uses cloud connectors; on-premises requires our gateway agent for secure connectivity.
For libraries with existing documents, we provide batch processing that respects SharePoint throttling limits. New uploads are processed in real-time. Delta processing ensures only changed documents are re-processed.
Yes, integration with Microsoft Information Protection allows sensitivity labels to trigger specific redaction policies. Documents labeled "Confidential" can have different redaction rules than "Internal" documents.
The integration requires Sites.ReadWrite.All for document access and User.Read for authentication. For enterprise deployment, application permissions enable tenant-wide access without per-user consent.