Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Code42 Support

Allow Code42 Forensic File Search access to OneDrive

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.


To help protect you from data loss, you can use Code42 Forensic File Search to monitor files moving to and from users' Microsoft OneDrive for Business.

When you add Microsoft OneDrive for Business as a data source for Code42 Forensic File Search, you are required to authorize Code42 using your administrator account in OneDrive for Business. Once authorized, Forensic File Search monitors your organization's OneDrive environment for information about when a user: 

  • Creates a file
  • Shares a file
  • Deletes a file
  • Modifies a file

This article explains how to add OneDrive for Business as a data source for Forensic File Search, as well as why Code42 requires this level of access. 


  • To allow Code42 access to OneDrive, you must be a global administrator.
  • Once authorized, Code42 Forensic File Search has access to metadata on users, files, and drives. Learn more about what Code42 monitors
  • You cannot edit the authenticating administrator information once you register the cloud service. If you need to change the authenticating administrator information, you must start over and add a new cloud service.
  • You cannot deauthorize or remove OneDrive as a cloud service in Code42. However, you can remove authorization to Code42 through your OneDrive Administration panel if necessary. 
  • You must be licensed for Code42 Forensic File Search. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email and we will connect you. 
  • Microsoft OneDrive limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Microsoft to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring Forensic File Search access to OneDrive. Consider setting up Forensic File search access to OneDrive when you have decreased activity in your environment.
Monitoring and alerting tools may report download activity
Code42 Forensic File Search temporarily streams files from your cloud service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.

Code42 never stores file contents or writes them to disk during this process.

Before you begin

Configure Forensic File Search before adding Microsoft OneDrive for Business as a cloud service data source.

Add OneDrive for Business 

  1. Sign in to the administration console. 
  2. Select Security Center > Data Sources
    Data sources
  3. Click Add.
    The Add Cloud Service Connection dialog displays. 
  4. From Cloud Service, select Microsoft OneDrive for Business. 
  5. Enter a display name. This name must be unique.
    OneDrive cloud service connection.
  6. Select one of the following options:
  7. Click Authorize
    The Microsoft OneDrive for Business sign in screen appears.
  8. Enter your OneDrive administrator credentials. 
  9. Review the terms and agreements, and click Accept. 
    Microsoft OneDrive for Business is now a cloud service for Forensic File Search.
When will I start seeing file events in Forensic File Search?
The first step to adding cloud service information into Forensic File Search is called initial extraction. This is where Code42 scans the cloud service to get baseline information on your environment. How long this step takes depends on how many files are in your cloud service environment.

For most environments, this step takes about 24 hours. Once the initial extraction is complete, it takes about 20 minutes for a new event to appear in search results.

Next Steps

Now that you have added OneDrive as a data source for Forensic File Search, learn more about:

Upload a .csv file

If you select Specific Users or Groups and click Upload .CSV file, you must upload a .csv file that lists OneDrive users or groups you want to monitor.

General considerations for uploading a .csv file:

  • The .csv file is limited to 1,000 entries.
  • Uploading a new .csv replaces the existing list of people or groups being monitored.

Upload a .csv file listing OneDrive users

To export a list of all OneDrive users to a .csv file, see the Microsoft documentation. You can also use PowerShell or Active Directory to obtain a user list and place it in a .csv file. Create a .csv file from this list that contains only the groups you want to monitor.

For users with email addresses, Code42 reads usernames from column headers labeled Email Address, Email, OwnerPrincipalName, or UserPrincipalName in the .csv file. For users without email addresses, Code42 reads usernames from column headers labeled DisplayName or Owner in the .csv file. If no valid username entries are found for a user in the .csv file, the upload produces an error.

Upload a .csv file listing OneDrive groups

See Microsoft documentation for information about OneDrive groups. Create a .csv file that contains only the groups you want to monitor. Code42 reads the names of groups from the column header labeled Display Name or Groups in the .csv file. If neither of these column headers are specified, the upload produces an error.

The OneDrive group list supports all Office 365 group types:

  • Office 365 Group
  • Security Group
  • Mail-Enabled Security Group
  • Distribution Groups

When a group name is provided, Code42 attempts to look up users with the specified group name from the .csv file. If the group name cannot be found, Code42 proceeds to the next group. Code42 looks for that group again every 24 hours.

As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly. Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic File Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file. Groups that are nested in a monitored group will also be monitored.  

OneDrive permissions 

Forensic File Search collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are: 

  • Directory.Read.All
  • Files.Read.All

This set of permissions means Code42 has read-only access to metadata for files, users, and drives within your cloud service environment. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.

More information on file activity 
For more information on the specific metadata and file events collected and stored by Forensic File Search, see the Forensic File Search reference guide