Skip to main content

Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional and Enterprise
Incydr Basic and Advanced
Other product plans

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, no.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Allow Code42 access to Microsoft Office 365 email (non-DLP)

Overview

To help protect you from data loss, you can use Code42 to investigate attachments sent through users' Microsoft Office 365 Outlook email accounts. 

When you add Microsoft Office 365 as a data connection, you must authorize Code42 as a registered client API using your administrator account. Once connected, Code42 monitors your organization's email environment from that point forward to collect information about all attachments emailed by monitored users. That attachment file information then becomes available in Forensic Search for investigation.   

This article explains how to add Microsoft Office 365 email as a data connection.

Considerations

The following considerations apply to the Microsoft Office 365 connection. See also the considerations applicable to all email services.

  • Like the Microsoft OneDrive data connection, Code42's Microsoft Office 365 email requires that audit is enabled in your environment.
  • Code42 can only monitor email attachments sent by Microsoft Office 365 users who have a subscription that includes Advanced Audit. See the Microsoft documentation for more information on Advanced Audit and how to assign users the appropriate license or add-on license. You can also use the tools in the Microsoft 365 admin center to view an individual user's licensing or export a list of users who have a specific license.
  • Administrators do not need to have a subscription that includes Advanced Audit to authorize the Code42 connection. However, if you also want to monitor any email attachments that these administrators send in that environment, then the same subscription requirements apply.

Connect to Microsoft Office 365 email

Connecting Code42 to your Microsoft Office 365 email environment is a two-step process:

  1. Verify that audit is enabled in your Microsoft environment.
    Code42 monitoring requires that audit is enabled
    Audit must be enabled in your Microsoft environment in order for Code42 to be able to monitor email attachments sent from your corporate Microsoft Office email accounts. If audit is not enabled, Code42 cannot collect data and no file events are displayed in Forensic Search.

    If you have one of the Microsoft business product plans, you may need to enable audit in your environment before connecting with Code42. Unless it has previously been disabled, customers with a Microsoft enterprise product plan may already have audit enabled by default.

  2. Authorize Code42's connection to Microsoft Office 365 email.

Step 1: Verify audit is enabled for Microsoft Office 365 email

  1. Sign in to the Microsoft 365 compliance center using your Microsoft global administrator username and password.
  2. Under Solutions in the left navigation pane, click Audit. You may need to click Show all to view Audit in the navigation list.
    If audit is not enabled in your environment, the banner at the top of the Search tab prompts you to start recording user and admin activity. This banner does not appear if audit is already enabled.
    Enable audit in Microsoft Office 365
  3. If prompted, click the banner at the top of the Search tab to enable audit.
    The banner updates to indicate that audit is enabled and you can search for user and admin activity within 24 hours.

Step 2: Authorize the Code42 connection

  1. Sign in to the Code42 console
  2. Select Administration > Integrations > Data Connections.
  3. Click Add Data Connection.
    The Add Data Connection dialog displays.
  4. From Data Connection, select Microsoft Office 365 under Email Services. 
  5. Enter a display name. This name must be unique.
  6. Click Authorize.
    The Microsoft Office 365 sign in screen appears.
  7. Enter your Microsoft Office 365 administrator credentials. 
  8. Review the terms and agreements, including the requested Office 365 email permissions, and click Accept.
    Microsoft Office 365 is added as an email data connection.
    Permissions can be delayed in Microsoft Azure
    The permissions you accept during the authorization process can take up to 1 hour to flow through your Microsoft Azure environment. During this time, Code42 may report an error with the new connection in the Data Connections list. This error clears automatically as soon as Code42 is able to access the Microsoft audit log.

The next time that an attachment is emailed by a user with the required license, information about that file is recorded as an event by Code42. For details, see Attachment metadata below.

Next Steps

Now that you have added Microsoft Office 365 as a data connection, learn more about:

Attachment metadata

Once you complete authorization, information about email attachments becomes available in Code42 Forensic Search. When an attachment is emailed by a user with the required license, information about that attachment is sent to Code42. This attachment information includes the following:

  • Filename
  • Hash, when available
  • Email address of the sender and recipients 
Forensic Search timing
Email attachment information typically becomes available in Forensic Search results within 30 minutes, but may take longer in some cases.

The Date Observed for the event indicates the date and time the attachment was emailed through Microsoft Office 365, not when the file event appeared in Code42. 
More information on file activity
For more information on the specific metadata and file events visible in Forensic Search, see the Forensic Search reference guide.

Required permissions 

User subscription requirements

Due to permissions, Code42 can only monitor email accounts in your environment with an assigned subscription that includes Advanced Audit. After you authorize the connection to your email environment, Code42 scans all users to identify who has a subscription that includes Advanced Audit. Only the emails sent by those users are monitored for attached files. 

You can use tools in the Microsoft 365 admin center to view an individual user's licensing or export a list of users who have a specific license.

Advanced audit is included in these Microsoft subscriptions:

  • Microsoft 365 Enterprise E5, A5, and G5
  • Office 365 Enterprise E5 and A5

Advanced audit is also available in the Microsoft 365 E5 Compliance or Microsoft 365 E5 eDiscovery and Audit add-ons for other E3 or A3 subscriptions. See the Microsoft documentation for more information on Advanced Audit and how to assign users the appropriate license or add-on license.

Code42 connection permission requirements

When a user with the required subscription emails an attachment, Code42 collects information about the attached file along with the sender and recipients for the email.

To see this file activity, Code42 requires access to your Office 365 email environment. The Office 365 email permissions we request are:

  • ActivityFeed.Read
  • Files.Read.All
  • Mail.Read
  • Mail.ReadBasic
  • User.Read

This set of permissions means Code42 has read-only access to metadata for emails, attached files, and users within that email service. In other words, Code42 cannot make changes to the emails, data, or users in your email environment. In addition, Code42 does not monitor the contents of those files, and does not back up files in the email service.

More information on file activity
For more information on the specific metadata and file events visible in Forensic Search, see the Forensic Search reference guide.

Troubleshooting

Microsoft Audit Log is inaccessible

If audit is not enabled (or has been disabled) in your Microsoft environment, the Code42 connection enters an Error status and this error message is displayed in the Code42 Microsoft Office 365 email service connection details:

The Microsoft Audit Log is inaccessable. Re-enable the audit log in Microsoft 365 Compliance Center to return this data connection to monitoring.

To resolve the error, enable audit in your Microsoft environment. After you enable audit, Code42 detects the change and returns the connection to the Monitoring status within 24 hours.

Code42 monitoring requires that audit is enabled
Audit must be enabled in your Microsoft environment in order for Code42 to be able to monitor email attachments sent from your corporate Microsoft Office email accounts. If audit is not enabled, Code42 cannot collect data and no file events are displayed in Forensic Search.

If you have one of the Microsoft business product plans, you may need to enable audit in your environment before connecting with Code42. Unless it has previously been disabled, customers with a Microsoft enterprise product plan may already have audit enabled by default.

The Code42 application does not have the right permissions

If the connection has been deauthorized in Code42, or if the Code42 application has been removed from your Microsoft Azure environment, the Code42 connection enters an Error status and this error message is displayed in the Code42 Microsoft Office 365 email service connection details:

The Code42 enterprise application in your Microsoft Azure account does not have the right permissions or has been deleted. Deauthorize this data connection and set up a new data connection.

Troubleshooting this error is a multi-step process:

  1. Verify that the Code42 application exists in Microsoft Azure.
  2. If the Code42 application still exists, grant admin consent to reset its permissions.
  3. If the Code42 application no longer exists, deauthorize the connection in Code42 and set up a new Microsoft Office 365 email connection.

Verify the Code42 application exists in Microsoft Azure

  1. Log in to portal.azure.com.
  2. Click Azure Active Directory.
  3. Click Enterprise Applications.
  4. In the Enterprise applications list, look for an application with a name starting with "Code42 Email Data Connector."

Grant admin consent to the Code42 application in Microsoft Azure

If the Code42 email service application exists in Microsoft Azure, follow these steps to grant admin consent to reset its permissions:

  1. If the Code42 email service application exists in Microsoft Azure, click the application name in the Enterprise applications list to open its details.
  2. Under Security in the left navigation pane, click Permissions.
  3. Click Grant admin consent for Code42 to reset the application's permissions to those required for monitoring.
    After you grant the application permissions, Code42 detects the change and returns the connection to the Monitoring status within 24 hours. You have resolved the error and are finished with troubleshooting.

In Code42, deauthorize the connection and set up a new one

If the Code42 email service does not exist in Microsoft Azure, set up a new Code42 connection to your Microsoft Office 365 environment.

  1. Sign in to the Code42 console.
  2. Select Administration > Integrations > Data Connections
  3. Locate the service to deauthorize in the table, then click View details View details.
  4. Click Deauthorize.
  5. Set up a new Code42 Microsoft Office 365 Email connection using your Microsoft Office 365 administrator credentials.

There is an error with the connection

Other issues - such as a change in your Microsoft Office 365 administrator credentials - can cause the Code42 connection to enter an Error status. When such unknown errors occur, this error message is displayed in the Code42 Microsoft Office 365 email service connection details:

There was an issue with the connection to <Display Name>. Deauthorize and resume monitoring Display Name> to resolve the issue, or contact Code42 for support.

To resolve this error:

  1. Deauthorize the Microsoft Office 365 email service connection.
  2. Remove Code42's access in your Microsoft Office 365 environment by deleting the Code42 application from your Microsoft Azure environment.
  3. Set up a new Code42 Microsoft Office 365 Email connection using your Microsoft Office 365 administrator credentials.
    If these steps don't resolve your error, contact your Code42 Customer Champion.

Data connection is already registered or the email address is not valid

You can authorize a Microsoft 365 account in Code42 only once as a cloud storage data connection (to monitor file movement in OneDrive Drive locations) and once as an email service (to monitor file attachments sent outside your company).

When you attempt to register the same Microsoft 365 account for multiple cloud storage or email services, the following message appears: “This data connection has already been registered or the email address is not valid for this domain.” This message appears when you attempt to register the same account:

  • For more than one cloud storage or email service in the same Code42 environment.
  • In a second Code42 environment after first registering that account in a different Code42 environment.

To resolve the issue:

  • Verify the Code42 environment with which the Microsoft 365 account has been registered. To register the Microsoft 365 account with a different Code42 environment, first deauthorize it in the Code42 environment where it is currently registered.
  • Verify that the account has been added only once as a cloud storage data connection or only once as an email service.
  • Consider creating another Microsoft 365 account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Microsoft 365 accounts as Code42 data connections as long as the accounts are not associated in any way.

No file events in Forensic Search

If file events aren't appearing for email attachments in Forensic Search, verify that:

  • Users have the required Microsoft or Office 365 subscription.

    Code42 can only monitor email attachments that are sent by users who have specific Office 365 subscriptions. After you authorize the connection, Code42 identifies the users in your Microsoft environment that have both:

    • An email account
    • The required subscription to be monitored

    If file events aren't appearing in Forensic Search as expected, verify that the email users in your Microsoft environment:

    • Have an email account
    • Are active users
    • Have been assigned the correct Microsoft or Office O365 subscriptions.

    You can use tools in the Microsoft 365 admin center to view an individual user's licensing or export a list of users who have a specific license.

  • The Microsoft Office 365 email service has not been deauthorized in Code42.

    Deauthorizing an email service in Code42 prevents Forensic Search from accessing or displaying that data. If the connection no longer exists in either your Code42 or Microsoft Office 365 environment, you need to re-add Microsoft Office 365 as an email data connection for Code42.

  • Was this article helpful?