Allow Code42 access to OneDrive
Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Microsoft OneDrive for Business.
When you add Microsoft OneDrive for Business as a data connection, you are required to authorize Code42 using your global administrator account in OneDrive for Business. Once authorized, we monitor your organization's OneDrive environment for information about when a user:
This article explains how to add OneDrive for Business as a data connection, as well as why Code42 requires this level of access.
Considerations
- You must be licensed for the Microsoft OneDrive cloud service. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email csmsupport@code42.com and we will connect you.
- To allow Code42 access to OneDrive, you must be a global administrator.
- Once authorized, Code42 has access to metadata on users, files, and drives. Learn more about what Code42 monitors.
- The maximum number of user drives that can be monitored in Code42 is 55,000.
- Code42 attempts to use the UserPrincipalName in OneDrive when displaying user information in Forensic Search. If this attribute in Azure is not an email address, trusted domains do not work as expected.
- Code42 does not store information about the administrator account used for authentication. The administrator who authorizes the OneDrive cloud service is solely granting permission for Code42 to read specific data in your OneDrive account.
- If you would like to revoke Code42's access to your OneDrive environment, you need to deauthorize it in Code42 and then remove the Code42 application permissions within your Azure portal.
- Cloud service connections are not available in the Code42 federal environment.
- Microsoft OneDrive limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Microsoft to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring access to OneDrive. Consider allowing access to OneDrive when you have decreased activity in your environment.
- Because Code42 prioritizes file-based monitoring, detection of sharing permissions changes to folders in OneDrive may be delayed.
Before you begin
Enable File Metadata Collection before adding Microsoft OneDrive for Business as a cloud service connection.
Connect to OneDrive for Business
- Sign in to the Code42 console.
- Select Administration > Integrations > Data Connections.
- Click Add Data Connection.
The Add Data Connection dialog displays.
- From Data Connection, select Microsoft OneDrive for Business under Cloud Services.
- Enter a display name. This name must be unique.
- Select one of the following options:
  - All: Monitors all OneDrive users in your environment.
  - Specific Users: Monitors only the OneDrive users you designate.
    - Click Upload .CSV File.
    - Select a .csv file containing a list of only those OneDrive users you want to monitor. For details, see Upload a .csv file listing OneDrive users below.
  - Specific Groups: Monitors only the users in the OneDrive groups you designate.
    - Click Upload .CSV File.
    - Select a .csv file containing a list of OneDrive groups whose users you want to monitor. For details, see Upload a .csv file listing OneDrive groups below.
- Click Authorize.
The Microsoft OneDrive for Business sign-in screen appears.
- Enter your OneDrive administrator credentials.
- Review the terms and agreements, and click Accept.
Microsoft OneDrive is added as a data connection and Code42 begins the initial indexing of information. For details, see Initial indexing below.
Next Steps
Now that you have added OneDrive as a data connection, learn more about:
- Common use cases for investigating security incidents with Forensic Search
- How to use Forensic Search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.
Upload a .csv file
If you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists OneDrive users or groups you want to monitor.
General considerations for uploading a .csv file:
- The .csv file is limited to 1,000 entries.
- Uploading a new .csv replaces the existing list of people or groups being monitored.
Upload a .csv file listing OneDrive users
To export a list of all OneDrive users to a .csv file, see the Microsoft documentation. You can also use PowerShell or Active Directory to obtain a user list and place it in a .csv file. Create a .csv file from this list that contains only the users you want to monitor.
For users with email addresses, Code42 reads usernames from column headers labeled Email Address, Email, OwnerPrincipalName, or UserPrincipalName in the .csv file. For users without email addresses, Code42 reads usernames from column headers labeled DisplayName or Owner in the .csv file. If no valid username entries are found for a user in the .csv file, the upload produces an error.
Upload a .csv file listing OneDrive groups
To create a OneDrive group, see the Microsoft documentation. The OneDrive group list supports all Office 365 group types:
- Office 365 Group
- Security Group
- Mail-Enabled Security Group
- Distribution Groups
To monitor users in OneDrive groups, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.
- Code42 reads the display name of groups from the column header labeled Display Name or Groups. In the .csv file, specify this name exactly as it appears in OneDrive or Azure Active Directory.
- Alternately, Code42 reads the email addresses of a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group.
If the .csv file does not contain at least one of these column headers, the upload produces an error.
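As an added illustration (not Code42's own upload logic), the Python checker below applies the column-header rules described above for both the Specific Users list and the Specific Groups list, together with the 1,000-entry limit, so a file can be sanity-checked before it is uploaded. It also lists user entries that are not email-shaped, since the Considerations section notes that trusted domains do not work as expected when the UserPrincipalName is not an email address. The sample .csv contents are constructed; the order in which headers are tried and the skipping of entirely blank group rows are assumptions, not something the article states.

```python
import csv
import io

# Limit stated in the article: a .csv upload may hold at most 1,000 entries.
MAX_ENTRIES = 1000

# Column headers the article says Code42 reads. The order tried here is an assumption.
USER_EMAIL_HEADERS = ("Email Address", "Email", "OwnerPrincipalName", "UserPrincipalName")
USER_NAME_HEADERS = ("DisplayName", "Owner")
GROUP_NAME_HEADERS = ("Display Name", "Groups")
GROUP_EMAIL_HEADERS = ("Email", "Email Address")


class CsvListError(ValueError):
    """Raised for a file the article says the upload would reject."""


def _read_rows(text):
    """Parse CSV text into (header list, row dicts), enforcing the entry limit."""
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames is None:
        raise CsvListError("file is empty")
    headers = [h.strip() for h in reader.fieldnames]
    rows = []
    for row in reader:
        # Re-key on stripped headers so "Email " and "Email" both match; drop overflow cells (key None).
        rows.append({k.strip(): v for k, v in row.items() if k is not None})
    if len(rows) > MAX_ENTRIES:
        raise CsvListError(f"{len(rows)} entries exceeds the {MAX_ENTRIES}-entry limit")
    return headers, rows


def _first_value(row, headers):
    """Return the first non-blank cell among the given headers, else None."""
    for h in headers:
        value = row.get(h)
        if value and value.strip():
            return value.strip()
    return None


def validate_user_list(text):
    """Return the usernames read from a Specific Users .csv.

    Email-style headers are tried before DisplayName/Owner. A row with no
    usable value in any recognised column is an error, matching the article's
    statement that the upload fails when no valid username entry is found.
    """
    headers, rows = _read_rows(text)
    if not any(h in headers for h in USER_EMAIL_HEADERS + USER_NAME_HEADERS):
        raise CsvListError(f"no recognised username column in {headers}")
    users = []
    for line_no, row in enumerate(rows, start=2):  # line 1 is the header row
        value = _first_value(row, USER_EMAIL_HEADERS) or _first_value(row, USER_NAME_HEADERS)
        if value is None:
            raise CsvListError(f"line {line_no}: no valid username entry")
        users.append(value)
    return users


def non_email_entries(users):
    """Entries that are not email-shaped; worth reviewing because trusted domains
    rely on the UserPrincipalName being an email address."""
    return [u for u in users if "@" not in u]


def validate_group_list(text):
    """Return the group lookup keys read from a Specific Groups .csv.

    Each entry carries a display name, an email address, or both. The file
    must contain at least one recognised header; rows that are entirely blank
    are skipped (assumption, the article does not cover that case).
    """
    headers, rows = _read_rows(text)
    if not any(h in headers for h in GROUP_NAME_HEADERS + GROUP_EMAIL_HEADERS):
        raise CsvListError(f"no recognised group name or email column in {headers}")
    groups = []
    for row in rows:
        entry = {
            "name": _first_value(row, GROUP_NAME_HEADERS),
            "email": _first_value(row, GROUP_EMAIL_HEADERS),
        }
        if entry["name"] or entry["email"]:
            groups.append(entry)
    return groups


# Constructed sample files (not from the article) exercising the header rules.
SAMPLE_USERS_CSV = """UserPrincipalName,DisplayName
alice@example.com,Alice Example
,Bob Example
"""

SAMPLE_GROUPS_CSV = """Display Name,Email
Finance Team,finance@example.com
Engineering,
"""

if __name__ == "__main__":
    users = validate_user_list(SAMPLE_USERS_CSV)
    print("users:", users)
    print("non-email entries:", non_email_entries(users))
    print("groups:", validate_group_list(SAMPLE_GROUPS_CSV))
    try:
        validate_user_list("Username\ncarol\n")
    except CsvListError as err:
        print("rejected:", err)
```

Run it against the exported file before uploading; a `CsvListError` points at the header or line the console would reject, and the non-email list shows which accounts may not match your trusted domains in Forensic Search.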
Code42 looks for users associated with OneDrive groups as follows:
- When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
- If neither the group name nor the email address can be found in OneDrive, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 8 hours.
As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.
Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
Groups that are nested in a monitored group are also monitored.
Initial indexing
Once you complete authorization, Code42 starts monitoring your OneDrive environment for file activity right away. At the same time, Code42 begins indexing drives in your OneDrive environment. During this process, Code42 discovers all in-scope drives and indexes all of their files. The time to complete the initial indexing of a drive is directly related to the number of files within the drive, not the size of the files.
As Code42 progresses through initial indexing, information about the drives that Code42 has processed appears under Status on the OneDrive details panel. This status lists the total number of drives in your environment that are being monitored for ongoing activity. It also shows how many of those drives are still being indexed compared to the number that have completed the initial indexing process.
To speed up initial indexing, file hashes are omitted. As a result, the MD5 Hash and SHA256 Hash fields for these files in Forensic Search show the message "Hash Unavailable. File not modified since initial extraction". The files are hashed once new file activity occurs.
Code42 cannot index, discover, or monitor shared libraries in your OneDrive environment. While you can create a shared library within OneDrive, such libraries are actually created as Team Sites in SharePoint. Because Code42 can only monitor drives in OneDrive (and not Team Sites in SharePoint, Teams, or Outlook), any shared libraries in your environment are excluded.
How long does initial indexing take?
The length of time it takes for initial indexing to complete is dependent on the size of your environment.
Because Code42 monitors your environment for activity while indexing users' drives, it detects newly uploaded or created files typically within minutes. It can take up to 20 minutes for file events in your OneDrive environment to appear in search results in Forensic Search or to trigger any alert rules that you have set up. New file events may take up to an hour to appear on the Risk Exposure dashboard or in the User Profile.
Code42 discovers new drives added to your environment within 8 hours and begins indexing them immediately after discovery.
OneDrive permissions
Code42 collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are:
- Directory.Read.All
- Files.Read.All
- ActivityFeed.Read
Troubleshooting
Maximum user drive number exceeded
Data connection is already registered or the email address is not valid
Reconfigure scoping for user and group monitoring
External resources
- Microsoft: Manage sharing in OneDrive and SharePoint
- Microsoft: Microsoft Graph permissions reference