
Who is this article for?
Find your product plan in the Code42 console on the Account menu.

  • Incydr Professional, Enterprise, and Gov F2: Incydr Professional and Enterprise, yes.
  • Incydr Basic, Advanced, and Gov F1: Incydr Basic and Advanced, yes.
  • Other product plans: Other product plans, yes. CrashPlan Cloud, no. CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.


Allow Code42 access to OneDrive


Overview

To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Microsoft OneDrive for Business.

When you add Microsoft OneDrive for Business as a data connection, you are required to authorize Code42 using your global administrator account in OneDrive for Business. Once authorized, we monitor your organization's OneDrive environment for information about when a user: 

  • Creates or uploads a file
  • Shares a link to a file
  • Shares a file directly with users inside or outside your organization
  • Deletes a file
  • Modifies a file's contents, name, or location

This article explains how to add OneDrive for Business as a data connection, as well as why Code42 requires this level of access. 

Considerations

The following considerations apply to OneDrive. See also the considerations applicable to all cloud storage environments.

  • Code42 attempts to use the UserPrincipalName in OneDrive when displaying user information in Forensic Search. If this attribute in Azure is not an email address, trusted domains do not work as expected.
  • Microsoft OneDrive limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Microsoft to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring access to OneDrive. Consider allowing access to OneDrive when you have decreased activity in your environment.
  • Because Code42 prioritizes file-based monitoring, detection of sharing permissions changes to folders in OneDrive may be delayed.

Monitoring and alerting tools may report download activity
Code42 temporarily streams files from your cloud storage or email service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts.

Code42 never stores file contents or writes them to disk during this process.

A single file event in Forensic Search may represent more than one action in cloud storage
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Code42. After detecting activity, Code42 makes a best effort to interpret the user's actions on a file in cloud storage. Code42 may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.

Throttling of API requests by the cloud storage vendor can also slow Code42's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Code42's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.

Supported Microsoft product plans

Code42 can only connect to your OneDrive environment when supported by your Microsoft product plan. The following plans allow third-party applications to connect to your environment.

OneDrive cloud storage and 365 Business plans:
  • OneDrive for Business (Plan 1)
  • OneDrive for Business (Plan 2)
  • Microsoft 365 Business Basic
  • Microsoft 365 Business Standard
  • Microsoft 365 Business Premium
  • Microsoft 365 Apps (for business)

Microsoft Enterprise plans:
  • Microsoft 365 Apps for enterprise
  • Microsoft Office 365 E1
  • Microsoft Office 365 E3
  • Microsoft Office 365 E5

Connect to OneDrive for Business

Connecting Code42 to your OneDrive environment is a two-step process:

  1. Verify that audit is enabled in your Microsoft environment.
    Code42 monitoring requires that audit is enabled
    Audit must be enabled in your Microsoft environment in order for Code42 to be able to monitor file activity in OneDrive. If audit is not enabled, Code42 cannot collect data and no file events are displayed in Forensic Search.

    If you have one of the Microsoft business product plans, you may need to enable audit in your environment before connecting with Code42. Unless it has previously been disabled, customers with a Microsoft enterprise product plan may already have audit enabled by default.

  2. Authorize Code42's connection to OneDrive.

Step 1: Verify audit is enabled for OneDrive

  1. Sign in to the Microsoft 365 compliance center using your Microsoft global administrator username and password.
  2. Click Show all in the left navigation pane, then click Audit.
    If audit is not enabled in your environment, the banner at the top of the Search tab prompts you to start recording user and admin activity. This banner does not appear if audit is already enabled.
  3. If prompted, click the banner at the top of the Search tab to enable audit.
    The banner updates to indicate that audit is enabled and you can search for user and admin activity within 24 hours.

Step 2: Authorize the Code42 connection

  1. Sign in to the Code42 console. 
  2. Select Administration > Integrations > Data Connections.
  3. Click Add Data Connection.
    The Add Data Connection dialog displays.
  4. From Data Connection, select Microsoft OneDrive for Business under Cloud Storage.
  5. Enter a display name. This name must be unique.
  6. Code42 prompts you to verify that audit is enabled in your Microsoft environment. You completed this verification in step 1, so click Continue.
  7. Select the scope of users in your OneDrive environment to monitor:
  8. Click Authorize.
    The Microsoft OneDrive for Business sign in screen appears.
  9. Enter your OneDrive administrator credentials. 
  10. Review the terms and agreements, and click Accept. 
    Microsoft OneDrive is added as a data connection and Code42 begins the initial indexing process.
    Permissions can be delayed in Microsoft Azure
    The permissions you accept during the authorization process can take up to 1 hour to flow through your Microsoft Azure environment. During this time, Code42 may report an error with the new connection in the Data Connections list. This error clears automatically as soon as Code42 is able to access the Microsoft audit log.

Next Steps

Now that you have added OneDrive as a data connection, learn more about:

Upload a .csv file

If you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists OneDrive users or groups you want to monitor.

General considerations for uploading a .csv file:

  • The .csv file is limited to 1,000 entries.
  • Uploading a new .csv replaces the existing list of people or groups being monitored.

Upload a .csv file listing OneDrive users

To export a list of all OneDrive users to a .csv file, see the Microsoft documentation. You can also use PowerShell or Active Directory to obtain a user list and place it in a .csv file. Create a .csv file from this list that contains only the users you want to monitor.

In the .csv file, you can specify either email addresses or display names to identify the users to monitor in your OneDrive environment.

If no valid username entries are found for a user in the .csv file or an invalid column header label is present, the upload produces an error.

Upload a .csv file listing OneDrive groups

To create a OneDrive group, see the Microsoft documentation. The OneDrive group list supports all Office 365 group types:

  • Office 365 Group
  • Security Group
  • Mail-Enabled Security Group
  • Distribution Groups

To monitor users in OneDrive groups, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.

If the .csv file does not contain at least one of these column headers, the upload produces an error.

Code42 looks for users associated with OneDrive groups as follows:

  • When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
  • If neither the group name nor the email address can be found in OneDrive, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group name or email address again every 8 hours.

As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.

Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.

Groups that are nested in a monitored group are also monitored.  
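As an added example (not Code42's own code or tooling), the following Python checks a users or groups scoping .csv against the constraints described in the two sections above before it is uploaded: the 1,000-entry limit, the header check, and the requirement that at least one usable identifier is present. The column header labels and the sample rows are assumptions, since the article does not list the exact labels the dialog accepts.

```python
import csv
import io
import re

# The article states the limits but not the exact header labels, so the labels
# here are ASSUMPTIONS for this example; use the labels Code42's dialog expects.
USER_HEADERS = {"email", "display_name"}
GROUP_HEADERS = {"group_name", "group_email"}
EMAIL_COLUMNS = {"email", "group_email"}
MAX_ENTRIES = 1000  # ".csv file is limited to 1,000 entries"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: a valid address, a malformed address whose display name
# is still usable, and an empty row that contributes nothing.
SAMPLE_USERS = "email,display_name\nalice@example.com,Alice Example\nnot-an-address,Bob Example\n,\n"


class CsvValidationError(ValueError):
    """Raised for the conditions the article says make the upload fail."""


def validate_scope_csv(text, kind):
    """Check a "users" or "groups" scoping .csv before uploading it.

    Returns the (column, value) identifiers Code42 would look up, in file order
    without duplicates: per row the first non-empty column wins, and an address
    column only counts when the value parses as an address. Raises
    CsvValidationError for an unrecognised header, no usable entry, or too many.
    """
    allowed = USER_HEADERS if kind == "users" else GROUP_HEADERS
    reader = csv.DictReader(io.StringIO(text))
    headers = [h.strip() for h in (reader.fieldnames or [])]
    if not headers:
        raise CsvValidationError("file has no header row")
    unknown = set(headers) - allowed
    if unknown:
        raise CsvValidationError(f"invalid column header(s): {sorted(unknown)}")

    identifiers = []
    for row in reader:
        for raw_col, col in zip(reader.fieldnames, headers):
            value = (row.get(raw_col) or "").strip()
            if not value or (col in EMAIL_COLUMNS and not EMAIL_RE.match(value)):
                continue  # empty cell or malformed address: try the next column
            if (col, value) not in identifiers:
                identifiers.append((col, value))
            break
    if not identifiers:
        raise CsvValidationError("no valid entries found")
    if len(identifiers) > MAX_ENTRIES:
        raise CsvValidationError(f"{len(identifiers)} entries exceed the limit of {MAX_ENTRIES}")
    return identifiers
```

Remember that uploading a new file replaces the existing monitored list, so validate the complete list, not just the additions.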

OneDrive permissions 

Code42 collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are: 

  • Directory.Read.All
  • Files.Read.All
  • ActivityFeed.Read

This set of permissions means Code42 has read-only access to metadata for files, users, and drives within that cloud storage environment. In other words, Code42 cannot make changes to your cloud storage. In addition, Code42 does not monitor the contents of those files, and does not back up files in the cloud storage.

More information on file activity
For more information on the specific metadata and file events visible in Forensic Search, see the Forensic Search reference guide.

Troubleshooting

Microsoft Audit Log is inaccessible

If audit is not enabled (or has been disabled) in your Microsoft environment, the Code42 connection enters an Error status and this error message appears in the details for that data connection:

The Microsoft Audit Log is inaccessable. Re-enable the audit log in Microsoft 365 Compliance Center to return this data connection to monitoring.

To resolve the error, enable audit in your Microsoft environment. After you enable audit, Code42 detects the change and returns the connection to the Monitoring status within 24 hours.

Code42 monitoring requires that audit is enabled
Audit must be enabled in your Microsoft environment in order for Code42 to be able to monitor files shared in your corporate OneDrive cloud storage or email attachments sent from your corporate Microsoft Office email accounts. If audit is not enabled, Code42 cannot collect data and no file events appear in Forensic Search.

If you have one of the Microsoft business product plans, you may need to enable audit in your environment before connecting with Code42. Unless it has previously been disabled, customers with a Microsoft enterprise product plan may already have audit enabled by default.

The Code42 application does not have the right permissions

If the connection has been deauthorized in Code42, or if the Code42 application has been removed from your Microsoft Azure environment, the Code42 connection enters an Error status and this error message appears in the details for that data connection:

The Code42 enterprise application in your Microsoft Azure account does not have the right permissions or has been deleted. Deauthorize this data connection and set up a new data connection.

To troubleshoot this error, verify whether the Code42 application exists in Microsoft Azure.

Verify the Code42 application exists in Microsoft Azure

  1. Log in to portal.azure.com.
  2. Click Azure Active Directory.
  3. Click Enterprise Applications.
  4. In the Enterprise applications list, look for an application with a name starting with "Code42."
    • For OneDrive, look for the "Code42 Cloud Services" enterprise application.
    • For Microsoft Office 365 email, look for the "Code42 Email Data Connector" enterprise application.
  5. If the Code42 application is listed, continue to the next section to grant admin consent to reset its permissions. If it is not listed, deauthorize the connection in the Code42 console and set up a new data connection.

If the Code42 application exists in Microsoft Azure, follow these steps to grant admin consent to reset its permissions:

  1. Click the application name in the Enterprise applications list to open its details.
  2. Under Security in the left navigation pane, click Permissions.
  3. Click Grant admin consent for Code42 to reset the application's permissions to those required for monitoring.
    After you grant the application permissions, Code42 detects the change and returns the connection to the Monitoring status within 24 hours. You have resolved the error and are finished with troubleshooting.
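An added example, not Code42's or Microsoft's code, that serves both the permission list under OneDrive permissions and the admin-consent check above: it resolves an enterprise application's appRoleAssignment objects to permission names and compares them with the documented read-only set, reporting what is missing (the likely cause of the "does not have the right permissions" error) and what exceeds it. The ids and service principal objects are constructed placeholders shaped like Microsoft Graph responses, and the Write-in-name heuristic is an assumption.

```python
# Application permissions the article says Code42 requests. The first two are
# Microsoft Graph permissions; ActivityFeed.Read is defined by the Office 365
# Management APIs resource, so the check has to span both resources.
REQUIRED = {"Directory.Read.All", "Files.Read.All", "ActivityFeed.Read"}

# Constructed sample with placeholder ids (not real Graph GUIDs), shaped like
# GET /servicePrincipals/{id} and .../appRoleAssignments responses.
RESOURCE_SPS = {
    "sp-graph": {"displayName": "Microsoft Graph", "appRoles": [
        {"id": "role-dir-read", "value": "Directory.Read.All"},
        {"id": "role-files-read", "value": "Files.Read.All"},
        {"id": "role-files-rw", "value": "Files.ReadWrite.All"},
    ]},
    "sp-o365mgmt": {"displayName": "Office 365 Management APIs", "appRoles": [
        {"id": "role-feed-read", "value": "ActivityFeed.Read"},
    ]},
}
# What the enterprise application holds in this sample: one documented
# permission is missing and a broader ReadWrite role was granted instead.
ASSIGNMENTS = [
    {"appRoleId": "role-dir-read", "resourceId": "sp-graph"},
    {"appRoleId": "role-files-rw", "resourceId": "sp-graph"},
    {"appRoleId": "role-feed-read", "resourceId": "sp-o365mgmt"},
]


def resolve_app_roles(assignments, resource_sps):
    """Translate appRoleAssignment objects into permission names.

    Names live in the resource service principal's appRoles list; ids that
    cannot be resolved are kept as "unknown:<id>" rather than dropped.
    """
    lookup = {
        (sp_id, role["id"]): role["value"]
        for sp_id, sp in resource_sps.items()
        for role in sp.get("appRoles", [])
    }
    return {
        lookup.get((a["resourceId"], a["appRoleId"]), f"unknown:{a['appRoleId']}")
        for a in assignments
    }


def review_permissions(granted):
    """Return (missing, extra, write_capable) against the documented set.

    A missing entry explains the "does not have the right permissions"
    error; extra or write-capable entries exceed what the article describes.
    """
    missing = sorted(REQUIRED - granted)
    extra = sorted(granted - REQUIRED)
    # Assumption: Microsoft permission names that can change data carry "Write".
    write_capable = sorted(p for p in granted if "Write" in p)
    return missing, extra, write_capable
```

Feed it the real objects from the Permissions blade or a Graph query for the Code42 service principal; an empty triple means the grant matches the documented read-only scope.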

If the app doesn't exist, deauthorize the connection in Code42 and set up a new one

If the Code42 application does not exist in Microsoft Azure, set up a new Code42 connection to your Microsoft environment.

  1. Sign in to the Code42 console.
  2. Select Administration > Integrations > Data Connections.
  3. Locate the service to deauthorize in the table, then click View details.
  4. Click Deauthorize.
  5. Set up a new Code42 OneDrive cloud storage or Microsoft Office 365 email service connection using your Microsoft 365 administrator credentials.

There is an issue with the connection

Other issues—such as a change in your administrator credentials—can cause the Code42 connection to enter an Error status. When such unknown errors occur, the following error message appears in the Code42 details for that data connection:

There was an issue with the connection to <data connection>. Deauthorize <data connection> and set up a new data connection to resolve the issue, or contact Code42 for support.

To resolve this error:

  1. Deauthorize the data connection.
  2. Remove Code42's access in the email service environment:
  3. Set up a new Code42 data connection using your Google or Microsoft 365 administrator credentials.

If these steps don't resolve your error, contact our Customer Champions for support.

Maximum user drive number exceeded

Code42 can monitor a maximum number of drives in your cloud storage environment, depending on vendor:

  • Box and Microsoft OneDrive: 500,000 drives
  • Google Drive: 55,000 drives

If Code42 detects more than the maximum number of drives, the following error appears at the top of the Data Connections screen: "The number of supported user drives (<DriveMaximum>) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than <DriveMaximum> drives."


If you receive this message:

  1. Deauthorize the cloud storage data connection.
  2. Resume monitoring the cloud storage data connection.
    You are prompted to set up the cloud storage data connection again.
  3. In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the maximum limit.

Data connection is already registered or the email address is not valid

You can authorize a Microsoft 365 account in Code42 only once as a cloud storage data connection (to monitor file movement in OneDrive Drive locations) and once as an email service (to monitor file attachments sent outside your company).

When you attempt to register the same Microsoft 365 account for multiple cloud storage or email services, the following message appears: “This data connection has already been registered or the email address is not valid for this domain.” This message appears when you attempt to register the same account:

  • For more than one cloud storage or email service in the same Code42 environment.
  • In a second Code42 environment after first registering that account in a different Code42 environment.

To resolve the issue:

  • Verify the Code42 environment with which the Microsoft 365 account has been registered. To register the Microsoft 365 account with a different Code42 environment, first deauthorize it in the Code42 environment where it is currently registered.
  • Verify that the account has been added only once as a cloud storage data connection or only once as an email service.
  • Consider creating another Microsoft 365 account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Microsoft 365 accounts as Code42 data connections as long as the accounts are not associated in any way.

Reconfigure scoping for user and group monitoring

If needed, you can reconfigure the cloud storage's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

  1. Deauthorize the cloud storage connection.
    You do not need to remove the Code42 application from the cloud storage environment. The app registration remains valid even if it is deauthorized.
  2. Resume monitoring the cloud storage connection.
    You are prompted to set up the cloud storage connection again.
  3. In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.