Allow Code42 access to OneDrive

Overview

To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Microsoft OneDrive for Business.

When you add Microsoft OneDrive for Business as a data connection, you are required to authorize Code42 using your global administrator account in OneDrive for Business. Once authorized, we monitor your organization's OneDrive environment for information about when a user:

This article explains how to add OneDrive for Business as a data connection, as well as why Code42 requires this level of access.

Considerations

The following considerations apply to OneDrive. See also the considerations applicable to all cloud services.

Code42 attempts to use the UserPrincipalName in OneDrive when displaying user information in Forensic Search. If this attribute in Azure is not an email address, trusted domains do not work as expected.
Microsoft OneDrive limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Microsoft to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring access to OneDrive. Consider allowing access to OneDrive when you have decreased activity in your environment.
Because Code42 prioritizes file-based monitoring, detection of sharing permissions changes to folders in OneDrive may be delayed.

Supported Microsoft product plans

Code42 can only connect to your OneDrive environment when supported by your Microsoft product plan. The following plans allow third-party applications to connect to your environment.

OneDrive cloud storage and 365 Business plans	Microsoft Enterprise plans
OneDrive for Business (Plan 1) OneDrive for Business (Plan 2) Microsoft 365 Business Basic Microsoft 365 Business Standard Microsoft 365 Business Premium Microsoft 365 Apps (for business)	Microsoft 365 Apps for enterprise Microsoft Office 365 E1 Microsoft Office 365 E3 Microsoft Office 365 E5

Before you begin

Enable File Metadata Collection before adding Microsoft OneDrive for Business as a cloud service connection.

Connect to OneDrive for Business

Connecting Code42 to your OneDrive environment is a two-step process:

Verify that audit log search is enabled in your Microsoft environment.
Code42 monitoring requires audit log search
Audit log search must be enabled in your Microsoft environment in order for Code42 to be able to monitor file activity in OneDrive. If audit log search is not enabled, Code42 cannot collect data and no file events are displayed in Forensic Search.
If you have one of the Microsoft business product plans, you may need to enable audit log search for your environment before connecting with Code42. Unless it has previously been disabled, customers with a Microsoft enterprise product plan may already have audit log search enabled by default.
Authorize Code42's connection to OneDrive.

Step 1: Verify audit log search is enabled for OneDrive

Sign in to the Office 365 Security & Compliance center using your Microsoft global administrator username and password.
Go to Search > Audit log search.
The banner at the top of the screen indicates whether audit log search is enabled in your environment.
If it is not enabled, click Turn on auditing in the banner at the top of the screen to enable audit log search.
The banner updates to indicate that Audit Log search is enabled and you can search for user and admin activity within 24 hours.

Step 2: Authorize the Code42 connection

Sign in to the Code42 console.
Select Administration > Integrations > Data Connections.
Click Add Data Connection.
The Add Data Connection dialog displays.
From Data Connection, select Microsoft OneDrive for Business under Cloud Services.
Enter a display name. This name must be unique.
Code42 prompts you to verify that audit log is enabled in your Microsoft environment. You completed this verification in step 1, so click Continue.
Select the scope of users in your OneDrive environment to monitor:
- All
  Monitors all OneDrive users in your environment.
- Specific Users
  Monitors only the OneDrive users you designate.
  1. Click Upload .CSV File.
  2. Select a .csv file containing a list of only those OneDrive users you want to monitor.
    For details, see Upload a .csv file listing OneDrive users below.
- Specific Groups
  Monitors only the users in the OneDrive groups you designate.
  1. Click Upload .CSV File.
  2. Select a .csv file containing a list of OneDrive groups whose users you want to monitor.
    For details, see Upload a .csv file listing OneDrive groups below.
Click Authorize.
The Microsoft OneDrive for Business sign in screen appears.
Enter your OneDrive administrator credentials.
Review the terms and agreements, and click Accept.
Microsoft OneDrive is added as a data connection and Code42 begins the initial indexing process.

Next Steps

Now that you have added OneDrive as a data connection, learn more about:

Common use cases for investigating security incidents with Forensic Search
How to use Forensic Search
Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.

Upload a .csv file

If you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists OneDrive users or groups you want to monitor.

General considerations for uploading a .csv file:

The .csv file is limited to 1,000 entries.
Uploading a new .csv replaces the existing list of people or groups being monitored.

Upload a .csv file listing OneDrive users

To export a list of all OneDrive users to a .csv file, see the Microsoft documentation. You can also use PowerShell or Active Directory to obtain a user list and place it in a .csv file. Create a .csv file from this list that contains only the users you want to monitor.

For users with email addresses, Code42 reads usernames from column headers labeled Email Address, Email, OwnerPrincipalName, or UserPrincipalName in the .csv file. For users without email addresses, Code42 reads usernames from column headers labeled DisplayName or Owner in the .csv file. If no valid username entries are found for a user in the .csv file, the upload produces an error.

Upload a .csv file listing OneDrive groups

To create a OneDrive group, see the Microsoft documentation. The OneDrive group list supports all Office 365 group types:

Office 365 Group
Security Group
Mail-Enabled Security Group
Distribution Groups

To monitor users in OneDrive groups, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.

Code42 reads the display name of groups from the column header labeled Display Name or Groups. In the .csv file, specify this name exactly as it appears in OneDrive or Azure Active Directory.
Alternately, Code42 reads the email addresses of a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group.

If the .csv file does not contain at least one of these column headers, the upload produces an error.

Code42 looks for users associated with OneDrive groups as follows:

When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
If neither the the group name nor the email address can be found in OneDrive, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 8 hours.

As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.

Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.

Groups that are nested in a monitored group are also monitored.

OneDrive permissions

Code42 collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are:

Directory.Read.All
Files.Read.All
ActivityFeed.Read

Troubleshooting

Maximum user drive number exceeded

Code42's maximum number of drives allowed for monitoring in cloud service connections is 55,000. If Code42 detects more than this number of drives, the following error appears on the Data Connections screen:

The number of supported user drives (55,000) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 55,000 drives.

If you receive this message:

Deauthorize the cloud service connection.
Resume monitoring the cloud service connection.
You are prompted to set up the cloud service connection again.
In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 55,000 drive limit.

Data connection is already registered or the email address is not valid

You can authorize a Microsoft 365 account in Code42 only once as a cloud service (to monitor file movement in OneDrive Drive locations) and once as an email service (to monitor file attachments sent outside your company).

When you attempt to register the same Microsoft 365 account for multiple cloud or email services, the following message appears: “This data connection has already been registered or the email address is not valid for this domain.” This message appears when you attempt to register the same account:

For more than one cloud or email service in the same Code42 environment.
In a second Code42 environment after first registering that account in a different Code42 environment.

To resolve the issue:

Verify the Code42 environment with which the Microsoft 365 account has been registered. To register the Microsoft 365 account with a different Code42 environment, first deauthorize it in the Code42 environment where it is currently registered.
Verify that the account has been added only once as a cloud service or only once as an email service.
Consider creating another Microsoft 365 account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Microsoft 365 accounts as Code42 data connections as long as the accounts are not associated in any way.

Reconfigure scoping for user and group monitoring

If needed, you can reconfigure the cloud service's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

Deauthorize the cloud service connection.
You do not need to remove the Code42 application from the cloud service. The app registration remains valid even if it is deauthorized.
Resume monitoring the cloud service connection.
You are prompted to set up the cloud service connection again.
In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.

External resources

Microsoft: Manage sharing in OneDrive and SharePoint
Microsoft: Microsoft Graph permissions reference