Allow Code42 access to OneDrive
Who is this article for?
Instructor, no.
Incydr Professional, Enterprise, Gov F2, and Horizon, yes.
Incydr Basic, Advanced, and Gov F1, yes.
CrashPlan Cloud, no.
Retired product plans, yes.
CrashPlan for Small Business, no.
Overview
To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Microsoft OneDrive for Business.
When you add Microsoft OneDrive for Business as a data connection, you are required to authorize Code42 using your global administrator account in OneDrive for Business. Once authorized, we monitor your organization's OneDrive environment for information about when a user:
This article explains how to add OneDrive for Business as a data connection, as well as why Code42 requires this level of access.
Considerations
The following considerations apply to OneDrive. See also the considerations applicable to all cloud storage environments.
- Code42 requires a Microsoft license or subscription that includes Audit (Standard) in order to monitor file activity in your OneDrive environment.
- Audit must be turned on in your OneDrive environment.
- Code42 attempts to use the UserPrincipalName in OneDrive when displaying user information in Forensic Search. If this attribute in Azure is not an email address, trusted domains do not work as expected.
- Microsoft OneDrive limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Microsoft to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring access to OneDrive. Consider allowing access to OneDrive when you have decreased activity in your environment.
- Because Code42 prioritizes file-based monitoring, detection of sharing permissions changes to folders in OneDrive may be delayed.
Supported Microsoft licenses
To connect to your OneDrive environment, Code42 requires a Microsoft license or subscription that includes Audit (Standard).
Connect to OneDrive for Business
Connecting Code42 to your OneDrive environment is a two-step process:
- Verify that auditing is turned on in your Microsoft environment.
- Authorize Code42's connection to OneDrive.
Code42 monitoring requires that audit is turned on
Audit must be turned on in your Microsoft environment in order for Code42 to be able to monitor file activity in OneDrive. If auditing is off, Code42 cannot collect data and no file events are displayed in Forensic Search. If you have one of the Microsoft business licenses, you may need to turn on auditing in your environment before connecting with Code42. Unless it has previously been turned off, customers with a Microsoft enterprise license may already have auditing turned on by default.
Step 1: Verify auditing is turned on for OneDrive
- Sign in to the Microsoft Purview compliance portal using your Microsoft global administrator username and password.
- Click Show all in the left navigation pane, then click Audit.
If auditing is turned off in your environment, the banner at the top of the Search tab prompts you to start recording user and admin activity. This banner does not appear if auditing is already on.
- If prompted, click the banner at the top of the Search tab to turn on audit.
The banner updates to indicate that auditing is enabled and you can search for user and admin activity within 24 hours.
Step 2: Authorize the Code42 connection
- Sign in to the Code42 console.
- Select Administration > Integrations > Data Connections.
- Click Add data connection.
The Add data connection panel opens.
- From Data connection, select Microsoft OneDrive for Business under Cloud storage.
- Enter a Display name. This name must be unique.
- Code42 prompts you to verify that auditing is turned on in your Microsoft environment. You completed this verification in step 1, so select the I've completed these steps check box and then click Continue.
- Select the scope of users in your OneDrive environment to monitor:
  - All: Monitors all OneDrive users in your environment.
  - Specific users: Monitors only the OneDrive users you designate.
    - Click Upload .CSV file.
    - Select a .csv file containing a list of only those OneDrive users you want to monitor. For details, see Upload a .csv file listing OneDrive users below.
  - Specific groups: Monitors only the users in the OneDrive groups you designate.
    - Click Upload .CSV file.
    - Select a .csv file containing a list of OneDrive groups whose users you want to monitor. For details, see Upload a .csv file listing OneDrive groups below.
- Click Authorize.
The Microsoft OneDrive for Business sign in screen appears.
- Enter your OneDrive administrator credentials.
- Review the terms and agreements, and click Accept.
Microsoft OneDrive is added as a data connection and Code42 begins the initial indexing process.
Next steps
Now that you have added OneDrive as a data connection, learn more about:
- Common use cases for investigating security incidents with Forensic Search
- How to use Forensic Search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains
Upload a .csv file
If you select Specific users or Specific groups and click Upload .CSV file, you must upload a .csv file that lists OneDrive users or groups you want to monitor.
General considerations for uploading a .csv file:
- The .csv file is limited to 1,000 entries.
- Uploading a new .csv replaces the existing list of people or groups being monitored.
Upload a .csv file listing OneDrive users
To export a list of all OneDrive users to a .csv file, see the Microsoft documentation. You can also use PowerShell or Active Directory to obtain a user list and place it in a .csv file. Create a .csv file from this list that contains only the users you want to monitor.
In the .csv file, you can specify either email addresses or display names to identify the users to monitor in your OneDrive environment.
- If identifying users by their email address, list those email addresses under a column header labeled either Email or Email Address. Click to download an example of users identified by email address.
- Alternately, you can identify users who do not have email addresses by their display names. OneDrive does not require users to be associated with an email address, so some users are identified by their display name instead. List these display names under a column header labeled either DisplayName or Owner. Click to download an example of users identified by display name.
If no valid username entries are found for a user in the .csv file or an invalid column header label is present, the upload produces an error.
Upload a .csv file listing OneDrive groups
To create a OneDrive group, see the Microsoft documentation. The OneDrive group list supports all Office 365 group types:
- Office 365 Group
- Security Group
- Mail-Enabled Security Group
- Distribution Groups
To monitor users in OneDrive groups, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.
- Code42 reads the display name of groups from the column header labeled Display Name or Groups. In the .csv file, specify this name exactly as it appears in OneDrive or Azure Active Directory. Click to download an example of groups identified by display name.
- Alternately, Code42 reads the email addresses of a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group. Click to download an example of groups identified by email address.
If the .csv file does not contain at least one of these column headers, the upload produces an error.
Code42 looks for users associated with OneDrive groups as follows:
- When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
- If neither the group name nor the email address can be found in OneDrive, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 8 hours.
As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.
Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
Groups that are nested in a monitored group are also monitored.
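A pre-upload check for the user and group scoping .csv files described above, added here as an example (it is not Code42's own code). It applies the column header labels and the 1,000-entry limit from this article, and because an upload replaces the existing list, it also reports which currently monitored entries would drop out of scope. Exact, case-sensitive header matching and the name check_scope_csv are assumptions, and the sample data is constructed.

```python
import csv
import io

MAX_ENTRIES = 1000  # entry limit stated in the article
# Accepted column header labels, as listed in the article.
HEADERS = {
    "users": {"Email", "Email Address", "DisplayName", "Owner"},
    "groups": {"Email", "Email Address", "Display Name", "Groups"},
}

def check_scope_csv(text, kind, previous=frozenset()):
    """Return (entries, errors, dropped) for a scoping .csv.

    kind is "users" or "groups". previous is the set of identifiers in the
    list uploaded earlier (hypothetical input kept by the administrator).
    """
    reader = csv.DictReader(io.StringIO(text))
    columns = [c.strip() for c in (reader.fieldnames or [])]
    reader.fieldnames = columns  # use the whitespace-trimmed labels as row keys
    allowed = HEADERS[kind]
    known = [c for c in columns if c in allowed]
    errors = []
    if not known:
        errors.append("no accepted column header, expected one of %s" % sorted(allowed))
    # For user files the article says an invalid header label is an error.
    if kind == "users":
        errors += ["invalid column header %r" % c for c in columns if c not in allowed]
    entries = []
    for row in reader:
        values = [(row.get(c) or "").strip() for c in known]
        values = [v for v in values if v]
        if values:
            entries.append(values[0])
        else:
            errors.append("line %d: no user or group identifier" % reader.line_num)
    if len(entries) > MAX_ENTRIES:
        errors.append("%d entries exceeds the %d-entry limit" % (len(entries), MAX_ENTRIES))
    # The new file replaces the old list: anything missing stops being monitored.
    dropped = sorted(set(previous) - set(entries))
    return entries, errors, dropped

# Constructed sample data (not from the article).
SAMPLE_USERS = "Email\nalice@example.com\nbob@example.com\n"
CURRENTLY_MONITORED = {"alice@example.com", "carol@example.com"}

if __name__ == "__main__":
    print(check_scope_csv(SAMPLE_USERS, "users", CURRENTLY_MONITORED))
```

A non-empty dropped list is worth reviewing before upload, since those users or groups leave monitoring scope once the new file replaces the old one.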
OneDrive permissions
Code42 collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are:
- Directory.Read.All
- Files.Read.All
- ActivityFeed.Read
Troubleshooting
Microsoft Audit Log is inaccessible
The Code42 application does not have the right permissions
There is an issue with the connection
Maximum user drive number exceeded
Data connection is already registered or the email address is not valid
Reconfigure scoping for user and group monitoring
External resources
Microsoft: