Enterprise Recon 2.2

OneDrive

This section covers the following topics:

  • Scanning a OneDrive Business Target
  • Licensing
  • Requirements
  • Preparing to Add Target Location
  • Set OneDrive Business as a Target Location
  • Add a Path for OneDrive Business
  • User Account in Multiple Groups

Scanning a OneDrive Business Target

To scan OneDrive Business, you must add your Microsoft 365 organization as a Target. Microsoft represents each user's OneDrive Business account internally as a "My Site" Site Collection, so ER2 must be granted permission on these Site Collections before it can scan the corresponding user accounts.

On the Web Console, browsing an added OneDrive Business Target lists all Office 365 user accounts within the domain. Select only user accounts that have OneDrive Business enabled to add them as scan locations. Scanning a user account that does not have OneDrive Business enabled will result in ER2 reporting it as an inaccessible location.

Licensing

For Sitewide Licenses, all scanned OneDrive Business Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, OneDrive Business Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirement               Description
Proxy Agent               • Proxy Agent host with direct Internet access.
                          • Cloud service-specific access keys.
TCP Allowed Connections   Port 443

Preparing to Add Target Location

Before adding OneDrive Business as a Target, you have to perform the following on your Microsoft 365 organization:

  1. Add OneDrive Business User Accounts to a Group
  2. Add Secondary Site Collection Administrator to All OneDrive Business User Accounts

Once done, see Set OneDrive Business as a Target Location.

Add OneDrive Business User Accounts to a Group

  1. Create a new Microsoft 365 group. This group will be used to hold all Microsoft 365 users with OneDrive Business enabled. Name it "ER2OneDrive" or similar. See Microsoft: Create a group in the Microsoft 365 admin center for more information.
  2. Connect to SharePoint Online using the SharePoint Online Management Shell. Using the Management Shell, get a list of all Microsoft 365 users with OneDrive Business enabled. See Microsoft: Get a list of all user OneDrive URLs in your organization for more information.
  3. Add the list of Microsoft 365 users with OneDrive Business enabled to the "ER2OneDrive" group.

Add Secondary Site Collection Administrator to All OneDrive Business User Accounts

  1. Create a service account to scan OneDrive Business, or use an existing service account. This service account should be assigned Global Administrator permissions.

  2. Add the service account as a secondary administrator for the "My Site" Site Collection on all target OneDrive Business accounts.

    1. Connect to the SharePoint Online Admin Center.
    2. Navigate to user profiles > Manage User Profiles.
    3. Search for a specific user profile and click on Manage site collection owners.
    4. In the site collection owners window, add the service account as the secondary site collection administrator.
    5. Repeat this for all OneDrive for Business accounts.
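The two preparation procedures above (populating the "ER2OneDrive" group and adding the service account as secondary site collection administrator on every "My Site") can be scripted together in the SharePoint Online Management Shell. The script below is an added example, not part of the Enterprise Recon documentation; it assumes a tenant named "contoso", a group named "ER2OneDrive" and a service account er2-scan@contoso.onmicrosoft.com, and uses the Exchange Online module for group membership because the Microsoft 365 group cmdlets live there.

```powershell
# Added example (not Enterprise Recon's own tooling). Assumed values:
# tenant "contoso", group "ER2OneDrive", service account er2-scan@contoso.onmicrosoft.com.
$TenantName     = 'contoso'
$GroupName      = 'ER2OneDrive'
$ServiceAccount = 'er2-scan@contoso.onmicrosoft.com'

# Connect to the SharePoint Online admin endpoint and to Exchange Online
# (Add-UnifiedGroupLinks, used for Microsoft 365 group membership, is an EXO cmdlet).
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline

# 1. Enumerate every "My Site" site collection, i.e. every user whose OneDrive
#    Business is provisioned. Users without a My Site are left out on purpose:
#    ER2 would otherwise report them as inaccessible locations.
$oneDriveSites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

foreach ($site in $oneDriveSites) {
    $owner = $site.Owner   # user principal name of the site's primary owner

    # Skip the service account's own OneDrive and any site that has no owner.
    if (-not $owner -or $owner -eq $ServiceAccount) { continue }

    # 2. Add the user to the group that will be selected as the scan location.
    #    Re-adding an existing member throws, so ignore that error to keep the
    #    script safe to re-run.
    Add-UnifiedGroupLinks -Identity $GroupName -LinkType Members -Links $owner `
        -ErrorAction SilentlyContinue

    # 3. Grant the scan service account secondary site collection administrator
    #    rights on this user's My Site, which is the permission ER2 needs.
    Set-SPOUser -Site $site.Url -LoginName $ServiceAccount `
        -IsSiteCollectionAdmin $true | Out-Null

    Write-Host ("Prepared {0} ({1})" -f $owner, $site.Url)
}

# Verification pass: list any My Site where the service account is still not
# a site collection administrator, so gaps can be fixed before the first scan.
$missing = foreach ($site in $oneDriveSites) {
    $admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin }
    if ($admins.LoginName -notcontains $ServiceAccount) { $site.Url }
}
if ($missing) {
    Write-Warning ("Service account is not an admin on:`n" + ($missing -join "`n"))
}
```

Run it under an account that is a SharePoint Administrator; the verification pass can be re-run on its own after new users are provisioned to catch My Sites created since the last run.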

Set OneDrive Business as a Target Location

  1. From the New Scan page, Add Targets.
  2. In the Select Target Type dialog box, select Microsoft 365 > OneDrive Business.
  3. In the OneDrive Details section, fill in the following fields:
    (Screenshot: dialog box to configure the path, credentials and proxy agent for a OneDrive Business Target.)

    Field                            Description
    OneDrive Domain                  Enter your OneDrive Business domain name. For example, example.onmicrosoft.com.
    OneDrive Account Authorization   Obtain the OneDrive access code:
                                     1. In OneDrive Details, click on OneDrive Account Authorization. This opens the OneDrive account authorization page in a new browser tab.
                                     2. Log into your Microsoft service account. See Add Secondary Site Collection Administrator to All OneDrive Business User Accounts for more information.
                                     3. Click Yes.
                                     4. Copy the Access Code.
                                     (Screenshot: OneDrive account authorization page displaying the access code.)
    Access Code                      Enter the Access Code obtained during OneDrive Account Authorization.
    Agent to act as proxy host       Select a Proxy Agent host with direct Internet access.
  4. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  5. Click Commit to add the Target.
  6. Click on the arrow next to the newly added OneDrive Business Target to display a list of groups.
  7. Select the "ER2OneDrive" group.

  8. Click Next to continue configuring your scan.

Add a Path for OneDrive Business

  1. Set OneDrive Business as a Target Location.
  2. In the Select Locations section, select your OneDrive Business Target and click + Add New Location.
  3. In the Select Type dialog box, select Microsoft 365 > OneDrive Business and click Customise.
  4. In the OneDrive Details section, enter the Path to scan. Use the following syntax:

    Folder to Scan                               Path
    All user accounts in a specific group        Syntax:  <Group Display Name>
                                                 Example: Engineering (SG)
    Specific user account in group               Syntax:  <Group Display Name>/<User Principal Name>
                                                 Example: Engineering (SG)/user1@example.com
    Specific folder for user account in group    Syntax:  <Group Display Name>/<User Principal Name>/<Folder>
                                                 Example: Engineering (SG)/user1@example.com/ProjectA
    Specific file for user account in group      Syntax:  <Group Display Name>/<User Principal Name>/<Folder>/<File>
                                                 Example: Engineering (SG)/user1@example.com/ProjectA/example.html

  5. Click on OneDrive Account Authorization and follow the on-screen instructions. Enter the Access Code you obtain into the Access Code field.

  6. Click Test and then Commit to save the path to the Target location.

User Account in Multiple Groups

A OneDrive Business-enabled user account that belongs to multiple groups:

  • is scanned each time any group the user belongs to is scanned.
  • consumes only 1x data allowance usage, regardless of how many times it is scanned as a member of different groups.