Enterprise Recon Cloud 2.12.0

Download ER Cloud 2.12.0 User Guide (PDF)

All Documentation > ER Cloud 2.12.0 User Guide > How-to Guides > Scan Locations (Targets) Overview > Add Cloud Target > How To Scan OneDrive Business

How To Scan OneDrive Business

This section covers the following topics:

Overview
Licensing
Requirements
Configure Microsoft 365 Account
Set Up and Scan a OneDrive Business Target
Edit OneDrive Business Target Path
Remediate Matches in OneDrive Business
Unsupported Types and Folders in OneDrive Business
User Account in Multiple Groups

Overview

When OneDrive Business is added as a scan Target, ER Cloud returns all Microsoft 365 groups and user accounts in each group. You can select specific groups or individual users when setting up the scan schedule, and each group will be presented as a separate location for the OneDrive Business Target.

You can also scan all users with OneDrive Business in your organization's domain by selecting the "All Users" group as a scan location.

Example of OneDrive Business structure: OneDrive Business [domain: example.onmicrosoft.com] +- OneDrive Business on target MSONE:EXAMPLE.ONMICROSOFT.COM +- Group Engineering +- Group Design

If there are multiple Microsoft 365 groups with the same display name in your domain, ER Cloud will only retrieve the first group occurrence. For example, if there are three groups with the same display name, "Engineering", ER Cloud will only probe, scan and return results for the first "Engineering" group for the OneDrive Business Target.

Licensing

For Sitewide Licenses, all scanned OneDrive Business Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, OneDrive Business Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements	Description
Proxy Agent	Proxy Agent host with direct Internet access. Recommended Proxy Agents: Windows Agent with database runtime components Windows Agent Linux Agent with database runtime components Linux Agent
TCP Allowed Connections	Port 443

Description

Proxy Agent

Proxy Agent host with direct Internet access.

Recommended Proxy Agents:

Windows Agent with database runtime components
Windows Agent
Linux Agent with database runtime components
Linux Agent

TCP Allowed Connections

Port 443

Configure Microsoft 365 Account

Instructions for configuring a cloud service account's security settings are provided here for the user's convenience only. For the most up-to-date instructions, please consult the cloud service provider's official documentation.

Generate Client ID and Tenant ID Key

With your administrator account, log in to the Azure app registration portal.
In the App registrations page, click + New registration.

In the Register an application page, fill in the following fields:

Field	Description
Name	Enter a descriptive display name for ER Cloud. For example, Enterprise Recon.
Supported account types	Select Accounts in this organizational directory only.

Click Register. You will be redirected to the Overview page for the newly registered app, Enterprise Recon.
Take down the Application (client) ID and Directory (tenant) ID. This is required when you want to set up and scan a OneDrive Business Target. Refer to Set Up and Scan a OneDrive Business Target.

Generate Client Secret Key

With your administrator account, log in to the Azure app registration portal.
In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
In the Manage panel, click Certificates & secrets.
In the Client secrets section, click + New client secret.

In the Add a client secret page, fill in the following fields:

Field	Description
Description	Enter a descriptive label for the Client Secret key.
Expires	Select a validity period for the Client Secret key.

Click Add. The Value column will contain the Client Secret key.
Copy and save the Client Secret key to a secure location. This is required when you want to set up and scan a OneDrive Business Target. Refer to Set Up and Scan a OneDrive Business Target.

Save your Client Secret key in a secure location. You cannot access this Client Secret key once you navigate away from the page.

Grant API Access

To scan OneDrive Business Targets, you will need to grant ER Cloud permissions to access specific resource APIs.

With your administrator account, log in to the Azure app registration portal.
In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
In the Manage panel, click API permissions.
In the Configured permissions section, click + Add a permission.
In the Request API permissions page, select Microsoft Graph > Application permissions.

Select the following permissions for the Enterprise Recon app:

API Permissions	Description
Group.Read.All GroupMember.Read.All Directory.Read.All Files.Read.All Sites.Read.All	Required for probing and scanning OneDrive Business Targets.
Files.ReadWrite.All	Required for remediating OneDrive Business Targets.

Click Add permissions.
In the Configured permissions page, click on Grant admin consent for <organization name>.
In the Grant admin consent confirmation dialog, click Yes. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Set Up and Scan a OneDrive Business Target

Configure Microsoft 365 Account.
From the New Scan page, add Targets. Refer to the Add Targets section.
In the Select Target Type dialog box, select Microsoft 365 > OneDrive Business.

Fill in the following details:

Dialog box to configure the path, credentials and proxy agent for OneDrive Business Targets.

Field	Description
OneDrive Domain	Enter the Microsoft 365 domain to scan. Example: example.onmicrosoft.com Only accounts where the user principal name (UPN) shares the same domain as specified in the OneDrive Domain field will be scanned and/or listed when probing the Target. For example, if OneDrive Domain is set to example.onmicrosoft.com, user1@example2.onmicrosoft.com will not be scanned and/or listed when probing the Target even if the user belongs to a group in the example.onmicrosoft.com domain. To scan multiple domains within your organization's Microsoft 365 environment, add these domains as separate OneDrive Business Targets.
New Credential Label	Enter a descriptive label for the OneDrive Business credential set. Example: m365-onedrive-exampledomain
Client ID	Enter the Client ID. Example: clientid-1234-5678-abcd-6d05bf28c2bf For more information, refer to Generate Client ID and Tenant ID Key.
Client Secret Key	Enter the Client Secret key. Example: client~secret.key-CHvV1B5YQfr~6zDjEyv For more information, refer to Generate Client Secret Key.
Tenant ID	Enter the Tenant ID. Example: tenantid-1234-abcd-5678-02011df316f4 For more information, refer to Generate Client ID and Tenant ID Key.
Agent to act as proxy host	Select a Windows or Linux Proxy Agent host with direct Internet access.

Recommended Least Privilege User Approach

Data discovery or scanning of data requires read access. Remediation actions that act directly on supported file systems including Delete Permanently, Quarantine, Encryption and Masking require write access in order to change, delete and overwrite data.

To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
Click Commit to add the Target.
Back in the New Scan page, locate the newly added OneDrive Business Target and click on the arrow next to it to display a list of available Microsoft 365 groups for the domain.
Select the Target location(s) to scan:
1. If "All Users" is selected, ER Cloud scans all user accounts in the Microsoft 365 domain.
  
  "All Users" is a default, non-configurable virtual group in ER Cloud that automatically includes all user accounts in the Microsoft 365 domain. If a similar "All Users" group pre-exists in your Microsoft 365 environment, we recommend that you change the display name for that group as it will be viewed as a duplicate group and will not be displayed in ER Cloud.
2. If only specific groups are selected, ER Cloud only scans user accounts in the selected groups.
For OneDrive Business Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target to add and scan the location. Refer to Probe Targets in the Start a Scan section.
Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
Click Commit to add the Target.
(Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan. Refer to Probe Targets in the Start a Scan section.
Click Next.
On the Select Data Types page, select the data type profiles to be included in your scan (refer to the Use Data Type Profile section) and click Next.
On the Set Schedule page, configure the parameters for your scan. For more information, refer to Set Schedule in the Start a Scan section.
Click Next.
On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit OneDrive Business Target Path

Set Up and Scan a OneDrive Business Target.
In the Select Locations section, select your OneDrive Business Target location and click Edit.

For OneDrive Business Target location paths that contain special characters (e.g. "#", "%", "&", etc…), probe the Target instead to add and scan the location. Refer to Probe Targets in the Start a Scan section.

In the Edit OneDrive Business dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

Folder to Scan	Path
All user accounts in all groups	Syntax: All Users Example: All Users
All user accounts in a specific group	Syntax: <Group Display Name> Example: Engineering (SG)
Specific user account in group	Syntax: <Group Display Name>/<User Principal Name> Example: Engineering (SG)/user1@example.onmicrosoft.com
Specific folder for user account in group	Syntax: <Group Display Name>/<User Principal Name>/<Folder> Example: Engineering (SG)/user1@example.onmicrosoft.com/ProjectA
Specific file for user account in group	Syntax: <Group Display Name>/<User Principal Name>/<Folder>/<File> Example: Engineering (SG)/user1@example.onmicrosoft.com/ProjectA/example.html

Click Test and then Commit to save the path to the Target location.

Remediate Matches in OneDrive Business

Potential Impact of Retention Policies
Remediation can result in the permanent erasure or modification of data (and metadata). Once performed, remedial actions cannot be undone. Your organization's configured retention policies impact the behavior of the remedial actions applied to the current and historical versions of the match object. For more information, refer to Remediation Behavior in OneDrive Business Targets or contact the Ground Labs Support Team.

The following remediation actions are supported for OneDrive Business Targets:

Act Directly on Selected Location
- Mask all sensitive data
- Delete Permanently
- Quarantine
Mark Locations for Compliance Report
PRO Delegated Remediation

To remediate matches in OneDrive Business, refer to the Perform Remedial Actions section.

For more information on the supported remedial actions, refer to the Remedial Actions in ER Cloud section.

Unsupported Types and Folders in OneDrive Business

ER Cloud does not support scanning of the following types and folders for the OneDrive Business Target:

Notebooks. To scan the Notebooks folder, set up and scan the Microsoft OneNote Target instead. Refer to the Scan Microsoft OneNote section.
OneNote file types and folders stored in OneDrive Business but outside the default Notebooks folder. To scan these files and notebook folders, set up and scan the Microsoft OneNote Target instead. Refer to the Scan Microsoft OneNote section.
Recycle bin.
User's Preservation Hold library.

Check the Inaccessible Locations page for any errors that were encountered when scanning the OneDrive Business Target. Refer to View Inaccessible Locations in the View Targets Page section.

User Account in Multiple Groups

A OneDrive Business-enabled user account that belongs to multiple groups

is scanned each time a group the user belongs to is scanned.
consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.

OneDrive Business-enabled user account "user1@mycompany.com" belongs to Groups "A1" and "A2". When Groups "A1" and "A2" are added to the same scan, user account "user1@mycompany.com" is scanned once when Group "A1" is scanned, and a second time when Group "A2" is scanned. User account "user1@mycompany.com" consumes only one Client License, and 1x Client License data allowance despite having been scanned twice.