Enterprise Recon Cloud 2.12.0
How To Scan SharePoint Online
ER Cloud uses Azure ACS (Access Control Service) to access SharePoint Online. For new SharePoint Online tenants, using an ACS app-only access token is disabled by default and must be enabled manually.
This section covers the following topics:
- Overview
- Licensing
- Requirements
- Configure SharePoint Add-in
- Set Up SharePoint Online as a Target
- Edit SharePoint Online Target Path
- Deleted SharePoint Online Sites
- Remediate Matches in SharePoint Online
- Unsupported Remediation Locations in SharePoint Online
Overview
When SharePoint Online is added as a scan Target, ER Cloud returns all resources in the SharePoint Online web application. You can select specific site collections, sites, lists, list items, folders and/or files when setting up the scan schedule.
The instructions here work for setting up SharePoint Online as a Target.
To set up SharePoint Online as a Target:
- Enable SharePoint Add-in (for new SharePoint Online subscriptions only).
- Configure SharePoint Add-in.
- Set Up SharePoint Online as a Target.
To scan specific paths in a SharePoint Online Target, refer to Edit SharePoint Online Target Path below.
Licensing
For Sitewide Licenses, all scanned SharePoint Online Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, SharePoint Online Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.
See Target Licenses for more information.
Requirements
Component | Description
---|---
Proxy Agent | ER 2.0.28 Agent and newer. Recommended Proxy Agents:
TCP Allowed Connections | Port 443 for cloud services.
Enable SharePoint Add-in
ER Cloud uses Azure ACS (Access Control Service) to access SharePoint Online. For new SharePoint Online tenants, using an ACS app-only access token is disabled by default and must be enabled manually.
For new SharePoint Online tenants, connect to SharePoint Online using Windows PowerShell and enable the SharePoint Add-in by running the following commands:
```powershell
# Install the SharePoint Online Management Shell module (once per admin workstation)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser

# UPN of a SharePoint administrator account
$adminUPN = "<full email address of a SharePoint administrator account>"

# Organization name: the <tenant> part of https://<tenant>.sharepoint.com
$tenant = "<name of your Microsoft 365 organization, example: mycompany>"

# Prompt for the password rather than embedding it in the script
$userCredential = Get-Credential -UserName $adminUPN -Message "Type the password:"

# Connect to the tenant admin site. -Credential only works for accounts without MFA;
# for an MFA-protected admin account omit -Credential and sign in interactively.
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com" -Credential $userCredential

# Enable custom app authentication (ACS app-only tokens for SharePoint Add-ins) tenant-wide
Set-SPOTenant -DisableCustomAppAuthentication $false

# Verify the change: DisableCustomAppAuthentication must now report False
Get-SPOTenant | Select-Object DisableCustomAppAuthentication
```
For more information, refer to Granting Access Using SharePoint App-Only.
Configure SharePoint Add-in
Before adding SharePoint Online as a Target, you must register and configure the SharePoint Add-in for use with ER Cloud. The registered SharePoint Add-in must have the required permissions to allow ER Cloud to authenticate and access (scan) the resources in your SharePoint Online environment.
ER Cloud uses Azure ACS (Access Control Service) to access SharePoint Online. For new SharePoint Online tenants, using an ACS app-only access token is disabled by default and must be enabled manually. For more information, refer to Enable SharePoint Add-in above.
To configure the SharePoint Add-in for ER Cloud:
Generate Client ID and Client Secret
You need to register the SharePoint Add-in to generate the client ID and client secret key which is required when setting up SharePoint Online as a Target.
To register the SharePoint Add-in:
1. Log in to SharePoint Online and go to the AppRegNew form at <site collection url>/_layouts/15/AppRegNew.aspx. For example, https://mycompany.sharepoint.com/_layouts/15/AppRegNew.aspx.
2. In the AppRegNew form, fill in the following fields:

Field | Description
---|---
Client Id | Enter a unique lowercase string, or click Generate to generate a client ID. Example: 1234abcd-56ef-78gh-90ij-1234clientid
Client Secret | Click Generate to generate a client secret. Example: abcdefghij0123456789klmnopqrst0clientsecret
Title | Enter a descriptive name for the add-in. Example: Enterprise Recon SPO add-in
App Domain | The host name of the remote component of the SharePoint Add-in. Example: www.example.com. This is a compulsory field when registering the SharePoint Add-in, but is not used for scanning SharePoint Online Targets with ER Cloud.
Redirect URI | The endpoint in the remote application or service to which Azure Access Control Service (ACS) sends an authentication code. Example: https://www.example.com/default.aspx. This is a compulsory field when registering the SharePoint Add-in, but is not used for scanning SharePoint Online Targets with ER Cloud.

3. Click Create. The page reloads and displays the details of the newly registered SharePoint Add-in.
4. Take down the Client ID (e.g. 1234abcd-56ef-78gh-90ij-1234clientid) and Client Secret (e.g. abcdefghij0123456789klmnopqrst0clientsecret) for the SharePoint Add-in. These will be required when you set up SharePoint Online as a Target (refer to Set Up SharePoint Online as a Target below). Treat the client secret as a privileged credential and keep it in a secrets manager rather than in your scan notes: once the permissions in the next section are granted, anyone holding the Client ID, Client Secret and Tenant ID can access the tenant with those rights and no user sign-in. Client secrets generated on the AppRegNew form expire after one year and must be replaced before then, or the Target will stop connecting.
Grant Permissions to SharePoint Add-in
1. With your administrator account, go to the tenant administration site at <tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx to grant permissions to the registered SharePoint Add-in. For example, https://mycompany-admin.sharepoint.com/_layouts/15/appinv.aspx.
2. In the App Id field, enter the client ID (e.g. 1234abcd-56ef-78gh-90ij-1234clientid) for the registered SharePoint Add-in and click Lookup. For more information, refer to step 4 of Generate Client ID and Client Secret above.
3. In the Permission Request XML field, enter the following permissions for the SharePoint Add-in:

```xml
<AppPermissionRequests AllowAppOnlyPolicy="true">
  <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Write"/>
  <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Write"/>
</AppPermissionRequests>
```

AllowAppOnlyPolicy="true" is what lets ER Cloud act under the add-in's own identity with no signed-in user, and the tenant-scope FullControl right covers every site collection in the tenant, including ones created later. The Recommended Least Privilege User Approach under Set Up SharePoint Online as a Target applies to this request too: discovery needs read access, and only remedial actions that act directly on the Target need write access, so grant no more than the actions you intend to run require.

4. Click Create.
5. You will be presented with a permission consent dialog. Click Trust It to grant permissions to the SharePoint Add-in.
6. Go to the Site App Permissions page at <tenant>-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web. For example, https://mycompany-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web.
7. In the App Display Name column, look for the registered SharePoint Add-in (e.g. Enterprise Recon SPO add-in).
8. Take down the Tenant Id from the App Identifier value. This will be required when you set up SharePoint Online as a Target (refer to Set Up SharePoint Online as a Target below).

```
# App Identifier format: i:0i.t|ms.sp.ext|<client ID>@<tenant ID>
i:0i.t|ms.sp.ext|1234abcd-56ef-78gh-90ij-1234clientid@12345678-abcd-9012-efgh-ijkltenantid
```

Where:
- Client ID = 1234abcd-56ef-78gh-90ij-1234clientid
- Tenant ID = 12345678-abcd-9012-efgh-ijkltenantid
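Before entering these values into ER Cloud, you can confirm that the add-in really can obtain an ACS app-only token and read the tenant. The PowerShell below is an added example, not part of the Enterprise Recon product or this documentation. It reuses the placeholder App Identifier and organization name from the steps above (replace them with your real values; a real Client ID and Tenant ID are GUIDs), the standard ACS token endpoint for SharePoint Online and the SharePoint REST API; the function names are the example's own.

```powershell
# Added example (not Enterprise Recon code): obtain an ACS app-only token for the registered
# add-in and read the root site, to validate the Client ID, Client Secret and Tenant ID.
# The values below are the documentation's placeholders; replace them with your own.
$appIdentifier = 'i:0i.t|ms.sp.ext|1234abcd-56ef-78gh-90ij-1234clientid@12345678-abcd-9012-efgh-ijkltenantid'
$tenant        = 'mycompany'                          # https://<tenant>.sharepoint.com
$clientSecret  = Read-Host -AsSecureString -Prompt 'Client Secret'

# Split the App Identifier shown on appprincipals.aspx into its Client ID and Tenant ID.
function Split-SPAppIdentifier {
    param([Parameter(Mandatory)][string]$AppIdentifier)
    $parts = $AppIdentifier.Split('|')[-1].Split('@')   # last segment is "<clientId>@<tenantId>"
    if ($parts.Count -ne 2) { throw "Unexpected App Identifier format: '$AppIdentifier'" }
    [pscustomobject]@{ ClientId = $parts[0]; TenantId = $parts[1] }
}

# Request an app-only access token from Azure ACS with the client_credentials grant.
function Get-SPAppOnlyToken {
    param(
        [Parameter(Mandatory)][string]$Tenant,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][securestring]$ClientSecret
    )
    $spoPrincipal = '00000003-0000-0ff1-ce00-000000000000'   # well-known SharePoint Online principal ID
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = "$ClientId@$TenantId"
        client_secret = [System.Net.NetworkCredential]::new('', $ClientSecret).Password
        resource      = "$spoPrincipal/$Tenant.sharepoint.com@$TenantId"
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "https://accounts.accesscontrol.windows.net/$TenantId/tokens/OAuth/2" `
        -ContentType 'application/x-www-form-urlencoded' -Body $body
    $resp.access_token
}

# Call the SharePoint REST API with the token. A 401/403 means the token or the granted
# permissions are wrong; a 404 means the site does not exist or sits in the Recycle Bin
# (see Deleted SharePoint Online Sites below).
function Test-SPAppOnlyAccess {
    param([Parameter(Mandatory)][string]$SiteUrl, [Parameter(Mandatory)][string]$AccessToken)
    $headers = @{ Authorization = "Bearer $AccessToken"; Accept = 'application/json;odata=nometadata' }
    try {
        $web = Invoke-RestMethod -Uri ("$SiteUrl/_api/web?" + '$select=Title') -Headers $headers
        "OK: app-only read of '$($web.Title)' at $SiteUrl"
    } catch {
        $status = [int]$_.Exception.Response.StatusCode
        "FAILED (HTTP $status): $SiteUrl"
    }
}

$ids   = Split-SPAppIdentifier -AppIdentifier $appIdentifier
$token = Get-SPAppOnlyToken -Tenant $tenant -ClientId $ids.ClientId -TenantId $ids.TenantId -ClientSecret $clientSecret
Test-SPAppOnlyAccess -SiteUrl "https://$tenant.sharepoint.com" -AccessToken $token
```

Run it from the same network position as the Proxy Agent if possible, since that is where ER Cloud will make the same two HTTPS calls (the ACS token endpoint and the tenant's sharepoint.com host on port 443). Because the token is issued with the add-in's full tenant rights, clear `$token` and `$clientSecret` from the session when you are done.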
Set Up SharePoint Online as a Target
To add a SharePoint Online Target:
- From the New Scan page, add Targets. Refer to the Add Targets section.
- In the Select Target Type dialog box, select Microsoft 365 > SharePoint Online.
- Fill in the following fields:

Field | Description
---|---
SharePoint Online Domain | Enter your SharePoint Online organization name. For example, if you access SharePoint Online at https://mycompany.sharepoint.com, enter mycompany.
New Credential Label | Enter a descriptive label for the SharePoint Online credential set.
Client ID | Enter the Client ID for the registered SharePoint Add-in. Example: 1234abcd-56ef-78gh-90ij-1234clientid. Refer to step 4 of Generate Client ID and Client Secret above.
Client Secret Key | Enter the Client Secret key for the registered SharePoint Add-in. Example: abcdefghij0123456789klmnopqrst0clientsecret. Refer to step 4 of Generate Client ID and Client Secret above.
Tenant ID | Enter the Tenant ID for the registered SharePoint Add-in. Example: 12345678-abcd-9012-efgh-ijkltenantid. Refer to step 8 of Grant Permissions to SharePoint Add-in above.
Agent to act as proxy host | Select a supported Proxy Agent host with direct Internet access.

Recommended Least Privilege User Approach
Data discovery or scanning of data requires read access. Remediation actions that act directly on supported file systems, including Delete Permanently, Quarantine, Encryption and Masking, require write access in order to change, delete and overwrite data.
To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.
- Click Test. If ER Cloud can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
Edit SharePoint Online Target Path
- Set up SharePoint Online as a Target (refer to Set Up SharePoint Online as a Target above).
- In the Select Locations section, select your SharePoint Online Target and click Edit.
- In the Edit SharePoint Online dialog box, enter the location to scan in the Path field. Use the following syntax:
Description | Syntax | Example
---|---|---
Scan all resources for the SharePoint Online web application. This includes all site collections, sites, lists, list items, folders and files. | Leave Path blank. |
Scan a site collection. This includes all sites, lists, list items, folders and files for the site collection. | <organization>.sharepoint.com/<site_collection> | https://example.sharepoint.com/operations
Scan a site in a site collection. | <organization>.sharepoint.com/<site_collection>/<site> | https://example.sharepoint.com/operations/my-site
Scan all lists in a site collection. | <organization>.sharepoint.com/<site_collection>/:site/:list | https://example.sharepoint.com/operations/:site/:list
Scan a specific list in a site collection. | <organization>.sharepoint.com/<site_collection>/:site/:list/<list> | https://example.sharepoint.com/operations/:site/:list/my-list
Scan all folders and files in a site collection. | <organization>.sharepoint.com/<site_collection>/:site/:file | https://example.sharepoint.com/operations/:site/:file
Scan a specific folder in a site collection. | <organization>.sharepoint.com/<site_collection>/:site/:file/<folder> | https://example.sharepoint.com/operations/:site/:file/documents
Scan a specific file in a site collection. | <organization>.sharepoint.com/<site_collection>/:site/:file/<file> | https://example.sharepoint.com/operations/:site/:file/my-file.txt
Scan a specific file within a folder in a site collection. | <organization>.sharepoint.com/<site_collection>/:site/:file/<folder>/<file> | https://example.sharepoint.com/operations/:site/:file/documents/my-file.txt

A list item in a specific list cannot be individually added and scanned. You can only scan the entire list.
- Click Test and then Commit to save the path to the Target location.
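When many Targets are scripted or reviewed, it helps to check a path against the syntax above before it reaches the Test button. The function below is an added example and not ER Cloud code; it parses a Target path into the scope it selects and rejects the forms the table does not allow, such as a single list item. Like the table's own examples, it assumes the site collection sits directly under the host (example.sharepoint.com/operations); adjust the pattern if your site collections live under a /sites/ prefix. The name Resolve-ERSpoPath and the scope labels are the example's own.

```powershell
# Added example (not Enterprise Recon product code): classify a SharePoint Online Target
# path against the documented syntax and reject unsupported forms.
function Resolve-ERSpoPath {
    param([string]$Path = '')

    # Normalise: drop the scheme and any trailing slash so the https:// examples and the
    # bare-host syntax forms are treated alike.
    $p   = $Path.Trim() -replace '^https?://', '' -replace '/+$', ''
    $out = [ordered]@{ Scope = $null; Organization = $null; SiteCollection = $null; Target = $null }

    if ($p -eq '') {                       # blank Path = the whole web application
        $out.Scope = 'WebApplication'
        return [pscustomobject]$out
    }
    # Assumption (as in the table's examples): the site collection is the first path segment.
    if (-not ($p -match '^(?<org>[^./]+)\.sharepoint\.com/(?<rest>[^/].*)$')) {
        throw "Not a SharePoint Online site collection path: '$Path'"
    }
    $out.Organization   = $Matches.org
    $seg                = $Matches.rest -split '/'
    $out.SiteCollection = $seg[0]

    if ($seg.Count -eq 1) {
        $out.Scope = 'SiteCollection'
    }
    elseif ($seg[1] -ne ':site') {
        # Only <site_collection>/<site> is documented; deeper paths are not in the table.
        if ($seg.Count -ne 2) { throw "Only one site level below the site collection is documented: '$Path'" }
        $out.Scope = 'Site'; $out.Target = $seg[1]
    }
    elseif ($seg.Count -lt 3 -or $seg[2] -notin ':list', ':file') {
        throw "':site' must be followed by ':list' or ':file': '$Path'"
    }
    elseif ($seg[2] -eq ':list') {
        switch ($seg.Count) {
            3       { $out.Scope = 'AllLists' }
            4       { $out.Scope = 'List'; $out.Target = $seg[3] }
            default { throw "List items cannot be scanned individually; scan the whole list '$($seg[3])' instead: '$Path'" }
        }
    }
    else {
        if ($seg.Count -eq 3) { $out.Scope = 'AllFiles' }
        else { $out.Scope = 'FolderOrFile'; $out.Target = ($seg[3..($seg.Count - 1)] -join '/') }
    }
    [pscustomobject]$out
}

# Constructed inputs taken from the examples in the table above, plus one unsupported form.
Resolve-ERSpoPath 'https://example.sharepoint.com/operations/:site/:list/my-list'
Resolve-ERSpoPath 'https://example.sharepoint.com/operations/:site/:file/documents/my-file.txt'
try { Resolve-ERSpoPath 'https://example.sharepoint.com/operations/:site/:list/my-list/item-1' } catch { Write-Warning $_ }
```

The first two calls return Scope List with Target my-list and Scope FolderOrFile with Target documents/my-file.txt; the third throws, because a list item cannot be added on its own and the whole list has to be scanned instead.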
Deleted SharePoint Online Sites
In SharePoint Online, deleted sites or site collections are retained for 93 days in the site Recycle Bin, unless deleted permanently. These deleted sites or site collections in SharePoint Online Targets are still discoverable by ER Cloud, but will result in "HTTP 404" errors when attempting to probe or scan them.
Remediate Matches in SharePoint Online
Remediation can result in the permanent erasure or modification of data (and metadata). Once performed, remedial actions cannot be undone. Your organization's configured retention policies impact the behavior of the remedial actions applied to the current and historical versions of the match object. For more information, refer to Remediation Behavior in SharePoint Online Targets or contact the Ground Labs Support Team.
The following remediation actions are supported for SharePoint Online Targets:
- Act Directly on Selected Location:
  - Mask all sensitive data
  - Delete Permanently
  - Quarantine
- Mark Locations for Compliance Report
- PRO Delegated Remediation
To remediate matches in SharePoint Online, refer to the Perform Remedial Actions section.
For more information on the supported remedial actions, refer to the Remedial Actions in ER Cloud section.
Unsupported Remediation Locations in SharePoint Online
The following locations and/or objects in SharePoint Online Targets are not supported for remedial actions that act directly on match locations:
- List items
- Site pages
- News posts
For more information on the unsupported locations for remediation for each Target, refer to the Unsupported Remediation Locations by Target section.
PRO This feature is only available in Enterprise Recon Cloud PRO Edition. To find out more about upgrading your ER Cloud license, please contact Ground Labs Licensing. See Subscription License for more information.