Enterprise Recon 2.13.0

Microsoft OneNote

Following Microsoft's recent deprecation of authentication tokens with application permissions for Microsoft OneNote, ER 2.13.0 has an updated Microsoft OneNote module that uses the more secure delegated permission tokens for authentication.

To continue scanning Microsoft OneNote Targets:

  1. Upgrade the Master Server.
  2. Update Microsoft OneNote credential sets added in earlier versions of ER2 by performing re-authentication. See Re-authenticate Microsoft OneNote Credentials for more information.
  3. Create new single-Agent scans for:
    • impacted Microsoft OneNote locations that were reported as inaccessible locations, and
    • existing scans with OneNote locations. Existing scans (ongoing or not yet started) that include OneNote locations may be interrupted even after re-authenticating. Creating new scans to replace the existing ones ensures that the scans transition to the new authentication method and run successfully.
  4. Ensure that all scans against Microsoft OneNote Targets run from a single Agent. As of Enterprise Recon 2.13.0, distributed scanning for OneNote Targets is no longer supported due to the updated authentication method.

This section covers the following topics:

Overview

When Microsoft OneNote is added as a scan Target, ER2 returns the notebooks for all Microsoft 365 groups and user accounts. You can select specific groups, users, notebook folders, notebooks, sections, or pages when setting up the scan schedule.

You can also scan all users with Microsoft OneNote notebooks in your organization's domain by selecting the "All Users" group as a scan location.

Example of Microsoft OneNote structure:

Microsoft OneNote [domain: example.onmicrosoft.com]
+- Microsoft OneNote on target MS365:EXAMPLE.ONMICROSOFT.COM
   +- Group Engineering
      +- User A
         +- Notebook A
            +- Section A
               +- Page 1
               +- Page 2
            +- Section B
               +- Page 1
               +- Page 2
   +- Group Design
      +- Group's Notebook
         +- Notebook A
            +- Section A
               +- Page 1
               +- Page 2
            +- Section Group A
               +- Section A
            +- Section Group B

Licensing

For Sitewide Licenses, all scanned Microsoft OneNote Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, Microsoft OneNote Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Proxy Agent
  • Proxy Agent host with direct Internet access.
  • ER 2.8.0 Agent and newer.

  Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • macOS Agent

  As of Enterprise Recon 2.13.0, distributed scanning for Microsoft OneNote Targets is no longer supported due to the updated authentication method.

TCP Allowed Connections
  • Port 443

Configure Microsoft 365 Account

  1. Generate Client ID and Tenant ID Key
  2. Generate Client Secret Key
  3. Add Redirect URI
  4. Grant API Access

Generate Client ID and Tenant ID Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, click + New registration.
  3. In the Register an application page, fill in the following fields:

    Name: Enter a descriptive display name for ER2. For example, Enterprise Recon.
    Supported account types: Select Accounts in this organizational directory only.
  4. Click Register. You will be redirected to the Overview page for the newly registered app, Enterprise Recon.
  5. Note down the Application (client) ID and Directory (tenant) ID. These are required when you want to Set Up and Scan a Microsoft OneNote Target.

    Enterprise Recon app Overview in the Microsoft Azure app registration portal.

Add Redirect URI

A redirect URI is where the Microsoft identity platform sends the access code after authentication. To be able to Set Up and Scan a Microsoft OneNote Target, you must add a redirect URI to your Azure app account.

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab.
  3. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  4. In the Manage panel, click Authentication.
  5. In the list of redirect URIs, add the default URL https://services.groundlabs.com/secure/access_code, or add a custom URL you want to use. The URL you add here is the URL that you must use later on for Microsoft OneNote authorization when you Set Up and Scan a Microsoft OneNote Target.

    Added Redirect URI for the Enterprise Recon app.
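The redirect URI and access code steps on this page are the visible half of a Microsoft identity platform authorization code request. The following is an added illustration (not Ground Labs code, and not a description of how ER2 implements its "Microsoft OneNote Authorization" link) of that flow: it builds the v2.0 authorize URL, refuses a redirect URI that is not in the app's registered list, checks the returned state, and enforces the ten-minute code lifetime the page mentions. The endpoint paths and parameter names are Microsoft's documented ones; the tenant ID, client ID, custom redirect URL, state and the delegated scope list are placeholders chosen for the example.

```python
"""Authorization-code request behind a delegated-permission token.

Added illustration, not Ground Labs code. Endpoint paths and parameter names are
the Microsoft identity platform v2.0 ones; IDs, the custom redirect URL, the
state value and the delegated scope list are placeholders for this example.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Redirect URIs registered on the Azure app: the page's default plus a constructed custom one.
REGISTERED_REDIRECT_URIS = {
    "https://services.groundlabs.com/secure/access_code",
    "https://er2.example.internal/secure/access_code",
}

# Delegated Microsoft Graph scopes named after the permissions on this page (assumed
# mapping); offline_access requests a refresh token so a scan can outlive one access token.
DELEGATED_SCOPES = [
    "https://graph.microsoft.com/Notes.Read.All",
    "https://graph.microsoft.com/User.Read.All",
    "https://graph.microsoft.com/Group.Read.All",
    "https://graph.microsoft.com/Directory.Read.All",
    "offline_access",
]

CODE_LIFETIME_SECONDS = 10 * 60  # the page: the access code expires in ten minutes


def redirect_uri_is_registered(uri: str) -> bool:
    """Exact string comparison: a trailing slash or a different host is a different URI,
    and the page states that an unregistered redirect URL makes authorization fail."""
    return uri in REGISTERED_REDIRECT_URIS


def build_authorize_url(tenant_id: str, client_id: str, redirect_uri: str,
                        scopes: list, state: str) -> str:
    """URL the signing-in administrator is sent to. response_type=code asks for an
    authorization code (the page's 'access code') that is later exchanged for a token
    tied to the signed-in user rather than to the application alone."""
    if not redirect_uri_is_registered(redirect_uri):
        raise ValueError(f"redirect URI is not registered on the Azure app: {redirect_uri}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),
        "state": state,
    }
    return (f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize?"
            + urlencode(params))


def extract_code(redirected_url: str, expected_state: str) -> str:
    """Pull the code out of the URL the identity platform redirected to. The state must
    echo the value sent in the authorize request; a mismatch means the code did not
    come from this login attempt and is discarded."""
    query = parse_qs(urlsplit(redirected_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discarding authorization code")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if "code" not in query:
        raise ValueError("redirect carried neither a code nor an error")
    return query["code"][0]


def code_is_fresh(issued_at: float, now: float) -> bool:
    """A code older than ten minutes is no longer usable; the page's advice is to click
    the authorization link again to obtain a new one."""
    return 0 <= now - issued_at < CODE_LIFETIME_SECONDS


def token_request_body(client_id: str, client_secret: str, redirect_uri: str,
                       code: str) -> dict:
    """Form body for POST https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token.
    redirect_uri must repeat the value used in the authorize request; the client secret
    travels only in this server-to-server request, never in the browser URL."""
    return {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
    }


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("tenantid-1234-abcd-5678-02011df316f4",
                              "clientid-1234-5678-abcd-6d05bf28c2bf",
                              "https://services.groundlabs.com/secure/access_code",
                              DELEGATED_SCOPES, state))
```

The exact-match check is the practical consequence of the page's warning: the URL entered in the Redirect URL field must be one of the strings registered under Authentication, character for character.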

Generate Client Secret Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  3. In the Manage panel, click Certificates & secrets.
  4. In the Client secrets section, click + New client secret.
  5. In the Add a client secret page, fill in the following fields:

    Description: Enter a descriptive label for the Client Secret key.
    Expires: Select a validity period for the Client Secret key.
  6. Click Add. The Value column will contain the Client Secret key.

    Newly created Client Secret key for the Enterprise Recon app.

  7. Copy and save the Client Secret key to a secure location. This is required when you want to Set Up and Scan a Microsoft OneNote Target.

Grant API Access

To scan Microsoft OneNote Targets, you will need to grant ER2 permissions to access specific resource APIs.

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  3. In the Manage panel, click API permissions.
  4. In the Configured permissions section, click + Add a permission.
  5. In the Request API permissions page, select Microsoft Graph > Application permissions.
  6. Select the following permissions for the Enterprise Recon app:

    • Group.Read.All
    • User.Read.All
    • Directory.Read.All
    • Notes.Read.All
    These permissions are required for probing and scanning Microsoft OneNote Targets.
  7. Click Add permissions.
  8. In the Configured permissions page, click on Grant admin consent for <organization name>.
  9. In the Grant admin consent confirmation dialog, click Yes. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Set Up and Scan a Microsoft OneNote Target

This section describes how to set up Microsoft OneNote Targets for ER 2.8.0 and above.

  1. Configure Microsoft 365 Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, select Microsoft 365 > Microsoft OneNote.
  4. Fill in the following details:

    Dialog box to configure the path, credentials and proxy agent for Microsoft OneNote Targets.

    OneNote Domain

    Enter the Microsoft 365 domain to scan.

    Example: example.onmicrosoft.com

    Only accounts where the user principal name (UPN) shares the same domain as specified in the OneNote Domain field will be scanned and/or listed when probing the Target.

    For example, if OneNote Domain is set to example.onmicrosoft.com, user1@example2.onmicrosoft.com will not be scanned and/or listed when probing the Target even if the user belongs to a group in the example.onmicrosoft.com domain.

    To scan multiple domains within your organization's Microsoft 365 environment, add these domains as separate Microsoft OneNote Targets.

    New Credential Label

    Enter a descriptive label for the Microsoft OneNote credential set.

    Example: m365-microsoftonenote-exampledomain

    Client ID

    Enter the Client ID.

    Example: clientid-1234-5678-abcd-6d05bf28c2bf

    See Generate Client ID and Tenant ID Key for more information.

    Client Secret Key

    Enter the Client Secret key.

    Example: client~secret.key-CHvV1B5YQfr~6zDjEyv

    See Generate Client Secret Key for more information.

    Tenant ID

    Enter the Tenant ID.

    Example: tenantid-1234-abcd-5678-02011df316f4

    See Generate Client ID and Tenant ID Key for more information.

    Redirect URL

    To use the default URL (https://services.groundlabs.com/secure/access_code), leave this field blank.

    To use a custom URL, enter the custom URL.

    The redirect URL must be included in your Azure application's list of redirect URIs, otherwise the authorization will fail. See Configure Microsoft 365 Account - Add Redirect URI.
    Microsoft OneNote Authorization
    1. Click the Microsoft OneNote Authorization link to grant access to your Microsoft account.
    2. Enter the user name and password and sign in.
      To be able to scan all user accounts in the Microsoft 365 domain, sign in with an administrator account.
    3. In the new tab that opens, copy the access code. This code expires in 10 minutes.
    4. Back in the Microsoft OneNote window, paste the code copied in the previous step into the Access Code field.

      If you were unable to use the code within ten minutes, simply click the "Microsoft OneNote Authorization" link again to obtain a new code.

    Agent to act as proxy host

    Select a Windows, Linux or macOS Proxy Agent host with direct Internet access.

    As of Enterprise Recon 2.13.0, distributed scanning for Microsoft OneNote Targets is no longer supported due to the updated authentication method.
  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. Back in the New Scan page, locate the newly added Microsoft OneNote Target and click on the arrow next to it to display a list of available Microsoft 365 groups for the domain.
  8. Select the Target location(s) to scan.
    1. If "All Users" is selected, ER2 scans all user accounts in the Microsoft 365 domain.

      Non-admin accounts
      If you signed in with a non-administrator account, the listed Target locations will only be the user accounts belonging to the same group(s) as the signed-in account. To scan all user accounts in the Microsoft 365 domain, you must sign in with an administrator account during authorization (see Microsoft OneNote Authorization).
    2. If only specific groups are selected, ER2 only scans notebooks from user accounts or notebook folders in the selected groups.

      Non-admin accounts
      If you signed in with a non-administrator account, the listed Target locations will be limited to:
      • Notebooks from users who are in the same group(s) as the signed-in account, and/or
      • Notebook folders of the group(s) the signed-in account belongs to.
  9. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  10. Click Commit to add the Target.
  11. (Optional) On the Select Locations page, probe the Target to browse and select specific Target locations to scan.

  12. Click Next.
  13. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  14. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  15. Click Next.
  16. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit Microsoft OneNote Target Path

  1. Set Up and Scan a Microsoft OneNote Target.
  2. In the Select Locations section, select your Microsoft OneNote Target location and click Edit.

  3. In the Edit Microsoft OneNote dialog box, enter a case-sensitive Path to scan. Use the following syntax:

    Locations to scan and the corresponding Path syntax:
    All notebooks for all users in all groups

    Syntax: All Users

    Example: All Users

    All notebooks for all users or in the notebook folder of a specific group

    Syntax: <Group Display Name>

    Example: Engineering

    All notebooks in the notebook folder of a specific group

    Syntax: <Group Display Name>/g

    Example: Engineering/g

    Specific notebook for a specific user in a specific group

    Syntax: <Group Display Name>/<User Principal Name>/<Notebook>

    Example: Engineering/user1@example.onmicrosoft.com/Q1 Notebook

    Specific notebook in the notebook folder of a specific group

    Syntax: <Group Display Name>/g/<Notebook>

    Example: Engineering/g/Q1 Notebook

    Specific section of a notebook for a specific user in a specific group

    Syntax: <Group Display Name>/<User Principal Name>/<Notebook>/<Section>

    Example: Engineering/user1@example.onmicrosoft.com/Q1 Notebook/Section A

    Specific section or section group of a notebook in the notebook folder of a specific group

    Syntax: <Group Display Name>/g/<Notebook>/<Section or Section Group>

    Example: Engineering/g/Q1 Notebook/SG Branch

    Specific section or nested section in a section group of a specific notebook in the notebook folder of a specific group

    Syntax: <Group Display Name>/<Notebook Folder>/<Notebook>/<Section Group>/<Section or Nested Section>

    Example: Engineering/g/Q1 Notebook/SG Branch/Section A

    Specific pages in a section of a specific notebook for a specific user in a specific group

    Syntax: <Group Display Name>/<User Principal Name>/<Notebook>/<Section>/<Page>

    Example: Engineering/user1@example.onmicrosoft.com/Q1 Notebook/Section A/Page 1

    Specific pages in a section of a specific notebook in the notebook folder of a specific group

    Syntax: <Group Display Name>/g/<Notebook>/<Section>/<Page>

    Example: Engineering/g/Q1 Notebook/Section A/Page 1

  4. Click the Microsoft OneNote Authorization link and follow the on-screen instructions. Enter the access code obtained into the Access Code field.

  5. Click Test and then Commit to save the path to the Target location.
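A parser for the path syntax tabulated in step 3, added here as an example (not Ground Labs code; the page does not describe how ER2 itself interprets a Path). It applies two rules the page states: the second segment is either the literal "g" for the group's notebook folder or a user principal name, and, following the OneNote Domain field description earlier on the page, a user principal name whose domain differs from the Target's OneNote Domain is not part of this Target. The OneNotePath structure and its scope names are this example's own; components below the notebook are kept in order because the path string alone does not say whether each one is a section group, a section or a page.

```python
"""Parser for the Microsoft OneNote Target path syntax documented above.

Added example, not Ground Labs code. The rules come from this page; the
OneNotePath structure, scope names and error messages are this example's own.
"""
from dataclasses import dataclass, field
from typing import List, Optional

GROUP_FOLDER_MARKER = "g"            # literal segment selecting the group's notebook folder
MAX_COMPONENTS_BELOW_NOTEBOOK = 2    # deepest documented forms: <Section>/<Page>, <Section Group>/<Section>


@dataclass
class OneNotePath:
    scope: str                        # "all_users", "group", "user_notebook" or "group_folder"
    group: Optional[str] = None       # group display name
    user: Optional[str] = None        # user principal name for user_notebook paths
    notebook: Optional[str] = None    # None means every notebook in the scope
    below: List[str] = field(default_factory=list)  # section group / section / page names, in order


def parse_onenote_path(path: str, onenote_domain: str) -> OneNotePath:
    """Parse a case-sensitive Path; raise ValueError for forms the table does not list."""
    if not path or path != path.strip():
        raise ValueError("path must be non-empty without leading or trailing whitespace")
    segments = path.split("/")
    if any(seg == "" for seg in segments):
        raise ValueError("empty path segment (doubled or trailing '/')")

    if segments == ["All Users"]:     # every notebook for every user in every group
        return OneNotePath(scope="all_users")
    if len(segments) == 1:            # a group: its users' notebooks and its notebook folder
        return OneNotePath(scope="group", group=segments[0])

    group, selector, rest = segments[0], segments[1], segments[2:]
    if selector == GROUP_FOLDER_MARKER:
        scope, user = "group_folder", None
    elif "@" in selector:
        # DNS domain names are case-insensitive, so only this comparison ignores case;
        # group, notebook, section and page names are matched exactly (assumption).
        upn_domain = selector.rsplit("@", 1)[1]
        if upn_domain.lower() != onenote_domain.lower():
            raise ValueError(f"{selector} is outside OneNote Domain {onenote_domain}; "
                             "add that domain as a separate Target")
        if not rest:
            raise ValueError("a user path must name a notebook: <Group>/<UPN>/<Notebook>")
        scope, user = "user_notebook", selector
    else:
        raise ValueError("second segment must be 'g' or a user principal name")

    notebook = rest[0] if rest else None
    below = rest[1:]
    if len(below) > MAX_COMPONENTS_BELOW_NOTEBOOK:
        raise ValueError("path is deeper than the documented syntax allows")
    return OneNotePath(scope=scope, group=group, user=user, notebook=notebook, below=below)


if __name__ == "__main__":
    for example in ["All Users", "Engineering", "Engineering/g",
                    "Engineering/user1@example.onmicrosoft.com/Q1 Notebook/Section A/Page 1",
                    "Engineering/g/Q1 Notebook/SG Branch/Section A"]:
        print(example, "->", parse_onenote_path(example, "example.onmicrosoft.com"))
```

Running the parser over a list of paths before committing them catches the two mistakes that otherwise surface only as an empty or failed location: a user from another domain (which belongs in a separate Target) and a stray slash.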

Re-authenticate Microsoft OneNote Credentials

  1. Log in to the ER2 Web Console.
  2. Go to Settings > Target Credentials.
  3. Hover over the Microsoft OneNote Target credential set and click Edit.
    Example of Microsoft OneNote credential set.
  4. If needed, update the value for the Tenant ID, Client ID, Client Secret Key, and Redirection URL fields.

  5. Click the Microsoft OneNote Authorization link and follow the on-screen instructions.
    Example of a Microsoft OneNote credential set in "Edit" view.
  6. Enter the access code obtained into the Access Code field in the credential editor.

  7. Click Save.

Matches in Attachments in Microsoft OneNote

Matches that are found in attachments in notebooks are reported as distinct match locations from their parent page.

Example:

Page 1 in "Section A" of "Notebook A" contains the files "team-building.txt" and "members.txt". If matches are found in both files, ER2 reports this as two match locations, where "team-building.txt" and "members.txt" are distinct match locations.

Microsoft OneNote Remediation

The following remediation actions are supported for Microsoft OneNote Targets:

Users in Multiple Groups

This section describes the behavior of users that are members of multiple groups for the Microsoft OneNote Target.

License Consumption

A notebook owned by a user account that belongs to multiple groups

  • is scanned each time a group the user belongs to is scanned.
  • consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.

Scan Results

Matches that are found in notebooks owned by users that belong to multiple groups will be reported as a distinct match count for each group.

Take for example a simplified Microsoft OneNote Target for the domain "example.onmicrosoft.com" below:

EXAMPLE.ONMICROSOFT.COM    55 matches
+- Engineering             30 matches
   +- UserA                10 matches
   +- UserB                20 matches
+- Design                  25 matches
   +- UserA                10 matches
   +- UserC                15 matches

Matches found in notebook owned by "UserA" will be included in the match count for both Engineering and Design groups.
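The two rules in this section (a notebook is scanned once per group its owner belongs to and its matches are counted in each group, while data allowance is charged once per notebook) are easy to misread in a report, so here is an added example, not Ground Labs code, that reproduces the simplified Target above and computes both figures. Group membership and match counts are taken from the page's example; the notebook names and sizes are constructed, because the page gives no sizes.

```python
"""Match counting and license consumption for users in several groups.

Added example, not Ground Labs code. Group membership and match counts follow the
simplified Target on this page; notebook names and sizes are constructed.
"""
from typing import Dict, List, Tuple

# group display name -> member user accounts (from the page's example)
GROUP_MEMBERS: Dict[str, List[str]] = {
    "Engineering": ["UserA", "UserB"],
    "Design": ["UserA", "UserC"],
}

# owner -> notebooks as (name, size in MB, matches); sizes constructed, matches from the page
NOTEBOOKS: Dict[str, List[Tuple[str, int, int]]] = {
    "UserA": [("UserA Notebook", 40, 10)],
    "UserB": [("UserB Notebook", 120, 20)],
    "UserC": [("UserC Notebook", 75, 15)],
}


def scan_groups(group_members: Dict[str, List[str]],
                notebooks: Dict[str, List[Tuple[str, int, int]]]):
    """Return (matches per group, scan events, allowance charged per notebook).

    Every (group, owner, notebook) visit is its own scan event and adds the notebook's
    matches to that group's count. The allowance dict is keyed by notebook, so a notebook
    reached through two groups is charged once."""
    matches_per_group: Dict[str, int] = {}
    scan_events: List[Tuple[str, str, str]] = []
    allowance_charged: Dict[Tuple[str, str], int] = {}
    for group, members in group_members.items():
        group_total = 0
        for owner in members:
            for name, size_mb, matches in notebooks.get(owner, []):
                scan_events.append((group, owner, name))
                group_total += matches
                allowance_charged.setdefault((owner, name), size_mb)
        matches_per_group[group] = group_total
    return matches_per_group, scan_events, allowance_charged


def domain_match_count(matches_per_group: Dict[str, int]) -> int:
    """Top line of the report tree: the per-group counts added together, so a notebook
    owned by a member of two groups contributes to the total twice (30 + 25 = 55 above)."""
    return sum(matches_per_group.values())


def data_allowance_consumed_mb(allowance_charged: Dict[Tuple[str, str], int]) -> int:
    """Data allowance is charged once per notebook regardless of how many groups scanned it."""
    return sum(allowance_charged.values())


def scans_of(scan_events: List[Tuple[str, str, str]], owner: str) -> int:
    """How many times an owner's notebooks were visited across all groups."""
    return sum(1 for _, event_owner, _ in scan_events if event_owner == owner)


if __name__ == "__main__":
    per_group, events, charged = scan_groups(GROUP_MEMBERS, NOTEBOOKS)
    print("matches per group:", per_group)
    print("domain total:", domain_match_count(per_group))
    print("UserA scanned", scans_of(events, "UserA"), "times")
    print("data allowance consumed (MB):", data_allowance_consumed_mb(charged))
```

When reconciling a report against license usage, compare the domain-level match total with the sum of the group counts (they agree by construction) and the consumed allowance with the set of distinct notebooks, not with the number of scan events.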


PRO This feature is only available in Enterprise Recon PRO Edition. To find out more about upgrading your ER2 license, please contact Ground Labs Licensing. See Subscription License for more information.