Enterprise Recon 2.7.0

OneDrive Business

The OneDrive Business module has been updated in ER 2.6.0. To continue scanning OneDrive Business Targets:
  1. Upgrade the Master Server, and
  2. Update the OneDrive Business credential sets added in earlier versions of ER2.

This section covers the following topics:

Overview

When OneDrive Business is added as a scan Target, ER2 returns all Microsoft 365 groups and user accounts in each group. You can select specific groups or individual users when setting up the scan schedule, and each group will be presented as a separate location for the OneDrive Business Target.

Example of OneDrive Business structure: OneDrive Business [domain: example.onmicrosoft.com] +- Exchange Online on target MSONE:EXAMPLE.ONMICROSOFT.COM +- Group Engineering +- Group Design

Licensing

For Sitewide Licenses, all scanned OneDrive Business Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, OneDrive Business Targets require Client Licenses, and consume data from the Client License data allowance limit.

See Target Licenses for more information.

Requirements

Requirements Description
Proxy Agent
  • Proxy Agent host with direct Internet access.
Recommended Proxy Agents:
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
TCP Allowed Connections Port 443

Configure Microsoft 365 Account

For ER 2.6.0 and above, you will need to perform the following setup to scan OneDrive Business Targets:

  1. Generate Client ID and Tenant ID Key
  2. Generate Client Secret Key
  3. Grant API Access

Generate Client ID and Tenant ID Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, click + New registration.
  3. In the Register an application page, fill in the following fields:

    Field Description
    Name Enter a descriptive display name for ER2. For example, Enterprise Recon.
    Supported account types Select Accounts in this organizational directory only.
  4. Click Register. You will be redirected to the Overview page for the newly registered app, Enterprise Recon.
  5. Take down the Application (client) ID and Directory (tenant) ID. This is required when you want to Set Up and Scan a OneDrive Business Target.

    Enterprise Recon app Overview in the Microsoft Azure app registration portal.

Generate Client Secret Key

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  3. In the Manage panel, click Certificates & secrets.
  4. In the Client secrets section, click + New client secret.
  5. In the Add a client secret page, fill in the following fields:

    Field Description
    Description Enter a descriptive label for the Client Secret key.
    Expires Select a validity period for the Client Secret key.
  6. Click Add. The Value column will contain the Client Secret key.
    Newly created Client Secret key for the Enterprise Recon app.
  7. Copy and save the Client Secret key to a secure location. This is required when you want to Set Up and Scan a OneDrive Business Target.

Grant API Access

To scan OneDrive Business Targets, you will need to grant ER2 permissions to access specific resource APIs.

  1. With your administrator account, log in to the Azure app registration portal.
  2. In the App registrations page, go to the Owned applications tab. Click on the app that you registered (e.g. Enterprise Recon) when generating the Client ID and Tenant ID key.
  3. In the Manage panel, click API permissions.
  4. In the Configured permissions section, click + Add a permission.
  5. In the Request API permissions page, select Microsoft Graph > Application permissions.
  6. Select the following permissions for the Enterprise Recon app:

    API Permissions Description
    • Group.Read.All
    • GroupMember.Read.All
    • Directory.Read.All
    • Files.Read.All
    • Sites.Read.All
    Required for probing and scanning OneDrive Business Targets.
  7. Click Add permissions.
  8. In the Configured permissions page, click on Grant admin consent for <organization name>.
  9. In the Grant admin consent confirmation dialog, click Yes. The Status column for all the newly added API permissions will be updated to "Granted for <organization name>".

Set Up and Scan a OneDrive Business Target

This section describes how to set up OneDrive Business Targets for ER 2.6.0 and above.

  1. Configure Microsoft 365 Account.
  2. From the New Scan page, Add Targets.
  3. In the Select Target Type dialog box, select Microsoft 365 > OneDrive Business.
  4. Fill in the following details:
    Dialog box to configure the path, credentials and proxy agent for OneDrive Business Targets.

    Field Description
    OneDrive Domain

    Enter the Microsoft 365 domain to scan.

    Example: example.onmicrosoft.com

    New Credential Label

    Enter a descriptive label for the OneDrive Business credential set.

    Example: m365-onedrive-exampledomain

    Client IID

    Enter the Client ID.

    Example: clientid-1234-5678-abcd-6d05bf28c2bf

    See Generate Client ID and Tenant ID Key for more information.

    Client Secret Key

    Enter the Client Secret key.

    Example: client~secret.key-CHvV1B5YQfr~6zDjEyv

    See Generate Client Secret Key for more information.

    Tenant ID

    Enter the Tenant ID.

    Example: tenantid-1234-abcd-5678-02011df316f4

    See Generate Client ID and Tenant ID Key for more information.

    Agent to act as proxy host

    Select a Proxy Agent host with direct Internet access.

  5. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  6. Click Commit to add the Target.
  7. Back in the New Scan page, locate the newly added OneDrive Business Target and click on the arrow next to it to display a list of available Microsoft 365 groups for the domain.
  8. Select the Target location(s) to scan.

  9. Click Next.
  10. On the Select Data Types page, select the Data Type Profiles to be included in your scan and click Next.
  11. On the Set Schedule page, configure the parameters for your scan. See Set Schedule for more information.

  12. Click Next.
  13. On the Confirm Details page, review the details of the scan schedule, and click Start Scan to start the scan. Otherwise, click Back to modify the scan schedule settings.

Edit OneDrive Business Target Path

  1. Set Up and Scan a OneDrive Business Target.
  2. In the Select Locations section, select your OneDrive Business Target location and click Edit.
  3. In the Edit OneDrive Business dialog box, enter a (case sensitive) Path to scan. Use the following syntax:

    Folder to Scan Path
    All user accounts in a specific group

    Syntax: <Group Display Name>

    Example: Engineering (SG)

    Specific user account in group

    Syntax: <Group Display Name>/<User Principal Name>

    Example: Engineering (SG)/user1@example.onmicrosoft.com

    Specific folder for user account in group

    Syntax: <Group Display Name>/<User Principal Name>/<Folder>

    Example: Engineering (SG)/user1@example.onmicrosoft.com/ProjectA

    Specific file for user account in group

    Syntax: <Group Display Name>/<User Principal Name>/<Folder>/<File>

    Example: Engineering (SG)/user1@example.onmicrosoft.com/ProjectA/example.html

  4. Click Test and then Commit to save the path to the Target location.

User Account in Multiple Groups

A OneDrive Business-enabled user account that belongs to multiple groups

  • is scanned each time a group the user belongs to is scanned.
  • consumes only 1x data allowance usage regardless of how many times it is scanned as part of different groups.