Enterprise Recon 2.6.1

SharePoint Online

The SharePoint Online module has been updated in ER 2.6.0. To continue scanning SharePoint Online Targets:
  1. Upgrade the Master Server, and
  2. Update the SharePoint Online credential sets added in earlier versions of ER2.

This section covers the following topics:

Overview

The instructions here work for setting up SharePoint Online as a Target.

To set up SharePoint Online as a Target:

  1. Configure SharePoint Add-in
  2. Set Up SharePoint Online as a Target

To scan specific paths in a SharePoint Online Target, see Edit SharePoint Online Target Path.

Licensing

For Sitewide Licenses, all scanned SharePoint Online Targets consume data from the Sitewide License data allowance limit.

For Non-Sitewide Licenses, SharePoint Online Targets require Server & DB Licenses, and consume data from the Server & DB License data allowance limit.

See Target Licenses for more information.

Requirements

Component Description
Proxy Agent ER 2.0.28 Agent and newer.

Recommended Proxy Agents:

  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • FreeBSD Agent

TCP Allowed Connections Port 443 for cloud services.

Configure SharePoint Add-in

Before adding SharePoint Online as a Target, you must register and configure the SharePoint Add-in for use with ER2. The registered SharePoint Add-in must have the required permissions to allow ER2 to authenticate and access (scan) the resources in your SharePoint Online environment.

To configure the SharePoint Add-in for ER2:

Generate Client ID and Client Secret

You need to register the SharePoint Add-in to generate the client ID and client secret key which is required when setting up SharePoint Online as a Target.

To register the SharePoint Add-in:

  1. Log in to SharePoint Online and go to the AppRegNew form at <site collection url>/_layouts/15/AppRegNew.aspx.
    For example, https://mycompany.sharepoint.com/_layouts/15/AppRegNew.aspx.
  2. In the AppRegNew form, fill in the following fields:
    AppRegNew form for SharePoint Add-in Registration

    Field Description
    Client Id

    Enter a unique lowercase string, or click Generate to generate a client ID.

    Example: 1234abcd-56ef-78gh-90ij-1234clientid

    Client Secret

    Click Generate to generate a client secret.

    Example: abcdefghij0123456789klmnopqrst0clientsecret

    Title

    Enter a descriptive name for the add-in.

    Example: Enterprise Recon SPO add-in

    App Domain

    The host name of the remote component of the SharePoint Add-in.

    Example: www.example.com

    Redirect URI

    The endpoint in the remote application or service to which Azure Access Control service (ACS) sends an authentication code.

    Example: https://www.example.com/default.aspx

  3. Click Create. The page reloads and displays the details of the newly registered SharePoint Add-in.
  4. Take down the Client ID (e.g. 1234abcd-56ef-78gh-90ij-1234clientid) and Client Secret (e.g. abcdefghij0123456789klmnopqrst0clientsecret) for the SharePoint Add-in. These will be required when you Set Up SharePoint Online as a Target.

Grant Permissions to SharePoint Add-in

  1. With your administrator account, go to the tenant administration site at <tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx to grant permissions to the registered SharePoint Add-in.
    For example, https://mycompany-admin.sharepoint.com/_layouts/15/appinv.aspx.
  2. In the App Id field, enter the client ID (e.g. 1234abcd-56ef-78gh-90ij-1234clientid) for the registered SharePoint Add-in and click Lookup.
    See Generate Client ID and Client Secret - Step 4 for more information.
    Grant Permissions for SharePoint Add-in
  3. In the Permission Request XML field, enter the following permissions for the SharePoint Add-in:

    <AppPermissionRequests AllowAppOnlyPolicy="true"> <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/> <AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/> </AppPermissionRequests>

  4. Click Create.
  5. You will be presented with a permission consent dialog. Click Trust It to grant permissions to the SharePoint Add-in.
  6. Go to the Site App Permissions page at <tenant>-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web.
    For example, https://mycompany-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web.
  7. In the App Display Name column, look for the registered SharePoint Add-in (e.g. Enterprise Recon SPO add-in).
  8. Take down the Tenant Id from the App Identifier value. This will be required when you Set Up SharePoint Online as a Target.

    # App Identifier format: i:0i.t|ms.sp.ext|<client ID>@<tenant ID> i:0i.t|ms.sp.ext|1234abcd-56ef-78gh-90ij-1234clientid@12345678-abcd-9012-efgh-ijkltenantid Where:

    • Client ID = 1234abcd-56ef-78gh-90ij-1234clientid
    • Tenant ID = 12345678-abcd-9012-efgh-ijkltenantid

Set Up SharePoint Online as a Target

To add a SharePoint Online Target:

  1. From the New Scan page, Add Targets.
  2. In the Select Target Type dialog box, select Microsoft 365 > SharePoint Online.
  3. Fill in the following fields:
    Dialog box to configure the path, credentials, and proxy agent for a SharePoint Online Target
    Field Description
    SharePoint Online Domain

    Enter your SharePoint Online organization name.

    For example, if you access SharePoint Online at https://mycompany.sharepoint.com, enter mycompany.

    New Credential Label

    Enter a descriptive label for the SharePoint Online credential set.

    Client ID

    Enter the Client ID for the registered SharePoint Add-in.

    Example: 1234abcd-56ef-78gh-90ij-1234clientid

    See Generate Client ID and Client Secret - Step 4 for more information.

    Client Secret Key

    Enter the Client Secret key for the registered SharePoint Add-in.

    Example: abcdefghij0123456789klmnopqrst0clientsecret

    See Generate Client ID and Client Secret - Step 4 for more information.

    Tenant ID

    Enter the Tenant ID key for the registered SharePoint Add-in.

    Example: 12345678-abcd-9012-efgh-ijkltenantid

    See Grant Permissions to SharePoint Add-in - Step 8 for more information.

    Agent to act as proxy host

    Select a supported Proxy Agent host with direct Internet access.

    Recommended Least Privilege User Approach

    To reduce the risk of data loss or privileged account abuse, the Target credentials provided for the intended Target should only be granted read-only access to the exact resources and data that require scanning. Never grant full user access privileges or unrestricted data access to any application if it is not required.

  4. Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
  5. Click Commit to add the Target.

Edit SharePoint Online Target Path

  1. Set Up SharePoint Online as a Target.
  2. In the Select Locations section, select your SharePoint Online Target and click Edit.
  3. In the Edit SharePoint Online dialog box, enter the site collection to scan in the Path. Use the following syntax:
    Description, Syntax and Example

    Scan all resources for the SharePoint Online web application.

    This includes all site collections, sites, lists, list items, folders and files.

    Syntax:

    Leave Path blank.

    Scan a site collection.

    This includes all sites, lists, list items, folders and files for the site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>

    Example:

    https://example.sharepoint.com/operations

    Scan a site in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/<site>

    Example:

    https://example.sharepoint.com/operations/my-site

    Scan all lists in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/:site/:list

    Example:

    https://example.sharepoint.com/operations/:site/:list

    Scan a specific list in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/:site/:list/<list>

    Example:

    https://example.sharepoint.com/operations/:site/:list/my-list

    Scan all folders and files in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/:site/:file

    Example:

    https://example.sharepoint.com/operations/:site/:file

    Scan a specific folder in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/:site/:file/<folder>

    Example:

    https://example.sharepoint.com/operations/:site/:file/documents

    Scan a specific file in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/:site/:file/<file>

    Example:

    https://example.sharepoint.com/operations/:site/:file/my-file.txt

    Scan a specific file within a folder in a site collection.

    Syntax:

    <organization>.sharepoint.com/<site_collection>/:site/:file/<folder>/<file>

    Example:

    https://example.sharepoint.com/operations/:site/:file/documents/my-file.txt

  4. Click Test and then Commit to save the path to the Target location.

Deleted SharePoint Online Sites

In SharePoint Online, deleted sites or site collections are retained for 93 days in the site Recycle Bin, unless deleted permanently. These deleted sites or site collections in SharePoint Online Targets are still discoverable by ER2, but will result in "HTTP 404" errors when attempting to probe or scan them.