Permissions Required for OneDrive User
Granting Access to Office365
- Create a proprietary File Access Manager service account in the Azure / Office365 administration portal (e.g. fam-srv@example.com).
- Assign the "SharePoint administrator" role and the "Tenant Admin" privilege / "Global Administrator" role to the new service account. This allows the service account to enumerate the existing OneDrive accounts and query for audit information.
The Tenant Admin privilege / "Global Administrator" role is necessary for this service account in the initial stage of configuring the application and for granting the consent. After the initial configuration, once the application is configured in File Access Manager, this privilege can be revoked from the service account. During the creation of the Application in the File Access Manager website, log in with the newly created service account and grant Consent to the File Access Manager Azure App.
Granting Access to All Existing OneDrive Accounts
- Owner access for the proprietary File Access Manager user is required to crawl, gather permissions and perform classification of documents stored on OneDrive accounts.
- The built-in "SharePoint Service Administrator" group automatically contains any user that was assigned the "SharePoint administrator" role in Azure.
- To grant the required access, "SharePoint Service Administrator" must be defined as a Secondary Owner of each OneDrive account.
- If a user wants to share something, the user can either right-click and Share, or you can grant permission by adding direct permissions or adding them as collaborators.
- In the installation package, you can find a script called SIQUpdateOneDriveSecondaryOwners.ps1. This script can be used to automatically update the Secondary Owners list of all existing OneDrive accounts so that they include "SharePoint Service Administrator". To run the script:
- Open the folder Scripts in the Collectors.zip installation package.
- Open the SharePoint Online Management Shell (install from https://www.microsoft.com/en-us/download/details.aspx?id=35588).
- Run the script; you will be prompted to provide credentials for an Office365 Global Administrator and the tenant name of your Office365 subscription.
- File Access Manager will not be able to crawl, collect permissions or classify content on OneDrive accounts that are not assigned the "Site Collection Administrator" permission for the File Access Manager user.
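The following is an added illustration of what a secondary-owner update script of this kind does; it is not the SIQUpdateOneDriveSecondaryOwners.ps1 shipped in the installation package. It assumes the SharePoint Online Management Shell module is installed, and the claims-encoded login name of the "SharePoint Service Administrator" group is a placeholder you must resolve in your own tenant.

```powershell
# Illustrative script (not the vendor's SIQUpdateOneDriveSecondaryOwners.ps1).
# Adds a principal as Site Collection Administrator (Secondary Owner) on every
# existing OneDrive account and reports the accounts it could not update.
param(
    [Parameter(Mandatory = $true)] [string] $TenantName,          # e.g. "my-company"
    # Assumed placeholder: resolve the group's real claims login name in your tenant.
    [string] $SecondaryOwner = 'c:0t.c|tenant|<SharePoint-Service-Administrator-group-id>',
    [switch] $WhatIf                                               # report only, change nothing
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop

# Prompt for the Office365 Global Administrator credentials, as the procedure describes.
$cred = Get-Credential -Message "Office365 Global Administrator"
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com" -Credential $cred

# OneDrive accounts are the personal site collections on the tenant's "-my" host.
$oneDriveSites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$updated = 0; $skipped = 0; $failed = @()
foreach ($site in $oneDriveSites) {
    try {
        # Idempotent: skip accounts where the principal is already a site collection admin.
        $existing = Get-SPOUser -Site $site.Url -LoginName $SecondaryOwner -ErrorAction SilentlyContinue
        if ($existing -and $existing.IsSiteCollectionAdmin) { $skipped++; continue }

        if ($WhatIf) { Write-Host "Would add $SecondaryOwner to $($site.Url)"; continue }
        Set-SPOUser -Site $site.Url -LoginName $SecondaryOwner -IsSiteCollectionAdmin $true | Out-Null
        $updated++
    } catch {
        # Accounts listed here will not be crawled, permission-collected or classified.
        $failed += "$($site.Url): $($_.Exception.Message)"
    }
}

Write-Host "Updated: $updated  Already configured: $skipped  Failed: $($failed.Count)"
$failed | ForEach-Object { Write-Warning $_ }
Disconnect-SPOService
```

Run it once with -WhatIf to review the list of OneDrive accounts before making changes; the Failed list is the set of accounts the collector will not be able to process until the owner assignment succeeds.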
-
Granting Access to Future OneDrive Accounts
- The SharePoint Online administration portal allows configuration of default members of the Secondary Owners list for newly created OneDrive accounts.
- Browse to the admin portal (e.g. https://my-company-admin.sharepoint.com).
- Go to the "User Profiles" section, then click "Setup My Sites" under "My Site Settings".
- Scroll down to "My Site Secondary Admin".
- Click the "Enable My Site secondary admin" checkbox.
- Type "SharePoint Service Administrator" in the text box, and click the resolve button (once successfully resolved, the text should be underlined).
- Scroll to the bottom of the page and click "OK".