Permissions Required for OneDrive User

  • Create a proprietary File Access Manager service account in Azure / Office365 administration portal (e.g. fam-srv@example.com).

  • Assign the "SharePoint administrator" role and “Tenant Admin” privilege / "Global Administrator" Role to the new service account.This will allow the service account to enumerate the existing OneDrive accounts and query for audit information.

    The Tenant Admin privilege / "Global Administrator" Role is necessary for this service account in the initial stage of configuring the application and for granting the consent. 
    After the initial configuration, and once the application is configured in File Access Manager, this privilege can be revoked from the service account. During the creation of the Application in the File Access Manager website – log in with the newly created service account and grant Consent to the File Access Manager Azure App.

  • Owner access for the proprietary File Access Manager user is required to crawl, gather permissions and perform classification of documents stored on OneDrive accounts.
  • The built-in “SharePoint Service Administrator” group automatically contains any user that was assigned the "SharePoint administrator" role in Azure.
  • To grant the required access, “SharePoint Service Administrator” must be defined as a Secondary Owner of each OneDrive account.
  • If a user is wanting to share something, the user can either right-click and Share or you can grant permission through adding direct permissions or adding them as collaborators.

  • In the installation package, you can find a script called SIQUpdateOneDriveSecondaryOwners.ps1. This script can be used to automatically update the Secondary Owners list of all existing OneDrive accounts so they to include “SharePoint Service Administrator”. To run the script:

    • Open the folder Scripts in the Collectors.zip installation package
    • Open the SharePoint Online Management Shell (install from here https://www.microsoft.com/en-us/download/details.aspx?id=35588 )
    • Run the script, you will be prompted to provide Credentials for Office365 Global Administrator, and The tenant name of your Office365 subscription.
  • File Access Manager will not be able to crawl, collect permissions or classify content on OneDrive accounts that are not assigned with the ‘Site Collection Administrator’ permissions for the File Access Manager user.
  • SharePoint Online administration portal allows configuration of default members of the Secondary Owners list for newly created OneDrive accounts.
  • Browse to the admin portal (e.g. https://my-company-admin.sharepoint.com).

  • Go to the “User Profiles” section, then click “Setup My Sites” under “My Site Settings”.

  • Scroll down to “My Site Secondary Admin”

  • Click the “Enable My Site secondary admin” checkbox
  • Type “SharePoint Service Administrator” in the text box, and click the resolve button (once successfully resolved, the text should be underlined).
  • Scroll to the bottom of the page and click “OK”.