Office 365 File Storage Prerequisites

Make sure your system fits the descriptions below before starting the installation.

Note

Some prerequisites differ for Exchange Online. Refer to Exchange Online Prerequisites.

When you have confirmed your system meets the requirements, you will create an Azure application for your OneDrive, SharePoint Online, or Exchange Online connector.

Permissions

Activity Monitor

To perform Activity Monitoring, the Azure AD application for SharePoint Online requires the ActivityFeed.Read permission to access the Office 365 Management APIs.

You must also ensure auditing is enabled for your tenant. Refer to the Microsoft auditing documentation for details. To verify that auditing is enabled, go to the compliance portal and confirm that activities are displayed.

Note

According to Microsoft, it may take some time before auditing is fully enabled on your tenant.

Permissions Collection

To perform crawl and permissions collection, the Azure AD application for SharePoint Online requires the Sites.FullControl.All permission to access the SharePoint APIs.

OneDrive Azure Application Permissions

| Feature | Permission in Azure App Registration |
|---|---|
| Crawl | Microsoft Graph: Sites.Read.All, Files.Read.All, Users.Read.All, (optional) Domain.Read.All |
| Permission Collection | Microsoft Graph: Files.Read.All; SharePoint: Sites.FullControl.All |
| Data Classification | Microsoft Graph: Files.Read.All |
| Activity Monitoring | Office 365 Management APIs: ActivityFeed.Read |
| Data Access Revocation | Microsoft Graph: Files.ReadWrite.All |
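
As an added example (not SailPoint's code), the following checks least privilege against the OneDrive permissions listed above: it reads the `roles` claim of an app-only access token, where the Microsoft identity platform places granted application permissions, and reports what is missing or not needed for the features you enable. The names `ONEDRIVE_REQUIRED`, `OPTIONAL`, `token_roles`, `audit` and `sample_token` are hypothetical, and the token is constructed for the demo.

```python
import base64
import json

# OneDrive connector: feature -> {API: application permissions}, transcribed
# as printed in the list above (confirm exact spellings in the app registration).
ONEDRIVE_REQUIRED = {
    "Crawl": {"Microsoft Graph": {"Sites.Read.All", "Files.Read.All", "Users.Read.All"}},
    "Permission Collection": {"Microsoft Graph": {"Files.Read.All"},
                              "SharePoint": {"Sites.FullControl.All"}},
    "Data Classification": {"Microsoft Graph": {"Files.Read.All"}},
    "Activity Monitoring": {"Office 365 Management APIs": {"ActivityFeed.Read"}},
    "Data Access Revocation": {"Microsoft Graph": {"Files.ReadWrite.All"}},
}
OPTIONAL = {"Microsoft Graph": {"Domain.Read.All"}}  # allowed but never required


def token_roles(jwt):
    """Return the 'roles' claim of an app-only token; signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return set(json.loads(base64.urlsafe_b64decode(payload)).get("roles", []))


def audit(enabled_features, tokens_by_api):
    """Return {api: {"missing": set, "excess": set}} for the enabled features."""
    needed = {}
    for feature in enabled_features:
        for api, perms in ONEDRIVE_REQUIRED[feature].items():
            needed.setdefault(api, set()).update(perms)
    report = {}
    for api in sorted(set(needed) | set(tokens_by_api)):
        granted = token_roles(tokens_by_api[api]) if api in tokens_by_api else set()
        want = needed.get(api, set())
        report[api] = {"missing": want - granted,
                       "excess": granted - want - OPTIONAL.get(api, set())}
    return report


def sample_token(roles):
    """Constructed, unsigned token for the demo below (not a real credential)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc({"roles": roles}) + "."


if __name__ == "__main__":
    graph = sample_token(["Sites.Read.All", "Files.Read.All", "Users.Read.All",
                          "Files.ReadWrite.All"])
    print(audit(["Crawl", "Permission Collection"], {"Microsoft Graph": graph}))
```

In the demo, `Files.ReadWrite.All` is reported as excess because Data Access Revocation is not enabled, and `Sites.FullControl.All` is reported as missing because no SharePoint token was supplied.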

SharePoint Online Azure Application Permissions

| Feature | Permission in Azure App Registration |
|---|---|
| Crawl | Microsoft Graph: Sites.Read.All |
| Permission Collection | SharePoint: Sites.FullControl.All |
| Data Classification | SharePoint: Full.Control.All |
| Activity Monitoring | Office 365 Management APIs: ActivityFeed.Read |
| Data Access Revocation | Microsoft Graph: Files.ReadWrite.All |

Communication Requirements

| Requirement | Source | Destination | Port |
|---|---|---|---|
| Permissions Collection / Data Classification | Permissions Collector/Data Classification | SharePoint Online | https |
| Activity Monitoring | Activity Monitor | Office365 Activity API | https |
| OAuth Access Token Acquisition | Permission Collector/Data Classification Collector/Activity Monitor | Microsoft Token Endpoint | https |

Access to the following over HTTPS:

  • https://{tenant-name}.sharepoint.com/*
  • https://{tenant-name}-admin.sharepoint.com/*
  • https://{tenant-name}-my.sharepoint.com/*
  • https://manage.office.com/* - to monitor and collect event data, using the Microsoft Management API
  • https://login.microsoftonline.com/* - for OAuth access token acquisition.

Azure Active Directory Connectivity Requirements

The OneDrive and SharePoint Online Connectors require an Azure AD Identity Collector.

The following attributes are required:

Accounts (Identities)

  • userPrincipalName
  • objectId
  • domain
  • mail
  • displayName

Groups (Entitlements)

  • displayName

Data Access Security uses the Microsoft Graph REST API, which works exclusively over HTTPS.

The API base path is: https://graph.microsoft.com/v1.0/, where the tenant domain name is the customer assigned domain name on Microsoft cloud. It is usually in the format of domain_name.onmicrosoft.com, but might be different in your configuration.

A list of resources that are accessed by Data Access Security using the REST graph API include: