OneDrive Connector Overview

The OneDrive connector allows you to access and analyze stored data, and to structure and classify it. You can also monitor user activities on resources and verify user permissions on those resources.

OneDrive Connector Installation Flow Overview

To install the OneDrive connector:

  1. Configure all the prerequisites.
  2. Add a new OneDrive application.
  3. Install the relevant services:

    • Activity Monitor

Note

OneDrive does not support the Cloud-Ready architecture for permissions collection and data classification. Permission collection and data classification tasks will run on the central engine services associated with the application, regardless of whether these services have one or more collectors associated with the central engine.

Monitored Activities

Monitored events and activities are as defined in the Office365 Management Activity API specification:

https://msdn.microsoft.com/en-us/library/office/mt607130.aspx#SharePointAuditOperations

Activity Monitor Operation Principles

  • Activity Monitor for OneDrive uses the Microsoft Office365 Management Activity API.
  • The Activity Monitor queries the API for OneDrive events.
  • The Microsoft Office365 Management Activity API uses the OAuth 2.0 authorization protocol to authenticate and authorize API requests.
  • To use the API, Data Access Security for OneDrive Connector requires a short authorization process during the definition of the OneDrive for Business application.
  • After the initial authorization process, Data Access Security will handle OAuth token management automatically and refresh the token if needed.

Note

Due to a Microsoft limitation, it might take up to two hours for events to be received by the Data Access Security for OneDrive Activity Monitor.
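
The following added example (not Data Access Security's own code) sketches how a poller that consumes the same API can tolerate the two-hour delay: each query window overlaps the previous one by the maximum delay, and records are de-duplicated by Id while non-OneDrive records from the shared audit feed are dropped. The field names Id, CreationTime, Workload and Operation are those of the Management Activity API audit record schema; the function and class names, the sample records, and the assumption that the query window filters by when a record became available are illustrative.

```python
from datetime import datetime, timedelta, timezone

# Stated on this page: events can take up to two hours to be received.
MAX_DELIVERY_DELAY = timedelta(hours=2)

def poll_window(last_poll, now):
    """Overlap each query with the previous one by the maximum delay."""
    return last_poll - MAX_DELIVERY_DELAY, now

class OneDriveEventFilter:
    """Keep OneDrive records only; drop records an earlier poll returned."""
    def __init__(self):
        self.first_seen = {}  # record Id -> time of the poll that first returned it

    def ingest(self, records, now):
        fresh = []
        for rec in records:
            if rec.get("Workload") != "OneDrive":  # feed also carries SharePoint
                continue
            if rec["Id"] in self.first_seen:  # re-read through the overlap
                continue
            self.first_seen[rec["Id"]] = now
            fresh.append(rec)
        return fresh

    def prune(self, window_start):
        """Forget Ids first returned before the window start (bounds memory)."""
        self.first_seen = {i: t for i, t in self.first_seen.items() if t >= window_start}

# Constructed sample records, not real audit data.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
POLL_1 = [
    {"Id": "a1", "CreationTime": "2024-01-01T11:40:00", "Workload": "OneDrive", "Operation": "FileAccessed"},
    {"Id": "b2", "CreationTime": "2024-01-01T11:45:00", "Workload": "SharePoint", "Operation": "FileModified"},
]
# One hour later: a1 is re-read through the overlap, c3 was delivered late.
POLL_2 = [
    POLL_1[0],
    {"Id": "c3", "CreationTime": "2024-01-01T10:55:00", "Workload": "OneDrive", "Operation": "SharingSet"},
]

def demo():
    f = OneDriveEventFilter()
    first = f.ingest(POLL_1, T0)
    start, _ = poll_window(T0, T0 + timedelta(hours=1))
    f.prune(start)
    second = f.ingest(POLL_2, T0 + timedelta(hours=1))
    return [r["Id"] for r in first], [r["Id"] for r in second], start
```

Alerting built on such a feed should treat CreationTime as the event time and expect records to appear out of order within the delay window.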

Permissions Collection Operation Principles

  • The OneDrive for Business permissions collection task uses the Microsoft OneDrive REST API.
  • The permissions collection task queries OneDrive for Business for the existing Role Assignments to determine object permissions.
  • An Azure Identity Collector must be configured to map the permissions to users and groups from the Azure Active Directory.

Note

The section on Identity collection in the Data Access Security Account and Entitlement Aggregation Guide provides more information on how to define an Azure Identity Collector.