Capabilities

This connector enables you to use File Access Manager to access and analyze data stored in SharePoint Online and perform the following tasks:

  • Analyze the structure of your stored data.
  • Monitor user activity in the resources.
  • Classify the data being stored.
  • Verify user permissions on the resources and compare them against requirements.
  • Manage access fulfillment — automated granting and revoking of access — according to rules set in File Access Manager.
  • Identity collector – collect IAM users, groups, and roles and the connections between them.

See the File Access Manager documentation for a full description.

Activity Monitor Operation Principles

File Access Manager Activity Monitor for SharePoint Online uses the Microsoft Office365 Management Activity API.

  • The Activity Monitor queries the API for SharePoint events only and discards the OneDrive for Business related events returned with them.
  • The Microsoft Office365 Management Activity API uses the OAuth 2.0 authorization protocol to authenticate and authorize API requests.

Use of the API with the File Access Manager for SharePoint Online Connector requires a short authorization process during the definition of the SharePoint Online application.

After the initial authorization process, File Access Manager will handle OAuth token management automatically and refresh the token if needed.

Note

It might take up to two hours for events to be received by the File Access Manager for SharePoint Online Activity Monitor (this is due to a current Microsoft limitation).
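As an added example (not File Access Manager's code, nor Microsoft's), the following Python snippet shows the two behaviours described above: given one content blob from the Office 365 Management Activity API's Audit.SharePoint feed, it keeps only records whose Workload is SharePoint, dropping OneDrive for Business records, and flags records whose delivery lag exceeds the two-hour window. The records, tenant names and URLs are constructed sample data.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: a subset of the fields found in one content blob of the
# Audit.SharePoint feed (values are made up; CreationTime is UTC, as in the API).
SAMPLE_BLOB = json.dumps([
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "FileAccessed",
     "Workload": "SharePoint", "UserId": "alice@contoso.example",
     "ObjectId": "https://contoso.sharepoint.example/sites/Finance/Shared%20Documents/budget.xlsx"},
    {"CreationTime": "2024-05-01T10:05:00", "Operation": "FileDownloaded",
     "Workload": "OneDrive", "UserId": "bob@contoso.example",
     "ObjectId": "https://contoso-my.sharepoint.example/personal/bob/Documents/notes.docx"},
    {"CreationTime": "2024-05-01T08:30:00", "Operation": "SharingSet",
     "Workload": "SharePoint", "UserId": "carol@contoso.example",
     "ObjectId": "https://contoso.sharepoint.example/sites/HR/Shared%20Documents/salaries.xlsx"},
])

MAX_EXPECTED_LAG = timedelta(hours=2)  # delivery delay the documentation says to expect


def parse_sharepoint_events(blob_text, workload="SharePoint"):
    """Return normalised events for records of the requested workload only.

    The SharePoint content type carries both SharePoint and OneDrive workloads;
    like the Activity Monitor, keep SharePoint records and discard OneDrive ones."""
    events = []
    for rec in json.loads(blob_text):
        if rec.get("Workload") != workload:
            continue
        created = datetime.fromisoformat(rec["CreationTime"]).replace(tzinfo=timezone.utc)
        events.append({
            "created": created,
            "operation": rec.get("Operation"),
            "user": rec.get("UserId"),
            "object": rec.get("ObjectId"),
        })
    return events


def late_events(events, received_at, max_lag=MAX_EXPECTED_LAG):
    """Events whose delay between creation and receipt exceeds max_lag.

    Useful for spotting delivery gaps beyond the documented two-hour window."""
    return [e for e in events if received_at - e["created"] > max_lag]


if __name__ == "__main__":
    received = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
    evs = parse_sharepoint_events(SAMPLE_BLOB)
    for e in evs:
        print(e["operation"], e["user"], e["object"])
    print("late:", [e["operation"] for e in late_events(evs, received)])
```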

Monitored Activities

Monitored events and activities are as defined in the Office365 Management Activity API specification.

Permissions Collection Operation Principles

CSOM

File Access Manager SharePoint Online permissions collection and crawling uses SharePoint Client-Side Object Model (CSOM).

Azure Identity Collector

The permissions collection task queries SharePoint Online for the existing Role Assignments to determine object permissions. An Azure Identity Collector must be configured to map the permissions to users and groups from the Azure Active Directory.

Crawl Level: Folder vs File

By default, permissions are analyzed to the folder level, but they can also be analyzed on the file level. If permissions are analyzed on the file level, the system will only display uniquely managed files in the Business Resource Tree.

Adding a SharePoint Online Application describes how to analyze file level permissions.

Note

The section on “Identity collection” in the File Access Manager Administrator Guide provides more information on how to define an Azure Identity Collector.

SharePoint Online Connector Installation Flow Overview

To install the SharePoint Online connector:

  1. Configure all the prerequisites.
  2. Add a new SharePoint Online application in the File Access Manager website.
  3. Install the relevant services:
     • Activity Monitor

Note

SharePoint Online currently does not support the Cloud-Ready architecture for permissions collection and data classification. Permission collection and data classification tasks will run on the central engine services associated with the application, regardless of whether these services have one or more collectors associated with the central engine.

Microsoft Teams Support

The SharePoint Online connector supports gathering permissions, monitoring activities, and classifying information being stored in Teams sites and channels.

Files transferred through Teams chats are viewable under the Team site > Shared Documents > General.

Files transferred through private chats are placed under the initiating user's OneDrive for Business Personal Drive and are managed by the File Access Manager OneDrive for Business Application.