Your suggested change has been received. Thank you.

close
Thales Logo

All

  • All
  • CipherTrust Manager
  • CipherTrust Application Data Protection (CADP)
  • CipherTrust Application Key Management (CAKM)
  • CipherTrust Batch Data Transformation (BDT)
  • CipherTrust Cloud Key Management (CCKM)
  • CipherTrust Data Discovery and Classification (DDC)
  • CipherTrust Data Protection Gateway (DPG)
  • CipherTrust Database Protection (CDP)
  • CipherTrust Intelligent Protection (CIP)
  • CipherTrust Integrations
  • CipherTrust Migrations
  • CipherTrust RESTful Data Protection (CRDP)
  • CipherTrust Transparent Encryption (CTE)
  • CipherTrust Transparent Encryption Userspace (CTE-U)
  • CipherTrust Secrets Management (CSM)
  • CipherTrust Vaulted Tokenization (CT-V)
  • CipherTrust Vaultless Tokenization (CT-VL)
  • CTE-Linux
  • CTE-Windows
  • CTE-AIX
  • CTE-K8s
  • CTE-U
  • Crypto Command Center
  • Data Protection on Demand
  • Luna Cloud HSM
  • Luna Network HSM
  • Luna PCIe HSM
  • Luna USB HSM
  • OneWelcome Identity Platform
  • ProtectApp LUKS
  • ProtectServer 2 HSM
  • ProtectServer 3 HSM
  • SafeNet Trusted Access (STA)
  • SafeNet MobilePASS+
  • SafeNet MobilePASS+ for Android
  • SafeNet MobilePASS+ for Chrome
  • SafeNet MobilePASS+ for macOS
  • SafeNet MobilePASS+ for iOS
  • SafeNet MobilePASS+ for WatchOS
  • SafeNet MobilePASS+ for Windows
  • SafeNet Synchronization Agent
  • SafeNet Logging Agent
  • SafeNet Agent for FreeRADIUS
  • SafeNet Agent for NPS
  • SafeNet Agent for Windows Logon
  • SafeNet Authentication Service Private Cloud Edition (SAS PCE)
  • SafeNet Remote Logging Agent
  • SafeNet Keycloak Agent
  • SafeNet IDPrime Virtual (IDPV)
  • SafeNet FIDO Key Manager
  • SafeNet FIDO Key Manager for Android
  • SafeNet FIDO Key Manager for iOS
  • SafeNet FIDO Key Manager for Windows
back

Clouds

Office 365: SharePoint Online

search

Please Note:

printsuggest an editpdf paneldownload

Office 365: SharePoint Online

This section covers the following topics:

copy link to clipboardPrerequisites

ComponentDescription
Proxy AgentRecommended Proxy Agents:
• Windows Agent
• Linux Agent
• FreeBSD Agent
TCP Allowed ConnectionsPort 443

copy link to clipboardConfigure SharePoint Online

These steps need to be performed on Microsoft SharePoint Online.

Before you can add SharePoint Online as a target, you need to register and configure it for use with DDC. Also, grant the necessary permissions to the SharePoint Add-in to authenticate and access (scan) resources within your SharePoint Online environment.

  1. Register the SharePoint Add-in

  2. Grant Permissions to the SharePoint Add-in

copy link to clipboardRegister the SharePoint Add-in

To register the SharePoint Add-in:

  1. Log on to SharePoint Online.

  2. Go to the AppRegNew form at <site collection url>/_layouts/15/AppRegNew.aspx. For example, https://mycompany.sharepoint.com/_layouts/15/AppRegNew.aspx.

  3. In the AppRegNew form, specify the following:

    FieldDescription
    Client IdEnter a unique lowercase string. For example, 1234abcd-56ef-78gh-90ij-1234clientid.
    Alternatively, you can click Generate to generate a client ID.
    Client SecretClick Generate to generate a client secret. For example, abcdefghij0123456789klmnopqrst0clientsecret.
    TitleEnter a descriptive name for the add-in. For example, DDC SPO add-in.
    App DomainThe hostname of the remote component of the SharePoint Add-in. For example, www.example.com.
    This field is mandatory when registering the SharePoint Add-in. However, this field is not required for scanning the SharePoint Online Targets.
    Redirect URIThe endpoint in the remote application or service to which Azure Access Control service (ACS) sends an authentication code. For example, https://www.example.com/default.aspx.
    This field is mandatory when registering the SharePoint Add-in. However, this field is not required for scanning the SharePoint Online Targets.

  4. Click Create. The page reloads and displays the details of the newly registered SharePoint Add-in.

  5. Note down the Client ID and Client Secret Key. These values will be required when configuring a connection for the data store.

copy link to clipboardGrant Permissions to the SharePoint Add-in

  1. Log on to SharePoint Online as an administrator.

  2. Go to the tenant administration site at <tenant>-admin.sharepoint.com/_layouts/15/appinv.aspx. For example, https://mycompany-admin.sharepoint.com/_layouts/15/appinv.aspx.

  3. In the App ID field, enter the Client ID of the registered SharePoint Add-in. This is the Client ID you noted down in Register the SharePoint Add-in.

  4. Click Lookup. It should fetch and populate the Title, App Domain, and Redirect URL fields.

  5. In the Permission Request XML field, enter the following permissions:

    <AppPermissionRequests AllowAppOnlyPolicy="true">
<AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="FullControl"/>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection" Right="Read"/>
<AppPermissionRequest Scope="http://sharepoint/content/sitecollection/web" Right="Read"/>
</AppPermissionRequests>

  6. Click Create. A permission consent dialog box is displayed.

  7. Click Trust It to grant permissions to the SharePoint Add-in.

  8. Go to the Site App Permissions page at <tenant>-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web. For example, https://xyz-admin.sharepoint.com/_layouts/15/appprincipals.aspx?Scope=Web.

  9. Under the App Display Name column, look for the registered SharePoint Add-In.

  10. Note down the value of Tenant ID from Application Identifer. This value will be required when configuring SharePoint Online as a Target.

    # App Identifier format: i:0i.t|ms.sp.ext|<Client ID>@<Tenant ID>
i:0i.t|ms.sp.ext|1234abcd-56ef-78gh-90ij-1234clientid@12345678-abcd-9012-efgh-ijkltenantid

    Where:

    • Client ID = 1234abcd-56ef-78gh-90ij-1234clientid

    • Tenant ID = 12345678-abcd-9012-efgh-ijkltenantid

copy link to clipboardAdd SharePoint Online Data Store

To add the SharePoint Online data store:

  1. Log on to the CipherTrust Manager GUI.

  2. Open the Data Discovery & Classification application.

  3. Click Data Stores > Data Stores > Add Data Store. The Add Data Store wizard is displayed.

  4. Complete the following steps:

    1. Select Type & Category

    2. General Info

    3. Configure Connection

    4. Add Access Control & Tags

copy link to clipboardSelect Type & Category

  1. Under Select Data Store Category, select Cloud.

  2. From Select Cloud Type, select Office 365: Sharepoint Online.

  3. Click Next.

copy link to clipboardGeneral Info

  1. Specify the following details:

    • Data Store Name: Name for the data store.

    • Description (Optional): Description for the data store.

    • Location Name: Location of the data store.

    • Add Location: Click Add Location to add new locations to the Location Name dropdown list. Refer to Adding Locations for detailed steps.

    • Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details.

    • Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store.

  2. Click Next.

copy link to clipboardConfigure Connection

  1. Specify the credentials of the SharePoint Online domain:

    FieldDescription
    DomainName of the SharePoint Online organization. For example, if you access SharePoint Online at https://mycompany.sharepoint.com, then mycompany is the domain.
    Client IDClient ID of the registered SharePoint Add-in. For example, 1234abcd-56ef-78gh-90ij-1234clientid. Refer to Register the SharePoint Add-in for the client ID.
    Client Secret KeyClient Secret key of the registered SharePoint Add-in. For example, abcdefghij0123456789klmnopqrst0clientsecret. Refer to Register the SharePoint Add-in for the client secret key.
    Tenant IDTenant ID of the registered SharePoint Add-in. For example, 12345678-abcd-9012-efgh-ijkltenantid. Refer to Grant Permissions to the SharePoint Add-in for the tenant ID.

  2. (Optional) In the Add Label field, enter a label. You can also remove an existing label.

    Note

    DDC doesn't support selection of multiple agents for the SharePoint Online data store.

  3. Click Next.

copy link to clipboardAdd Access Control & Tags

  1. (Optional) Grant the All groups (default) access for reports. Alternatively, select a group.

  2. Click Save.

The data store is added to the Data stores page. If the Ready to Scan column shows Ready, then data store is properly configured.

For more information on Access control and Tags, expand the section below.

copy link to clipboardAccess Control & Tags

The Access Control & Tags screen in the Add Data Store wizard allows you to grant access rights to your data store and add tags. More details below:

  • ACCESS CONTROL - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:

    • All groups: All groups of users can access the data store through reports. This is the default setting.

    • Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the dropdown list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.

  • TAGS - select a tag from the Add Tag dropdown list. Please check the list of prebuilt tags in Predefined Tags.

    Tip

    • New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down list.

    • Add as many tags as needed.

    • To remove a tag, click the close icon in the tag name.

copy link to clipboardAdd SharePoint Online Scan

To add a scan for SharePoint Online:

  1. Open the Data Discovery & Classification application.

  2. Click Scans > Add Scan. The Add Scan wizard is displayed.

  3. Complete the following steps:

    1. General Info

    2. Select Data Stores

    3. Add Targets

    4. Select Profiles

    5. Add Filters

    6. Schedule Run

    Refer to Scans for the description of screens of the Add Scan wizard.

copy link to clipboardGeneral Info

  1. Specify a Name for the scan.

  2. (optional) Add a Description for the scan.

  3. Expand Advanced Configuration and specify advanced configurations such Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details.

  4. Click Next.

copy link to clipboardSelect Data Stores

  1. Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required.

  2. Click Next.

copy link to clipboardAdd Targets

  1. To add a scan target, do one of the following:

    • Under the Add Target field, specify the correct target path and click Apply.

      If no specific target is added, the entire data store will be scanned.

      The following table lists target paths and syntax to specify them with examples.

      Target Path to ScanSyntaxExample
      Scan all site collections, sites, lists, list items, folders and files.<Empty_Path>
      Scan a site collection. Includes all sites, lists, list items, folders, and files for the site collection.<organization>.sharepoint.com/sites/<site_collection>https://example.sharepoint.com/sites/operations
      Scan a site in a site collection.<organization>.sharepoint.com/sites/<site_collection>/<site>https://example.sharepoint.com/sites/operations/my-site
      Scan all lists in a site collection.<organization>.sharepoint.com/sites/<site_collection>/:site/:listhttps://example.sharepoint.com/sites/operations/:site/:list
      Scan a specific list in a site collection.<organization>.sharepoint.com/sites/<site_collection>/:site/:list/<list>https://example.sharepoint.com/sites/operations/:site/:list/my-list
      Scan all folders and files in a site collection.<organization>.sharepoint.com/sites/<site_collection>/:site/:filehttps://example.sharepoint.com/sites/operations/:site/:file
      Scan a specific folder in a site collection.<organization>.sharepoint.com/sites/<site_collection>/:site/:file/<folder>https://example.sharepoint.com/sites/operations/:site/:file/Shared Documents/documents
      Scan a specific file in a site collection.<organization>.sharepoint.com/sites/<site_collection>/:site/:file/<file>https://example.sharepoint.com/sites/operations/:site/:file/Shared Documents/my-file.txt
      Scan a specific file within a folder in a site collection.<organization>.sharepoint.com/sites/<site_collection>/:site/:file/<folder>/<file>https://example.sharepoint.com/sites/operations/:site/:file/Shared Documents/documents/my-file.txt

    • Navigate and add target paths.

      1. Click Browse to navigate target paths from the root level.

        Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward.

      2. In the left pane, select the desired target path.

        To view subfolders within the folder hierarchy, select the desired folder and click List.

      3. Click Add Path to add the target path to the right pane. Similarly, add other target paths.

      4. Click Add.

      Tip

      Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it.

  2. Click Next.

copy link to clipboardSelect Profiles

  1. Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple data stores, if required. Refer to Classification Profiles for details on classification profiles.

  2. Click Next.

copy link to clipboardAdd Filters

This step is optional.

  1. Select the desired filter from the Select Filter drop-down list.

    To filter the locations to scan an Office365 SharePoint Online data store, consider the following syntax.

    Note

    Exclude locations by prefix, suffix, and expression filters support wildcard characters. See Using Wildcard Characters to learn how wildcards work.

    • Exclude locations by prefix

      Excludes search locations and nested locations with paths that begin with a given string. It can be used to exclude entire directory trees. Specify <string>.

      Filter ItemSyntax
      Site collection<organization>.sharepoint.com/sites/<site_collection>
      Site<organization>.sharepoint.com/sites/<site_collection>/<site>
      List<organization>.sharepoint.com/sites/<site_collection>/<site>/<list>
      File<organization>.sharepoint.com/sites/<site_collection>/<site>/<list>/<file>
      Folder<organization>.sharepoint.com/sites/<site_collection>/<site>/<list>/<folder>

    • Exclude locations by suffix

      Excludes search locations and nested locations with paths that end with a given string. Specify <string>.

    • Exclude locations by expression

      This filter is majorly used with wildcard characters.

      Excludes search locations and nested locations that matches the given expression. Specify <string>.

      For example, to exclude locations that contain 'blob' in their path, use expression *blob*.

      Filter ItemSyntax
      Site collection<organization>.sharepoint.com/<site_collection>* or *<site_collection>*
      Site<organization>.sharepoint.com/<site_collection>/<site>* or *<site>*
      List<organization>.sharepoint.com/<site_collection>/<site>/<list>* or *<list>*
      File<organization>.sharepoint.com/<site_collection>/<site>/<list>/<file>* or *<file>*
      Folder<organization>.sharepoint.com/<site_collection>/<site>/<list>/<folder>* or *<folder>*

    • Include locations modified recently

      Includes search locations modified within N number of days from the current date, where the value of N ranges from 1 to 99 days. After selecting this filter, specify Days from current date.

    • Exclude locations greater than file size

      Excludes files that are larger than a given file size (in MB). After selecting this filter, specify the file size in MB.

    • Include locations within modification date

      Includes search locations modified within a given range of dates. After selecting this filter, specify Start and End dates.

  2. Click Apply.

  3. Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter.

  4. Click Next.

copy link to clipboardSchedule Run

  1. Specify the scan run frequency. The two options are:

    • Manual: This is the default option. Select this option to run the scan manually. Select the Run Now check box to start the scan run after you save the changes.

    • Scheduled: Select this option to configure the scan to run automatically at the specified time.

    Refer to Schedule Scan for more details on scheduling scan runs.

  2. Click Save.

Note

API request default quota for SharePoint Online is 600 per minute. If this limit is exceeded, API request will fail and scan run may encounter different issues.

copy link to clipboardDeleted SharePoint Online Sites

In SharePoint Online, deleted sites or site collections are retained for 93 days in the site Recycle Bin, unless deleted permanently. However, if you try to scan a deleted site, it will result in following error when attempting to scan them:

The target <targetname> for Data Store Sharepoint Online has not been found

copy link to clipboardTroubleshooting

While adding the SharePoint Online data store to DDC, you might encounter the following error:

The target for Data Store SharePoint scan for sites does not have access permissions

Cause

This error occurs because the grant app permission is disabled by default on SharePoint Online.

Solution

For the SharePoint Add-In to work, the DisableCustomAuthenticationApp setting for the tenants needs to be set to false, as described below:

  1. Open PowerShell.

  2. Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell.

  3. Run $adminUPN="<full email address of a SharePoint administrator account>".

    For example:

    $adminUPN="example@democompany.onmicrosoft.com"

  4. Run $orgName="<name of your Office 365 organization>”.

    For example:

    $orgName="democompany"

  5. Run $userCredential = Get-Credential -UserName $adminUPN -Message "<password>".

    For example:

    $userCredential = Get-Credential -UserName $adminUPN -Message "demopassword@123"

  6. Run Connect-SPOService -Url https://$<orgName>-admin.sharepoint.com -Credential $userCredential.

    For example:

    Connect-SPOService -Url https://$democompany-admin.sharepoint.com -Credential $userCredential

    Note

    The Connect-SPOService -Url https://$<orgName>-admin.sharepoint.com -Credential $userCredential command might return the following error. This error occurs when Multifactor Authentication (MFA) is enabled.

    Connect-SPOService : Identity Client Runtime Library (IDCRL) did not get a response from the Login server.
At line:1 char:1
 + Connect-SPOService -Url https://trial8349-admin.sharepoint.com -Crede ...
 + CategoryInfo : NotSpecified: ([Connect-SPOService], IdcrlException
 + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService

    To work around this issue:

    1. Rerun Connect-SPOService -Url https://$<orgName>-admin.sharepoint.com (without -Credential $userCredential). You will be prompted for the Office 365 authentication.

    2. Enter the Office 365 credentials.

  7. Run set-spotenant -DisableCustomAppAuthentication $false.

On this page