Enterprise Recon 2.3
OneDrive
This section covers the following topics:
- Scanning a OneDrive Business Target
- Licensing
- Requirements
- Preparing to Add Target Location
- Set OneDrive Business as a Target Location
- Add a Path for OneDrive Business
- User Account in Multiple Groups
Scanning a OneDrive Business Target
To scan OneDrive Business, you must add your Microsoft 365 organization as a Target. Each user's OneDrive Business account is represented internally by Microsoft as a "My Site" Site Collection. For ER2 to scan a OneDrive Business user account, ER2 must be granted permission to scan these Site Collections.
On the Web Console, browsing an added OneDrive Business Target lists all Office 365 user accounts within the domain. Select only user accounts that have OneDrive Business enabled to add them as scan locations. Scanning a user account that does not have OneDrive Business enabled will result in ER2 reporting it as an inaccessible location.
Licensing
For Sitewide Licenses, all scanned OneDrive Business Targets consume data from the Sitewide License data allowance limit.
For Non-Sitewide Licenses, OneDrive Business Targets require Client Licenses, and consume data from the Client License data allowance limit.
See Target Licenses for more information.
Requirements
| Requirements | Description |
|---|---|
| Proxy Agent | |
| TCP Allowed Connections | Port 443 |
Preparing to Add Target Location
Before adding OneDrive Business as a Target, you have to perform the following on your Microsoft 365 organization:
- Add OneDrive Business User Accounts to a Group
- Add Secondary Site Collection Administrator to All OneDrive Business User Accounts
Once done, see Set OneDrive Business as a Target Location.
Add OneDrive Business User Accounts to a Group
- Create a new Microsoft 365 group. This group will be used to hold all Microsoft 365 users with OneDrive Business enabled. Name it "ER2OneDrive" or similar. See Microsoft: Create a group in the Microsoft 365 admin center for more information.
- Connect to SharePoint Online using the SharePoint Online Management Shell. Using the Management Shell, get a list of all Microsoft 365 users with OneDrive Business enabled. See Microsoft: Get a list of all user OneDrive URLs in your organization for more information.
- Add the list of Microsoft 365 users with OneDrive Business enabled to the "ER2OneDrive" group.
Add Secondary Site Collection Administrator to All OneDrive Business User Accounts
- Create a service account to scan OneDrive Business, or use an existing service account. This service account should be assigned Global Administrator permissions. A service account is a user account created only for use with a specific service or application to interact with a system.
- Add the service account as a secondary administrator for the "My Site" Site Collection on all target OneDrive Business accounts. Please refer to Microsoft documentation for the most updated instructions.
  - Connect to the SharePoint Online Admin Center.
  - Navigate to user profiles > Manage User Profiles.
  - Search for a specific user profile and click on Manage site collection owners.
  - In the site collection owners window, add the service account as the secondary site collection administrator.
  - Repeat this for all OneDrive for Business accounts.
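The two preparation procedures above (collecting OneDrive-enabled users into the "ER2OneDrive" group, then making the service account a secondary site collection administrator on every "My Site"), as an added PowerShell example that is not part of the Enterprise Recon documentation. It assumes the SharePoint Online Management Shell and the ExchangeOnlineManagement module are installed and that the account running it holds SharePoint Administrator rights; the tenant name, group name and service account are placeholders, and Add-UnifiedGroupLinks is one of several ways to populate a Microsoft 365 group.

```powershell
# Added example, not Enterprise Recon's own code. Placeholder values below must be replaced.
$TenantName = 'example'                           # tenant prefix of example.onmicrosoft.com
$GroupName  = 'ER2OneDrive'                       # Microsoft 365 group ER2 will browse
$ServiceUpn = 'er2-scan@example.onmicrosoft.com'  # placeholder ER2 service account

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline -ShowBanner:$false

# 1. Enumerate every provisioned OneDrive ("My Site" personal site collection).
#    Users without OneDrive Business enabled have no personal site and are not returned,
#    so they never end up in the group and never show up as inaccessible locations.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

# 2. Add each OneDrive owner (the site's Owner is the user's UPN) to the ER2OneDrive group.
foreach ($site in $oneDrives) {
    Add-UnifiedGroupLinks -Identity $GroupName -LinkType Members -Links $site.Owner
}

# 3. Grant the service account secondary site collection administrator on each personal
#    site; this is the permission ER2 needs to read that user's OneDrive.
foreach ($site in $oneDrives) {
    Set-SPOUser -Site $site.Url -LoginName $ServiceUpn -IsSiteCollectionAdmin $true | Out-Null
}

# 4. Verify before adding the Target in ER2: list any OneDrive where the grant did not apply.
$missing = foreach ($site in $oneDrives) {
    $admins = Get-SPOUser -Site $site.Url -Limit All | Where-Object { $_.IsSiteAdmin }
    if ($admins.LoginName -notcontains $ServiceUpn) { $site.Url }
}
if ($missing) {
    Write-Warning "Service account is not a site collection admin on:`n$($missing -join "`n")"
} else {
    Write-Host "Service account is a secondary site collection admin on $($oneDrives.Count) OneDrive sites."
}
```

Run step 4 again after onboarding new users, since a newly provisioned OneDrive is not covered until it is both in the group and has the service account as an administrator.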
 
Set OneDrive Business as a Target Location
- From the New Scan page, Add Targets.
- In the Select Target Type dialog box, select Microsoft 365 > OneDrive Business.
- In the OneDrive Details section, fill in the following fields:

  | Field | Description |
  |---|---|
  | OneDrive Domain | Enter your OneDrive Business domain name. For example, example.onmicrosoft.com. |
  | OneDrive Account Authorization | Obtain the OneDrive access code: (1) In OneDrive Details, click on OneDrive Account Authorization. This opens the OneDrive account authorization page in a new browser tab. (2) Log into your Microsoft service account. See Add Secondary Site Collection Administrator to All OneDrive Business User Accounts for more information. (3) Click Yes. (4) Copy the Access Code. |
  | Access Code | Enter the Access Code obtained during OneDrive Account Authorization. |
  | Agent to act as proxy host | Select a Proxy Agent host with direct Internet access. |
- Click Test. If ER2 can connect to the Target, the button changes to a Commit button.
- Click Commit to add the Target.
- Click on the arrow next to the newly added OneDrive Business Target to display a list of groups.
- 
    Select the "ER2OneDrive" group. Selecting a user account that does not have OneDrive Business enabled will result in ER2 reporting it as an inaccessible location.
- Click Next to continue configuring your scan.
Add a Path for OneDrive Business
- Set OneDrive Business as a Target Location.
- In the Select Locations section, select your OneDrive Business Target and click + Add New Location.
- In the Select Type dialog box, select Microsoft 365 > OneDrive Business and click Customise.
- In the OneDrive Details section, enter the Path to scan. Use the following syntax:

  | Folder to Scan | Path |
  |---|---|
  | All user accounts in a specific group | Syntax: <Group Display Name>. Example: Engineering (SG) |
  | Specific user account in group | Syntax: <Group Display Name>/<User Principal Name>. Example: Engineering (SG)/user1@example.com |
  | Specific folder for user account in group | Syntax: <Group Display Name>/<User Principal Name>/<Folder>. Example: Engineering (SG)/user1@example.com/ProjectA |
  | Specific file for user account in group | Syntax: <Group Display Name>/<User Principal Name>/<Folder>/<File>. Example: Engineering (SG)/user1@example.com/ProjectA/example.html |
- 
    Click on OneDrive Account Authorization and follow the on-screen instructions. Enter the Access Code obtained into the Access Code field. Each additional location requires you to generate a new Access Code for use with ER2.
- Click Test and then Commit to save the path to the Target location.
User Account in Multiple Groups
A OneDrive Business-enabled user account that belongs to multiple groups:
- is scanned each time a group the user belongs to is scanned.
- consumes only 1x data allowance usage, regardless of how many times it is scanned as part of different groups.