Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

Clouds

Office 365: SharePoint Online

search

Please Note:

Office 365: SharePoint Online

This section covers the following topics:

Overview

The SharePoint Online (Graph API) connector enhances integration between Data Discovery and Classification and Microsoft SharePoint Online using the modern Microsoft Graph API, improving security, scalability, and compatibility.

It supports two authentication methods for accessing SharePoint Online resources:

  • Client secret authentication: This method requires a new Azure App registration for Microsoft Graph API; secrets from older SharePoint or non-Graph apps won’t work. Generate a fresh client secret under the new app.

    Note

    Client secret authentication does not support scanning SharePoint list attachments.

  • Certificate-based authentication (Recommended): This method is more secure and allows scanning of list attachments, providing the same data coverage as the legacy SharePoint connector. Certificate-based authentication uses a set of specific certificate credentials.

    • x5t#S256: A base64url-encoded SHA-256 thumbprint.

    • Passphrase: The password for the private key, if it is encrypted.

    • Private Key: The uploaded private key (.pem).

Prerequisites

Component Description
Proxy Agent 2.14.0
Recommended Proxy Agents
  • Windows Agent with database runtime components
  • Windows Agent
  • Linux Agent with database runtime components
  • Linux Agent
  • FreeBSD Agent
TCP Allowed Connections Port 443 for cloud services

Configuration parameters for SharePoint Online

To configure SharePoint Online data store in the Data Discovery and Classification application, you require:

  • Tenant ID

  • Client ID

  • Client secret or client certificate (x5t#S256, private key, and optional pass phrase).

Generate Client ID and Tenant ID

  1. Log in to the Azure App registration portal as admin.

  2. Navigate to App registrations > New registration.

  3. Provide the following details:

    • Name: CipherTrust DDC.

    • Supported account types: Accounts in this organizational directory only.

  4. Click Register.

  5. Go to the Overview page and save Application (client) ID and Directory (tenant) ID.

Generate Client Secret Key

  1. Open Azure App.

  2. Go to Certificates & secrets.

  3. In Client secrets, click New client secret.

  4. Provide a description and expiration period.

  5. Click Add.

  6. Copy the value and store it securely. The Client Secret Key value cannot be retrieved later.

This Client Secret Key will be required when configuring the SharePoint Online data store.

Generate client certificate

Warning

Avoid using self-signed certificates in production environment.

Create private key and certificate

Command to generate private key with passphrase.

openssl genrsa -aes256 -out private-key.pem 2048

Command to generate private key without passphrase.

openssl genrsa -out private-key.pem 2048

Command to generate client certificate using the private key.

openssl req -new -x509 -sha256 -days 365 -key private-key.pem -out public-cert.pem

Note

Both certificate and private key should be in PEM format.

Upload certificate to Azure

  1. Open the Azure App registration portal.

  2. Go to Certificates & secrets.

  3. In Certificates, click Upload certificate.

  4. Upload the public-cert.pem file.

  5. Add description and then click Add.

Retrieve x5t#S256 thumbprint

Run this command inside the certificate’s folder to get its thumbprint.

printf 'x5t#S256: %s\n' "$(openssl x509 -in public-cert.pem -inform PEM -outform DER | openssl dgst -sha256 -binary | openssl base64 -e | tr -d '\n' | tr '/+' '_-' | tr -d '=')"

Example output:

x5t#S256: bwcK0esc3ACC3DB2Y5_lESsXE8o9ltc05O89jdN-dg2

Save the x5t#S256 value and private key PEM file. They will be required for certificate-based authentication.

Grant API permissions

Grant the Azure App the correct permissions to allow scanning and remediation. Go to SharePoint > Application permissions and add the following permissions.

  • Sites.Read.All

  • Sites.ReadWrite.All

  • Sites.Manage.All

  • (Optional) Sites.FullControl.All (Only if certain paths remain inaccessible)

Grant admin consent after adding.

Add SharePoint Online data store

To add the SharePoint Online data store:

  1. Log on to the CipherTrust Manager GUI.

  2. Open the Data Discovery & Classification application.

  3. Click Data Stores > Data Stores > Add Data Store. The Add Data Store screen is displayed.

  4. Complete the following steps:

    1. Select Type & Category

    2. General Info

    3. Configure Connection

    4. Add Access Control & Tags

Select Type & Category

  1. Under Select Data Store Category, select Cloud.

  2. From Select Cloud Type, select Office 365: Sharepoint Online.

  3. Click Next.

General Info

  1. Specify the following details:

    • Data Store Name: Name for the data store.

    • Description (Optional): Description for the data store.

    • Location Name: Location of the data store.

    • Add Location: Click Add Location to add new locations to the Location Name drop-down. Refer to Adding Locations for detailed steps.

    • Sensitivity Level (Optional): Sensitivity level for the data store. Refer to Sensitivity Levels for details.

    • Enable Data Store: Whether to enable the newly added data store. Select the check box to enable the data store.

  2. Click Next.

Configure Connection

  1. Specify the Domain and Tenant ID.

    • Domain: Name of the SharePoint Online organization. For example, if you access SharePoint Online at https://mycompany.sharepoint.com, then mycompany is the domain.

    • Tenant ID: Tenant ID of the registered SharePoint Add-in. For example, 12345678-abcd-9012-efgh-ijkltenantid.

  2. Select Credential Type: Client Secret or Certificate.

    Client Secret:

    1. Enter Client ID: Client ID of the registered SharePoint Add-in. For example, 1234abcd-56ef-78gh-90ij-1234clientid.

    2. Enter Client Secret Key: Client secret key of the registered SharePoint Add-in. For example, abcdefghij0123456789klmnopqrst0clientsecret.

    Certificate:

    1. Enter Client ID.

    2. Enter x5t#S256 thumbprint in the Certificate Thumbprint field.

    3. Click Browse to upload the private key in PEM format.

    4. (Optionally) Provide the Pass Phrase.

  3. (Optional) In the Add Label field, enter a label to restrict the agents that can scan this specific data store instance. You can also remove an existing label. See Labels for more details.

    Note

    DDC doesn't support selection of multiple agents for the SharePoint Online data store.

  4. Click Next.

Add Access Control & Tags

  1. (Optional) Grant the All groups (default) access for reports. Alternatively, select a group.

  2. Click Save.

The data store is added to the Data Stores page. If the Ready to Scan column shows Ready, then data store is properly configured.

For more information on Access control and Tags, expand the section below.

Access Control & Tags

The Access Control & Tags tab on the Add Data Store screen allows you to grant access rights to your data store and add tags. More details below:

  • ACCESS CONTROL - select user groups that can access the data store. Access to a data store provides ability to see reports that include scans of that data store. The available options are:

    • All groups: All groups of users can access the data store through reports. This is the default setting.

    • Selected group/s: Specified user defined groups can access the data store through reports. When this option is selected, select a group from the drop-down list. This list shows existing user defined groups. The user defined groups must already exist on CipherTrust Manager. If no user defined groups exist, ask the administrator to create a group. If needed, you can select multiple groups. Start typing the name of the desired group and select from the suggested groups.

  • TAGS - Select a tag from the Add Tag drop-down. See the list of prebuilt tags in Predefined tags section.

    Tip

    • New tags can also be added. Start typing a new tag, and click the New: <new_tag> link that appears below the drop-down.

    • Add as many tags as needed.

    • To remove a tag, click the close icon in the tag name.

Add SharePoint Online scan

To add a scan for SharePoint Online:

  1. Open the Data Discovery & Classification application.

  2. Click Scans > Add Scan. The Add Scan screen is displayed.

  3. Complete the following steps:

    1. General Info

    2. Select Data Stores

    3. Add Targets

    4. Select Profiles

    5. Add Filters

    6. Schedule Run

    Refer to Scans for the description of sections of the Add Scan screen.

General Info

  1. Specify a Name for the scan.

  2. (optional) Add a Description for the scan.

  3. Expand Advanced Configuration and specify advanced configurations such Scan Priority, Memory Usage Limit, and Amount of Data Object Volume. Refer to Advanced Configuration for details.

  4. Click Next.

Select Data Stores

  1. Under Data Store Name, select the desired data store that is Ready for scanning. You can select multiple data stores, if required.

  2. Click Next.

Add Targets

  1. To add a scan target, do one of the following:

    • Under the Add Target field, specify the correct target path and click Apply.

      If no specific target is added, the entire data store will be scanned.

      The following table lists target paths and syntax to specify them with examples.

      Target Path to Scan Syntax Example
      All resources (Leave path blank)
      Specific site collection mycompany.sharepoint.com/sites/finance/:s
      Specific site mycompany.sharepoint.com/sites/finance/:s/my-site
      All lists in a site collection mycompany.sharepoint.com/sites/finance/:s/:l
      Specific list mycompany.sharepoint.com/sites/finance/:s/:l/expense-list
      All folders/files mycompany.sharepoint.com/sites/finance/:s/:d
      Specific file mycompany.sharepoint.com/sites/finance/:s/:d/docs/file.txt

    • Navigate and add target paths.

      1. Click Browse to navigate target paths from the root level.

        Alternatively, provide an initial path in the Add Target Path field and click Browse to navigate targets from that point onward.

      2. In the left pane, select the desired target path.

        To view subfolders within the folder hierarchy, select the desired folder and click List.

      3. Click Add Path to add the target path to the right pane. Similarly, add other target paths.

      4. Click Add.

      Tip

      Either navigate the target paths from the root level (without specifying any path in the Add Target Path field) or make sure you provide the correct path to navigate further locations within it.

  2. Click Next.

Select Profiles

  1. Under Classification Profile Name, select the desired classification profiles to search for in the data store. You can select multiple data stores, if required. Refer to Classification Profiles for details on classification profiles.

  2. Click Next.

Add Filters

This step is optional.

  1. Select the desired filter from the Select Filter drop-down list.

    To filter the locations to scan an Office365 SharePoint Online data store, consider the following syntax.

    Note

    Exclude Path/DO by prefix, suffix, and expression filters support wildcard characters. See Using Wildcard Characters to learn how wildcards work.

    • Exclude Path/DO by prefix

      Excludes paths or data objects that begin with a given string. It can be used to exclude entire directory trees. Specify <string>.

      Filter Item Syntax
      Site collection <organization>.sharepoint.com/sites/<site_collection>
      Site <organization>.sharepoint.com/sites/<site_collection>/<site>
      List <organization>.sharepoint.com/sites/<site_collection>/<site>/<list>
      File <organization>.sharepoint.com/sites/<site_collection>/<site>/<list>/<file>
      Folder <organization>.sharepoint.com/sites/<site_collection>/<site>/<list>/<folder>

    • Exclude Path/DO by suffix

      Excludes paths or data objects that end with a given string. Specify <string>.

    • Exclude Path/DO by expression

      This filter is majorly used with wildcard characters.

      Excludes search locations and nested locations that matches the given expression. Specify <string>.

      For example, to exclude locations that contain 'blob' in their path, use expression *blob*.

      Filter Item Syntax
      Site collection <organization>.sharepoint.com/<site_collection>* or *<site_collection>*
      Site <organization>.sharepoint.com/<site_collection>/<site>* or *<site>*
      List <organization>.sharepoint.com/<site_collection>/<site>/<list>* or *<list>*
      File <organization>.sharepoint.com/<site_collection>/<site>/<list>/<file>* or *<file>*
      Folder <organization>.sharepoint.com/<site_collection>/<site>/<list>/<folder>* or *<folder>*

    • Include DO modified recently

      Includes data objects modified within N number of days from the current date, where the value of N ranges from 1 to 99 days. After selecting this filter, specify Days from current date.

    • Exclude DO greater than size

      Excludes data objects that are larger than a given file size (in MB). After selecting this filter, specify the file size in MB.

    • Include DO's within modification date

      Includes data objects modified within a given range of dates. After selecting this filter, specify Start and End dates.

  2. Click Apply.

  3. Repeat the above steps to apply multiple filters. Click Remove to remove any applied filter.

  4. Click Next.

Schedule Run

  1. Specify the scan run frequency. The two options are:

    • Manual: This is the default option. Select this option to run the scan manually. Select the Run Now check box to start the scan run after you save the changes.

    • Scheduled: Select this option to configure the scan to run automatically at the specified time.

    Refer to Schedule Scan for more details on scheduling scan runs.

  2. Click Save.

Note

API request default quota for SharePoint Online is 600 per minute. If this limit is exceeded, API request will fail and scan run may encounter different issues.

Deleted SharePoint Online sites

In SharePoint Online, deleted sites or site collections are retained for 93 days in the site Recycle Bin, unless deleted permanently. However, if you try to scan a deleted site, it will result in following error when attempting to scan them:

The target for Data Store Sharepoint Online has not been found.

Troubleshooting

While adding the SharePoint Online data store to DDC, you might encounter the following error:

The target for Data Store SharePoint scan for sites does not have access permissions.

Cause

This error occurs because the grant app permission is disabled by default on SharePoint Online.

Solution

For the SharePoint Add-in to work, the DisableCustomAuthenticationApp setting for the tenants needs to be set to false, as described below:

  1. Open PowerShell.

  2. Run Install-Module -Name Microsoft.Online.SharePoint.PowerShell.

  3. Run $adminUPN="<full email address of a SharePoint administrator account>".

    For example:

    $adminUPN="example@democompany.onmicrosoft.com"

  4. Run $orgName="<name of your Office 365 organization>”.

    For example:

    $orgName="democompany"

  5. Run $userCredential = Get-Credential -UserName $adminUPN -Message "<password>".

    For example:

    $userCredential = Get-Credential -UserName $adminUPN -Message "demopassword@123"

  6. Run Connect-SPOService -Url https://$<orgName>-admin.sharepoint.com -Credential $userCredential.

    For example:

    Connect-SPOService -Url https://$democompany-admin.sharepoint.com -Credential $userCredential

    Note

    The Connect-SPOService -Url https://$<orgName>-admin.sharepoint.com -Credential $userCredential command might return the following error. This error occurs when Multifactor Authentication (MFA) is enabled.

    Connect-SPOService : Identity Client Runtime Library (IDCRL) did not get a response from the Login server.
At line:1 char:1
 + Connect-SPOService -Url https://trial8349-admin.sharepoint.com -Crede ...
 + CategoryInfo : NotSpecified: ([Connect-SPOService], IdcrlException
 + FullyQualifiedErrorId : Microsoft.SharePoint.Client.IdcrlException,Microsoft.Online.SharePoint.PowerShell.ConnectSPOService

    To work around this issue:

    1. Rerun Connect-SPOService -Url https://$<orgName>-admin.sharepoint.com (without -Credential $userCredential). You will be prompted for the Office 365 authentication.

    2. Enter the Office 365 credentials.

  7. Run set-spotenant -DisableCustomAppAuthentication $false.

On this page