Configure Microsoft Office 365 OneDrive for API Data Protection
To configure Microsoft Office 365 OneDrive for API Data Protection, you need to install the Netskope Introspection v2 app to access your Microsoft Office 365 account, and then create a Microsoft Office 365 OneDrive app instance in the Netskope UI.
There are three parts to this procedure:
1. Remove the Netskope Introspection v1 app.
   Important
   This part applies only to customers who have installed the Netskope Introspection v1 app. Skip it if you have not installed the v1 app.
2. Add the Netskope Introspection v2 app in your Office 365 SharePoint admin account.
3. Configure Netskope to access your Microsoft Office 365 OneDrive app.
Important
Throughout this article, you will be prompted to enter your Office 365 credentials. Netskope does not store your Office 365 credentials. The credentials are used for creating OAuth tokens. Netskope only stores these tokens and not the actual credentials.
Prerequisites
To grant Office 365 access for audit logs, the following prerequisites must be met:
A global administrator account is required to grant access to Netskope. Post-grant, this account is not required.
Note
In Azure/Office 365, an administrator must grant Netskope enough privileges to perform specific actions. The Netskope app does not receive global admin permissions; it receives only the permissions for the scopes Netskope requests.
In particular, the global admin is the only user who can delegate access for application-level permissions (as opposed to user-level permissions). You can find additional Microsoft documentation on how this works here. Furthermore, a global admin credential is required for the Graph and Office 365 Management APIs. Post-grant, Netskope is independent of the granting account for policy processing.
You must turn on audit logging in the Microsoft 365 admin center. To enable audit logging, log in to https://compliance.microsoft.com/, then in the left navigation, click Audit. If auditing is not turned on for your organization, a banner is displayed prompting you to start recording user and admin activity. Click the Start recording user and admin activity banner. It may take up to 60 minutes for the change to take effect.
Note
If you do not see this banner, auditing has already been turned on for your organization. After you turn it on, a message is displayed saying that the audit log is being prepared and that you can run a search a couple of hours after the preparation is complete. You only have to do this once. For additional information, read this support article on the Microsoft site.
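The audit-log prerequisite above can also be verified (and, if needed, turned on) from PowerShell rather than the compliance portal. The following is an added example, not part of the Netskope documentation or the Netskope product; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds a role permitted to read and change the audit configuration. The user principal name is a placeholder.

```powershell
# Added example (not from the Netskope documentation): confirm that unified audit
# logging is enabled before creating the OneDrive app instance, so the Office 365
# Management API actually has events to deliver.
# Assumes: ExchangeOnlineManagement module installed; admin@contoso.example is a
# placeholder for your admin account.
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example

$cfg = Get-AdminAuditLogConfig
if ($cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Host "Unified audit logging is already enabled."
} else {
    Write-Host "Unified audit logging is disabled; enabling it now."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    # The page notes the change can take up to 60 minutes to take effect.
    Write-Host "Change submitted; allow up to 60 minutes before expecting events."
}

# Sanity check once the log has been prepared: confirm that SharePoint/OneDrive
# file operations from the last day are being recorded. An empty result right
# after enabling is expected; re-run later.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
    -RecordType SharePointFileOperation -ResultSize 5 |
    Select-Object CreationDate, Operations, UserIds

Disconnect-ExchangeOnline -Confirm:$false
```

Run this from a workstation with the module installed; the first cmdlet prompts for interactive sign-in. If the final search returns rows, OneDrive activity is flowing into the unified audit log and the Netskope app instance will have data to read once it is configured.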
Adding the Netskope Introspection v2 app to your SharePoint admin account has these requirements:
- Installing the Netskope Introspection v2 app in your Office 365 SharePoint admin account requires the global administrator role in Office 365. For details on assigning admin roles in Office 365, refer to this Microsoft Office 365 document.
- The admin account used to upload the Netskope Introspection v2 app must be added as a Site Collection Administrator.
- Although the Netskope Introspection v2 app is installed through the SharePoint store, the Netskope Introspection v2 app instructions apply to both the OneDrive and SharePoint apps.
- In a multi-geo setup, if you intend to monitor a single location, install the Netskope Introspection v2 app in that location.
The Netskope Introspection v2.0 app requires the following scopes to be granted when it is installed in the Office 365 account:

| Scope | Description | Permission |
| --- | --- | --- |
| Social | To retrieve user profiles. | Full control |
| Tenancy | The tenancy where the add-in is installed. Includes all children of this scope. | Full control |
| Site collection | The site collection where the add-in is installed. Includes all children of this scope. | Full control |
| Website | The website where the add-in is installed. Includes all children of this scope. | Manage |
| List | The list on the website where the add-in is installed. | Manage |
The Netskope Introspection v2.0 app requires the following permission levels:

| Permission Request | Description | Permissions Included |
| --- | --- | --- |
| Read-only | Enables apps to view pages, list items, and download documents. | View items; Open items; View versions; Create alerts; Use self-service site creation; View pages |
| Write | Enables apps to view, add, update, and delete items in existing lists and document libraries. | Read-only permissions, plus: Add items; Edit items; Delete items; Delete versions; Browse directories; Edit personal user information; Manage personal views; Add/remove personal web parts; Update personal web parts |
| Manage | Enables apps to view, add, update, delete, approve, and customize items or pages within a web site. | Write permissions, plus: Manage lists; Apply themes and borders; Apply style sheets |
| Full control | Enables apps to have full control within the specified scope. | All permissions |