OneDrive Sharing/Access Request Activities Test

The access request feature allows people to request access to content that they do not currently have permission to see. As a site owner, you can configure the feature to send you mail when someone requests access to a site. You can then choose whether to approve or decline their request. If you approve the request, you can also specify the specific level of permission you’d like to assign to a user.

The access request feature also works together with the Share command for sites. If someone who is not a site owner for a site (that is, someone who does not have full control for a site) uses the Share command to invite other people to view a site, then that action will generate an access request for the site owner. The site owner can then approve or decline the request, or specify the permission level to be assigned to the new user.

At other times, instead of sending out Share invitations to other users to view the contents of OneDrive for Business, users may choose to share a link to the OneDrive with other users. These users can be members of your organization or guest users who are external to your organization.

However, regardless of how a site's contents are accessed (by requesting access, via sharing invitations, or via sharing links), maintaining the security and integrity of the data stored in the sites at all times is of utmost importance to administrators. This is why it is imperative that administrators monitor access requests, sharing invitations, and sharing links, promptly capture all activities related to these operations (e.g., request creation, request acceptance, invite creation, link creation, invite withdrawal, etc.) as and when they occur, and closely scrutinize them to understand who initiated the operation, on which site, and from where. This is exactly what the OneDrive Sharing/Access Request Activities test helps administrators do.

This test tracks access and sharing operations from the time of their creation to their acceptance/withdrawal, and captures and reports the number of times every activity related to each of these operations is performed. Detailed diagnostics shed more light on these activities by revealing the users who initiated them, the clients from which the activities were initiated, and even the sites that were impacted. This will enable administrators to efficiently audit these sensitive activities and ensure that they are performed only by authorized individuals on sites that such individuals have control over. Additionally, the test also provides administrators with a measure of the workload that such operations and their related activities impose on OneDrive for Business.

Target of the test : Microsoft OneDrive for Business

Agent deploying the test : A remote agent

Outputs of the test : One set of results for the Office 365 tenant being monitored.

Configurable parameters for the test

Parameter | Description

Test period

How often should the test be executed

Host

The host for which the test is to be configured. By default, this is portal.office.com

Tenant Name

This parameter applies only if you want the eG agent to use Azure AD Certificate-based Authentication for accessing and monitoring an O365 tenant and its resources.

Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. When monitoring highly secure Office 365 environments, you can configure the eG agent to identify itself to a tenant using a valid X.509 certificate, so that it is allowed secure access to the tenant and its resources.

By default, the value of this parameter is none. This means that, by default, the eG agent does not use certificate-based authentication to connect to an O365 tenant.

On the other hand, if you want the eG agent to use this modern authentication technique to securely access a tenant's resources, you should do the following:

  1. Enable Azure AD Certificate-based authentication for the target O365 tenant; this can be achieved manually, via the Office 365 portal, or automatically, using PowerShell scripts we provide. For the manual procedure, refer to Manually Enabling Certificate-based Authentication For an Office 365 Tenant under Microsoft Office 365. For the automatic procedure, refer to Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environment under Microsoft Office 365.

    When enabling certificate-based authentication, an X.509 certificate will be generated for the target tenant.

  2. Configure the Tenant Name parameter with the name of the tenant for which certificate-based authentication is enabled. Using the tenant name, the eG agent will be able to read the details of the X.509 certificate that is generated for that tenant, and use that certificate to access that tenant's resources. To determine the tenant name, do the following:

    • Log in to the Microsoft 365 Admin Center as an administrator.

    • Under Setup, click on Domains.

    • Find a domain that ends with .onmicrosoft.com - this is your Microsoft O365 tenant name.

O365 User Name, O365 Password, and Confirm Password

These parameters need to be configured only if the Tenant Name parameter is set to none. On the other hand, if a valid Tenant Name is configured, then you should set these parameters to none.

For execution, this test requires the privileges of an O365 user who has been assigned the Service support admin and SharePoint admin roles and is vested with the View-Only Audit Logs permission. Configure the credentials of such a user against O365 User Name and O365 Password text boxes. Confirm the password by retyping it in the Confirm Password text box.

While you can use the credentials of any existing O365 user with the aforesaid privileges, it is recommended that you create a special user for monitoring purposes using the Office 365 portal and use the credentials of that user here. To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portal under Microsoft Office 365. To know how to manually create a new user using the Office 365 portal and assign the required privileges to that user, refer to the Creating a New User in the Office 365 Portal topic. You can also use eG's proprietary PowerShell script to automatically create a new user, or assign the required privileges to an existing user. To know how to use this script, refer to the Automatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environment topic.

Domain, Domain User Name, Domain Password, and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, in the Domain text box, specify the name of the Windows domain to which the eG agent host belongs. In the Domain User Name text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the Domain Password text box and confirm that password by retyping it in the Confirm Password text box.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.

Proxy Host, Proxy Port, Proxy User Name, and Proxy Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the Proxy Host and Proxy Port parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

Report System Account Log Entries

By default, this flag is set to No. This means that, by default, the test ignores all operations performed by Windows System Accounts. A System Account in Windows is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.

If you want the test to monitor and report on operations performed by Windows System Accounts as well, set this flag to Yes.

Note:

By default, this test does not monitor the operations of the NT AUTHORITY\SYSTEM and SHAREPOINT\system accounts. This is governed by the System_Account_Names parameter in the [ODB_Audited_Activities] section of the eg_tests.ini file (in the <EG_INSTALL_DIR>\manager\config directory). If required, you can exclude more Windows system accounts from monitoring. For that, do the following:

  1. Edit the eg_tests.ini file (in the <EG_INSTALL_DIR>\manager\config directory).
  2. Look for the System_Account_Names parameter in the [ODB_Audited_Activities] section of the file. You will find that this parameter is by default set as follows:

    System_Account_Names=NT AUTHORITY\SYSTEM,SHAREPOINT\system

  3. To exclude more Windows system accounts from monitoring, you need to modify the System_Account_Names parameter by appending more system accounts to the comma-separated list.
  4. Finally, save the file.

Report Top N DD

By default, this parameter is set to 10, indicating that the detailed diagnostics will report the details of top-10 file operations. You can change the 'N' in Top N by specifying any number of your choice in this text box.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 2:1. This indicates that, by default, detailed measures will be generated every second time the test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enable/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.

Measurements made by the test

Measurement | Description | Measurement Unit | Interpretation

Total operations

Indicates the total number of access request and sharing-related operations that were performed by users of OneDrive for Business.

Number

The value of this measure is the sum of the values of all measures reported under the section Sharing and access request Operations, in the Layers tab page of the eG monitoring console.

Unique operations

Indicates the count of unique access request and sharing-related operations that were performed on OneDrive for Business.

Number

To know which operations were performed, use the detailed diagnosis of this measure.

Unique users

Indicates the count of unique users who performed operations related to access requests and sharing.

Number

To know which are the users who performed access request and sharing-related operations, use the detailed diagnosis of this measure.

Unique client IPs

Indicates the number of unique clients from which the users initiated the access request and sharing-related operations.

Number

Use the detailed diagnosis of this measure to determine the IP addresses of the clients from which users performed an access request or sharing-related operation.

Unique sites

Indicates the number of unique sites on which the access request and sharing-related operations were performed.

Number

Use the detailed diagnosis of this measure to know the unique OneDrive sites on which access request and sharing-related operations were performed.

Affected item types

Indicates the number of types (file/folder/site) of items that were affected by access request and sharing-related operations.

Number

To know what type of items were affected by the access request and sharing-related operations, use the detailed diagnosis of this measure.

Unique destinations

Indicates the number of unique destination URLs of the access request and sharing-related operations that were performed.

Number

To know the unique destination URLs, use the detailed diagnosis of this measure.

Unique user agents

Indicates the number of unique user agents of browsers used for performing access request and sharing-related operations.

Number

To know the unique user-agent strings of the browsers used in access request and sharing-related operations, use the detailed diagnosis of this measure.

Access requests acceptances

Indicates the number of access requests that were accepted.

Number

A non-zero value for this measure implies that an access request to a site, folder, or document was accepted and the requesting user has been granted access.

Sharing invitations acceptances

Indicates the number of sharing invitations that were accepted.

Number

If this measure reports a non-zero value, it means that one/more users have accepted sharing invitations, thus obtaining access to the resources that are shared.

Sharing invitations blocked

Indicates the number of sharing invitations that were blocked.

Number

A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user. In this case, the sharing invitation was blocked because:

  • The target user's domain isn't included in the list of allowed domains; (Or)
  • The target user's domain is included in the list of blocked domains.

Company link creations

Indicates the number of company links created.

Number

Company-wide links can only be used by members in your organization. They cannot be used by guests.

Access request creations

Indicates the number of access requests created.

Number

A non-zero value for this measure implies that one/more users have requested access to one/more sites, documents, or folders they do not have permissions to access.

Anonymous link creations

Indicates the number of anonymous links that have been created.

Number

Documents and folders (but not sites) can be shared via an anonymous link where anyone with the link can view or edit the document, or upload to the folder. Since this is the least restrictive of sharing options, administrators must exercise caution when granting an external user an anonymous link to edit a resource.

Sharing invitations creations

Indicates the number of sharing invitations created.

Number

A non-zero value for this measure indicates that one/more users invited other users who are not in your organization's directory to share a resource in SharePoint Online or OneDrive for Business.

Access request denials

Indicates the count of access requests that were declined.

Number

A non-zero value denotes that access requests to one/more sites, folders, or documents were denied.

Company link removals

Indicates the count of company-wide links that were removed.

Number

Once a company-wide link or anonymous link is removed, that link can no longer be used to access the resource.

Anonymous link removals

Indicates the count of anonymous links that were removed.

Number

File/folder/site shares

Indicates the number of files/folders/sites that were shared with other users.

Number

Anonymous link updates

Indicates the number of anonymous link updates that occurred.

Number

Anonymous link usage

Indicates the number of times resources were accessed by anonymous users using one/more anonymous links.

Number

If this measure reports a non-zero value, then use the detailed diagnosis of the Unique users measure to identify the IP addresses of the clients from which the anonymous accesses happened.

Sharing revokes

Indicates the number of shares that were revoked.

Number

A non-zero value for this measure indicates that users have unshared one/more files, folders, or sites that were previously shared with other users.

Company link usage

Indicates the number of times company-wide links were used by users to access resources.

Number

If this measure reports a non-zero value, then use the detailed diagnosis of the Unique users measure to identify the users who revoked sharing invitations.

Sharing invitation withdrawals

Indicates the count of sharing invitations withdrawn.

Number

A non-zero value for this measure is indicative of one/more sharing invitations that were withdrawn. To withdraw a sharing invitation that has already been sent to an external user, you need to revoke the invitation before it is accepted.

The detailed diagnosis of the Unique operations measure lists the unique access request and sharing-related operations that were performed on OneDrive for Business, and the number of times each operation was performed. This way, administrators can quickly identify which operation was most common and imposed maximum load on OneDrive for Business.

Figure 1 : The detailed diagnosis of the Unique operations measure reported by the OneDrive Sharing/Access Request Activities test

The detailed diagnosis of the Unique users measure lists the users who performed access request and/or sharing-related operations on OneDrive for Business. For each user, the operations performed by that user, the number of times the operations were performed, and the client from which that user initiated the operations are revealed. This way, administrators can quickly figure out if any user has performed any unauthorized operation.

Figure 2 : The detailed diagnosis of the Unique users measure reported by the OneDrive Sharing/Access Request Activities test

The detailed diagnosis of the Unique client IPs measure reveals which access request and/or sharing-related operations were performed from which clients. The number of times the operations were performed from each client is also reported.

Figure 3 : The detailed diagnosis of the Unique client IPs measure reported by the OneDrive Sharing/Access Request Activities test

The detailed diagnosis of the Unique sites measure reveals the GUID and URL of each of the SharePoint sites on which access request and/or sharing-related operations were performed. The type of operation that was performed and the number of times these operations were performed are also reported, so that administrators can accurately identify the site that experienced a high level of activity of this type.

Figure 4 : The detailed diagnosis of the Unique sites measure reported by the OneDrive Sharing/Access Request Activities test

To know which type of items - i.e., whether a file/folder/site - was the target of the maximum number of access request and/or sharing-related operations, use the detailed diagnosis of the Affected item types measure. For each item type, the detailed metrics reveal the specific operations performed on that type and the number of times the operations were performed.

Figure 5 : The detailed diagnosis of the Affected item types measure reported by the OneDrive Sharing/Access Request Activities test

The detailed diagnosis of the Unique destinations measure lists the destination URLs of the access request and sharing-related operations. For each URL, the specific operations that resulted in that URL and the number of times the operations were performed are reported.

Figure 6 : The detailed diagnosis of the Unique destinations measure reported by the OneDrive Sharing/Access Request Activities test

The detailed diagnosis of the Unique user agents measure lists the user-agent strings of browsers used by users for performing the access request and/or sharing-related operations. For each user-agent string, the detailed metrics further reveal the number of operations performed using that browser. This will help administrators to identify the browser that was used most often to perform such operations.

Figure 7 : The detailed diagnosis of the Unique user agents measure reported by the OneDrive Sharing/Access Request Activities test
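
The following Python code is an added example, not eG Enterprise code. It shows how the headline measures and the per-user detailed diagnosis described above can be derived from Microsoft 365 audit records, and how the System_Account_Names exclusion changes the counts. The mapping from audit Operation values to this page's measure names, the record fields relied on (Operation, UserId, ClientIP, SiteUrl), the case-insensitive account matching and the sample records are assumptions made for illustration.

```python
import json
from collections import Counter

# Default exclusion list, as shown for System_Account_Names on this page.
SYSTEM_ACCOUNT_NAMES = r"NT AUTHORITY\SYSTEM,SHAREPOINT\system"
# Assumed mapping: audit-log Operation value -> measure name on this page.
MEASURE_FOR = {
    "AccessRequestCreated": "Access request creations",
    "AccessRequestAccepted": "Access requests acceptances",
    "AccessRequestDenied": "Access request denials",
    "SharingInvitationCreated": "Sharing invitations creations",
    "SharingInvitationAccepted": "Sharing invitations acceptances",
    "SharingInvitationBlocked": "Sharing invitations blocked",
    "SharingInvitationRevoked": "Sharing invitation withdrawals",
    "AnonymousLinkCreated": "Anonymous link creations",
    "AnonymousLinkUpdated": "Anonymous link updates",
    "AnonymousLinkUsed": "Anonymous link usage",
    "AnonymousLinkRemoved": "Anonymous link removals",
    "CompanyLinkCreated": "Company link creations",
    "CompanyLinkUsed": "Company link usage",
    "CompanyLinkRemoved": "Company link removals",
    "SharingSet": "File/folder/site shares",
    "SharingRevoked": "Sharing revokes",
}

# Constructed sample audit records (JSON lines); not taken from a real tenant.
SAMPLE = r'''
{"Operation":"AccessRequestCreated","UserId":"bob@example.onmicrosoft.com","ClientIP":"192.0.2.10","SiteUrl":"https://example-my.sharepoint.com/personal/alice"}
{"Operation":"AccessRequestAccepted","UserId":"alice@example.onmicrosoft.com","ClientIP":"192.0.2.11","SiteUrl":"https://example-my.sharepoint.com/personal/alice"}
{"Operation":"AnonymousLinkCreated","UserId":"alice@example.onmicrosoft.com","ClientIP":"192.0.2.11","SiteUrl":"https://example-my.sharepoint.com/personal/alice/"}
{"Operation":"AnonymousLinkUsed","UserId":"anonymous","ClientIP":"203.0.113.7","SiteUrl":"https://example-my.sharepoint.com/personal/alice"}
{"Operation":"SharingInvitationCreated","UserId":"carol@example.onmicrosoft.com","ClientIP":"198.51.100.5","SiteUrl":"https://example-my.sharepoint.com/personal/carol"}
{"Operation":"SharingSet","UserId":"SHAREPOINT\\system","SiteUrl":"https://example-my.sharepoint.com/personal/carol"}
{"Operation":"FileAccessed","UserId":"bob@example.onmicrosoft.com","ClientIP":"192.0.2.10","SiteUrl":"https://example-my.sharepoint.com/personal/alice"}
{"Operation":"AnonymousLinkCreated","UserId":"carol@example.onmicrosoft.com","ClientIP":"198.51.100.5","SiteUrl":"https://example-my.sharepoint.com/personal/carol"}
'''

def summarize(lines, report_system_accounts=False):
    """Return the headline measures plus a per-user breakdown."""
    excluded = {a.strip().lower() for a in SYSTEM_ACCOUNT_NAMES.split(",")}
    per_measure, per_user, ips, sites = Counter(), Counter(), set(), set()
    for line in filter(None, map(str.strip, lines.splitlines())):
        rec = json.loads(line)
        measure = MEASURE_FOR.get(rec.get("Operation"))
        if measure is None:
            continue  # not an access request or sharing operation
        user = rec.get("UserId", "").lower()
        if user in excluded and not report_system_accounts:
            continue  # behaves like Report System Account Log Entries = No
        per_measure[measure] += 1
        # Key mirrors the per-user diagnosis: who, which operation, from where.
        per_user[(user, rec["Operation"], rec.get("ClientIP", ""))] += 1
        if rec.get("ClientIP"):
            ips.add(rec["ClientIP"])
        if rec.get("SiteUrl"):
            sites.add(rec["SiteUrl"].rstrip("/").lower())
    return {
        "Total operations": sum(per_measure.values()),
        "Unique operations": len(per_measure),
        "Unique users": len({u for u, _, _ in per_user}),
        "Unique client IPs": len(ips),
        "Unique sites": len(sites),
        "measures": dict(per_measure),
        "per_user": dict(per_user),
    }
```

Calling summarize(SAMPLE) gives the default view with system accounts ignored; summarize(SAMPLE, report_system_accounts=True) includes the SHAREPOINT\system share as well.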