OneDrive Site Admin Activities Test

In OneDrive for Business, administration can be separated into four primary roles: Office 365 Global Administrator, SharePoint Online Administrator, Site Collection Administrator, and Site Owner/Administrator

  • Global Administrators: Global Administrators, also known as the “Company Admin” or the “Tenant Admin”, can configure any Office 365 settings and gain access to any level of the SharePoint site. Compared to the SharePoint Admin and the Site Collection admin, the Global Admin is the only role able to manage user groups and reset user passwords. Furthermore, global admins are the only admins who can assign other admin roles, outside of Site admins. You can have more than one Global Admin.
  • SharePoint Administrators: SharePoint Online Administrators can create and manage site collections, delegate site collection administrators and allocate space between the different Site Collections. Compared to the Global Admin, SharePoint Admins will be able to view user information but, will not be able to modify existing information. In SharePoint Online, Global Administrators are also SharePoint Online Administrators.
  • Site Collection Administrators: Site Collection Administrators are responsible for creating and maintaining sites and content within a site collection. Primary functions for the Site Collection Admin include managing permissions and restricting access where necessary, and managing content types, site columns and templates for re-use in the sites and update site structure based on content requirements. Site Collection Administrators can also assign other users to be a Site Collection Administrator to their Site Collection. Compared to Global and SharePoint admins, Site Collection Admins do not have access to the Office 365 Admin portal, thus they will not be able to see any user information.
  • Site Owner/Administrator: A Site Owner/Administrator is vested with “Full control” to specific site(s) within a site collection. He/she is allowed to create and delete lists and libraries, grant other users permissions, activate site features, create new subsites, etc.

Because administrators are vested with many privileges and few restrictions, and since only a thin line separates the privileges of one administrator from another's, there is always the probability that changes made by one administrator get inadvertently overridden by another! This presents a strong case for monitoring administrative operations, capturing changes made across the SharePoint Online organization, and most importantly, identifying which administrator effected what change. This is exactly what the OneDrive Site Admin Activities test does!

This test helps in auditing administrative operations by closely monitoring administrative activities on OneDrive for Business and reporting the count of such activities. Detailed diagnostics provided by the test shed ]light on what administrative operations were performed on OneDrive for Business, who are the administrators who performed them, from which clients were such operations initiated, and which sites were impacted by them.

Target of the test : Microsoft OneDrive for Business

Agent deploying the test : Aremote agent

Outputs of the test : One set of results for the Office 365 tenant being monitored

Configurable parameters for the test

Parameters Description

Test period

How often should the test be executed

Host

The host for which the test is to be configured. By default, this is portal.office.com

Tenant Name

This parameter applies only if you want the eG agent to use Azure AD Certificate-based Authentication for accessing and monitoring an O365 tenant and its resources.

Azure AD certificate-based authentication (CBA) enables customers to allow or require users to authenticate with X.509 certificates against their Azure Active Directory (Azure AD) for applications and browser sign-in. When monitoring highly secure Office 365 environments, you can configure the eG agent to identify itself to a tenant using a valid X.509 certificate, so that it is allowed secure access to the tenant and its resources.

By default, the value of this parameter is none. This means that, by default, the eG agent does not use certificate-based authentication to connect to an O365 tenant.

On the other hand, if you want the eG agent to use this modern authentication technique to securely access a tenant's resources, you should do the following:

  1. Enable Azure AD Certificate-based authentication for the target O365 tenant; this can be achieved manually, via the Office 365 portal, or automatically, using Powershell scripts we provide. For the manual procedure, refer to Manually Enabling Certificate-based Authentication For an Office 365 Tenantunder Microsoft Office 365. For the automatic procedure, refer to Automatically Fulfilling Pre-requisites in a Modern Authentication-Enabled Environmentunder Microsoft Office 365.

    When enabling certificate-based authentication, an X.509 certificate will be generated for the target tenant.

  2. Configure the Tenant Name parameter with the name of the tenant for which certificate-based authentication is enabled. Using the tenant name, the eG agent will be able to read the details of the X.509 certificate that is generated for that tenant, and use that certificate to access that tenant's resources. To determine the tenant name, do the following:

    • Log in to the Microsoft 365 Admin Center as an administrator.

    • Under Setup, click on Domains.

    • Find a domain that ends with .onmicrosoft.com - this is your Microsoft O365 tenant name.

O365 User Name, O365 Password, and Confirm Password

These parameters need to be configured only if the Tenant Name parameter is set to none. On the other hand, if a valid Tenant Name is configured, then you should set these parameters to none .

For execution, this test requires the privileges of an O365 user who has been assigned theService support admin and SharePoint admin roles and is vested with the View-Only Audit Logs permission. Configure the credentials of such a user against O365 User Name and O365 Password text boxes. Confirm the password by retyping it in the Confirm Password text box.

While you can use the credentials of any existing O365 user with the afore-said privileges, it is recommended that you create a special user for monitoring purposes using the Office 365 portal and use the credentials of that user here. To know how to create a new user using the Office 365 portal and assign the required privileges to that user, refer to Creating a New User in the Office 365 Portalunder Microsoft Office 365. To know how to manually create a new user using the Office 365 portal and assign the required privileges to that user, refer to theCreating a New User in the Office 365 Portaltopic. You can also use eG's proprietary PowerShell script to automatically create a new user, or assign the required privileges to an existing user. To know how to use this script, refer to theAutomatically Fulfilling Pre-requisites in a Basic Authentication-Enabled Environmenttopic.

Domain, Domain User Name, Domain Password, and Confirm Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, in the Domain text box, specify the name of the Windows domain to which the eG agent host belongs. In the Domain User Name text box, mention the name of a valid domain user with login rights to the eG agent host. Provide the password of that user in the Domain Password text box and confirm that password by retyping it in the Confirm Password text box.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of these parameters. By default, these parameters are set to none.

Proxy Host, Proxy Port, Proxy User Name, and Proxy Password

These parameters are applicable only if the eG agent needs to communicate with the Office 365 portal via a Proxy server.

In this case, provide the IP/host name and port number of the Proxy server that the eG agent should use in the Proxy Host and Proxy Port parameters, respectively.

If the Proxy server requires authentication, then specify the credentials of a valid Proxy user against the Proxy User Name and Proxy Password text boxes. Confirm that password by retyping it in the Confirm Password text box. If the Proxy server does not require authentication, then specify none against the Proxy User Name, Proxy Password, and Confirm Password text boxes.

On the other hand, if the eG agent is not behind a Proxy server, then you need not disturb the default setting of any of the Proxy-related parameters. By default, these parameters are set to none.

Report System Account Log Entries

By default, this flag is set to No. This means that, by default, the test ignores all operations performed by Windows System Accounts. A System Account in Windows is used by the operating system and by services that run under Windows. There are many services and processes within Windows that need the capability to log on internally (for example during a Windows installation). The system account was designed for that purpose; it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager in the Permissions portion of the Security menu. By default, the system account is granted full control to all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account..

If you want the test to monitor and report on operations performed by Windows System Accounts as well, set this flag to Yes.

Note:

By default, this test does not monitor the operations of the NT AUTHORITY\SYSTEM and SHAREPOINT\system accounts. This is governed by the System_Account_Names parameter in the [ODB_Audited_Activities] section of the eg_tests.ini file (in the <EG_INSTALL_DIR>\manager\config directory). If required, you can exclude more Windows system accounts from monitoring. For that, do the following:

  1. Edit the eg_tests.ini file (in the <EG_INSTALL_DIR>\manager\config directory).
  2. Look for the System_Account_Names parameter in the [ODB_Audited_Activities] section of the file. You will find that this parameter is by default set as follows:

    System_Account_Names=NT AUTHORITY\SYSTEM,SHAREPOINT\system

  3. To exclude more Windows system accounts from monitoring, you need to modify the System_Account_Names parameter by appending more system accounts to the comma-separated list.
  4. Finally, save the file.

Report Top N DD

By default, this parameter is set to 10, indicating that the detailed diagnostics will report the details of top-10 file operations. You can change the 'N' in Top N by specifying any number of your choice in this text box.

DD Frequency

Refers to the frequency with which detailed diagnosis measures are to be generated for this test. The default is 2:1. This indicates that, by default, detailed measures will be generated every second time the test runs, and also every time the test detects a problem. You can modify this frequency, if you so desire. Also, if you intend to disable the detailed diagnosis capability for this test, you can do so by specifying none against DD Frequency.

Detailed Diagnosis

To make diagnosis more efficient and accurate, the eG Enterprise embeds an optional detailed diagnostic capability. With this capability, the eG agents can be configured to run detailed, more elaborate tests as and when specific problems are detected. To enable the detailed diagnosis capability of this test for a particular server, choose the On option. To disable the capability, click on the Off option. The option to selectively enabled/disable the detailed diagnosis capability will be available only if the following conditions are fulfilled:

  • The eG manager license should allow the detailed diagnosis capability
  • Both the normal and abnormal frequencies configured for the detailed diagnosis measures should not be 0.
Measurements made by the test
Measurement Description Measurement Unit Interpretation

Total operations

Indicates the total number of operations performed by administrators.

Number

The value of this measure is the sum of the values of all measures reported under the section Site Administration Operations, in the Layers tab page of the eG monitoring console

Unique operations

Indicates the count of unique administrative operations that were performed on OneDrive for Business.

Number

To know which operations were performed, use the detailed diagnosis of this measure.

Unique users

Indicates the count of unique administrative users who performed the operations.

Number

To know which are the administrators who performed the administrative operations, use the detailed diagnosis of this measure.

Unique client IPs

Indicates the number of unique clients from which the administrators initiated their administrative operations.

Number

Use the detailed diagnosis of this measure to determine the IP addresses of the clients from which the administrators performed administrative operations.

Unique sites

Indicates the number of unique sites on which the administrative operations were performed.

Number

Use the detailed diagnosis of the OneDrive for Business sites on which the administrative operations were performed.

Affected item types

Indicates the number of types of items that were affected by the administrative operations.

Number

To know what type of items were affected by the administrative operations, use the detailed diagnosis of this measure.

Unique destinations

Indicates the destination URLs of the administrative operations that were performed.

Number

To know the unique destination URLs, use the detailed diagnosis of this measure.

Unique user agents

Indicates the unique user agents of browsers used for performing administrative operations.

Number

To know the unique user-agent strings of the browsers used in administrative tasks, use the detailed diagnosis of this measure.

User agent exempt additions

Indicates the number of times additions were made to the list of exempt user agents in the SharePoint admin center.

Number

InfoPath Forms Services in SharePoint Online lets you deploy your organization's forms to your sites, enabling users fill out these forms in a web browser.

To make indexing InfoPath forms faster and easier, you can specify which user agents to exempt from receiving an entire webpage to index. This means that when a user agent you have specified as exempt encounters an InfoPath form, the form will be returned as an XML file (which looks like a hierarchical text file) instead of an entire webpage.

This measure reports a non-zero value if a SharePoint administrator or Global administrator adds one/more user agents to the list of exempt user agents, so that InfoPath forms are indexed quickly.

User agent exempt modifications

Indicates the number of times administrators have modified the list of exempt user agents in the SharePoint admin center.

Number

This measure reports a non-zero value if a SharePoint administrator or Global administrator customized the list of exempt user agents.

Site collection admin additions

Indicates the number of site collection administrators added.

Number

Site collection administrators have full control permissions for the site collection and all subsites.

A Site Collection administrator can also add a person as a site collection administrator for a site. If this happens, then the value of this measure will get incremented.

User/group additions

Indicates the number of times new members or guests were added to OneDrive groups.

Number

Sometimes, intentionally or as a result of another activity (eg., sharing), a user may add a member or guest to a SharePoint group. When this happens, the value of this measure will increase.

Add user/group permits

Indicates the number of times administrators allowed other users to create groups.

Number

A Site administrator can add a permission level to a site hat allows a user assigned that permission to create a group for that site. When this happens, the value of this measure will increase.

Sharing policy modifications

Indicates the number of times sharing policies were modified by administrators.

Number

A SharePoint administrator or Global administrator changed a SharePoint sharing policy by using the Office 365 admin portal, SharePoint admin portal, or SharePoint Online Management Shell. Whenever a SharePoint sharing policy is so changed, the value of this measure gets incremented.

Group additions

Indicates the number of times administrators added groups to sites.

Number

Site administrator or owner creates a group for a site, or performs a task that results in a group being created. For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file.

Whenever a group is so created for a site, the value of this measure gets incremented.

Sent to connection creations

Indicates the number of Send To connections that were created by administrators.

Number

A SharePoint or Global administrator can create a new Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.

When a Send To connection is so created, the value of this measure increased.

Site collection creations

Indicates the number of times administrators created site collections in the OneDrive for Business organization.

Number

A SharePoint or global administratorcan create a new site collection in your SharePoint Online organization or a user can provision their OneDrive for Business site. Whenever one of these events occur, the value of this measure gets incremented.

Group deletes

Indicates the number of groups deleted by users/administrators.

Number

Whenever a user/administrator deletes a group from site, the value of this measure gets incremented.

Send to connection deletes

Indicates the number of Send To connections deleted by administrators.

Number

A SharePoint or global administrator deletes a Send To connection on the Records management page in the SharePoint admin center. A Send To connection specifies settings for a document repository or a records center. When you create a Send To connection, a Content Organizer can submit documents to the specified location.

When a Send To connection is deleted, the value of this measure is incremented.

Site deletes

Indicates the number of sites deleted by administrators.

Number

Whenever a site administrator deletes a site, the value of this measure is incremented.

Document preview permits

Indicates the number of times site administrators enabled document preview.

Number

Document Preview, when enabled, extends and leverages SharePoint document management capabilities by embedding pure HTML viewers for dozens of file formats into SharePoint document libraries and SharePoint Search centers. These viewers facilitate graphical preview of document content.

The value of this measure increases whenever a Site administrator enables document preview for a site.

Workflow task content type additions

Indicates the number of Workflow task content types added by site administrators to their sites.

Number

OneDrive workflows are pre-programmed mini-applications that streamline and automate a wide variety of business processes. Workflows can range from collecting signatures, feedback, or approvals for a plan or document, to tracking the current status of a routine procedure.

For example, take a document approval process. Running this process manually can mean a lot of checking up and keeping track, forwarding documents and sending reminders - and each of those tasks has to be performed by you or by one or more of your colleagues. That means a lot of extra work and (maybe even worse) a constant stream of interruptions. But when you use the SharePoint Document Approval workflow to run the process, all of that checking and tracking and reminding and forwarding is done by the workflow, automatically. If someone is late in completing a task, or if some other hitch arises, most of the included workflows generate a notification to let you know about it. Nobody in the group has to proactively monitor the process because with a SharePoint workflow, the process is always proactively monitoring itself.

When a task is added to a Workflow, the value of this measure increases.

Office on demand permits

Indicates the number of times the Office on Demand feature was enabled.

Number

Office on Demand is a feature that provides online access to full rich Office desktop applications, including Word, Excel, and PowerPoint, when you are using a PC that doesn’t have the latest version of Office installed locally.

Whenever a Site administrator/owner enables Office on Demand, the value of this measure gets incremented.

News feed permits

Indicates the number of times RSS feeds were allowed.

Number

Really Simple Syndication (RSS) is a way for you to make news, blogs, and other content on a site available to subscribers. When RSS is turned on, it can be managed for site collections, sites, lists, and libraries. Your permissions on the site determine at what level you can manage RSS.

Whenever a Site administrator/Site owner enables RSS feeds for a site, or a Global administrator enables RSS feeds for an entire organization, the value of this measure increases.

Site permissions modifications

Indicates the number of times administrators modified site permissions.

Number

Site administrator or owner (or system account) can change the permission level that are assigned to a group on a site.

Whenever this happens, the value of this measure increases.

Removals from group

Indicates the number of times members/guests were removed from OneDrive groups.

Number

Whenever a user removes a member/guest from an OneDrive group, the value of this measure increases.

Site renames

Indicates the number of times sites were renamed.

Number

Whenever a Site administrator/owner renames a site, the value of this measure increases.

Site admin requests

Indicates the number of times users requested to be added as site collection administrators to a site collection.

Number

Whenever a Site collection administrator receives a request from a user to add him/her as a site collection administrators, the value of this measure gets incremented.

Host site changes

Indicates the number of times the sites hosted by the desginated site were changed.

Number

A SharePoint or global administrator can change the designated site to host personal or OneDrive for Business sites. When this happens, the value of this measure changes.

Group settings changes

Indicates the number of times the settings of groups were changed.

Number

A Site administrator or owner can change the settings of a group for a site. This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled. Whenever such a change is made, the value of this measure increases.

The detailed diagnosis of the Unique operations measure lists the unique administrative operations that were performed on OneDrive for Business, and the number of times each operation was performed. This will point to those administrative activities that were most common.

Figure 1 : The detailed diagnosis of the Unique operations measure reported by the OneDrive Site Admin Activities test

The detailed diagnosis of the Unique users measure lists the administrators who performed different administrative operations on OneDrive for Business. For each administrator, the operations performed by that admin, the number of times the operations were performed, and the client from which that operation was initialized are revealed. This may reveal if two/more administrators made conflicting changes. This will also reveal performance- or UX-impacting changes that were made and the administrator who made them. Changes made with malicious intent may also surface in the process.

Figure 2 : The detailed diagnosis of the Unique users measure reported by the OneDrive Site Admin Activities test

The detailed diagnosis of the Unique client IPs measure reveals which administrative operations were performed from which clients. The number of times the operations were performed from each client is also reported.

Figure 3 : The detailed diagnosis of the Unique client IPs measure reported by the OneDrive Site Admin Activities test

The detailed diagnosis of the Unique sites measure reveals the GUID and URL of each of the SharePoint sites on which administrative operations were performed. The type of operation that was performed and the number of times these operations were performed is also reported, so as to highlight those sites where the maximum number of administrative operations were performed.

Figure 4 : The detailed diagnosis of the Unique sites measure reported by the OneDrive Site Admin Activities test

To know which type of items - i.e., whether a file/folder/web/site/tenant/document library- was the target of the maximum number of administrative operations, use the detailed diagnosis of the Affected item types measure. For each item type, the detailed metrics reveal the specific operations performed on that type and the number of times the operations were performed.

Figure 5 : The detailed diagnosis of the Affected item types measure reported by the OneDrive Site Admin Activities test

The detailed diagnosis of the Unique user agents measure lists the user-agent strings of browsers used by users for performing the administrative operations. For each user-agent string, the detailed metrics further reveals the number of operations performed using that browser. This will help administrators to identify the browser that was used most often to perform such operations.

Figure 6 : The detailed diagnosis of the Unique user agents measure reported by the OneDrive Site Admin Activities test