SharePoint Online

How to create a SharePoint Connector app to scan SharePoint Online (SPO) accounts.

Registering an Azure App

  • Login to Azure Portal

  • If there are multiple tenants to choose from, use the Settings icon in the top menu and the Directories + subscriptions menu to switch to the tenant in which the application needs to be registered.

  • Browse to App Registration and select New registration

  • On the App Registration page, enter the information below and click the Register button

    • Name: (Enter a meaningful application name that will be displayed to users of the app)

    • Supported account types:

      • Select which accounts the application will support (the options should look similar to those shown below). Choose “Accounts in this organizational directory only”

      • Leave the Redirect URI empty and click Register

  • Note the Application (client) ID and Directory (tenant) ID values

  • Navigate to Manage -> Certificates and secrets on the left menu to create a new client secret

  • Provide a meaningful description and expiry for the secret, and click Add

  • Once the client secret is created, note its Value and store it somewhere safe. NOTE: this value cannot be viewed again once the page is closed.

  • Navigate to Manage -> API permissions on the left menu, and click Add a permission

  • Select Microsoft APIs -> Microsoft Graph

  • Select Application permissions

  • For UnifiedPolicy.Tenant.Read

    • Navigate to Manage -> API permissions on the left menu, and Add a permission

    • Select APIs my organization uses tab

    • Search for Microsoft Information Protection Sync Service

    • Select Application permissions > UnifiedPolicy.Tenant.Read

  • Permissions required

    • For scanning

      • Microsoft Graph > Application permissions > Sites > Sites.Read.All

    • For reading Sensitivity labels

      • Microsoft Graph > Application permissions > InformationProtectionPolicy > InformationProtectionPolicy.Read.All

      • APIs my organization uses > Microsoft Information Protection Sync Service > Application permissions > UnifiedPolicy.Tenant.Read

    • For revoke permissions

      • Microsoft Graph > Application permissions > Files > Files.ReadWrite.All

    • For tagging

      • Microsoft Graph > Application permissions > Sites > Sites.Manage.All

  • Once all the required permissions are added, click "Grant admin consent"
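After admin consent is granted, the quickest way to confirm that the registration really carries the permissions listed above is to request an app-only token with the client-credentials grant and compare its roles claim against the permissions each connector feature needs. The following Python is an added example, not Getvisibility's own code; the function names are hypothetical, the sample token is constructed locally and unsigned, and UnifiedPolicy.Tenant.Read is deliberately left out because it is granted on the Microsoft Information Protection Sync Service resource rather than on Microsoft Graph.

```python
import base64
import json

GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

# Microsoft Graph application permissions from the table above, per connector feature.
# UnifiedPolicy.Tenant.Read belongs to the Microsoft Information Protection Sync
# Service resource, so it never appears in a Graph token and is not checked here.
GRAPH_PERMISSIONS = {
    "scan": {"Sites.Read.All"},
    "labels": {"InformationProtectionPolicy.Read.All"},
    "revoke": {"Files.ReadWrite.All"},
    "tagging": {"Sites.Manage.All"},
}


def token_request(tenant_id, client_id, client_secret):
    """Return (URL, form fields) for the v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "scope": "https://graph.microsoft.com/.default",
            "grant_type": "client_credentials"}
    return url, body


def jwt_claims(token):
    """Decode the JWT payload without verifying the signature: this only inspects
    a token the app just obtained for itself; Graph verifies the signature on use."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def missing_permissions(token, features):
    """Graph application permissions the features need but the token's 'roles'
    claim lacks. An empty list means admin consent covers those features."""
    claims = jwt_claims(token)
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError("not a Microsoft Graph token: aud=%r" % claims.get("aud"))
    granted = set(claims.get("roles", []))
    needed = set().union(*(GRAPH_PERMISSIONS[f] for f in features))
    return sorted(needed - granted)


def sample_token(roles):
    """Constructed, unsigned sample token for offline use (not a real Entra ID token)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    payload = {"aud": "https://graph.microsoft.com", "roles": roles}
    return ".".join([enc({"alg": "none"}), enc(payload), "sig"])


if __name__ == "__main__":
    print(missing_permissions(sample_token(["Sites.Read.All"]), ["scan", "tagging"]))
```

With a real token, pass the access_token string returned by the token endpoint to missing_permissions; any permission it reports is one that was not added or not consented to in the steps above.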

Configuring SharePoint Online connector in Dashboard

  • Navigate to Administration -> Data Sources -> SharePoint Online -> New scan

  • Provide the Directory (tenant) ID, Application (client) ID and Client Secret value generated for the Azure application in the steps above

  • Click on the Folder icon in Site and path to select a particular site to scan, or leave the path empty to scan all sites

  • Save the configuration

  • Once the configuration is saved, click on the icon on the right and select Start file scan to begin scanning

  • The results can be viewed under Dashboard -> Enterprise Search

File tagging

Prerequisites

  • First create the default Getvisibility tags as a new column in SharePoint. This process is described below:

    • In SharePoint, navigate to Documents

    • In the files view, select + Add column

    • Select Choice and then Next

    • Set the name to Classification and the choices to: Public, Internal, Confidential, Highly-Confidential

    • Then click Save

    • Similarly create Compliance and Distribution columns (if required)

    • Getvisibility and SharePoint's tags are now aligned

  • When Getvisibility writes tags to SharePoint files automatically over the API, the file's Modified By value changes to System Account.

    • Getvisibility preserves the Modified date where applicable.
