External Authentication Content

In this article Dropbox Microsoft OneDrive Box (Box Sync) Google Drive Microsoft Information Protection (MIP) Policy Settings

Dropbox

The Dropbox admin account credentials required to access your Dropbox cloud storage locations are specified here. The user accounts to search are specified on the Cloud Storage section in the Search Locations section of the Policy View.

To add or edit the credentials for a Dropbox account click the Manage button and the Manage Dropbox dialog displays.

Authenticating Dropbox

1. Enter your admin user account name and click the Authenticate button.

2. A browser window opens on the Dropbox site. Enter your admin user account credentials, click Sign in.

3. Click Allow.

4. The dialog box display the authentication code.

5. Copy the indicated code and paste it into the Authentication Code field, and click the Confirm button.

When your Dropbox credentials have been successfully authenticated you see the following dialog.

6. Click OK and the authorization is complete, and the Dropbox now displays (Authenticated).

If your authentication code was entered incorrectly the following dialog box displays after clicking the Confirm button.

You then need to go through the authentication process again to retrieve a new authentication code.

Microsoft OneDrive

The Microsoft OneDrive admin account credentials required to access your Microsoft OneDrive personal cloud storage locations are specified here. OneDrive for Business is expected to be fully supported with the release of v10.6.

The user accounts to search are specified on the Cloud Storage section in the Search Locations section of the Policy View.

The FIRST time that OneDrive for Business is authorized from the Console the account used must be a Global Administrator in order to authorize the Spirion application in the O365 tenant. Once Spirion is successfully authorized, the Global Admin access can be removed, and subsequent re-authorization from the Console can utilize another (non admin) account without issue. The account authorized in the Console is the account that is used to search all OneDrive storage and requires delegation to the target user account. The knowledge base article titled Configuring Microsoft OneDrive fully explains how to delegate access to the Spirion service account.

To add or edit the credentials for a Microsoft OneDrive account click the Manage button and the Manage Microsoft OneDrive dialog displays.

Authenticating OneDrive

1. Enter your admin user account name and click the Authenticate button.

2. A browser window opens on the Microsoft OneDrive site. Enter your admin user account credentials and click Authorize

Once your credentials have been authorized a browser window opens:

3. Copy the URL from the browser window and paste it into the Authentication Code field and click the Confirm button.

When your Microsoft OneDrive credentials have been successfully authenticated you see the following dialog box.

4. Click OK and the authorization is complete and Microsoft OneDrive now displays (Authenticated).

If your authentication code was entered incorrectly you see the following dialog after clicking the Confirm button.

Box (Box Sync)

The Box (Box Sync) account credentials required to access your Box (Box Sync) cloud storage locations are specified here. The user accounts to search are specified on the Cloud Storage section in the Search Locations section of the Policy View.

To add or edit the credentials for a Box (Box Sync) account click the Manage button and the Manage Box (Box Sync) dialog displays.

Authenticating Box

1. Enter your admin user account name and click the Authenticate button.

When your Box (Box Sync) credentials have been successfully authenticated you see the following dialog box:

2. Follow the instructions and then click OK and the authorization is complete and Box (Box Sync) now displays (Authenticated).

Note: Box (Box Sync) does not use access tokens like Dropbox. For Box (Box Sync), all the Agent needs is the admin account.

Google Drive

The Google Drive admin account credentials required to access your Google Drive cloud storage locations are specified here. The user accounts to search are specified on the Cloud Storage section in the Search Locations section of the Policy View.

Note: We have made updates to the Cloud Authentication process for Google Drive and Gmail Admin Accounts. To access the Google drive and Gmail cloud storage locations, install Console version 11.3.2 or higher, then reauthorize Console for G-suite and then reconfigure the search policies. For detailed information, see this Knowledgebase article link.

To add or edit the credentials for a Google Drive account click the Manage button and the Manage Google Drive dialog box displays.

Authenticating Google Drive

1. Enter your admin user account name and click the Authenticate button. When your Google Drive credentials have been successfully authenticated the following dialog box displays:

Follow the instructions and then click OK and the authorization is complete and Google Drive now displays (Authenticated).

Note: Google Drive does not use access tokens like Dropbox. For Google Apps, all the Agent needs is the admin account.

Microsoft Information Protection (MIP)

The credentials required to apply Microsoft Information Protection (MIP) labels and protections are specified here.

The FIRST time Microsoft Information Protection is authorized from the Console, the account used must be a Global Administrator in order to authorize the SPIRION application in the O365 tenant. Once SPIRION is successfully authorized, the Global Admin access can be removed, and subsequent re-authorization from the Console can utilize another (non-admin) account without issue. The account authorized in the Console is the account that is used to apply Microsoft Information Protection labels and protections.

To add or edit the credentials for a Microsoft Information Protection account, complete the following steps for both Protection and Labels:

1. Click the Manage button and the Manage Microsoft Information Protection dialog displays. Enter your admin user account name and click the Authenticate button. A browser window opens to the Microsoft Information Protection site.
2. Enter your admin user account credentials to use for creating labels and click Authorize.

Once your credentials are authorized, a browser window opens as below:



3. Copy the URL from the browser window and paste it into the Authentication Code field and click the Confirm button.

Once your Microsoft Information Protection credentials are successfully authenticated, the following dialog box displays:



4. Click OK and the authorization is complete and Microsoft Information Protection now shows (Authenticated).

If your authentication code was entered incorrectly you see the following dialog after clicking Confirm.

Configuration

To create a label:

1. Visit Protection.office.com.
2. Click Classification on the left side of the menu.
3. Click Labels under Classification to edit or create new Information Protection labels. These labels are available for inclusion in workflow rules set in the Console.
4. Click Create a Label at the top of the Labels page. Complete the wizard for creating the label. The new label should display in the list of available labels.
5. Select the correct label and click Publish. Complete the Publishing wizard. This is required to pull the label into Console Workflow Configuration.

Console Configuration

1. Open Console.
2. From the Admin tab, click Service Tasks in the left navigation.
3. If the Run Workflow Rules task type does not exist in the list:
   1. Click Add.
   2. Select Run Workflow Rules in the Task Type drop-down.
4. If the Run Workflow Rules task type does exist:
   1. Click Edit. The Edit Service Task box displays for Run Workflow Rules task type.
   2. Select the checkbox for Synchronize MIP Labels and click OK.
5. Select the Run Workflow Rules task that was created or edited.
6. Click Execute Now.
7. Verify the task was successful by refreshing the page and monitoring the status column for the task.

Once this action executes correctly, access the Workflow page to define the workflow.

1. Select a workflow for which Microsoft Information Protection labels should be applied for the workflow rule.
2. Click the Actions tab on the Workflow page.
3. Click the checkbox to Apply MIP label and select the appropriate label from the drop-down. The list contents are derived from the list created on Protection.office.com via the process of running the Run Workflow Rules task.

Note: Only one label can be specified in a location or a file.

Set up your workflow to trigger on your selected criteria. When the next search runs, matches are identified. A new column appears next to the Classification column displaying the name of the label.

1.  

Policy Settings

Cloud Discovery can be enabled and configured using the following policy settings in a policy applied to the endpoint:

• Settings\Locations\CloudDiscovery\DeletePreviousVersionAfterAction: When a file is changed on Dropbox or Box, a backup file of the previous version is created. For Box, if this setting is enabled, the backup file is deleted. If this setting is disabled, the backup file remains. This setting applies to Box only. The default value is "Delete previous version."
• Settings\Locations\CloudDiscovery\EnableCloudDiscovery: To enable searching of remote cloud storage locations, specify which providers should be enabled. The available selections are Dropbox, Box and Google Drive. The default for each is disabled.
• Settings\Locations\CloudDiscovery\LogLevel: The level of logging performed by Cloud Discovery, used for configuration or troubleshooting.
• Settings\Locations\CloudDiscovery\TokenRequestTimeout: The number of minutes to wait when requesting a new access token before timing out and moving on to the next location to search. Certain cloud storage providers expire their access tokens. The Sensitive Data Manger tries to ensure that the tokens are appropriately refreshed and valid; endpoints request the tokens from the Console at the start of each search. The default value is 5.
• Settings\Locations\CloudDiscovery\ErrorHandling\MaxLocationProcessTime:
• Settings\Actions\Quarantine\FolderLocation_Default_BoxSync: Specify the default folder to use for quarantining files located in Box. This can be a single location or a list of locations, entered on per line. Each item in the line must be formatted as <path>, <admin acct> where <path> is any valid path and <admin acct> (optional) is an administrative account on Box Sync defined in the cloud storage configuration. Please refer to the Explain tab in the policy setting for details and examples of the valid configuration options for this setting.
• Settings\Actions\Quarantine\FolderLocation_Default_Dropbox: Specify the default folder to use for quarantining files located in Dropbox. This can be a single location or a list of locations, entered on per line. Each item in the line must be formatted as <path>, <admin acct> where <path> is any valid path and <admin acct> (optional) is an administrative account on Dropbox defined in the cloud storage configuration. Please refer to the Explain tab in the policy setting for details and examples of the valid configuration options for this setting.
• Settings\Actions\Quarantine\FolderLocation_Default_GoogleDrive: Specify the default folder to use for quarantining files located in Google Drive. This can be a single location or a list of locations, entered on per line. Each item in the line must be formatted as <path>, <admin acct> where <path> is any valid path and <admin acct> (optional) is an administrative account on Google Drive defined in the cloud storage configuration.

Please refer to the Explain tab in the policy setting for details and examples of the valid configuration options for this setting.