
FortiDLP Administration Guide

Enabling the Microsoft SharePoint and OneDrive Connector

To enable the Microsoft SharePoint and OneDrive Connector, follow the steps below.

Note

To complete the steps below, your operator account must be assigned the Global Administrator or Administrator access type.

Prerequisites

You must complete the following prerequisites before setting up the connector in FortiDLP.

Microsoft SharePoint and OneDrive Connector prerequisites

  • How to ensure FortiDLP users can be mapped to SharePoint and OneDrive events: Ensure that SharePoint and OneDrive events can be mapped to existing users that have been synced to FortiDLP.
  • How to ensure auditing is enabled in your Microsoft 365 org: Ensure that auditing is enabled in your Microsoft 365 org so that FortiDLP can successfully connect to your tenant.
  • How to retrieve Microsoft credentials: Create an Entra ID app registration, retrieve its credentials, and add the credentials to FortiDLP. This allows FortiDLP to access SharePoint and OneDrive events.

How to ensure FortiDLP users can be mapped to SharePoint and OneDrive events

For a FortiDLP user to be mapped to a cloud event, the primary email address of the user who generated the event must match an email address URI assigned to an existing user in FortiDLP. Events from users with no matching email URI cannot be attributed, so check the sync before enabling the connector. For information on user-event mappings, see User-event mapping, and for information on syncing users, see Users.

How to ensure auditing is enabled in your Microsoft 365 org

To receive SharePoint and OneDrive events, auditing must be turned on in your Microsoft 365 org. Follow the instructions below to check whether this is the case and to turn it on if it is off. You can either use the Microsoft Purview compliance portal UI or run PowerShell commands to do this.

  • Compliance portal method: Refer to the "Compliance portal" instructions 1-2 in Microsoft's documentation here, and check whether a banner is displayed. If no banner is displayed, auditing is turned on, and no further action is required. If a banner is displayed, proceed to step 3 of the "Compliance portal" instructions to turn it on.
  • PowerShell method: Refer to the "Verify the auditing status for your organization" section in Microsoft's documentation here, and run the PowerShell command. If the value returned is True, auditing is turned on, and no further action is required. If the value returned is False, proceed to the instructions in the "Use PowerShell to turn on auditing" section here to turn on auditing. Note that the change can take some time to take effect, so re-running the verification command immediately afterwards may still return False.
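The following PowerShell session is an added example and is not part of the FortiDLP guide or of Microsoft's documentation. It runs the verification and enablement steps referenced above in one pass, and then adds a sanity check the guide does not mention: confirming that SharePoint and OneDrive file operations are actually being written to the unified audit log, since "auditing is on" and "events are arriving" are not the same thing. It assumes the ExchangeOnlineManagement module and an account with rights to read and change the audit configuration (for example, Global Administrator); admin@contoso.example is a placeholder UPN.

```powershell
# Added example (not FortiDLP or Microsoft code). Assumes the
# ExchangeOnlineManagement module and a suitably privileged account.

# First run only: the module provides Connect-ExchangeOnline and the audit cmdlets.
if (-not (Get-Module -ListAvailable -Name ExchangeOnlineManagement)) {
    Install-Module ExchangeOnlineManagement -Scope CurrentUser -Force
}
Connect-ExchangeOnline -UserPrincipalName admin@contoso.example   # placeholder UPN

# Step 1: verify. True means auditing is on and nothing further is needed.
$enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
Write-Host "UnifiedAuditLogIngestionEnabled: $enabled"

# Step 2: turn auditing on only if it is off. Microsoft documents that the
# change can take up to 60 minutes to apply, so the re-read may still be False.
if (-not $enabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    $enabled = (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled
    Write-Host "After Set-AdminAuditLogConfig: $enabled (allow up to 60 minutes)"
}

# Step 3: sanity check that SharePoint/OneDrive file operations are being
# recorded. An empty result right after enabling is expected; an empty result
# on a tenant where auditing has been on for days is worth investigating
# before blaming the FortiDLP connector.
$recent = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) `
                                 -EndDate (Get-Date) `
                                 -RecordType SharePointFileOperation `
                                 -ResultSize 10
"{0} SharePointFileOperation records found in the last 24 hours" -f @($recent).Count
$recent | Select-Object CreationDate, UserIds, Operations | Format-Table -AutoSize

Disconnect-ExchangeOnline -Confirm:$false
```

The UserIds column of the last table shows the identity Microsoft records for each event; comparing a few of those values against the email address URIs of your synced FortiDLP users is a quick way to confirm the user-mapping prerequisite above before the connector is created.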

How to retrieve Microsoft credentials

To receive SharePoint and OneDrive events, you must create an Entra ID app registration, retrieve the app's credentials, and then add the credentials to FortiDLP. See steps 1-3 in Microsoft credentials to do this. Treat the app's client secret as you would any other service credential: store it only in FortiDLP, and rotate it according to your organization's secret-rotation policy.

Setup

Once you have completed the prerequisites above, follow the steps below to enable the connector in FortiDLP.

How to enable the Microsoft SharePoint and OneDrive Connector
  1. In the FortiDLP Console, on the left-hand sidebar, click .
  2. Under Integrations > Microsoft, select Connectors.
  3. On the top-right corner of the page, click Add new connector.
  4. In the Name field, type a name to identify the connector.
  5. Under Authentication > Credentials, select a set of credentials (see Microsoft credentials).
  6. Optionally, in the Monitored users section, do one of the following:
    • To receive events for all users:
      1. In the Include section, leave the All entities radio button selected.
      2. In the Exclude section, leave the No entities radio button selected.
    • To receive events for a subset of users by only selecting labels to include:
      1. In the Include section, select the Specific users (by label) radio button.
      2. In the labels list, select one or more labels for the users you want to monitor.
      3. Do one of the following:
        • To include users that have all of the selected labels, select the Require all radio button.
        • To include users that have any of the selected labels, select the Require any radio button.
      Example

      For example, to receive events for all users with a "Sales" label or a "Finance" label, in the Include section:

      1. Select the Specific users (by label) radio button.
      2. In the labels list, select the Sales and Finance labels.
      3. Select the Require any radio button.
    • To receive events for a subset of users by selecting labels to include and exclude:
      1. In the Include section, follow the steps above.
      2. In the Exclude section, select the Specific users (by label) radio button.
      3. In the labels list, select one or more labels for the users you do not want to monitor.
      4. Do one of the following:
        • To exclude users that have all of the selected labels, select the Require all radio button.
        • To exclude users that have any of the selected labels, select the Require any radio button.
      A user who matches both the Include rule and the Exclude rule is not monitored.
      Example

      For example, to receive events for users with both a "Manager" label and a "Product" label, but not a "Windows" label:

      • In the Include section:
        1. Select the Specific users (by label) radio button.
        2. In the labels list, select the Manager and Product labels.
        3. Select the Require all radio button.
      • In the Exclude section:
        1. Select the Specific users (by label) radio button.
        2. In the labels list, select the Windows label.
        3. Select either the Require all or Require any radio button (with a single label selected, the two options are equivalent).
  7. Click Create.
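The Include/Exclude label rules in step 6 are easy to get subtly wrong (Require all versus Require any, and the fact that an exclusion wins over an inclusion). The script below is an added example, not FortiDLP code: it models those rules so you can dry-run a rule set against your own label assignments before saving the connector. The user directory and label names are constructed; the two rule sets reproduce the guide's two worked examples, and the semantics (a user is monitored only if they match the Include rule and do not match the Exclude rule) are taken from those examples.

```powershell
# Added example (not FortiDLP code): dry-run of the Monitored users
# Include/Exclude label logic. Users and labels below are constructed.

function Test-LabelRule {
    param(
        [string[]]$UserLabels,
        [string[]]$RuleLabels,
        [ValidateSet('All', 'Any')][string]$Require
    )
    if ($Require -eq 'All') {
        # Require all: every selected label must be on the user.
        foreach ($label in $RuleLabels) {
            if ($UserLabels -notcontains $label) { return $false }
        }
        return $true
    }
    # Require any: at least one selected label must be on the user.
    foreach ($label in $RuleLabels) {
        if ($UserLabels -contains $label) { return $true }
    }
    return $false
}

function Test-UserMonitored {
    param(
        [string[]]$UserLabels,
        [hashtable]$Include,   # @{ Mode='AllEntities' } or @{ Mode='ByLabel'; Labels=@(...); Require='All'|'Any' }
        [hashtable]$Exclude    # @{ Mode='NoEntities' }  or @{ Mode='ByLabel'; Labels=@(...); Require='All'|'Any' }
    )
    $included = if ($Include.Mode -eq 'AllEntities') { $true } else { Test-LabelRule $UserLabels $Include.Labels $Include.Require }
    if (-not $included) { return $false }
    # Exclusion is evaluated after inclusion and overrides it.
    $excluded = if ($Exclude.Mode -eq 'NoEntities') { $false } else { Test-LabelRule $UserLabels $Exclude.Labels $Exclude.Require }
    return -not $excluded
}

# Constructed sample directory: user -> labels assigned in FortiDLP.
$users = [ordered]@{
    'alice@contoso.example' = @('Sales')
    'bob@contoso.example'   = @('Finance', 'Windows')
    'carol@contoso.example' = @('Manager', 'Product')
    'dave@contoso.example'  = @('Manager', 'Product', 'Windows')
    'erin@contoso.example'  = @('Manager')
}

# Guide example 1: Sales OR Finance, nothing excluded.
$rule1 = @{
    Include = @{ Mode = 'ByLabel'; Labels = @('Sales', 'Finance'); Require = 'Any' }
    Exclude = @{ Mode = 'NoEntities' }
}
# Guide example 2: Manager AND Product, but not Windows.
$rule2 = @{
    Include = @{ Mode = 'ByLabel'; Labels = @('Manager', 'Product'); Require = 'All' }
    Exclude = @{ Mode = 'ByLabel'; Labels = @('Windows'); Require = 'Any' }
}

$users.Keys | ForEach-Object {
    [pscustomobject]@{
        User             = $_
        Labels           = ($users[$_] -join ',')
        SalesOrFinance   = Test-UserMonitored $users[$_] $rule1.Include $rule1.Exclude
        MgrProductNotWin = Test-UserMonitored $users[$_] $rule2.Include $rule2.Exclude
    }
} | Format-Table -AutoSize
```

In the output, dave has all three labels and is dropped from the second rule set even though he satisfies the Include rule, which is the behaviour the guide's second example relies on; erin, with only Manager, never satisfies Require all. If you expected a user to be monitored and the table says otherwise, the fix is in the label assignments or the Require all/any choice, not in the connector itself.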