How to Add a Cloud Target

How to Add a Cloud Target

Use the following steps to add a new cloud Target:

1. From the left side navigation menu select Data Asset Inventory > Data Assets and Targets.
2. The "Data Assets and Targets" page opens.
3. Select the TARGETS tab at the top of the page.
4. In the upper right corner of the page, click the blue Actions button and select "Add Target" from the sub-menu that appears.
   
   
5. The "Add New Target" pop-up window opens.
6. 1. Enter the name of the Target in the "Target Name" field. Make the name descriptive by including identifiers such as the Cloud source name, location, department, status, and/or date.
      
      
   2. Click the Cloud Sources tile to proceed or Cancel to discard.
6. The "Select a Cloud Source to Configure" pop-up window appears.
7. 1. Click the tile of the Cloud source you wish to add as a Target:
   2. 1. Dropbox
      2. OneDrive for Business
      3. Google Drive
      4. Box
      5. Amazon S3

How to Add a Dropbox Target

Use the following steps to add a Dropbox Target:

1. In the "Add New Dropbox Target" pop-up window enter the following information:
2. 1. Target Name: Type the Target name
   2. Admin User Account Name: Type the admin user account name and click Authenticate
   3. Authentication Code: Enter the code
2. At the bottom of the window click the Save button to save your changes, the Cancel button to discard, or the Back button to return to the previous screen.
   
   

How to Add a OneDrive for Business Target

The following high-level steps must be performed to add a OneDrive for Business Target:

• Create the Necessary User Accounts
• Configure either of the following:
• • Spirion Hosted Authentication
  • Self Hosted Authentication
• Adjust the Service Account
• Create an Azure App (Optional)

Note: For OneDrive Targets, archTIS Spirion added the ability to authenticate using an (user configured) Azure app. Note this requires Agents version 13.5 or later. If you attempt to use this method with Agents earlier than v13.5, an EPS failure occurs requiring the reboot of the machine or manual intervention.

When creating a new scan, you are notified of the agent v13.5 requirement if you are attempting to scan a OneDrive Target:



If you assign agents to a scan that are pre-13.5, you receive the following message which prevents the scan from being run:

Note: Sensitive Data Platform cannot scan shared user folders in Microsoft OneDrive. This is due to limitations of the Microsoft Graph API.

Create the Necessary User Accounts

To authenticate Cloud Storage scans for OneDrive for Business, archTIS Spirion recommends you create the following accounts and user roles:

• A service account with the SharePoint Admin role
• The Global Admin role (temporarily)*

*The reason for temporary Global Admin role is the initial authorization process creates a “Spirion Azure App” our system uses to connect to the tenant. Once this App is created, the Global Admin role can be removed.

Use the following steps to add a OneDrive for Business Target:

1. In the "Add New OneDrive Target" pop-up window enter the following information:
2. 1. Target Name: Enter a descriptive Target name in the "Target Name" field.
   2. Admin User Account Name: Enter the admin user account name and click the blue Authenticate button.
      
      
   3. Spirion Hosted Authentication
   4. 1. Select (check) the "Use Spirion Hosted Authentication" radio button.
         Note: Depending on how your tenant is configured in Azure Active Directory, it’s possible this step needs either:
      2. 1. A higher-level permissioned user (Global Admin, Cloud Application Admin)
         2. Consent requests which may need to be approved by a specified user within the tenant
      2. This takes you to the Microsoft (Office 365) login page where you enter the same Admin user account from the previous step and complete the login process.
         
         
      3. You are asked to authorize claims to create the “Spirion Azure App”.
      4. Accept the claims. The Spirion Azure App is created. The browser page is redirected to a loopback page with the URL “127.0.0.1/code=xxxx”
      5. Select and copy the entire URL.
      6. Paste the URL into the Authentication Code field. See the image below.
         
         
   4. Self Hosted Authentication
   5. 1. Select (check) the "Use Self Hosted Authentication" radio button.
         
         
      2. Enter the following information from your Azure App. If you do not have an Azure App, see "How to Create an Azure App (Optional)" below:
      3. 1. Client ID – Enter your Microsoft Client ID
         2. Client Secret – Enter your Microsoft Client Secret
         3. Tenant ID – Enter your Microsoft Tenant ID
      3. To confirm your Azure App has the necessary permissions, see "How to Add API Permissions to Your Azure App" below.
      4. Click the Save button at the bottom of the window to create the Target, the Cancel button to discard your changes, or the Back button to return to the previous screen.
   5. This completes the authentication process.
   6. Your OneDrive Target is now successfully created.
   7. To access the Target, from the left side navigation menu, select Data Asset Inventory > Data Assets and Targets, and select the TARGETS tab at the top of the page. Search for your Target by its name.
   8. Proceed to "Adjust the Service Account" below.

How to Adjust the Service Account

1. The Spirion Azure App is now created (if you selected Spirion Hosted Authentication).
2. Remove the Global Admin role from the service account

How to Create an Azure App (Optional)

If you do not have an Azure App, use the following instructions to create the app and record the information you need to create your OneDrive for Business Target.

How to Create a New App Registration

Procedure:

1. Log in to the Azure Portal
2. Search for and select Microsoft Entra ID
   
   
3. Select App Registrations under Manage on the left side menu. (Alternatively, click "Add application registration" under Quick Actions at the bottom of the page)
4. Click New registration
5. Select one of the first two radio buttons based on your needs:
6. • Accounts in this organizational directory only (YourDev only - Single tenant)
   • Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant)
     
     
     Note: Redirect URI is not required
6. Click Register at the bottom of the page.

Note the IDs

Record the following information:

• Application (client) ID
• Directory (tenant) ID

How to Create Client Secret Value and ID

Procedure:

1. From the left side menu, under Manage, click Certificates & secrets
2. Click New client secret.
   
   
3. Enter an appropriate name and record the name.
4. Record your Client Secret Value and Secret ID.
   NOTE: You will not have access to your client secret again.

How to Add API Permissions to Your Azure App

Use the following procedure to add the required API permissions to your Azure App (see "Required Azure App API Permissions" below):

1. One the left side menu, under Manage, select API Permissions
2. Click Add a permission
3. Select Microsoft Graph at the top of the collection of APIs.
4. Select Application Permissions
5. In the Select permissions search field type the name of each permission to find it in the list and then select it. See below.
6. Click the Add permissions button at the bottom of the pane.
7. Repeat this process for each required permission.
8. Grant Admin consent to the permission, if necessary.
   
   

Required Azure App API Permissions

Ensure the following Microsoft Graph permissions are enabled for your new Azure App.

• Directory.ReadWrite.All
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables the app to read and write data in the organization directory accessible to the service account. Does not permit user or group deletion.
• Files.ReadWrite.All
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables the app to read, create, update, and delete all files the service account user can access.
• Sites.ReadWrite.All
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables the app to edit or delete documents and list items in all site collections accessible to the service account.
• Sites.Selected
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables app-only access to specific SharePoint Online sites, rather than the entire tenant.
• User.Read
• • Type: Delegated
  • Admin consent required: No
  • Description: Enables the app to read basic company information of users.
• User.ReadWrite.All
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables the app to read and write all properties of user profiles.
• User.ReadWrite.CrossCloud
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables the app to read and update external cloud user profiles without a signed-in user.
• UserAuthenticationMethod.ReadWrite.All
• • Type: Application
  • Admin consent required: Yes
  • Description: Enables an app to read and write authentication methods like phone numbers and Authenticator settings, but not passwords or sign-in.

How to Add a Google Drive Target

To add a Google Drive Target:

1. First, configure Google Drive
2. Second, configure a Google Drive Target to scan in Sensitive Data Platform

How to Set Up Google Drive

• Create a Project in Google Cloud Platform
• Create a Service Account
• Generate a P12 Key
• Record OAuth 2 Client ID
• Enable Domain-Wide Delegation in Google Admin Console
• Enable Required APIs
• Configure OAuth Consent Screen
• Add Scopes to the OAuth Consent Screen
• Verify Configuration

Create a Project in Google Cloud Platform

Procedure:

1. Go to the Google Cloud Console and sign in.
2. Select the Google domain you want to scan.
3. Click New Project.
4. Enter a project name and confirm that the organization is correct.
5. Click Create.
6. Once the project is created, click Select Project.

Create a Service Account

1. Under your project (for example, “Spirion”), go to APIs & Services → Credentials.
2. Click Create Credentials → Service Account.
3. Enter a name for the service account and an optional description.
4. • Example: user@mycompany.iam.gserviceaccount.com
4. Click Done (no additional access setup is required on the next two screens).

Generate a P12 Key

Procedure:

1. From the Credentials page, click your newly created service account.
2. Select the Keys tab at the top.
3. Click Add Key → Create New Key.
4. Choose P12 as the key type.
5. Download the P12 key file and note the private key password.
6. You will use both later when configuring your Google Drive target in the Sensitive Data Platform console. See P12 Key Download

Record OAuth 2 Client ID

Procedure:

1. Back in Credentials, click Manage Service Accounts.
2. Locate your service account and make note of the OAuth 2 Client ID.
3. You’ll use this ID later when setting up API access.

Enable Domain-Wide Delegation in Google Admin Console

Procedure:

1. Log in to the Google Workspace Admin Console.
2. Go to Access and Data Control → API Controls (under Security).
3. Select Manage Domain-Wide Delegation.
4. Click Add New to create a new API client.
5. Enter the OAuth Client ID you recorded earlier.
6. In the OAuth Scopes section, add the following scopes (one per line):
7. • https://www.googleapis.com/auth/userinfo.email
   • https://mail.google.com
   • https://www.googleapis.com/auth/admin.directory.user.readonly
   • https://www.googleapis.com/auth/drive
   • https://www.googleapis.com/auth/userinfo.profile
7. Save your changes.
8. Click Edit on the new API client to verify that the scopes were added correctly.

Enable Required APIs

Procedure:

1. In Google Console Platform, go to APIs & Services → Library.
2. Search for and enable the following APIs:
3. • Admin SDK API
   • Google Drive API
   • Gmail API
3. Each API should show a status of Enabled once complete.

Configure OAuth Consent Screen

Procedure:

1. Go back to APIs & Services → OAuth consent screen. Note: If you have not set up the Google Auth Platform you will be redirected to set it up.
2. Select Internal as the user type.
3. Fill in the following fields:
4. • App Name
   • Support Email
4. Ensure the correct Authorized Domain is listed.
5. Add Developer Contact Information.
6. Click Save and Continue.

Add Scopes to the OAuth Consent Screen

Procedure

1. Click Add or Remove Scopes and add the following (you will want to enter these into the manual field):
2. • https://www.googleapis.com/auth/userinfo.email
   • https://www.googleapis.com/auth/userinfo.profile
   • https://www.googleapis.com/auth/admin.directory.user.readonly
   • https://www.googleapis.com/auth/drive
   • https://mail.google.com
2. Save your changes.

Verify Configuration

1. Your configuration should now display all added scopes and enabled APIs.
2. Once verified, your setup is complete — you can now configure Spirion to connect to your Google Drive or Gmail target.

Configure a Google Drive Target

1. Target Name: Enter a Target name.
2. Admin User Account Name: Enter the admin user account name.
3. Service Account Email or Unique ID: Enter the service account email address.
4. Key Data File: Click the upload icon () to locate the key data file on your local computer.
5. Key Data File Password: Enter the password associated with your key data file.
6. Private Key Id: Enter the private key identification number.
7. Project Id: Enter the Google project ID.
8. Click Save to save, Cancel to discard, or Back to return to the previous screen.
   
   

Note: You must authorize Spirion to access your Google domain.

Box

To add a box Target:

1. Target Name: Enter the Target name.
2. Admin User Account Name: Enter the admin user account name and click Authenticate.
3. Authentication Code: Enter the code.
4. Click Save to save, Cancel to discard, or Back to return to the previous screen.
   
   

Amazon S3

To add an Amazon S3 Target:

1. Target Name: Type the Target name.
2. Account Name: Type the Account name.
3. Access Key ID: Type your Access Key ID.
4. Secret Access Key: Type your Secret Access Key.
5. Click Save to authenticate and save, Cancel to discard, or Back to return to the previous screen.