OneDrive for Business is a secure cloud-based solution for convenient telecommuting, remote access and private file sharing. Indeed, files stored on OneDrive are private by default: Users control access to the files they upload, so they can be seen by other employees only if they have been shared by the OneDrive owner. Even users with Global Administrator access cannot access files unless the OneDrive account holder has granted them the appropriate permissions.
This lack of access to employees’ OneDrive repositories poses issues for administrators trying to ensure data security. This document explains how you can gain access when required, as well as how data classification will enable you to improve security and regulatory compliance across the IT environment, including OneDrive.
Getting Access to OneDrive for Business
There are various reasons OneDrive for Business administration teams, security pros and managers need access to employees’ OneDrive from time to time:
- Controlling access settings to sensitive documents and files
- Allowing file retrieval when an employee leaves the organization
- Meeting data privacy regulations, such as GDPR and CCPA
- Completing eDiscovery requests related to legal proceedings
- Ensuring employee compliance with company policies around data usage
The good news is that there are three ways IT teams can gain access to the OneDrive files and folders of active users when necessary:
- Via the Microsoft 365 Admin Center
- Via the SharePoint Online Admin Center
- Using PowerShell
Configuring Access to OneDrive Files via the Microsoft 365 Admin Center
As long as you are a licensed Microsoft 365 Global Administrator, you can take ownership of a user’s OneDrive by following these steps:
- Log into the Microsoft 365 Admin Center for your tenant.
- Select the OneDrive user whose files you need.
- Scroll down to OneDrive Settings.
- Click Access Files and grant yourself administrator privileges in the OneDrive settings.
- Click the hyperlink to open OneDrive in your browser to access the user’s OneDrive as a secondary administrator.
Configuring Access to OneDrive Files via the SharePoint Online Admin Center
An administrator can use the SharePoint Online Admin Center to transfer ownership of a OneDrive or control user access to OneDrive, as follows:
- Open the “more features” page in the SharePoint Admin Center and sign in with an account that has admin permissions.
- Under User Profiles, select Open.
- Under People, select Manage User Profiles.
- Enter the user’s name and click Find.
- Right-click on the user’s name and select Manage Site Collection Owners.
- Add a secondary admin under Site Collection Administrators.
Configuring Site Collection Administrator Access to Files via PowerShell Cmdlets
Each user is the SharePoint Site Collection Administrator for their own OneDrive for Business location. However, administrators can configure site collection owners through PowerShell by using the following script:
```powershell
# Connect to the tenant admin endpoint first (SharePoint Online Management Shell).
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$sODFBSite = "<ODFB_Site_Url>"                # URL of the user's OneDrive site collection
$sSecondaryODFBAdmin = "<O365_User_To_Add>"   # account to add as a secondary site collection admin

# Grant the account site collection administrator rights on that OneDrive.
Set-SPOUser -Site $sODFBSite -LoginName $sSecondaryODFBAdmin -IsSiteCollectionAdmin $true
```
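The three methods above all end in the same change: an extra site collection administrator on the user's OneDrive. The script below is an added example, not code from the article or from Netwrix, showing how a practitioner would wrap that change so it is looked up rather than typed, verified after it is applied, and removed once the task is done. It assumes the SharePoint Online Management Shell module is installed, that the account running it holds the SharePoint administrator role, and that the `Owner` property returned by `Get-SPOSite` for a personal site is the owner's user principal name; the tenant name and both user names are placeholders.

```powershell
# Added example (not from the original article): grant an administrator
# temporary site collection admin rights on one user's OneDrive, verify the
# grant, and revoke it afterwards.
# Placeholder values - replace with your tenant and accounts.
$TenantName        = "contoso"              # placeholder
$TargetUserUpn     = "alice@contoso.com"    # placeholder: the OneDrive owner
$SecondaryAdminUpn = "itadmin@contoso.com"  # placeholder: account that needs access

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Look the personal site up instead of hand-building the URL; the Owner
# property is assumed to hold the owner's UPN.
$OneDrive = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.Owner -eq $TargetUserUpn }

if (-not $OneDrive) { throw "No OneDrive site found for $TargetUserUpn" }

# Grant the secondary site collection administrator (same cmdlet as the article).
Set-SPOUser -Site $OneDrive.Url -LoginName $SecondaryAdminUpn -IsSiteCollectionAdmin $true

# Confirm the grant actually applied before anyone relies on it.
$Check = Get-SPOUser -Site $OneDrive.Url -LoginName $SecondaryAdminUpn
if (-not $Check.IsSiteAdmin) { throw "Site collection admin grant did not apply for $SecondaryAdminUpn" }

Write-Host "Temporary access granted on $($OneDrive.Url); retrieve the files now."
# ... file retrieval, eDiscovery export, or policy review happens here ...

# Remove the access again so it does not persist past the task that needed it.
Set-SPOUser -Site $OneDrive.Url -LoginName $SecondaryAdminUpn -IsSiteCollectionAdmin $false
Write-Host "Temporary access revoked."
```

Keeping the grant and the revoke in one script is deliberate: a secondary administrator added through the admin center for a one-off retrieval tends to stay in place indefinitely, which widens the set of accounts that can read that user's files long after the reason for it has passed.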
Data Classification Adds Protection to OneDrive for Business Repositories
Of course, ensuring that you can gain access to a user’s OneDrive data when required is not sufficient for security and compliance. Any employee’s OneDrive for Business repositories may contain regulated or business-critical data that must be properly controlled by the organization at all times. One of the best ways to gain that control is to use data classification.
Data classification is the process of categorizing and tagging data so it can be easily accessed and protected. Effective data classification enables you to know exactly where sensitive data is stored, so you can apply appropriate security controls around it. For example, if you see that GDPR-regulated information is stored in a particular user’s OneDrive folder, you can raise a red flag and make sure that data is moved to an approved repository. Even better would be a data classification solution that continuously monitors for such violations and automates the remediation process.
Native Data Classification Processes
Organizations have several native options for classifying data across their networks:
- Automated processes, which include keyword-based searching and using sensitive information types
- Manual options, which include applying labels based on administration configurations
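To make the automated option concrete, the script below is an added example, not code from the article or from Netwrix, of the keyword- and pattern-based matching that a sensitive information type performs, run over a few constructed sample files in a temporary folder. The taxonomy names, the regular expressions and the sample contents are all assumptions made for the demonstration; the card pattern is backed by a Luhn check so that arbitrary runs of digits are not tagged as card numbers.

```powershell
# Added example (not from the original article): a minimal keyword/pattern
# classifier that tags each file with the taxonomies it matches.

# Constructed sample files (not real data).
$Root = Join-Path ([System.IO.Path]::GetTempPath()) "odfb-classify-demo"
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-Content -Path (Join-Path $Root "customers.txt") -Value "Contact: jane.doe@example.com, card 4111 1111 1111 1111"
Set-Content -Path (Join-Path $Root "notes.txt")     -Value "Meeting notes for Q3 planning."
Set-Content -Path (Join-Path $Root "payroll.txt")   -Value "Employee SSN 123-45-6789 salary review"

# Taxonomy (assumed): classification name -> regular expressions that indicate it.
$Taxonomy = [ordered]@{
    "GDPR-Personal" = @('\b[\w.+-]+@[\w-]+\.[\w.-]+\b')   # e-mail address
    "PCI-Card"      = @('\b(?:\d[ -]?){13,16}\b')         # card-like digit run, validated below
    "US-SSN"        = @('\b\d{3}-\d{2}-\d{4}\b')          # SSN-shaped identifier
}

# Luhn checksum: reduces false positives for the card pattern.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][char]$Digits[$i] - 48
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

# Classify one file: return its name and the set of taxonomies it matches.
function Get-Classification {
    param([string]$Path)
    $text   = Get-Content -Path $Path -Raw
    $labels = @()
    foreach ($name in $Taxonomy.Keys) {
        foreach ($pattern in $Taxonomy[$name]) {
            foreach ($found in [regex]::Matches($text, $pattern)) {
                if ($name -eq "PCI-Card") {
                    $digits = $found.Value -replace '[ -]', ''
                    if (-not (Test-Luhn $digits)) { continue }
                }
                $labels += $name
                break
            }
        }
    }
    $joined = ($labels | Sort-Object -Unique) -join ';'
    if (-not $joined) { $joined = "(none)" }
    [pscustomobject]@{ File = (Split-Path $Path -Leaf); Labels = $joined }
}

$Report = Get-ChildItem -Path $Root -File | ForEach-Object { Get-Classification $_.FullName }
$Report | Format-Table -AutoSize

# Clean up the constructed sample folder.
Remove-Item -Path $Root -Recurse -Force
```

The report object is the useful artifact: in a real deployment the same loop would walk the OneDrive library (or its export) rather than a temp folder, and a file tagged with a regulated taxonomy is the trigger for moving it to an approved repository, which is the remediation step the next section describes.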
Both of these options involve multiple steps that employees must replicate across dozens or hundreds of file types and data sources. In short, they are time-consuming, repetitive and complicated processes that are highly prone to error. Moreover, busy security professionals are already stretched thin, so these critical tasks simply do not get done at all.
Additional issues with native tools include the following:
- This functionality isn’t available across all subscription plans.
- Only Office files are supported.
- Labels are not easy to customize.
- Structured data is not supported.
- Support for third-party applications and systems is very limited.
Netwrix Provides a Smart Data Classification Solution
Netwrix Data Classification offers a better approach. It all starts with built-in taxonomies for common types of sensitive data, such as GDPR and financial data, along with a flexible taxonomy manager that empowers you to easily modify those taxonomies or create your own to meet your specific business needs. Those taxonomies are used to automatically classify data across the entire IT environment — structured and unstructured data stored on premises or in the cloud, including content in users’ OneDrive for Business repositories. Compound term search and other advanced features ensure highly accurate and reliable classification results.
In addition, Netwrix Data Classification reports on where sensitive data is located and who has access to that data, so you can ensure that data is stored only in secure locations and is accessible only by authorized personnel. The platform even offers automated remediation workflows that automatically move vulnerable data to a safe quarantine area, and alerting on critical changes to your data.