To use Spirion's Cloud Storage feature to scan users' Microsoft OneDrive accounts, you must create a new Spirion service account with administrative privileges and then assign that account SharePoint Site Collection Administrator privileges.
Step #1 is creating a new Spirion service account that will be used by the Spirion agents.
Step #2 is updating the permissions on existing users manually or via a script (preferred method).
Step #3 covers new users created after Step 2 has been performed.
Prerequisites
Download and install the SharePoint Online Management Shell from the Microsoft Windows Download Center on a Windows computer that has PowerShell installed. Then download the AdminRights.ps1 script to the same Windows computer.
Step 1. Create a New Spirion Service Account
- Log in to your Office 365 Management Panel using an account with administrative privileges, and click Users on the left pane (or Home screen).
- Click Add A User to create a new account.
- In the details page, enter the details for the new Spirion service account.
- Under Roles, select Global administrator.
NOTE - The FIRST time that OneDrive for Business is authorized from the Spirion console, the account used must be a Global Administrator in order to authorize the Spirion application in the O365 tenant. Once Spirion is successfully authorized, the Global Admin access can be removed, and subsequent reauthorization from the Spirion console can use another (non-admin) account without issue. The account authorized in the Spirion console is the account that will be used to search all OneDrive storage.
- In the assign licenses section, select Create user.
- In the send results in email page, click Create. The new Spirion service account details are sent to the admin.
- To activate the account, log in to your Office 365 Management Panel using the new Spirion service account, and update the password.
NOTE - Due to recent changes in MS Security & Compliance, it may also be required to add the eDiscovery Manager role to the designated service account.
Step 2. Configure Permissions
Use this step to configure permissions for current users.
There are two options you can use to give the new Spirion service account access to your user accounts:
- Option 1 – Run a SharePoint Online Management Shell script to automatically apply the proper permissions to each user account; this is the preferred and fastest method. If you have multiple users, this is also the easiest method.
- Option 2 – Manually configure each user account from within the Microsoft SharePoint Admin Center. If you have only a few users, this is the easiest method.
Option 1. Configure Permissions Using a SharePoint Online Management Shell Script
- Download and open the AdminRights.ps1 script using a text editor such as Notepad.
- Navigate to and edit the following four variables:
- $o365login – Replace with your Office 365 Spirion service account username (created in Step 1).
- $o365pw – Replace with your Office 365 Spirion service account password.
- $spAdminURL – Replace with the same URL used in your organization's OneDrive URL, but suffixed with -admin (see example above).
- $spMyURL – Replace with the same URL used in your organization's OneDrive URL, but suffixed with -my (see example above).
- Save and close the script.
- Locate the SharePoint Online Management Shell you installed in Prerequisites, right-click it, and select Run as administrator.
- Within the SharePoint Online Management Shell, change your working directory to the location where you saved the AdminRights.ps1 script.
- Run the following command: Set-ExecutionPolicy Unrestricted
- Run the following command to run the AdminRights.ps1 script: .\AdminRights.ps1
- When the script has completed, press Enter to exit the script.
- Exit the SharePoint Online Management Shell.
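To confirm the result of Option 1, the following added example (not Spirion's AdminRights.ps1 and not part of the original guide) lists every OneDrive site where the service account is not yet a Site Collection Administrator. It reuses the $spAdminURL and $o365login names from the steps above with constructed placeholder values, and signs in interactively rather than reading a password from the script.

```powershell
# Added example: audit which OneDrive sites list the Spirion service account
# as a Site Collection Administrator. Run in the SharePoint Online Management Shell.
# The two values below are constructed placeholders, not real tenant data.
$spAdminURL = 'https://contoso-admin.sharepoint.com'
$o365login  = 'spirion-svc@contoso.onmicrosoft.com'

# Interactive sign-in as a SharePoint administrator; no password is kept on disk.
Connect-SPOService -Url $spAdminURL

# Enumerate every personal (OneDrive) site collection in the tenant.
$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $sites) {
    $status = 'Missing'
    $detail = ''
    try {
        $user = Get-SPOUser -Site $site.Url -LoginName $o365login -ErrorAction Stop
        if ($user.IsSiteAdmin) {
            $status = 'SiteCollectionAdmin'
        } else {
            # The account is known to the site but has no admin rights on it.
            $status = 'NotAdmin'
        }
    }
    catch {
        # Raised when the account is not present on the site, or when the
        # signed-in administrator cannot read the site's user list.
        $detail = $_.Exception.Message
    }
    [pscustomobject]@{
        Owner  = $site.Owner
        Url    = $site.Url
        Status = $status
        Detail = $detail
    }
}

# Show only the sites that still need attention (Option 1 rerun, or Option 2).
$gaps = @($report | Where-Object { $_.Status -ne 'SiteCollectionAdmin' })
$gaps | Format-Table Owner, Url, Status, Detail -AutoSize
'{0} of {1} OneDrive sites lack the service account as Site Collection Administrator.' -f `
    $gaps.Count, @($sites).Count

Disconnect-SPOService
```

Running the same audit again after Step 3 shows whether OneDrive sites created later picked up the secondary admin setting.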
Option 2. Configure Permissions from the Microsoft SharePoint Admin Center.
- Log in to your Office 365 Management Panel using the new service account in Step 1.
- In the left pane, click Admin centers > SharePoint, and click user profiles.
- Click Manage User Profiles.
- In the Find Profiles field, type the name of a user and then click Find.
- Click the user's Account name and then click Manage site collection owners.
- The site collection owners dialog box will display. In the Site Collection Administrators field, add the new Spirion service account:
- Type the Spirion service account name and then click the Verify User icon, or
- Click the Directory icon and then navigate to and select the Spirion service account from the directory.
- Click OK. The new Spirion service account has now been added as the user's Site Collection Administrator and can now view the user's entire OneDrive account.
- Repeat steps 3 through 7 for each user whose OneDrive account is to be searched.
Step 3. Configure OneDrive for Future Users
Use this step for all future users added to OneDrive.
Complete the following steps to set up permissions for the new Spirion service account on all future new OneDrive users:
- Log in to your Office 365 Management panel using the service account created in Step 1.
- In the left pane, click Admin Centers > SharePoint, and then click user profiles.
- In the My Site Settings section, click Setup My Sites.
- In the My Site Secondary Admin section, click Enable My Site secondary admin.
- In the Secondary admin field, type the Spirion service account username.
- Click OK.
Configuring a Policy to Search OneDrive
On the left side of the Policy, select Search Locations > Cloud Storage.
Then select Add at the top of the right side of the Policy screen and select OneDrive as the Provider.
Then, in the Policy's Settings section, enable Cloud searching with the following setting:
Settings\Locations\CloudDiscovery\EnableCloudDiscovery: To enable searching of remote cloud storage locations, specify which providers should be enabled. The available selections are Dropbox, Box and Google Drive. The default for each is disabled.
The following linked user guide page also explains how to configure a Policy to search OneDrive: