Microsoft 365: Configuring selective scanning for OneDrive, SharePoint, and Calendar/Emails

Customers can set up selective scanning for Microsoft 365 to gain visibility into data in OneDrive, SharePoint, and Calendar/Emails.

Steps

  1. Navigate to Protect > Policies > Office 365.
  2. Click the API Setup link to go to the selective scanning setup page.
    The Selective Scanning page opens.

    The top section allows you to configure settings for scanning OneDrive, Calendar, and Mail and the bottom section allows you to configure settings for scanning SharePoint sites.

  3. On the top section:
    1. Select which parts of Microsoft 365 to include in the scan.
      • OneDrive: Scan OneDrive data at rest for the selected users/groups and identify files that match the configured sharing status or data pattern. Files scanned in OneDrive can trigger the policy actions detailed in the "Cloud Policy Setup" section below.
      • Mail/Calendar: Forcepoint ONE SSE scans calendars and mail to provide visibility into sensitive content (text within the subject/body and/or attachments) for the selected users/groups, matching on share status and/or data patterns. Scans are for visibility only.
    2. Select the Modify parent folder permissions when inherited checkbox to remove the share permissions of the parent folder if a file matches a remove sharing policy and the share is inherited from a parent folder. To understand the behavior of unshared files in different situations, refer to M365 Remove Sharing Behavior.
    3. Set up the API to scan only a subset of users. Selecting Any under Users includes scanning of all users' files in your corporate account.
      You can include or exclude a specific group of users. However, those user groups should be present on the IAM > Users and Groups page. For creating users and user groups in Forcepoint ONE SSE, refer to Integrate identity.
      • When no groups are added in the included group and excluded groups are selected, all users are scanned except the ones in the excluded group.
      • When no groups are added in the excluded group and included groups are selected, all users belonging to the included group are scanned.
      • When both included and excluded groups are selected, all users belonging to the included group except the ones belonging to the excluded group are scanned.
    4. Select DLP Patterns created under Protect > Objects > DLP Objects to match on depending on the sharing status of the files.

      For example, selecting Match patterns if file is a Public, External, Internal and selecting DLP Patterns indicates that Forcepoint ONE SSE will scan all public, external, and internal files in your corporate account for DLP patterns matching what was selected.

      Note: Adding a DLP pattern on the API setup page or adjusting a DLP pattern that exists on the API setup page will initiate a new scan to rescan older files for the new pattern match.
      Important: You cannot configure data patterns alongside Forcepoint DLP data pattern. Refer to Configuring FSM controlled policies for CASB and SWG channels to enable the Forcepoint DLP data pattern.
  4. On the bottom section:
    1. You can choose to include attachments inside of lists as part of the scan.
    2. Select the Modify parent folder permissions when inherited checkbox to remove the share permissions of the parent folder if a file matches a remove sharing policy and the share is inherited from a parent folder. To understand the behavior of unshared files in different situations, refer to M365 Remove Sharing Behavior.
    3. List which sites you want to include in the scan or which sites you wish to exclude from your scan.
      • Forcepoint ONE SSE can scan the listed sites as well as the subsites created underneath. However, SharePoint document libraries and folders are not supported.
      • SharePoint scan can detect and scan multiple root sites that are associated with a single M365 account. You can either select All, or select Selected and then choose the specific site(s), to enable the scan on multiple root sites and their underlying subsites for a specific tenant.
      • To find a list of all top-level site URLs, navigate to your SharePoint Admin Center and select site collections.
        Note: The admin used to authorize Forcepoint ONE SSE to access Microsoft 365 should be an admin for these sites.
    4. The DLP section allows you to configure the type of content you wish to gain visibility into, based on sharing status and matching data patterns.

      For example, selecting Match patterns if file is a Public, External, Internal and selecting DLP Patterns indicates that Forcepoint ONE SSE will scan all public, external, and internal files in your corporate account for DLP patterns matching what was selected.

      Note: Adding a DLP pattern on the API setup page or adjusting a DLP pattern that exists on the API setup page will initiate a new scan to rescan older files for the new pattern match.
      Important: You cannot configure data patterns alongside Forcepoint DLP data pattern. Refer to Configuring FSM controlled policies for CASB and SWG channels to enable the Forcepoint DLP data pattern.
  5. Once your settings are configured, click Save.
    The first scan starts and scans for the configured sensitive data.
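The user-scoping rules in step 3.3 and the sharing-status/DLP-pattern filter in steps 3.4 and 4.4 can be modelled to check which files a given configuration would actually inspect. The following is an added example, not Forcepoint's code; the group names, sharing statuses, regex patterns and file contents are constructed sample data, and the ScanConfig/scan_file names are hypothetical.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ScanConfig:
    """Mirrors the API Setup choices: user scope, sharing statuses, DLP patterns."""
    included_groups: set = field(default_factory=set)   # empty means "Any"
    excluded_groups: set = field(default_factory=set)
    sharing_statuses: set = field(default_factory=set)  # subset of public/external/internal
    dlp_patterns: dict = field(default_factory=dict)    # pattern name -> compiled regex

def user_in_scope(user_groups: set, cfg: ScanConfig) -> bool:
    """Apply the three include/exclude rules from the page, plus the "Any" case."""
    if user_groups & cfg.excluded_groups:
        return False                      # excluded wins even if also included
    if not cfg.included_groups:
        return True                       # no included groups: everyone else
    return bool(user_groups & cfg.included_groups)

def scan_file(owner_groups: set, sharing_status: str, text: str, cfg: ScanConfig) -> list:
    """Names of DLP patterns found in a file, or [] if the file is out of scope."""
    if not user_in_scope(owner_groups, cfg):
        return []
    if sharing_status not in cfg.sharing_statuses:
        return []                         # e.g. an internal file when only public/external chosen
    return [name for name, rx in cfg.dlp_patterns.items() if rx.search(text)]

# Constructed sample configuration and files (hypothetical groups and content).
SAMPLE_CONFIG = ScanConfig(
    included_groups={"finance"},
    excluded_groups={"contractors"},
    sharing_statuses={"public", "external"},
    dlp_patterns={"ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
                  "iban_gb": re.compile(r"\bGB\d{2}[A-Z]{4}\d{14}\b")},
)
SAMPLE_FILES = [
    # (file name, owner's groups, sharing status, content)
    ("q1.xlsx", {"finance"}, "public", "payroll SSN 123-45-6789"),
    ("notes.docx", {"finance"}, "internal", "SSN 123-45-6789"),            # status not selected
    ("vendor.pdf", {"finance", "contractors"}, "external", "GB29NWBK60161331926819"),  # excluded
    ("memo.txt", {"hr"}, "public", "GB29NWBK60161331926819"),              # not in included group
]

def run_sample() -> dict:
    """Map each sample file to the DLP patterns it triggers under SAMPLE_CONFIG."""
    return {name: scan_file(groups, status, text, SAMPLE_CONFIG)
            for name, groups, status, text in SAMPLE_FILES}
```

Calling run_sample() shows that only q1.xlsx is reported (pattern "ssn"); the other three are skipped by the sharing-status filter, the excluded group, or the included-group rule respectively.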