Cloud App Security uses a single SharePoint Online Delegate Account for both SharePoint Online and OneDrive. If you want to protect both services, grant Cloud App Security access to SharePoint Online and OneDrive respectively with the same Delegate Account to add required data about both services to the Delegate Account.
During access grant, Cloud App Security allows you to synchronize:
  • All SharePoint site collections and/or OneDrive users and groups of your organization
  • Certain SharePoint site collections and/or OneDrive users of your organization for testing purposes
Important
Important
You need to use the same option when granting access to Exchange Online, SharePoint Online, and OneDrive, that is, to either synchronize all targets or synchronize certain targets.
For access grant with certain targets synchronized, Cloud App Security does not support manual synchronization and scheduled synchronization.
The steps outlined below detail how to grant access to SharePoint Online first and then OneDrive with a Delegate Account from Dashboard.

Procedure

  1. Perform the following steps to grant access to SharePoint Online.
    1. On the Dashboard screen, hover over SharePoint Online and click Grant access.
      The Grant Access to SharePoint Online screen appears.
    2. Click the Delegate Account tab.
    3. Specify the Global Administrator credentials (email address and password) and click Verify.
      Important
      Important
      Trend Micro does not save the Global Administrator credentials. They are used only once to create the necessary Delegate Accounts.
    4. Optionally select the Promote all Delegate Accounts to the Global Administrator admin role check box.
      Note
      Note
      Selecting this check box promotes Delegate Accounts to Global Administrator privileges. This automatically synchronizes changes.
      Clearing this check box leaves Delegate Accounts with Service Administrator privileges. This requires Global Administrator credentials every time you want to synchronize changes.
    5. Select to synchronize all or selected SharePoint site collections of your organization.
      • Select Synchronize all targets and go to Step f.
      • Select Synchronize selected targets and click Next.
        1. Sign in to Microsoft 365 admin center with your Global Administrator account, and go to Admin centersSharePointsite collections from the left navigation.
        2. Verify and add the URLs to protect one by one by copying a URL, pasting it into the text box, and clicking Add.
          Note
          Note
          You can add a maximum of 100 site collection URLs.
        3. Optionally select the URLs one by one to remove them.
        4. Go to Step f.
    6. Click Submit.
    7. Hover over the notification icon in the upper-right corner of the management console.
      If the message "SharePoint Online protected." appears on the Notifications screen, the access grant is successful.
  2. Perform the following steps to grant access to OneDrive.
    1. On the Dashboard screen, hover over OneDrive and click Grant access.
      The Grant Access to OneDrive screen appears.
    2. Click the Delegate Account tab.
    3. Specify the Global Administrator credentials (email address and password) and click Verify.
    4. Optionally select the Promote all Delegate Accounts to the Global Administrator admin role check box.
    5. Select to synchronize all or selected OneDrive users of your organization that have OneDrive sites.
      If the Delegate Account is already created for SharePoint Online, this option is dimmed and unavailable because it follows what is selected during access grant for SharePoint Online in Step 2.
      If the Delegate Account is not created for SharePoint Online yet,
      • Select Synchronize all targets and go to Step f.
      • Select Synchronize selected targets and click Next.
        1. In the Available Targets area that appears, specify individual users or select users from groups.
          • By User: specify the exact user principal name of a user having OneDrive sites and press Enter to verify and display the user name.
          • By Group: specify at least the first three characters of the group name and press Enter to search for and display the group(s).
        2. Select the user(s) and click the arrow button to add them to the Selected Targets area.
          Note
          Note
          You can synchronize a maximum of 100 users.
        3. Optionally select one or multiple users in the Selected Targets area and click the arrow button to remove them.
        4. Go to Step f.
    6. Click Submit.
    7. Hover over the notification icon in the upper-right corner of the management console.
      If the message "OneDrive protected." appears on the Notifications screen, the access grant is successful.

What to do next

If only some targets were selected to synchronize during access grant, Cloud App Security is also able to extend its protection to all targets under the corresponding service by enabling you to manually synchronize all targets:
  1. On the Notifications screen, click Extend to protect all your Office 365 service targets..
  2. On the screen that appears, view the instructions and click Submit.
  3. Go to Advanced Threat Protection or Data Loss Prevention, and open an ATP or DLP policy of each service you want to extend the protection to, that is, Exchange Online, SharePoint Online, or OneDrive.
  4. Select the General tab and click Click here to manually synchronize all your targets.
Note
Note
After clicking Submit, you can also wait until the next day because Cloud App Security automatically synchronizes with your Microsoft 365 environment once per day.