Views:
Cloud Email and Collaboration Protection supports using OAuth 2.0 to access OneDrive with a service account (Authorized Account). With the OAuth 2.0 framework, Cloud Email and Collaboration Protection uses an access token to obtain limited access on the Global Administrator's behalf to run advanced threat protection and data loss prevention scanning on files in the protected OneDrive sites of your organization.
The steps outlined below detail how to grant access to OneDrive with an Authorized Account from Dashboard.

Procedure

  1. Go to DashboardService Status.
  2. Click Grant Access in the Action column for OneDrive.
    The Grant Access to OneDrive screen appears.
  3. Select the policy to enable automatically when the access grant is complete.
  4. Click Grant Permission.
  5. Specify your Office 365 Global Administrator credentials and click Sign in.
    The Microsoft authorization screen appears.
  6. Click Accept to grant Cloud Email and Collaboration Protection necessary permissions to protect OneDrive sites.
  7. Go back to the Cloud Email and Collaboration Protection management console as instructed.
    Cloud Email and Collaboration Protection assigned an App Id for OneDrive that will be used for permission request on the SharePoint admin center in the next step. Copy the App Id from the screen and paste it in step 7d as instructed.
    If you decide to perform step 7 later, you can find the App Id under the corresponding Authorized Account from AdministrationService Account.
  8. Perform the following steps to grant Cloud Email and Collaboration Protection permissions to receive notifications from Microsoft upon any change to the files on your OneDrive sites.
    1. Log on to the Microsoft 365 admin center with your Global Administrator account.
    2. Go to Admin centersSharePoint from the left navigation.
      The SharePoint admin center page appears.
    3. Change the SharePoint admin center URL to {sharepoint_admin_site}/_layouts/15/AppInv.aspx in the address bar, for example, change https://example-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/home to https://example-admin.sharepoint.com/_layouts/15/AppInv.aspx, and then open the URL.
    4. On the screen that appears, copy and paste the App Id assigned in step 6 in the App Id field and then click Lookup.
      The Title field is automatically filled.
    5. Copy and paste tmcas.trendmicro.com in the App Domain field.
    6. Enter {Trend_Vision_One_site}/ui/cas/provision.html in the Redirect URL field based on your serving site.
      For example, if the URL of your Trend Vision One console in the address bar is "https://portal.xdr.trendmicro.com" after logon, enter https://portal.xdr.trendmicro.com/ui/cas/provision.html in the Redirect URL field.
    7. Copy and paste the following information in the Permission Request XML field:
      <AppPermissionRequests AllowAppOnlyPolicy="true">
      <AppPermissionRequest Scope="http://sharepoint/content/tenant" Right="Manage" />
      </AppPermissionRequests>
    8. Click Create, and on the screen that appears, click Trust It.
      The SharePoint admin center page appears.
    9. Change the SharePoint admin center URL to {sharepoint_admin_site}/_layouts/15/TA_AllAppPrincipals.aspx and then open the URL to verify the permission.
      If an item named Trend Micro Cloud App Security for OneDrive appears, the permission is successfully granted.
  9. Wait until the process is completed.
    If the message "Successfully created a service account and synced data." appears on the screen, the access grant is successful.

What to do next

If for some reason the access token becomes invalid, go to AdministrationService Account to create a new access token for the service account. For more information, see Service account.