Office 365 OneDrive

Overview

Office 365 OneDrive is a cloud storage system that allows sharing files and collaboration. Harmony Email & Collaboration adds security, privacy, and compliance to Office 365 OneDrive by scanning files shared in OneDrive for malicious content and data loss prevention (DLP) and generates actionable events on malicious content.

Note - Harmony Email & Collaboration scans only the organization's Office 365 OneDrive and does not scan files and folders outside the organization, even if the user has access to them.

How it works

Harmony Email & Collaboration adds a layer of security that provides these security features for Office 365 OneDrive:

  • Data Leak Prevention (DLP): Protecting sensitive text messages and files

  • Anti-Malware: Scanning of files for malicious content

  • Remediation: Quarantine malicious files and send files containing sensitive data to the vault

Required Permissions

Harmony Email & Collaboration requires these permissions to protect Office 365 OneDrive.

Note - All these permissions are required to access your data in the Harmony Email & Collaboration Administrator Portal.

Permissions required from Microsoft

Functions performed by Harmony Email & Collaboration

Manage all access reviews

Allows the app to read, update, delete and perform actions on access reviews, reviewers, decisions, and settings in the organization without a signed-in user.

Read and write all applications

Allows the app to create, read, update and delete applications and service principals without a signed-in user. Does not allow management of consent grants.

Read and write contacts in all mail boxes

Allows the app to create, read, update, and delete all contacts in all mailboxes without a signed-in user.

Read and write directory data

Allows the app to read and write data in your organization's directory, such as users, and groups, without a signed-in user. Does not allow user or group deletion.

Read and write domains

Allows the app to read and write all domain properties without a signed-in user. Also allows the app to add, verify and remove domains.

Read and write files in all site connections

Allows the app to read, create, update and delete all files in all site collections without a signed-in user.

Read and write all groups

Allows the app to create groups, read all group properties and memberships, update group properties and memberships, and delete groups. Also allows the app to read and write group calendar and conversations. All of these operations can be performed by the app without a signed-in user.

Read and write all user mailbox settings

Allows the app to create, read, update, and delete user's mailbox settings without a signed-in user. Does not include permission to send mail.

Read and write mail in all mailboxes

Allows the app to create, read, update, and delete mail in all mailboxes without a signed-in user. Does not include permission to send mail.

Send mail as any user

Allows the app to send mail as any user without a signed-in user.

Read all usage reports

Allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Microsoft 365 and Microsoft Entra ID (formerly Azure AD).

Read and update your organization’s security events

Allows the app to read your organization’s security events without a signed-in user. Also allows the app to update editable properties in security events.

Read and write items in all site collections

Allows the app to create, read, update, and delete documents and list items in all site collections without a signed-in user.

Read and write all users' full profiles

Allows the app to read and update user profiles without a signed-in user.

Sign in and read user profile

Allows users to sign in to the app, and allows the app to read the profile of signed-in users. It also allows the app to read basic company information of signed-in users.

Activating Office 365 OneDrive

For details about the procedure to activate Office 365 OneDrive, see Activating Office 365 OneDrive.

Deactivating Office 365 OneDrive

To deactivate Office 365 OneDrive:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Stop for Office 365 OneDrive.

Office 365 OneDrive Security Settings

Customizing Quarantine and Vault

Administrators can customize the Quarantine and Vault folders (folder names, quarantine/vault messages, etc.)

Quarantine Folder

The Quarantine folder is used to quarantine malware-infected or sensitive files related to OneDrive. Infected or sensitive files of all the users gets quarantined and is placed in a single predefined Quarantine folder for your complete organization.

You can configure the Threat Detection policy and DLP policy to quarantine only malware and not sensitive files (which can be placed in end-user's Vault).

Notes:

  • The Quarantine folder can be stored in your organization's OneDrive or in the Check Point cloud in the region associated with your organization's Infinity Portal account.

  • End users do not have access to this folder.

To customize the Quarantine folder:

  1. Navigate to Security Settings > SaaS Applications.

  2. Click Configure for Office 365 OneDrive.

  3. Go to Quarantined Files section.

  4. Under Store quarantined files in, select where you want to store the quarantined files:

    • Check Point - Stores the quarantined files in the Check Point cloud in the region associated with your organization’s Infinity Portal account.

    • Company’s OneDrive - Stores the quarantined files in a Quarantine folder located in your organization’s OneDrive account.

  5. If you selected Company's OneDrive in the previous step, enter these details for the quarantine folder:

    • Under Quarantine folder owner email address, enter the required email address.

      Note - OneDrive must exist for the email address you enter here.

    • Under Quarantine folder name, enter the required folder name.

      Note - A Quarantine folder gets created with the entered name in the root directory of the given email address.

  6. (Optional) If you need to configure the content of the file that replaces the quarantined malicious file in its original folder, enter the text under Text in placeholder file (Malware).

  7. (Optional) If you need to configure the content of the file that replaces the quarantined sensitive file in its original folder, enter the text under Text in placeholder file (DLP).

  8. Click Save.

Vault Folder

A Vault folder is used to remediate DLP detections related to OneDrive files. It is a non-shared folder that is created for every OneDrive user.

If a file contains sensitive information that does not comply with your organization's data-sharing policies, it is removed and placed in the Vault folder.

Notes:

  • The Vault folder gets created with the specified name in the root directory of each user.

  • The user can access the file from the Vault but cannot share it with others.

To customize the Vault folder:

  1. Click Security Settings > SaaS Applications.

  2. Click Configure for Office 365 OneDrive.

  3. Go to Vaulted Files section.

  4. Under Vault folder name, enter the required vault folder name.

    Note - The Vault folder gets created with the specified name in the root directory of each user.

  5. If you want to allow end users to manually restore files from the Vault, enable the Allow end users to manually restore files from Vault checkbox.

  6. (Optional) If you need to configure the content of the file that replaces the vaulted sensitive file in its original folder, enter the text under Text in placeholder file (DLP).

  7. Click Save.

Configuring Office 365 OneDrive Policy

Malware Policy

By default, the Office 365 OneDrive malware policy scans the uploaded files for malicious content.

Supported Actions

Office 365 OneDrive malware policy supports these actions:

  • Quarantine/removal of malware-infected files.

  • Alert owner: Sends an email notification to the user who uploaded a file that contains malicious content.

  • Alert admin(s): Sends an email notification to the admin(s) about the malicious files.

Configuring Malware Policy

To configure Malware policy:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. From the left navigation panel, click Policy.

  3. Click Create New Policy Rule.

  4. From the Choose SaaS drop-down list, select Office 365 OneDrive.

  5. From the Choose Security drop-down list, select Malware and click Next.

  6. Select the desired protection mode:

    • Detect and Remediate

    • Detect

    (Optional) If required, you can change the Rule Name.

  7. In the Scope section, select the users and/or group of users for whom the policy is applicable:

    • To apply the policy to all users and groups in your organization, enable All Users and Groups checkbox.

    • To apply the policy to specific users or groups, select the users/ groups and click Add to Selected.

    • To exclude specific users or groups from the policy, select the required users/groups and click Add to Excluded.

  8. In the Blades section, select the required threat detection blades for the policy.

    Note - To select all the blades available for malware detection, enable All running threat detection blades checkbox.

  9. Scroll down to Attachments section and select the required workflow for the policy in the Suspected malware attachments workflow.

    • Quarantine. User is not alerted (admin can restore)

    • Do nothing

    Note - The Workflows are available only when Detect and Remediate protection mode is enabled.

  10. To quarantine malware-infected files, enable the Quarantine drive files checkbox under Alerts.

    Note - This option is available only in Detect and Remediate protection mode.

  11. To remove malware-infected files, enable the Remove malicious files checkbox under Alerts.

    Notes:

    • If you enable the Remove malicious files checkbox, malicious files will be removed permanently, and you cannot restore them.

    • For a policy, you can only enable Quarantine drive files or Remove malicious files.

  12. Configure Alerts for the policy.

    1. To quarantine malware-infected files, enable the Quarantine malicious files checkbox in the Alerts section.

      Note -This option is available only in Detect and Remediate protection mode.

    2. To clean malicious files, enable the Clean Files (Threat Extraction) checkbox. See File Cleaning (Threat Extraction) for Office 365 OneDrive and Office 365 SharePoint.

      Note - If the Clean files (Threat Extraction) checkbox is not available in your Infinity Portal account (tenant), contact Check Point Support .

    3. To send email alerts to the file owner of malware, enable the Alert file owner of malware checkbox.

    4. To send email alerts to admins about malware, enable the Alert admin(s) checkbox.

      To configure alerts to the specific users, click Select Users next to the Alert admin(s).

    5. To remove malware-infected files, enable the Remove malicious files checkbox in the Alerts section.

      Note - If you enable this option, malicious files will be removed permanently, and you cannot restore them.

    Notes:

    • For a policy, you can only enable Quarantine malicious files or Remove malicious files.

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when Receive Alerts role is enabled in the Specific Service Role. For more details about managing roles and permissions in the Infinity Portal, refer to Global Settings > Users in Infinity Portal Administration Guide.

  13. Click Save and Apply.

DLP Policy

By default, the DLP policy scans the uploaded files to OneDrive for potentially leaked information, such as credit card number and Social Security Number (SSN).

Supported Actions

Office 365 OneDrive DLP policy supports these actions:

  • Send files with sensitive data to the vault.

  • Alert owner: Sends an email notification to the user who uploaded a file that contains sensitive information.

  • Alert admin(s): Sends an email notification to the admin(s) about the files that contain sensitive information.

Configuring DLP Policy for OneDrive

To configure DLP policy:

  1. Click Policy on the left panel of the Harmony Email & Collaboration Administrator Portal.

  2. Click Add a New Policy Rule.

  3. From the Choose SaaS drop-down list, select Office 365 OneDrive.

  4. From the Choose Security drop-down list, select DLP and click Next.

  5. Select the desired protection mode (Detect and Remediate or Detect).

    If required, you can change the Rule Name.

  6. Choose Scope for the policy.

    • To apply the policy to specific users or groups, select the users and groups and click Add to Selected.

    • To apply the policy to all users and groups in your organization, enable All Users and Groups checkbox.

    • To exclude specific users or groups from the policy, select the users/groups and click Add to Excluded.

  7. Under DLP Criteria, select the DLP categories required for the policy.

    For more information about the DLP Data Types and categories, see Appendix C: DLP Built-in Data Types and Categories.

  8. Select the sensitivity level required for the policy.

    1. Very high (hit count > 0)

    2. High (hit count > 2)

    3. Medium (hit count > 5)

    4. Low (hit count > 10)

    5. Very Low (hit count > 20)

  9. To exclude DLP policy for the files shared only with the internal users, enable the Skip Internal items checkbox.

  10. Configure Actions for the policy.

    1. To send a detected file with sensitive data to its owner’s vault, enable the Send files with sensitive data to vault checkbox.

      Note - This option will be available only in Detect and Remediate protection mode.

    2. To send email alerts to admins about DLP, enable the Alert admin(s) checkbox.

    3. To send email alerts to the file owner about DLP, enable the Alert file owner(s) checkbox.

    4. To quarantine drive files, enable the Quarantine drive files checkbox.

    Notes:

    • For a policy, you can only enable Send file with sensitive data to vault or Quarantine drive files.

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when Receive Alerts role is enabled in the Specific Service Role. For more details about managing roles and permissions in the Infinity Portal, refer to Global Settings > Users in Infinity Portal Administration Guide.

    • To customize the email alert templates, click on the gear icon to the right of the alert.

  11. Click Save and Apply.

Viewing Office 365 OneDrive Security Events

Harmony Email & Collaboration records the OneDrive detections as security events. The event type depends on the type of policy that created the event. You can handle the security events in different ways, whether they are detected/prevented automatically or discovered by the administrators after not being prevented.

The Events screen shows a detailed view of all the security events.

Note - For files marked as malware by Microsoft, scan results are unavailable and access to these files is prevented by Microsoft.

File Cleaning (Threat Extraction) for Office 365 OneDrive and Office 365 SharePoint

File cleaning (Threat Extraction) uses a Content Disarm and Reconstruction (CDR) engine as an additional layer of security alongside the Anti-Malware engine to prevent malware attacks and their spread among internal users.

The system scans every file uploaded to or edited in Office 365 OneDrive or SharePoint.

  • If malware is detected, Harmony Email & Collaboration applies the malware workflow.

  • If no malware is found, it sanitizes the file by removing active components that may conceal undetected threats.

If required, administrators can restore the original file to ensure business continuity.

For more information about file cleaning, see Attachment Cleaning (Threat Extraction).

Configuring File Cleaning (Threat Extraction) for Office 365 OneDrive or Office 365 SharePoint

To configure file cleaning for Office 365 OneDrive or Office 365 Sharepoint:

  1. Access the Harmony Email & Collaboration Administrator Portal.

  2. From the left navigation panel, click Policy.

  3. Open the existing malware policy for the required SaaS application (Office 365 OneDrive or Office 365 SharePoint).

  4. Select the policy protection mode as Detect and Remediate.

  5. Scroll-down to the Alerts section, and select the Clean Files (Threat Extraction) checkbox.

    Note - If the Clean files (Threat Extraction) checkbox is not available in your Infinity Portal account (tenant), contact Check Point SupportAvanan Support .

  6. Click Save and Apply.

Cleaned Office 365 OneDrive / Office 365 SharePoint Files

When Harmony Email & Collaboration cleans files in Office 365 OneDrive or Office 365 SharePoint, it makes the following changes to the files:

  • Adds the string .cleaned to the file name (For example, file.doc becomes file.cleaned.doc).

  • Removes all active content from the file.

For more information about supported file types and details of the components removed from the files, see Supported file types for Attachment Cleaning (Threat Extraction).

Restoring the Original File

Administrators can restore the original file through the Harmony Email & Collaboration Administrator Portal. To do that:

  1. Go to User Interaction > Quarantined Items.

  2. From the drop-down list next to the Quarantined Items, select Office 365 OneDrive or Office 365 SharePoint.

  3. Open the relevant File Info page, and click the Restore Original File option to restore the original file.

    Note - If an end user needs access to the original file (without cleaning), they must contact an administrator, as there is no option available for them to restore it on their own.

If multiple versions of the same file exist, only the first (original) version can be restored. See Restoring Files that are Cleaned Multiple Times.

Restoring Files that are Cleaned Multiple Times

When you restore a file, Harmony Email & Collaboration always restores the first version it scanned, regardless of how many times the file was edited or cleaned later.

Since the file is cleaned every time it’s modified, the version restored may be older than the one the end user last saw.

For example, if you restore a file, the system will restore the original version of the file—potentially older than the version they last accessed. The file is cleaned each time it is modified, ensuring security at every stage.

Viewing Cleaned Files for Office 365 OneDrive and Office 365 SharePoint

To view Office 365 OneDrive or Office 365 SharePoint files that are cleaned by Harmony Email & Collaboration:

  1. Go to Analytics > Custom Queries.

  2. Click Create New Query at the to right corner.

  3. In the Select Template for New Query page that appears, select Office 365 OneDrive or Office 365 SharePoint, then click All Files.

  4. In the All Files page that appears, click Add Filters in the left top corner.

  5. Select Is Cleaned is Yes, and click Add.