Go Up
You are here: DeploymentConfigure Netwrix Auditor Service AccountsData Collecting AccountFor SharePoint Online Auditing

For SharePoint Online Auditing

Before you start creating a monitoring plan to audit your SharePoint Online (and OneDrive for Business), plan for the account that will be used for data collection – it should meet the requirements listed below. Then you will provide this account in the monitoring plan wizard.

To collect Activity Records only:

  1. The account needs to be created as a Cloud-Only account.
  2. To connect to SharePoint Online, and run initial data collection, the account must be assigned any of the following roles:
    • Application Administrator & Privileged Role Administrator

      OR

    • Cloud Application Administrator & Privileged Role Administrator

      OR

    • Global Administrator (Company Administrator in Azure AD PowerShell terms)
  3. NOTE: See Assigning Azure AD Administrative Roles for more information.

  4. After the initial data collection, the privileged role can be removed from the this account. Ongoing audit data collection leverages granted Office 365 Management APIs access permission and therefore requires no tenant-level or site-level permissions.

NOTE: Accounts with multi-factor authentication are not supported.

To collect State-in-Time data:

To collect State-in-Time data from your SharePoint Online environment, Netwrix creates a dedicated cloud application. The account under which the application is created (i.e. data collecting account) requires enhanced roles assignment.

To... Required Roles

Create cloud application and run initial data collection

  • Application Administrator & Privileged Role Administrator

    OR

  • Cloud Application Administrator & Privileged Role Administrator

    OR

  • Global Administrator (Company Administrator in Azure AD PowerShell terms)

See Assigning Azure AD Administrative Roles for more information.

Collect State-in-Time data

Same as for initial data collection (see the list above).

NOTE: Accounts with multi-factor authentication are not supported.

The account needs to be created as a Cloud-Only account.

Go Up