How do I see what's in my employees' OneDrive for Business sites?
I was recently tasked by a client, concerned about sensitive documents being accessed by those who were not privileged, with enabling them to be notified when a document on an employee's OneDrive was accessed.
This sounds like it'd be easy, and perhaps it is if you only have one or two to monitor, but watching a company of 2,000 people in this way is not such a simple task. To learn why, as IT people, we need to understand how OneDrive for Business works in Microsoft Office 365.
A basic primer on OneDrive for Business
Each employee with the appropriate license will have a OneDrive for Business site that they can access. These are essentially specialized SharePoint sites on the back end, and each individual is the site collection administrator for their own OneDrive for Business site. However, other administrators -- including the global admin -- are not automatically granted access to what's in each employee's site, only what is shared across the organization.
This means that there is no easy way to grant administrators access to every OneDrive for Business site -- changing the settings from the top level only changes the top level and is not inherited by each individual site.
So, how do I see what's going on in my employees' OneDrive for Business sites? I really need to know.
Ok, ok, I get it, you want to see what they're storing in their little hidey-holes. Professionally, I would only recommend doing this if absolutely necessary. There is an element of trust when giving employees access, and breaching that trust (if they were to find out) could jeopardize morale -- and it's not likely that every employee is using their OneDrives for illegal or otherwise unsavory activities.
That being said, let's say we know that Allie Bellew is being a bad OneDrive for Business user. An IT employee walked past her desk and saw her streaming music from her sweet collection of '90s techno. She saw it, she swears! In some companies, this might be OK or even encouraged, but not in this fictional case. No music for Allie.
(Alan Steiner is also reputed to be squirreling away his salacious photo collection in his OneDrive, but we'll leave that for another post.)
An IT admin decides then to snoop on Allie's OneDrive, but is met with this:
Not very revealing, eh?
In short, since there's no simple or straightforward way to grant your IT employees access to Allie's OneDrive to see what she's up to, you have to use PowerShell to make them the site collection administrator.
TechNet has a handy guide and PowerShell scripts available to accomplish this task. The scripts will grab a list of all OneDrive for Business sites in your organization, then assign a user as site collection administrator for those sites. If IT only needs to see an individual site, the list that the first script outputs can be modified to include just that one site location.
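The two steps described above (list the OneDrive sites, then assign a site collection administrator), as an added example that is not the TechNet script or code from the original post. It uses the SharePoint Online Management Shell cmdlets and also records every change to a CSV file so that the access can be reviewed and revoked later. The tenant URL, reviewer account and log path are placeholder assumptions.

```powershell
# Added example. The tenant name, reviewer UPN and log path are placeholders (assumptions).
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint admin role.
param(
    [string]$AdminUrl  = 'https://contoso-admin.sharepoint.com',  # placeholder tenant admin URL
    [string]$Reviewer  = 'it.reviewer@contoso.com',               # placeholder account to grant
    [string[]]$SiteUrl,                                           # empty = every OneDrive site
    [switch]$Revoke,                                              # remove the grant instead
    [string]$LogPath   = '.\onedrive-admin-grants.csv'            # placeholder change log
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl   # interactive sign-in

# Step 1: build the list of OneDrive for Business (personal) sites,
# unless specific site URLs were passed in.
if (-not $SiteUrl) {
    $SiteUrl = Get-SPOSite -IncludePersonalSite $true -Limit All `
        -Filter "Url -like '-my.sharepoint.com/personal/'" |
        Select-Object -ExpandProperty Url
}

# Step 2: add (or remove) the reviewer as site collection administrator
# on each site, and record the outcome of every change.
$grant = -not $Revoke
foreach ($url in $SiteUrl) {
    $result = 'OK'
    try {
        Set-SPOUser -Site $url -LoginName $Reviewer `
            -IsSiteCollectionAdmin $grant -ErrorAction Stop | Out-Null
    } catch {
        $result = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        TimeUtc  = (Get-Date).ToUniversalTime().ToString('o')
        Site     = $url
        Reviewer = $Reviewer
        Action   = if ($grant) { 'Grant' } else { 'Revoke' }
        Result   = $result
        RunBy    = $env:USERNAME
    } | Export-Csv -Path $LogPath -NoTypeInformation -Append
}
```

Passing a single URL in `-SiteUrl` limits the change to one employee's site, and running the script again with `-Revoke` removes the access once the review is finished.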
This procedure also comes in handy if you need to enable eDiscovery for your company's OneDrive for Business sites on a global scale. If there's a legal issue, it's almost certain that this will need to be done to ensure compliance and discovery of all appropriate documents.
More entries on Peter Redmer’s blog at peterredmer.info