Microsoft 365 - OneDrive data source

This topic provides details on how to capture Microsoft 365 OneDrive with Collect.

Considerations

Relativity cannot collect inactive employee mailboxes. The Graph API does not support access to inactive mailboxes.

Accessing Microsoft 365 tenants

Register the Collect application to access Microsoft 365. When registering the application, the Microsoft 365 administrator creates a Microsoft Application ID and secret. You will use this ID and secret to configure data sources in Collect and provides access to the Office 365 tenants. You can register the application through Azure Portal or by registering the application permissions through the Microsoft App Registration Portal. After registering the application, request administrator consent. From there, it is possible to revoke application access.

Use this information to create a Microsoft integration point. For more information, see Importing from Microsoft Entra ID.

Give Relativity access by first registering the application in Microsoft 365. Register the application permissions through Azure Portal.

Depending on your RelativityOne license, commercial or government, and your Microsoft tenant, Microsoft 365 or Microsoft 365 Government, you will be able to collect from either Microsoft 365 or both Microsoft 365 and Microsoft 365 Government data sources. Commercial users can only collect from Microsoft 365 tenants. Government users can collect from Microsoft 365 and Government 365 tenants. These data sources act the same, but have different icons within Collect.

Registering the Collect application and setting permissions

Register your application permissions through Azure Portal to access tenants.

Start with registering your app by following the steps below:

Note: The person completing the application registration process needs to be an Azure Administrator with sufficient privileges.

  1. Open your Azure Portal.

  2. Navigate to the App registrations page.

  3. Click New Registration to display the Register an application page.

  4. Enter an application name in the Name field.

  5. Select Accounts in this organizational directory only as the supported account type.

  6. Click Register.

For more information on registering an application in Azure, see Microsoft's documentation or Microsoft's authentication documentation.

From the app's page, add permissions to the web API. To add correct permissions based on your selected Microsoft 365 data source, follow the steps below:

Note: Most steps and some permissions are the same for each data source. We recommend running through all steps for each data source.

  1. Click API Permissions.
  2. Click Add a permission.
  3. Click Microsoft Graph.
  4. Select Application Permissions.
  5. Select the following options from the Application Permissions section: 
    • Calendars.Read
    • Contacts.Read
    • Files.Read.All
    • Mail.Read
    • Sites.Read.All
    • User.Read.All
      A list of the required Microsoft Graph application permissions.
  6. Click Add permissions.
  7. Click Grant Permission.

Make a note of the application ID that Microsoft assigned to the app registration. This ID is also required for setup of data sources in Collect.

    Notes: If you do not have the ability to grant Admin consent for application permissions, you will need to find an Admin that can consent.

Once clicked, the window will show all permissions granted.

  1. Verify that you granted all permissions.
  2. Click Accept to grant the permissions.
  3. In the left navigation menu, click Certificates & secrets.
  4. Click New client secret.

    Click the "New device secret" link on the Client secrets page.
  5. Enter a description in the Description text box.
  6. Set the expiration time frame to the maximum time - 24 months.

      Notes: After the time entered expires, the client secret expires. Once the client secret expires, you will need to create a new secret and update your Collect data sources.
  7. Click Add.
  8. Click on the clipboard and copy the secret value to the clipboard and paste it in your text document.

      Notes: In this step you should copy the secret and save it as you will need it to set up your data sources in Collect. Microsoft will only show this secret this one time, there is no way to recover a forgotten or lost secret.

Provide your Relativity Admin the Application ID and the Client Secret for setup of Collect. This application secret is also needed for setting up an Entra ID integration point. For more information, see Importing from Microsoft Entra ID.

Finding Azure credentials

If an application is already created and you need to find the application information to complete the Source Connection step, follow the steps below in the Azure Portal:

  1. Click Azure Active Directory.
  2. In the left-navigation menu, click Enterprise applications.
  3. In the list of applications, locate your application by filtering or sorting.
  4. Click your application.
    This will open the application page.
  5. In the left-navigation menu, click Properties.
  6. Click the copy icon next to the Application ID.

Limiting application registration access to accounts

Limit the access of Collect to specific Microsoft user accounts and mailboxes by using the New-ApplicationAccessPolicy Powershell cmdlet. For more information, see Microsoft documentation.

Revoking application access

You can revoke the application from https://portal.azure.com or by using a PowerShell script. For more information, see Microsoft's documentation.

To revoke access from https://portal.azure.com:

  1. Navigate to Enterprise Application.
  2. Click All applications.
  3. Locate your application.
  4. Click the application link.
  5. Click Delete. Collect no longer has access.

Revoking access via Powershell

Use the Remove-MsolServicePrincipal script to revoke access through Powershell. See below for an example of retrieving and deleting an application registration using Powershell.

Get-MsolServicePrincipal -AppPrincipalId 19ab8a2e-ccce-4fa8-a9ee-eb16e220d602



    ExtensionData : System.Runtime.Serialization.ExtensionDataObject

AccountEnabled : True

Addresses : {}

AppPrincipalId : 19ab8a2e-ccce-4fa8-a9ee-eb16e220d602

DisplayName : Relativity-Development-Application

ObjectId : 51798fb3-e72c-4373-8c63-6e7d0dd63ad7

ServicePrincipalNames : {19ab8a2e-ccce-4fa8-a9ee-eb16e220d602}

TrustedForDelegation : False    



Remove-MsolServicePrincipal -AppPrincipalId 19ab8a2e-ccce-4fa8-a9ee-eb16e220d602

Creating the data source

The Collection Admin tab is where you create, edit, and remove data sources from your workspace. Setup only needs to be done once for each data source. You must create your data sources prior to setting up your custodian targets.

  1. Click the New Collection Source Instance button.
  2. Enter a unique name for the data source.
  3. Select Microsoft 365 OneDrive

    Note: Collect automatically collects any preserved data that has an in-place hold or litigation hold. Microsoft stored data on a hold in a preservation library and separate folders. For more information, see Microsoft Retention Policies.

  4. Enter the required information in Settings. For more information, see Settings fields.
  5. Click Save.

After clicking Save, Relativity verifies the parameters and connectivity to the Microsoft 365 data source. If successful, Relativity saves the data source. If the connection fails, a message appears in the UI indicating that the connection failed. If verification fails, verify that the values are correct. Relativity will save the data source when you correct it and it's verified.

Once you complete the data source setup, you will see the data source information on the Collect Admin page.

Settings fields

To connect Relativity to a Microsoft OneDrive data source, you need to gather and enter the information for the following fields:

  • Domain—enter the Domain name of the Microsoft 365 tenant you intend to collect from.

  • Application Id—enter the Application ID created during registering the Collect application in Microsoft 365.

  • Application secret—enter the Application Secret created during registering the Collect application in Microsoft 365.

After clicking Save, Collect verifies the parameters and verifies them with Microsoft 365. The parameters will be saved when verified. If the Relativity cannot verify the parameters, you will get an error message. If the connection failed, confirm the parameters, re-enter them, and click Save. Relativity does not save the parameters until there is a successful verification.

Depending on your RelativityOne license, commercial or government, and your Microsoft tenant, Microsoft 365 or Microsoft 365 Government, you will be able to collect from either Microsoft 365 or both Microsoft 365 and Microsoft 365 Government data sources. Commercial users can only collect from Microsoft 365 tenants. Government users can collect from Microsoft 365 and Government 365 tenants. These data sources act the same, but have different icons within Collect.

Data source details

Each data source details page includes an Action console. Each data source has different actions.

On the SharePoint data source page, you should see an Actions console. In the console, you can Validate Connection. Click to validate the client ID, certificate, and other credentials with Microsoft 365.

Configure data source

Configure the data sources chosen in the Collection Details step. If you select multiple data sources in the first step, you will configure all sources in the step. Switch between each source by clicking the name of the data source in the left navigation menu. Clicking Next and Previous also moves you through the data sources. Select individual data sources by clicking on the checkbox and then using the right arrows to select them. After selecting the data sources to configure, fill out the criteria. Each data source has different criteria to enter.

Data source criteria

Add criteria to collect specific data. To configure the data sources, complete the following fields:

  • Select and unselected tabs—choose the data sources to collect from by moving unselected data sources to the selected list.

  • Field—choose the field to filter on within the data source.

    Note: This field is only required when you select a calendar source.

  • Operator—choose an operator such as equals, contains, greater than, or less than.

  • Value—enter a value to find in the selected field.

After selecting field options, you must click Add Criteria. Things to know about criteria:

  • Each criteria is then separated by an AND operator.
  • Leave the data source criteria empty to collect all data from the sources.

Criteria

Filter a data source's data that you want to collect by adding criteria. This section covers the different criteria for each data source. It also includes what you can search within each data source. The criteria options change based on the Microsoft 365 Archived mailbox data source.

The following table lists the filter criteria support for OneDrive collections.

Note: You must register Relativity in Microsoft 365 before using this data source. For information on registering Relativity in Microsoft 365, see Accessing Microsoft 365 tenants.

When using search criteria to filter for Microsoft 365 OneDrive, different operators can return different results. Knowing the search operators is crucial.

The keyword search criteria uses the Search In operator. When using the Search In operator:

  • Search for a phrase by entering the phrase without any OR operators into the Value text box.
    Example: acme corp contract
  • Search for individual keywords by entering the keywords and separating them with an OR in the Value text box.
    Example: cat OR dog OR mouse
      Notes: Enter the OR operator with all capital letters. You should add keywords and phrases in lower case only.
  • Keywords hit on matches and if a word is prefixed with a keyword.
    Example: "Work" will return "workday" and "workplace"
Criteria Operators Description Example
File Extension Equal, Does Not Equal, Contains When you use the File Extension property in a query, the search returns all files that contain the entered file extension. If you search “Contains docx,” your results include all Microsoft Word files saved with that extension.
File Path Equal, Does Not Equal, Contains

When you use the File Path property in a query, the search returns all messages equals/does not equal or contain the folder path entered.

 If you search “Contains C:/documents/Relativity,” your results include all files within the listed folder and any folder beyond the file path entered.
File Name Equal, Does Not Equal, Contains When you use the File Name property in a query, the search returns all files that equals/does not equal or contain the value entered. If you search “Equals Important_Document,” your results include all files with that text in the filename.
Creation Date Equals, Does Not Equal, Greater Than, Greater Than or Equals, Less Than, Less Than or Equals When you use the Creation Date property in a query, the search returns all messages that equal/doesn’t equal, greater/less than the date entered. If you search “Greater Than 1/1/2001,” your results include all messages created after January 1, 2001.
Modification Date Equals, Does Not Equal, Greater Than, Greater Than or Equals, Less Than, Less Than or Equals When you use the Modification Date property in a query, the search returns all updated files that equal/doesn’t equal, greater/less than the date entered. If you search “Less Than 1/1/2020,” your results include all files modified before January 1, 2020.
Keyword Search Search In When you use the Keyword Search property in a query, the search returns all files containing the searched text. If you search “Relativity,” your results include all files that contain the searched text in the file.

Note: For email, the date a recipient receives message or sent by the sender. For documents, the date a document was last modified.

Collecting preserved files

When running a collection with Microsoft data sources, Relativity collects all available files, including preserved files. You do not need to take extra steps to collect preserved files as they are automatically included in the collection.For more information on preserving data, see Preservation hold (Legacy).

When a Microsoft places a data source on a preservation hold, Microsoft creates a preservation hold library, a Recoverable Items folder. The addition of the Recoverable Items folder to Microsoft Exchange is another folder that can be collected. Collect can collect this folder because the Removable Items folder is an additional folder within a Microsoft data source.

When emails and files are on a preservation hold in Microsoft 365, Microsoft preserves original copies of any deleted or modified items. Microsoft stores preserved emails in the Recoverable Items folder and preserved files in the Preservation Library. Collect automatically collects from these file locations.

Relativity collects all versions of the document available in the preservation library. Collecting all versions of a document means that Relativity collects multiple versions of the same file with the corresponding SHA-256 hashes for each version of the data. If there were changes in the file version, the hash should be unique. For more information on hash identifiers, see Microsoft 365 - OneDrive data source.