Creating Policy Alerts for Office 365 SharePoint and OneDrive
Create custom policies to generate alerts for actions on resources that are specific to your Office 365 SharePoint and OneDrive environment.
Prerequisite: Ensure that you have followed the instructions in Getting Started with Policies to review available managed policies, and any custom policies that already exist, before creating a new custom policy.
You can create policies for actions and resources in SharePoint and OneDrive.
Note:
If you registered your Office 365 instance before April 2016, to enable the features for SharePoint and OneDrive and for Azure AD, you must re-enter the Oracle CASB Cloud Service user's credentials for your registered application instance in the credentials update page: select Applications, click the icon for the instance to display the Health Summary, and then Modify, Update Credentials.Creating Alerts for SharePoint and OneDrive User and Group Management
Create a policy that generates an alert for actions taken on users and groups.
For instructions about how to create a policy alert for Office 365, see the topics for Creating Policy Alerts for Office 365 Exchange Online.
Here are the resources and actions for user and group management. Except where noted otherwise, these resource types and actions apply to both SharePoint and OneDrive.
| Resource | Action/Event Name | Trigger for Policies with This Resource and Action |
|---|---|---|
|
List of user agents exempted from indexing |
Modify (CustomizeExemptUsers) |
A global administrator customizes the list of exempt user agents in the SharePoint administrator center. When exempt user agents encounter an InfoPath form, the form is returned as an XML file instead of an entire web page. This speeds up indexing of InfoPath forms. |
|
Add to list (ExemptUserAgentSet) |
A global administrator adds a user agent to the list of exempt user agents in the SharePoint administrator center. |
|
|
Group |
Add group (GroupAdded) |
A site administrator or owner creates a group for a site, or performs another task that results in a group being created. (For example, when a user creates a link with edit permissions to a shared file, a system group is added to the user's site.) |
|
Remove group (GroupRemoved) |
A user deletes a group from a site. |
|
|
Modify (GroupUpdated) |
A site administrator or owner changes the settings for a group (for example, the group name or who can edit the group membership). |
|
|
Grant permission to create groups (AllowGroupCreationSet) |
A site administrator or owner adds a permission level that allows users to create a group for the site. |
|
|
Add user (UserAddedToGroup) |
A site administrator or owner adds a person to a group on a site. This grants the group's permissions to the user. |
|
|
Remove user (UserRemovedFromGroup) |
A site administrator or owner removes a person from a group on a site. This removes the group's permissions from the user. |
|
|
Add group SSO credentials (SSOGroupCredentialsSet) |
An administrator sets group credentials in the Secure Store service. |
|
|
User |
Add User SSO credentials (SSOUserCredentialsSet) |
An administrator sets user credentials in the Secure Store service. |
Creating Alerts for SharePoint and OneDrive Files and Folders
Create a policy that generates an alert for actions taken on files and folders.
Note:
For instructions about how to create a policy alert, see the topics for Creating Policy Alerts for Office 365 Exchange Online.
This table lists the fields on the Resource page in the policy creation wizard, with the values you would use in an alert for SharePoint and OneDrive files and folders.
Note:
TheFolder... options may only be available if you have set up targeted release options (also commonly referred to as "preview mode") for the Office 365 service account. See the Microsoft documentation, Set up the Standard or Targeted release options in Office 365.
| Resource | Action/Event Name | Trigger for Policies with This Resource and Action |
|---|---|---|
|
SharePoint/OneDrive SharingInvitation |
SharingInvitationAccepted |
A recipient of an invitation to view or edit a shared file or folder clicks the link in the invitation. |
|
SharingInvitationCreated |
A user sends an invitation to view or edit a shared file or folder on a site. The invitation goes to a person inside or outside his or her organization. |
|
|
AccessInvitationExpired |
An invitation sent to an external user expires. By default, an invitation sent to a user outside of your organization expires after 7 days if the invitation isn't accepted. |
|
|
SharingInvitationRevoked |
The site administrator or owner of a site or document withdraws an invitation that was sent to a user outside your organization. An invitation can be withdrawn only before it's accepted. |
|
|
AccessInvitationUpdated |
The sender of an invitation to view or edit a shared file or folder on a site resends the invitation. |
|
|
SharePoint/OneDrive Sharing |
SharingRevoke |
Someone removes a sharing permission. |
|
SharingSet |
Someone modifies a sharing permission. |
|
|
SharePoint/OneDrive SharedLink |
AnonymousLinkCreated |
Someone creates a link that allows external users to view documents anonymously. |
|
AnonymousLinkUsed |
Someone views documents anonymously. |
|
|
CompanyLinkCreated |
Someone creates a link that can be used company-wide. |
|
|
CompanyLinkRemoved |
Someone deletes a link that can be used company-wide. |
|
|
SharePoint/OneDrive File |
AnonymousLinkCreated |
Someone creates a link that allows external users to view documents anonymously. |
|
AnonymousLinkRemoved |
Someone deletes a link that allows external users to view documents anonymously. |
|
|
AnonymousLinkUpdated |
Someone updates a link that allows external users to view documents anonymously. |
|
|
AnonymousLinkUsed |
Someone views documents anonymously. |
|
|
CompanyLinkCreated |
Someone creates a link that can be used company-wide. |
|
|
CompanyLinkRemoved |
Someone deletes a link that can be used company-wide. |
|
|
FileAccessed |
Someone views a file on a site. |
|
|
FileCheckOutDiscarded |
A user discards (or undoes) a checked out file. This discards any changes made when it was checked out. |
|
|
FileCheckedIn |
A user checks in a document to a document library. |
|
|
FileCheckedOut |
A user checks out a document in a library. Users can check out and edit documents that were shared with them. |
|
|
FileCopied |
A user copies a document from a site. The user can save the copy to another folder on the site. |
|
|
FileDeleted |
A user deletes a document from a site. |
|
|
FileDownloaded |
A user downloads a document from a site. |
|
|
FileModified |
A user or system account modifies the content or the properties of a document on a site. |
|
|
FileMoved |
A user moves a document on a site to a new location. |
|
|
FileRenamed |
A user renames a document on a site. |
|
|
FileRestored |
A user restores a document from the recycle bin of a site. |
|
|
FileUpdated |
A user modifies a file on a site. |
|
|
FileUploaded |
A user uploads a document to a folder on a site. |
|
|
SharePoint/OneDrive Folder |
FolderCreated |
A user creates a folder on a site. |
|
FolderDeleted |
A user permanently deletes a folder on a site. |
|
|
FolderDeletedFirstStageRecycleBin |
A user deletes a folder to the first stage recycle bin on a site. |
|
|
FolderDeletedSecondStageRecycleBin |
A user deletes a folder to the second stage recycle bin on a site. |
|
|
FolderModified |
A user modifies a folder on a site. |
|
|
FolderMoved |
A user moves a folder on a site. |
|
|
FolderRenamed |
A user renames a folder on a site. |
|
|
SharePoint/OneDrive Activation (browser-enabled basic form templates) |
ActivationEnabled |
Users can browser-enable form templates that don't contain form code, require full trust, enable rendering on a mobile device, or use a data connection managed by a server administrator. |
|
SharePoint/OneDrive CollaborationType |
CollaborationTypeModified |
The type of collaboration allowed on sites (for example, intranet, extranet, or public) was modified. |
After you have finished specifying Resource and Action options, complete your policy by continuing where you left off in Creating Policy Alerts for Office 365 Exchange Online.
Creating Alerts for SharePoint Application Management
Create a policy that generates an alert for application management actions.
For instructions about how to create a policy alert for Office 365, see any of the topics for Creating Policy Alerts for Office 365 Exchange Online.
Here are the resources and actions for SharePoint-connected applications that you can make the target of a policy.
| Resource Type | Description |
|---|---|
|
SharePoint/OneDrive: AppCatalog |
Detects a new app catalog for SharePoint (Action: AppCatalogCreated), or removing or updating the audit policy for the catalog (Action: AuditPolicyRemoved, AuditPolicyUpdate). |
|
SharePoint/OneDrive: SSOApplication |
Detects when an administrator creates a single sign-on application (Action: CreateSSOApplication), deletes one (Action: DeleteSSOApplication, or updates one (Action: UpdateSSOApplication). |
Creating Alerts for SharePoint and OneDrive Site Management
Create a policy that generates an alert for site management actions.
For information about creating a policy alert for Office 365, see the topics for Creating Policy Alerts for Office 365 Exchange Online.
Note:
The SharePoint/OneDrive Site options may only be available if you have set up targeted release options (also commonly referred to as "preview mode") for the Office 365 service account. See the Microsoft documentation, Set up the Standard or Targeted release options in Office 365.-
Select Configuration, Policy Management from the Navigation menu. If the Navigation Menu is not displayed, click the Navigation Menu icon
to display it. -
Click New Policy.
-
In the Name page, enter a name for the policy, enter a description, select a Priority, select Include in user risk score if you want policy violations included in user risk score computations, and then click Next.
-
In the Resource page, select Office365 as the application type, select an application instance, and then set the resource:
| Resource | Action/Event Name | Trigger for Policies with This Resource and Action |
|---|---|---|
|
SharePoint/OneDrive LegacyWorkflowEnabled |
LegacyWorkflowEnabledSet |
A site administrator or owner adds the SharePoint Workflow Task content type to the site. |
|
SharePoint/OneDrive OfficeOnDemand |
OfficeOnDemandSet |
A site administrator enables Office on Demand, which lets users access the latest version of Office desktop applications. Office on Demand is enabled in the SharePoint administrator center and requires an Office 365 subscription that includes full, installed Office applications. |
|
SharePoint/OneDrive MaxQuota |
MaxQuotaModified |
The maximum quota for a site is modified. |
|
SharePoint/OneDrive MaxResourceUsage |
MaxResourceUsageModified |
The maximum allowable resource usage for a site is modified. |
|
SharePoint/OneDrive NewsFeedEnabled |
NewsFeedEnabledSet |
A site administrator or owner enables RSS feeds for a SharePoint or OneDrive for Business site. |
|
SharePoint/OneDrive ResourceWarningEnabled |
ResourceWarningEnabledModified |
An administrator modifies the resource quota warning. |
|
SharePoint/OneDrive SearchCenterURL |
SearchCenterUrlSet |
An administrator sets a search center URL. A Search Center lets users to submit search queries and view search results. A Search Center site is the top-level site of a site collection that a farm administrator creates. |
|
SharePoint/OneDrive SecondaryMySiteOwner |
SecondaryMySiteOwnerSet |
A user modifies the secondary owners of their MySite site. |
|
SharePoint/OneDrive SendToConnection |
SendToConnectionAdded |
A global administrator creates a new Send To connection on the Records management page in the SharePoint admin center. |
|
SendToConnectionRemoved |
A global administrator deletes a Send To connection from the Records management page in the SharePoint admin center. |
|
|
SharePoint/OneDrive Site |
SiteCollectionAdminAdded |
A site administrator or owner adds a SharePoint or OneDrive for Business collection administrator. |
|
SiteCollectionAdminRemoved |
A site administrator or owner removes a SharePoint or OneDrive for Business collection administrator. |
|
|
SiteCollectionCreated |
A site administrator or owner creates a SharePoint or OneDrive for Business collection administrator. |
|
|
SiteRenamed |
A site administrator or owner renames a SharePoint or OneDrive for Business site. |
|
|
SharePoint/OneDrive SiteAdminChange |
SiteAdminChangeRequest |
Someone submits a request to change the site administrator. |
|
SharePoint/OneDrive SiteCollection |
SiteCollectionAdminAdded |
Someone adds a site collection administrator. |
|
SiteCollectionCreated |
Someone creates a site collection. |
|
|
SharePoint/OneDrive SitePermissions |
SitePermissionsModified |
Someone modifies site permissions. |
Creating Alerts for SharePoint Evidence Management
Create a policy that generates an alert for unwarranted actions related to evidence management.
You can create policies for unwarranted actions related to evidence management in SharePoint. For example, a policy can alert you when someone performs an eDiscovery hold. The hold maintains a copy of the content, while letting users continue to work with their content.
For instructions about how to create a policy alert for Office 365, see any of the topics for Creating Policy Alerts for Office 365 Exchange Online.
Here are the resources and actions for SharePoint eDiscovery that you can make the target of a policy.
| Resource type | Description |
|---|---|
|
SharePoint/OneDrive: eDiscovery |
Detects when a new In-Place Hold was placed on a content source (Action: eDiscoveryHoldApplied, or removed (Action: eDiscoveryHoldRemoved), or someone performed an eDiscovery search of an eDiscovery site collection (Action:eDiscoverySearchPerformed). |