OneDrive / SharePoint

License: PRO+ (Professional Edition or higher)
Module Type: Alternate Scanner
Author: Diskover Data, Inc.

Overview / Use Cases

The Diskover OneDrive/SharePoint Scanner brings your Microsoft 365 cloud storage into Diskover, giving you the same powerful search, analysis, and reporting capabilities you rely on for on-premises storage — but for OneDrive user drives and SharePoint site document libraries.

The scanner connects to the Microsoft Graph API to enumerate files and folders across your entire Microsoft 365 tenant (or targeted subsets of users and sites), then indexes all that metadata into Elasticsearch. Once indexed, the data appears in the Diskover Web UI alongside any other indexed storage, letting you search, filter, tag, and report on cloud-stored content just like local files.

Who Is This For?

IT Administrators & Storage Engineers

Cloud storage governance: Get a unified view of storage consumption across all OneDrive user drives and SharePoint sites in your tenant. Identify who's consuming the most storage, find oversized files, and understand growth patterns — without logging into the Microsoft 365 Admin Center and checking accounts one by one.
SharePoint site sprawl management: Microsoft 365 tenants tend to accumulate SharePoint sites over time. Many go dormant or are abandoned entirely. Use this scanner to inventory every site, see which ones contain stale or minimal data, and make informed decisions about decommissioning or consolidating sites.

Data Managers & Compliance Officers

Data migration and archive planning: Planning a migration away from Microsoft 365 or archiving older content? This scanner provides the detailed inventory you need — file counts, sizes, ages, and ownership — so you can scope the effort accurately and prioritize what moves first.
Hybrid cloud storage analysis: If your organization stores data across both on-premises filesystems and Microsoft 365, running this scanner alongside Diskover's filesystem scanners gives you a single view of storage everywhere, enabling consistent reporting and cost analysis.

Sample scan data from a SharePoint Site.

Here we can see the SharePoint Site Name ID, this can be used to map back to the SharePoint site these files belong to!

Understanding Microsoft Graph API

The OneDrive/SharePoint scanner communicates with Microsoft 365 through the Microsoft Graph API — Microsoft's unified REST API for accessing data across their cloud services. Understanding a few key concepts will help you configure and operate the scanner effectively.

Authentication: OAuth 2.0 Client Credentials

The scanner uses the OAuth 2.0 client credentials flow, which is designed for server-to-server communication without user interaction. Instead of signing in as a specific user, the scanner authenticates as an application registered in your Azure Active Directory (Azure AD) tenant. This means:

No user needs to be logged in for the scanner to run
The scanner accesses data based on application-level permissions, not a specific user's access
A client secret (essentially a password for the application) is used to authenticate

Application Permissions vs. Delegated Permissions

Microsoft Graph supports two permission models:

Permission Type	How It Works	Used By This Scanner?
Application	Grants access to all resources of a given type (e.g., all users' files) without a signed-in user	Yes
Delegated	Grants access on behalf of a specific signed-in user, limited to what that user can see	No

The scanner requires Application permissions because it needs to read files across all users and sites in the tenant without requiring anyone to be signed in.

API Throttling

Microsoft enforces rate limits on Graph API requests to protect service stability. If you send too many requests too quickly, the API will respond with 429 Too Many Requests and ask you to slow down. The scanner handles this automatically with built-in rate limiting and exponential backoff retry logic, but you should be aware of it — especially in large tenants with thousands of users. The Configuration section covers how to tune these settings.

OneDrive vs. SharePoint: What Gets Scanned

Scan Mode	Command	What It Covers
Users (`users`)	`diskover.py --altscanner scandir_onedrive od:///users`	Each user's personal OneDrive drive — the "My Files" content tied to their Microsoft 365 account
Sites (`sites`)	`diskover.py --altscanner scandir_onedrive od:///sharepoint`	SharePoint site document libraries — shared team content, project sites, communication sites

You can run both scan modes to get a complete picture, indexing them into separate Elasticsearch indices or combining them as needed.

Microsoft Graph OData Filters

The user_filter and site_filter configuration fields in Diskover Admin support Graph API OData filter syntax, which lets you target specific subsets of users or sites without scanning the entire tenant. Some common examples:

Filter	What It Does
`startswith(userPrincipalName,'j')`	Users whose email starts with "j"
`department eq 'Engineering'`	Users in the Engineering department
`webUrl eq 'https://contoso.sharepoint.com/sites/Marketing'`	A specific SharePoint site by URL

These filters are passed directly to the Microsoft Graph API, so any valid OData filter syntax that Graph supports will work.

Requirements

System Requirements

Component	Requirement
Python	3.11+ (included with Diskover installation)
Diskover	Core installation with alternate scanner support and Elasticsearch cluster
Network	HTTPS access to `graph.microsoft.com` (Microsoft Graph API) and your Elasticsearch cluster
Operating System	Linux or Windows

Python Dependencies

Package	Version	Purpose
`aiohttp`	3.9+	Async HTTP client for Microsoft Graph API requests
`python-dateutil`	2.9+	Date/time parsing for file timestamps

Microsoft Azure Requirements

Requirement	Description
Azure AD Tenant	An active Microsoft 365 tenant with Azure Active Directory
App Registration	An Azure AD application registered with client credentials
API Permissions	`Files.Read.All`, `User.Read.All`, `Sites.Read.All` — all as Application permissions with Admin Consent granted
Client Credentials	Application (client) ID and a client secret

Important: All three API permissions must be granted as Application permissions (not Delegated), and an Azure AD administrator must click "Grant admin consent" for them to take effect.

Installation

Step 1: Install the Scanner Package

Linux (RPM-based):

dnf install diskover-scanner-onedrive

Windows:
The scanner files are included with the Diskover Windows installation. No separate installation step is required.

Install Locations:

Platform	Path
Linux	`/opt/diskover/scanners/scandir_onedrive/`
Windows	`C:\Program Files\Diskover\scanners\scandir_onedrive\`

Step 2: Install Python Dependencies

Linux:

cd /opt/diskover/scanners/scandir_onedrive
python3 -m pip install -r requirements.txt

Windows:

cd "C:\Program Files\Diskover\scanners\scandir_onedrive"
python -m pip install -r requirements.txt

Step 3: Create an Azure AD App Registration

This step registers an application identity in your Azure AD tenant that the scanner will use to authenticate.

Sign in to the Azure Portal
Navigate to Azure Active Directory → App registrations → New registration
Fill in the registration form:
- Name: Diskover OneDrive Scanner (or your preferred name)
- Supported account types: "Accounts in this organizational directory only"
- Redirect URI: Leave blank (not needed for client credentials flow)
Click Register

Step 4: Configure API Permissions

In your new app registration, go to API permissions → Add a permission

Select Microsoft Graph → Application permissions
Search for and add each of the following:
- Files.Read.All — Read all files in all site collections
- User.Read.All — Read all users' full profiles
- Sites.Read.All — Read items in all site collections
Click Grant admin consent for [Your Tenant]
Verify that all three permissions display a green checkmark with "Granted" status

Note: Admin consent is required because these are Application-level permissions that access data across the entire tenant. A Global Administrator or Privileged Role Administrator must grant this consent.

Step 5: Create a Client Secret

In your app registration, go to Certificates & secrets → Client secrets → New client secret
Add a description (e.g., "Diskover Scanner") and choose an expiration period
Click Add
Immediately copy the secret value — it will not be displayed again after you leave this page

Tip: Set a calendar reminder before the secret expires. An expired secret will cause authentication failures that can be confusing to troubleshoot. You can always create a new secret and update your scanner configuration before the old one expires.

Step 6: Gather Your Azure Credentials

You'll need four values from your Azure portal to configure the scanner:

Value	Where to Find It
Tenant ID	Azure AD → App registrations → [Your App] → Overview
Client ID (Application ID)	Azure AD → App registrations → [Your App] → Overview
Client Secret	The value you copied in Step 5
Tenant Name	Your Microsoft 365 domain (e.g., `contoso.onmicrosoft.com`)

Step 7: Configure Scanner Settings

The scanner configurations are done inside Diskover Admin under Settings → Alternate Scanners → OneDrive.

Edit the Diskover Admin UI with your Azure connection details:

Step 8: Verify Connectivity

You can verify that your app registration credentials work by testing the Microsoft Graph API directly. From the Diskover server, run:

curl -X POST \
  "https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id={your-client-id}&scope=https://graph.microsoft.com/.default&client_secret={your-client-secret}&grant_type=client_credentials"

A successful response returns a JSON object with an access_token. If you receive an error, the issue is with your Azure credentials — not the scanner.

Configuration

Configuration Approach

All configuration for the OneDrive/SharePoint scanner is managed through Diskover Admin under Settings → Alternate Scanners → OneDrive. There are no configuration files to edit on the server.

Here is the beginning of our default configuration.There are many other configuraitons for the OneDrive/SharePoint Scanner - covered in detail below!

Azure Configuration Parameters

Parameter	Type	Default	Description
`tenant_id`	string	Required	Azure AD tenant ID (GUID format)
`client_id`	string	Required	Azure AD application (client) ID
`client_secret`	string	Required	Azure AD client secret value
`tenant_name`	string	(empty)	Your Microsoft 365 tenant domain name (e.g., `mycompany.onmicrosoft.com`). Used in the User-Agent header.
`scopes`	string	`https://graph.microsoft.com/.default`	OAuth 2.0 scopes for Graph API access. Normally leave as default.

Scan Target Parameters

Parameter	Type	Default	Description
`scan_mode`	select	`Users`	What to scan: `Users` (OneDrive accounts) or `Sites` (SharePoint document libraries).
`user_filter`	string	(empty)	Optional Graph API `$filter` expression for users. Only applies when `scan_mode` is `Users`. Example: `startswith(surname,'T')`
`user_list`	list	(empty)	Specific `userPrincipalName` values to scan. If set, overrides `user_filter`. Empty means all users (subject to `user_filter`).
`site_filter`	string	(empty)	Optional Graph API `$filter` expression for sites. Only applies when `scan_mode` is `Sites`.
`site_list`	list	(empty)	Specific site names to scan. If set, overrides `site_filter`. Empty means all sites (subject to `site_filter`).

Rate Limiting Parameters

These settings control how aggressively the scanner calls the Microsoft Graph API. The defaults work well for small-to-medium tenants. For large tenants or environments where you encounter throttling, reduce these values.

Parameter	Type	Default	Description
`request_limit_per_minute`	integer	`1200`	Maximum Graph API requests per minute
`token_refresh_interval`	integer	`2700`	OAuth token refresh interval in seconds (default 45 min, tokens expire at 60 min)

Prefetch Parameters

The scanner uses a background prefetch worker to concurrently fetch directory listings from the Microsoft Graph API, providing significant speedup for large filesystems.

Parameter	Type	Default	Description
`prefetch_concurrency`	integer	`10`	Maximum parallel prefetch requests to Graph API. Higher values speed up scanning but use more connections.
`prefetch_cache_size`	integer	`1000`	Maximum directory listings to cache in memory. Controls memory usage on large filesystems.

Graph API Retry Parameters

When the Microsoft Graph API returns errors (429 throttling, 5xx server errors), the scanner retries with exponential backoff. These parameters control that behavior.

Parameter	Type	Default	Description
`max_retries`	integer	`20`	Maximum retry attempts for a failed Graph API request
`base_wait`	integer	`10`	Initial wait time in seconds before the first retry
`max_wait`	integer	`3600`	Maximum wait time in seconds between retries (1 hour ceiling)
`backoff_factor`	integer	`5`	Multiplier for exponential backoff between retries

Configuration Examples

Standard Configuration (Small Tenant, Under ~100 Users)

The default settings work well for most small tenants. No changes needed beyond filling in your Azure credentials and selecting the appropriate scan_mode.

Conservative Configuration (Large Tenant, 1,000+ Users)

For large tenants, reduce the rate limit to avoid triggering Microsoft Graph throttling. The scan will take longer, but it will complete reliably without repeated 429 errors.

Set request_limit_per_minute to 600, max_retries to 30, base_wait to 30, and backoff_factor to 10.

Usage / Execution

The OneDrive/SharePoint scanner uses the standard --altscanner flag with diskover.py.

Scanning OneDrive User Drives

Scan All Users

Set scan_mode to Users in Diskover Admin, then run:

# Linux
cd /opt/diskover
python3 diskover.py -i <INDEX-NAME> --altscanner scandir_onedrive od:///users

# Windows
cd "C:\Program Files\Diskover"
python diskover.py -i <INDEX-NAME> --altscanner scandir_onedrive od:///users

Scan Specific Users

To target one or more users by their UserPrincipalName (email address), add them to the user_list field in Diskover Admin, then run the scan as above.

Filter Users with a Graph API Query

Use OData filter syntax to select users by attribute. Enter the filter in the user_filter field in Diskover Admin:

Users whose email starts with "s": startswith(userPrincipalName,'s')
Users in the Engineering department: department eq 'Engineering'

Note: You cannot combine user_list (specific users) and user_filter (query filter) — if user_list is populated, it takes precedence.

Scanning SharePoint Sites

Scan All Sites

Set scan_mode to Sites in Diskover Admin, then run:

# Linux
cd /opt/diskover
python3 diskover.py -i <INDEX-NAME> --altscanner scandir_onedrive od:///sharepoint

# Windows
cd "C:\Program Files\Diskover"
python diskover.py -i <INDEX-NAME> --altscanner scandir_onedrive od:///sharepoint

Scan Specific Sites by Name

Add site names to the site_list field in Diskover Admin (e.g., "Marketing", "Engineering"), then run the scan as above.

Filter Sites with a Graph API Query

Enter a filter expression in the site_filter field in Diskover Admin:

webUrl eq 'https://contoso.sharepoint.com/sites/ProjectAlpha'

Path Format Reference

Path Format	Description	Example
`od:///users`	Virtual root for all OneDrive user drives	Files appear as `/jdoe/Documents/report.xlsx`
`od:///sharepoint`	Virtual root for all SharePoint sites	Files appear as `/Marketing/Shared Documents/plan.docx`

Advanced Usage Examples

Custom Index Name

python3 diskover.py --altscanner scandir_onedrive -i <INDEX-NAME> od:///users

Debug Logging

python3 diskover.py --altscanner scandir_onedrive -i <INDEX-NAME> --debug od:///users

Integration with Index Tasks

The OneDrive/SharePoint scanner can be configured as part of a Diskover Index Task for scheduled or recurring scans.

Field

Value

Scanner

OneDrive

Crawl Directory

od:///users or od:///sharepoint

Path will depend on your set up

Sample One Drive Storage Scan - Task Configuration:

Here we can see a basic setup for an One Drive Scan! The setup is very similar when doing a scan of a SharePoint Site..

Performance Tips

Start with a small scan to validate your configuration — scan a single user or site (using user_list or site_list) before running a full tenant scan.
Use --debug for production scans. The overhead is minimal, and the additional logging is invaluable if something goes wrong partway through a long scan.
Schedule scans during off-hours to minimize impact on Graph API quotas shared with other applications in your tenant.

Metadata Fields / Elasticsearch Mappings

The scanner indexes files and directories with standard Diskover document fields, plus one scanner-specific field.

Custom Field

Field Path	ES Type	Description
`onedrive_item_id`	keyword	The Microsoft Graph item ID for the file or folder. Uniquely identifies the item in OneDrive/SharePoint.

Standard Fields (Files)

Field Path	ES Type	Description
`name`	keyword	File name
`extension`	keyword	Lowercase file extension (e.g., `.xlsx`, `.pdf`)
`parent_path`	keyword	Full virtual path to the parent directory
`size`	long	File size in bytes
`size_du`	long	Disk usage size in bytes (same as `size` for cloud files)
`owner`	keyword	Display name of the file creator
`group`	keyword	Always `0` (not applicable for cloud storage)
`mtime`	date	Last modified timestamp
`atime`	date	Last accessed timestamp (set to `mtime` value)
`ctime`	date	Creation timestamp
`ino`	keyword	Microsoft Graph API item ID (unique identifier)
`type`	keyword	Always `file`

Standard Fields (Directories)

Field Path	ES Type	Description
`name`	keyword	Directory name
`parent_path`	keyword	Full virtual path to the parent directory
`size`	long	Total recursive size of all descendant files
`size_norecurs`	long	Size of immediate child files only
`file_count`	long	Total recursive file count
`file_count_norecurs`	long	Immediate child file count
`dir_count`	long	Total recursive subdirectory count
`dir_count_norecurs`	long	Immediate child subdirectory count
`dir_depth`	integer	Depth relative to user/site root
`type`	keyword	Always `directory`

Example Indexed Document (File)

{
  "name": "Q4-Report.xlsx",
  "extension": ".xlsx",
  "parent_path": "/onedrive/users/jdoe/Documents/Reports",
  "size": 245760,
  "size_du": 245760,
  "owner": "John Doe",
  "group": "0",
  "mtime": "2025-12-15T14:30:00",
  "atime": "2025-12-15T14:30:00",
  "ctime": "2025-11-01T09:00:00",
  "nlink": 0,
  "ino": "01ABCDEF12345678",
  "type": "file"
}

Example Indexed Document (File from a SharePoint Site Scan)

{
  "name": "Brand-Guidelines.pdf",
  "extension": ".pdf",
  "parent_path": "/sharepoint/sites/Marketing/Shared Documents/Brand",
  "size": 5242880,
  "size_du": 5242880,
  "owner": "Jane Smith",
  "group": "0",
  "mtime": "2025-09-20T11:15:00",
  "atime": "2025-09-20T11:15:00",
  "ctime": "2025-06-10T08:00:00",
  "nlink": 0,
  "ino": "01ZYXWVU87654321",
  "onedrive_item_id": "Marketing",
  "type": "file"
}

Searching in Diskover

Once the scanner has indexed your OneDrive and SharePoint data, you can search for it in the Diskover Web UI using standard search syntax. Here are some practical query examples.

Search by SharePoint Site Name

The onedrive_item_id field is available on all documents from SharePoint site scans, making it easy to scope searches to a specific site.

Query	Description
`onedrive_item_id:Marketing`	All files and folders in the "Marketing" SharePoint site
`onedrive_item_id:Marketing AND extension:.pptx`	Only PowerPoint files in the Marketing site
`onedrive_item_id:Engineering AND type:directory`	All folders in the Engineering site

Find Large Files

Query	Description
`size:>104857600 AND type:file`	Files larger than 100 MB
`size:>1073741824 AND type:file`	Files larger than 1 GB
`parent_path:\/onedrive\/* AND size:>52428800 AND type:file`	OneDrive files larger than 50 MB
`onedrive_item_id:Marketing AND size:>10485760 AND type:file`	Marketing site files larger than 10 MB

Find Old or Stale Files

Query	Description
`mtime:<2024-01-01 AND type:file`	Files not modified since before 2024
`mtime:<2023-01-01 AND type:file`	Files not modified in over 2 years
`onedrive_item_id:* AND mtime:<2024-01-01 AND type:file`	Stale SharePoint files across all sites
`ctime:<2023-01-01 AND mtime:<2023-01-01 AND type:file`	Files created and last modified before 2023

Combined Queries

Query	Description
`onedrive_item_id:Marketing AND extension:.mp4 AND size:>104857600`	Large video files in the Marketing site
`parent_path:\/onedrive\/users\/jdoe\/* AND extension:.xlsx`	All Excel files in John Doe's OneDrive
`extension:.tmp AND mtime:<2024-06-01`	Old temporary files (cleanup candidates)
`type:directory AND file_count:0`	Empty directories

Troubleshooting

Common Issues

Issue	Cause	Solution
Scanner fails immediately with "Authentication failed" or 401 error	Incorrect Azure credentials	Verify `tenant_id`, `client_id`, and `client_secret` in Diskover Admin under Settings → Alternate Scanners → OneDrive. Check that the client secret has not expired in the Azure Portal.
"Access denied" or 403 errors when accessing users or sites	Missing or unapproved API permissions	Confirm all three permissions (`Files.Read.All`, `User.Read.All`, `Sites.Read.All`) are set as Application permissions and that admin consent has been granted.
Scanner slows down significantly or logs show 429 errors	Microsoft Graph API throttling	Reduce `request_limit_per_minute` in Diskover Admin. See the "Conservative Configuration" example.
"Drive not found" for specific users	User does not have a OneDrive license or their OneDrive is not provisioned	This is expected for unlicensed users. Verify in the Microsoft 365 Admin Center that the user has a license that includes OneDrive.
Specific users or sites missing from results	Incorrect UPN or site name, or personal sites being filtered	Verify the exact `userPrincipalName` for users. Personal OneDrive sites (`isPersonalSite=true`) are automatically skipped during site scans.
`Invalid tree_dir arg for OneDrive scanner`	Path doesn't start with `od://`	Ensure the top path argument uses the `od://` prefix, e.g., `od:///users` or `od:///sharepoint`

Debug Logging

For troubleshooting, enable debug logging to get detailed operational output:

# Linux
python3 /opt/diskover/diskover.py --altscanner scandir_onedrive --debug od:///users

# Windows
python "C:\Program Files\Diskover\diskover.py" --altscanner scandir_onedrive --debug od:///users

Log File Locations

Linux: /var/log/diskover/diskover.log
Windows: Check Diskover service logs or the configured log location

Verifying Azure Authentication

You can test your Azure credentials independently using curl:

curl -X POST \
  "https://login.microsoftonline.com/{your-tenant-id}/oauth2/v2.0/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "client_id={your-client-id}&scope=https://graph.microsoft.com/.default&client_secret={your-client-secret}&grant_type=client_credentials"