Showing results for 
Search instead for 
Did you mean: 
Create Post
Level 14

Guidance needed about monitoring OneDrive traffic

Hello everyone!!!

We have been asked to provide reports about flow data usage by the Microsoft OneDrive application. I checked the Microsoft URL shown below, seeking for clarification:

Unfortunately, the Microsoft article did not shed much light on this. So, I am hoping that some in this forum have faced the same (or similar) question and can share their insights on how we can accomplish this. Many thanks!!! 

Labels (2)
4 Replies
Level 8

darragh.delaney is correct; you'll need to build an IP Address group and put all of the MS Subnets in that address group.  You should be able to get the IP addresses from Microsoft for your company. They will balk, and tell you the addresses will change, but stick with it. You'll probably get a fairly large address range.  Use port 443 and the address group to identify the OneDrive traffic.  We're globally distributed, and all of the address groups for OneDrive come back to the US, and so far we've not seen any deviation from those IP address groups for our business.   The address ranges will be fairly large (at least they are for us), and of course there's the possibility that some of the traffic going to those ranges may not be specifically OneDrive, but it's better than nothing.  Works for us, and so far they haven't changed the addresses after a year and a half.

0 Kudos

Hi all,

I did some quick analysis of the one drive traffic. From an IP lookup point of view all of the IP addresses are registered to Microsoft so you may not be able to definitely say it was Onedrive activity using IP look up alone. I used our own LANGuardian system to do this analysis but you may be able to use some of the detail to setup reports on your own system.


First up all of the traffic is encrypted, ignore the HTTP bit as that was me browsing other sites.


Drilling down on the HTTPS traffic it revealed that the data was associated with the domain.


Further analysis shows that this activity is associated with storage sub domains within LANGuardian captures this by dissecting the server's SSL certificate (which is always required to be presented to the client) and at this point it can extract the server\domain name. By filtering on this sub domain info it would then be possible to show how much data is associated with Onedrive


Finally, looking at the GeoIP data I can see that the IP addresses are registered in the US. Nothing strange there as I think all of Microsofts IP blocks are US registered.

0 Kudos
Level 20

I would look for the destinations listed there from your flows.  Once you figure out which you are talking to you can filter on all the traffic going to and from that endpoint.

0 Kudos

You'll have to let me know if you get a good answer, i am looking for the same thing.