Deauthorize and resume monitoring a data connection

Updated December 15, 2025 20:47

Overview

To help protect you from data loss, you can use Incydr to monitor when files are downloaded as reports from your business data in Salesforce, moved to and from cloud storage environments (such as Google Drive or Microsoft OneDrive), or emailed as attachments through Gmail or Office 365.

This article explains how to deauthorize those data connections so that Incydr no longer has access to user data in those environments. You can also resume monitoring cloud storage data connections to resolve errors, reconfigure cloud storage scoping, or restart the collection of file activity from data connections after a pause.

For information about disconnecting an automated integration, see Configure Incydr Flows.

Considerations

You cannot deauthorize a cloud storage data connection (Google Drive, OneDrive, or Box, for example) or email service data connection (such as Gmail or Office 365) while the status is Initializing. Wait for the connection to indicate that it has a status of Monitoring or Error before attempting to deauthorize.
If needed, you can use this process to reconfigure scoping for monitoring a cloud storage connection's users or groups.
Google Workspace administrators must have the Super Admin role in order to share file activity data with Incydr without errors. For more information see Resolve Google Drive security data errors.
Deauthorization is not available for automated integrations. For more information, see Configure Incydr Flows.
Cloud storage and email service connections are not available in the Incydr federal environment.

Deauthorize a data connection

Deauthorize a Salesforce, cloud storage, or email service data connection to stop monitoring it for new event activity.

For cloud storage data connections, you can resume monitoring that connection for up to 90 days after you deauthorize it. After 90 days, Incydr removes the cloud storage or email service's configuration and authorization information. To resume monitoring that connection again after 90 days have elapsed, you must set it up as a new connection.

For Salesforce, Gmail, and Microsoft Office 365 data connections, Incydr removes the connection's configuration and authorization information immediately after deauthorization. To resume monitoring one of these data connections, you must set it up again as a new connection.

For all connections, events that have been collected prior to deauthorization remain searchable in Forensic Search for up to 90 days.

Sign in to the Incydr console.
Select Administration > Integrations > Data Connections.
Locate the connection to deauthorize in the table, then click View details .
Click Deauthorize.
When the dialog box opens, read the information and then click Deauthorize.
At this point, Incydr stops collecting new file activity from the data connection.
If you do not plan to resume monitoring the connection, remove Incydr's access in the external console.
Removing Incydr's access in the external console is optional, but may increase security. After deauthorization, Incydr immediately stops monitoring or accessing that environment.

Remove Incydr's access in Box

Log in to your Box Admin Console using your Box Admin email and password.
Select Apps from the Admin Console menu.
Click the to the Custom Apps tab.
Click the options button to the right of the Code42 Cloud Services application and select the appropriate action from the menu.
- Select Disable app authorization to remove Incydr's access to your Box service while retaining basic information about the connection.
  Use this option when you want to temporarily stop Incydr from collecting file activity from Box but may want to resume monitoring in the future. When you want to resume monitoring, you can use the saved information to reconnect to Incydr without having to enter that setup information again.
- Select Delete app authorization and users to completely remove the Code42 Cloud Services custom app from your Box environment. This selection may require assistance from Box.
  This option deletes all information about the Code42 Cloud Service application. If you want to resume monitoring in the future, you'll need to recreate the app in Box and re-enter all of your setup information. See Connect Incydr to Box for details.

Remove Incydr's access in Google Drive or Gmail

Log in to your Google Admin console using your Google Workspace admin username and password.

Requires Super Admin role
This email address must be associated with a Google Workspace administrator that has the Super Admin role
Go to Security > Access and data control > API controls.
In the Domain wide delegation panel, click Manage domain wide delegation.
Follow the instructions in the Deauthorize dialog box in the Incydr console to find and delete the Code42 entry in the Google API clients table.

Remove Incydr's access in Microsoft OneDrive, SharePoint, or Office 365 email

Log in to portal.azure.com.
Click Azure Active Directory.
Click Enterprise Applications. (If Enterprise Applications is not listed among the Azure services, enter "enterprise applications" in the search bar.)
Find the appropriate Code42 application and delete it.
- For OneDrive and SharePoint, delete the application with a name starting with "Code42 Cloud Services."
- For Microsoft Office 365 DLP email, delete the application with a name starting with "Code42 Email Services."
- For Microsoft Office 365 email, delete the application with a name starting with "Code42 Email Data Connector."

Remove Incydr's access in Salesforce

Log in to Salesforce using the credentials assigned to the Incydr service account.
Revoke the Incydr connected application.
When you deauthorize the connection, Incydr automatically deletes its authorization and connection information, including any OAuth tokens required to access your Salesforce environment. However, you can also revoke the Incydr application in Salesforce to increase security.
1. In the upper-right corner of the screen, click the profile icon and then click Settings.
2. In the navigation menu, go to My Personal Information > Connections.
3. Locate the Incydr application in the OAuth Connected Apps table and then click Revoke in the Action column.
(Optional) Deactivate the Incydr user in Salesforce.
To preserve business data and avoid orphaned records, you cannot delete users from Salesforce. However, you can deactivate users to prevent them from logging into or otherwise accessing your Salesforce environment.
1. Log into Salesforce using your administrator account.
2. If needed, navigate to Setup. Salesforce "remembers" what you were last working on when you log out. If you were last working in Setup, you may not need to navigate there again.
  - In Lightning Experience: Click the Setup icon in the upper-right corner of the screen, then select Setup from the menu that appears.
  - In Salesforce Classic: Click Setup in the upper-right corner of the screen.
3. Navigate to Users.
  - In Lightning Experience: Under Administration, go to Users > Users.
  - In Salesforce Classic: Under Administer, go to Manage Users > Users.
4. Locate the Incydr service account user in the list and click Edit.
5. Under General Information, clear the Active checkbox to deactivate that user.
6. Click Save to save your changes.
(Optional) Verify that the custom profile you created or updated for the Incydr service account isn't in use for any other purposes, then delete that custom profile.
Deleting the Incydr custom profile frees up a Salesforce license for other uses. Note that you can only delete custom profiles that you have added to Salesforce. Profiles that are built into Salesforce cannot be deleted.
1. In Salesforce, navigate to Profiles.
  - In Lightning Experience: Under Administration in the left navigation pane, select Users > Profiles.
  - In Salesforce Classic: Under Administer in the left navigation pane, go to Manage Users > Profiles.
    Alternately, use the Quick Find search to search for "Profiles," then click the Profiles link.
2. Locate the profile in the list and click Delete.
3. When the confirmation message appears at the top of the screen, click OK.
(Optional) Verify that no other services are using Salesforce Event Manager's reporting stream, then disable Report Event.
Disabling Report Event disables the reporting stream for the entire organization (and any associated services that may rely on it).
1. In Salesforce, navigate to Event Manager.
  - In Lightning Experience: Under Platform Tools, go to Events > Event Manager.
  - In Salesforce Classic: Under Build in the left navigation pane, go to Develop > Events > Event Manager.
2. Locate the Report Event entry in the Events list.
3. Click the arrow on the right side of the screen and select Disable Streaming from the menu.

Resume monitoring a data connection

You can resume monitoring cloud storage connections for up to 90 days after you deauthorized the initial connection. Incydr removes connections that have been deactivated for over 90 days. To resume monitoring a Salesforce, Gmail, or Microsoft Office 365 email service after deauthorization, set it up as a new connection.

Sign in to the Incydr console.
Select Administration > Integrations > Data Connections.
Locate the connection to resume monitoring in the table, then click View details .
Click Resume Monitoring.
You can resume monitoring only connections with a status of Deauthorized. You cannot resume monitoring a Salesforce, Gmail, or Microsoft Office 365 email service. Instead, set it up as a new connection to monitor that service again.
Follow the prompts to authorize Incydr to monitor file events on that connection.
Option to update administrator email address
If you are resuming monitoring of a Google Drive environment, you can change the administrator's email address if needed. When doing so, you can change the username in the email address, but the domain used (such as "@example.com") must remain the same. This new email address must be associated with a Google Workspace administrator that has the Super Admin role.

Use cases

You can deauthorize and then resume monitoring a cloud storage connection to update the scoping used or resolve errors. In most cases, errors caused by permissions or licensing issues within the cloud storage environment can be resolved by deauthorizing the connection and then immediately resuming its monitoring.

Some use cases for using the deauthorization and resume monitoring processes for a cloud storage connection are detailed in the following articles:

External resources

Microsoft: Integrating Applications with Azure Active Directory
Google: OAuth: Managing API client access

Deauthorize and resume monitoring a data connection

Overview

Considerations

Deauthorize a data connection

Remove Incydr's access in Box

Remove Incydr's access in Google Drive or Gmail

Remove Incydr's access in Microsoft OneDrive, SharePoint, or Office 365 email

Remove Incydr's access in Salesforce

Resume monitoring a data connection

Use cases

External resources

Related topics

Comments