The Box integration enables security and compliance teams to automate User Access Reviews (UAR) by syncing user and group data directly from Box. This helps organizations review who has access to Box resources and maintain accurate access records for compliance monitoring.
Key Capabilities
User Access Review Data Sync: Import Box users and groups to support access review workflows
Access Governance: Monitor which users and groups have access to Box resources
Compliance Monitoring: Maintain visibility into system access to support security and audit requirements
This integration supports User Access Review workflows, helping demonstrate compliance with access control policies.
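As an added illustration (not Drata's or Box's own code) of what a User Access Review built from synced Box users and groups looks like, the script below joins a user list with group memberships into one access record per user and flags the conditions a reviewer typically examines. The two JSON payloads are constructed samples shaped after Box's `/2.0/users` and `/2.0/groups/{id}/memberships` responses; the field layout is an assumption for illustration.

```python
import json
from collections import defaultdict

# Constructed sample data (not real Box output), shaped like the Box API's
# user list and group-membership list; field names are assumed.
USERS_JSON = """{"entries": [
  {"type": "user", "id": "1", "name": "Ada Admin", "login": "ada@example.com", "status": "active", "role": "admin"},
  {"type": "user", "id": "2", "name": "Bob Builder", "login": "bob@example.com", "status": "active", "role": "user"},
  {"type": "user", "id": "3", "name": "Carol Left", "login": "carol@example.com", "status": "inactive", "role": "user"}
]}"""

MEMBERSHIPS_JSON = """{"entries": [
  {"type": "group_membership", "user": {"id": "1"}, "group": {"id": "g1", "name": "Finance"}, "role": "admin"},
  {"type": "group_membership", "user": {"id": "2"}, "group": {"id": "g1", "name": "Finance"}, "role": "member"},
  {"type": "group_membership", "user": {"id": "3"}, "group": {"id": "g2", "name": "Engineering"}, "role": "member"}
]}"""


def build_access_records(users_json, memberships_json):
    """Join each user with the groups they belong to (and their role in each group)."""
    groups_by_user = defaultdict(list)
    for m in json.loads(memberships_json)["entries"]:
        groups_by_user[m["user"]["id"]].append((m["group"]["name"], m["role"]))
    records = []
    for u in json.loads(users_json)["entries"]:
        records.append({
            "login": u["login"],
            "status": u["status"],
            "enterprise_role": u["role"],
            "groups": sorted(groups_by_user.get(u["id"], [])),
        })
    return records


def review_findings(records):
    """Return (login, issue) pairs a reviewer should confirm or remediate."""
    findings = []
    for r in records:
        if r["status"] != "active" and r["groups"]:
            findings.append((r["login"], "inactive user still holds group membership"))
        if r["enterprise_role"] == "admin":
            findings.append((r["login"], "enterprise admin: confirm still required"))
        if any(role == "admin" for _, role in r["groups"]):
            findings.append((r["login"], "group admin role: confirm still required"))
    return findings


if __name__ == "__main__":
    for login, issue in review_findings(build_access_records(USERS_JSON, MEMBERSHIPS_JSON)):
        print(f"{login}: {issue}")
```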
Prerequisites & Data Access
Box Access Requirements
You must have Admin privileges in your Box account.
2-Step Verification must be enabled in your Box account settings.
You must create a Box OAuth application to generate a Client ID and Client Secret.
Drata Role Requirements
To create or modify connections, you must have one of the following Drata roles with write access: Admin, Workspace Manager, or DevOps Engineer.
Access Reviewers can view the connection page but cannot create or modify connections.
Permissions & Required Access
Permission / Scope | Why It’s Needed
Read all files and folders stored in Box | Allows Drata to review accessible content and associated users
Manage users | Allows Drata to retrieve user account information
Manage groups | Allows Drata to retrieve group membership information
Client ID | Identifies the OAuth application used for authentication
Client Secret | Authenticates the Box OAuth application
Step-by-Step Setup
Step 1: Create a Box OAuth Application
Log in to your Box account.
Navigate to the Developer Console.
Open the My Platform Apps page.
Select Create Platform App.
Choose Custom App as the application type.
Enter the required application details:
App Name
Purpose: Select Automation
Select User Authentication (OAuth 2.0) as the authentication method.
Select Create App.
Expected outcome:
A new Box application is created and ready for configuration.
Step 2: Retrieve OAuth Credentials
Scroll to the OAuth 2.0 Credentials section.
Copy the Client ID and store it securely.
Select Fetch Client Secret.
Enter your 2-Step Verification code if prompted.
Copy the Client Secret and store it securely.
Expected outcome:
You have retrieved the Client ID and Client Secret required for the integration.
Step 3: Configure OAuth Settings
Scroll to the OAuth 2.0 Redirect URIs section.
Add the following redirect URI:
https://api.stackone.com/connect/oauth2/box_iam/callback
Scroll to the Application Scopes section.
Select the following scopes:
Read all files and folders stored in Box
Manage users
Manage groups
Save your changes.
Expected outcome:
The OAuth application is configured with the required redirect URI and permissions.
Step 4: Connect Box in Drata
Log in to Drata → go to the Connections page.
Navigate to your Available Connections.
Search for and start the Box connection process.
Enter the following information when prompted:
Client ID
Client Secret
Expected outcome:
Box is successfully connected and user access data begins syncing to Drata.
Important Notes
Authentication method: The Box integration uses OAuth 2.0 application credentials.
Security requirement: Box requires 2-Step Verification to retrieve OAuth credentials.
Network restrictions: If your organization uses a Web Application Firewall (WAF), ensure required Drata IP addresses are allowlisted so the connection can be established.
Security best practice: Store OAuth credentials securely and rotate them according to your organization’s security policies.
