What’s new and what’s coming w/ SharePoint & OneDrive Security, Compliance, & Administration – October 2018

In today’s complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholders—both in the cloud and on-premises.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint and OneDrive more secure for users, by implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

SharePoint and OneDrive are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint and OneDrive. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

At Microsoft Ignite 2018 we announced many of the new capabilities that are available now and coming soon to Office 365.

NOTE This is the first of regular monthly updates for what’s new and what’s coming with security, compliance, and administration in SharePoint and OneDrive.

Unified Labels

Unified labels in Microsoft 365 provide a more integrated and consistent approach to creating labels and to configuring and applying the policies that protect and govern information across devices, applications, cloud, and on-premises locations. Unified labels provide a single location to create and configure data sensitivity labels for both Azure Information Protection and Office 365, so you can set up protection and retention labels and policies in the same place.

Unified labels in Microsoft 365 are available now.

SharePoint site classification labels

Across your organization, you probably have different types of content that carry different security requirements in order to comply with industry regulations and internal policies.

Using Microsoft Information Protection labels you can now apply consistent security and access policies to SharePoint sites based on the sensitivity of the site. You can create sensitivity labels and associate them with policies in the new Microsoft 365 Security and Compliance Center. You can then apply these labels to files, emails, groups, sites, and Teams to automatically enforce consistent policies across your content.

SharePoint site classification labels will begin rolling out to Targeted Release in December 2018.

Automatic application of retention labels

Data is your company’s most important asset. With the automatic application of retention labels you can ensure your most important assets meet your corporate or regulatory requirements. These retention labels can be created by importing the content types that you already use in SharePoint, which streamlines the application of retention policies across all your content in SharePoint.

Content type to label support will begin rolling out in November 2018.

Label analytics

Information is growing at exponential rates and we’re making it easier for you to stay informed on how retention and sensitivity labels are being used to classify, retain, and protect your organization’s content in the cloud.

Using label analytics you can now get insights into how content is being labeled, including which labels are used most and what emails and files they’re being applied to. You can also explore user activity to identify who’s been applying labels, investigate unusual trends, and more.

Label analytics will begin rolling out in Q4 2018.

File plans

Office 365 already provides data governance labels to establish rules for records management and retention.  Later this year we’ll be augmenting those with hierarchical file plans, allowing you to manage a range of retention labels with identifiers, departments, categories, statutory references and more.  File plans can be exported from Office 365 for easy editing in Excel, and then reimported to update label rules.

File plans will begin to be available in Q4 2018.

Files Restore for SharePoint and Microsoft Teams

Data loss is non-negotiable. Today we announced Files Restore for SharePoint and Microsoft Teams.

Files Restore is now available for SharePoint document libraries, protecting your shared files in SharePoint, Teams, Outlook groups, and Yammer groups connected to Office 365 groups. It uses the same recovery capabilities that protect your personal files in OneDrive for Business.

Files Restore is a complete self-service recovery solution that allows site administrators to restore document libraries from any point in time during the last 30 days and to rewind changes using activity data to find the exact moment to revert to.

Files Restore for SharePoint and Microsoft Teams will begin rolling out to Targeted Release in December 2018.

Multi-geo capabilities for SharePoint

Multi-geo capabilities with SharePoint support your global data residency needs by storing SharePoint data in more than one of your selected Office 365 data center regions or countries. Microsoft commits to provide in-geo data residency, business continuity, and disaster recovery for your core customer data at rest.

With multi-geo capabilities for SharePoint you can have a single Office 365 tenant that spans multiple geos and enables a unified communication and collaboration experience across your global organization. You can migrate various on-premises satellite data silos into a single Office 365 tenant and at the same time meet your data residency needs. Your users are now connected to the people and content that matter most, regardless of where they work.

For IT, you can use powerful Office 365 admin tools to easily create and manage satellite sites and, if needed, move user data between geos to meet your data residency business needs. Get reports on where each user’s data is stored and an audit trail of the activities of all users in your global enterprise. Tailor sharing, security, and compliance policies separately for each geo, all from a familiar admin experience.

To learn more about Multi-Geo Capabilities in Office 365 see https://products.office.com/en-us/business/multi-geo-capabilities.

Multi-Geo capabilities with SharePoint Online are available now.

External sharing integration with Azure AD B2B

Last year at Ignite we introduced a new external sharing experience where recipients could access shared content securely by entering a one-time passcode sent to their email address, without needing to create or remember passwords. This year, we’re taking it a step further by integrating the one-time passcode sign-in experience with the Azure AD B2B platform. This enables external users to exist in your Azure AD directory as Guests, which can be managed in the way you are already familiar with. This integration also brings the one-time passcode experience to sharing SharePoint sites and lists with external users.

SharePoint admin center updates

At Microsoft Ignite, in addition to our security and compliance news, we announced several exciting new features coming to the new SharePoint admin center.

Make the new admin center your default admin center…

The new SharePoint admin experience provides a completely revamped SharePoint admin center that draws heavily on our modern principles… an administrative console designed to help IT achieve more, so their users can achieve more. If you’ve enjoyed using the new SharePoint admin center up until today, you now have the option to make the new SharePoint admin center your default experience while still being able to go back to the classic admin center if you need to.

Improved management experience for group-connected sites

Office 365 Groups is a service that works with the Office 365 tools you already use so you can collaborate with your teammates when writing documents, creating spreadsheets, working on project plans, scheduling meetings, or sending email. Now we’re making it easier to manage group-connected sites by allowing SharePoint administrators to manage ownership, change sharing settings, and delete and restore sites.

Simplified hub site creation and association

Sites and data grow as your organization grows. With SharePoint hub sites, you can bring flexible, dynamic building blocks to your organization’s intranet – connecting collaboration and communication.  Now in the SharePoint admin center, you can manage existing hub sites in addition to creating hub sites and associating existing sites with a hub site.  These capabilities also extend to multi-geo scenarios.

Quickly customize and control the site creation experience

Creating sites is one of the most common tasks an administrator performs in many SharePoint environments, and we’ve made it easier to customize and control how sites are created.

New site creation options allow you to create sites on behalf of users and configure common settings such as language, time zone, and storage limit. For classic and communication sites you can now also specify their managed path.

In addition to these site creation controls, you can now specify global settings that apply to all sites when they’re created, such as the time zone and site creation path. For organizations that want to control the site creation experience, you can enable or disable self-service site creation.

Improved site management experience

In response to your feedback, we’ve added more management controls across site management and storage, including a simplified view of your tenant-level storage usage and limit and the ability to switch to manual site storage management.

Additionally, in many cases you may want or need more than one or two administrators for a site collection.  In response to your feedback, we’ve now enabled the use of security groups as a site collection administrator in SharePoint Online.

Finally, we’re making it simpler to execute site actions by moving many of the common actions to the command bar rather than the site information panel.

Keep your information secure with improved access control and policies options

The freedom to work fluidly, independent of location has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications.  IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

New updates to the SharePoint admin center include a consolidated view of access control policies to help safeguard your information.   On the new access control page, you can configure policies for unmanaged or non-compliant devices, configure the idle-session sign-out experience for users, as well as configure location policies to restrict or allow access to SharePoint Online from known IP ranges.

SharePoint admin center improvements will begin rolling out to Targeted Release in October 2018.

Learn more about how we secure your data with SharePoint and OneDrive in Office 365 and how customers are achieving success at https://aka.ms/SharePoint-Security.


Unleash your SharePoint admin superpowers with new admin center capabilities

At Microsoft Ignite, we announced several exciting new features coming to the new SharePoint admin center.

Today we’re excited to share that we’ll start to roll out these features worldwide later this month to organizations that have “Targeted release for everyone” turned on.

We’re looking forward to the ongoing feedback. Use the feedback button at the bottom right of the new UI.  Also, if you see a survey that pops up and asks you how you feel about the new site, don’t be shy, let us know.

Wanted to get started with some of these new features?  Take a tour of the new admin center at https://resources.techcommunity.microsoft.com/resources/demos/.

Resources

Manage sites in the new SharePoint admin center https://docs.microsoft.com/en-us/sharepoint/manage-sites-in-new-admin-center

Unmanaged Device Access Policies are Generally Available

In March 2017 we introduced device-based policies for SharePoint and OneDrive, that enable administrators to configure Tenant-level policies.

Device-based access policies for SharePoint and OneDrive help administrators ensure corporate data is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to the content to the browser, preventing files from being taken offline, printed, or synchronized with OneDrive.

On September 1st, 2017 we continued to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing new levels of granularity with conditional access that allow administrators to scope device-based policies at the site collection level.  In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.

Today we’re pleased to say that these policies are now available worldwide, in addition to the new site-scoped policies that are available with this update. This is a major milestone in the conditional access policy journey in SharePoint and OneDrive.

In a world that’s mobile, social, and about getting things done, you’re expected to manage a growing number of devices, both managed and unmanaged, that can access corporate content. The corporate boundary, as a result, has shifted from the firewall to the employee. The need to protect access from unmanaged devices keeps increasing, and unmanaged device access policies address that need.

What’s new in this update?

In this update to device-based policies at the site collection level you can:

  • Block users from accessing sites or the tenant from unmanaged devices
  • Allow users to preview only Office file types in the browser
  • Allow Office file types to be editable or read-only in the previewer
  • Set access from unmanaged devices per site to full access, limited access, or blocked, based on the sensitivity of the site’s contents

In the demonstration scenario, the tenant is configured with a permissive device access policy, allowing full access from unmanaged devices, including desktop apps, mobile apps, and browsers. The Marketing site inherits the policy configured at the tenant; however, the Legal site has a policy configured that is less permissive than the tenant-level policy. In addition, members of the Legal site, while limited to browser-only access on unmanaged devices, can continue to edit content they have access to, which keeps the collaborative experience seamless.

Configuring Device Access Policies Overview

For complete instructions on enabling device-access policies refer to the support documentation at https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622?ui=en-US&rs=en-US&ad=US.

Unmanaged device access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.

NOTE

The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

  1. Connect-SPOService -Url https://<URL to your SPO admin center>
  2. $t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
  3. Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess

The following parameters can be used with -ConditionalAccessPolicy AllowLimitedAccess for both the organization-wide setting (Set-SPOTenant) and the site-level setting (Set-SPOSite). Note that the file-type options are values of the single -LimitedAccessFileType parameter, not separate switches:

-AllowEditing $false: Prevents users from editing files in the browser and copying and pasting file contents out of the browser window.

-LimitedAccessFileType OfficeOnlineFilesOnly: Allows users to preview only Office files in the browser. This option increases security but may be a barrier to user productivity.

-LimitedAccessFileType WebPreviewableFiles (default): Allows users to preview Office files and other file types (such as PDF files and images) in the browser. Note that the contents of file types other than Office files are rendered in the browser. This option optimizes for user productivity but offers less security for files that aren’t Office files.

-LimitedAccessFileType OtherFiles: Allows users to download files that can’t be previewed, such as .zip and .exe. This option offers less security.

Because external users most likely use unmanaged devices, their access will also be controlled when you use conditional access policies to block or limit access from unmanaged devices. If users have shared items with specific external people (who must enter a verification code sent to their email address) and you want those external users to access shared items from their devices, you can exempt them from this policy by running the following cmdlet.

Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients $false
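The steps above are easy to get subtly wrong: the site-scoped policy silently requires the tenant to be at Full Access first, the file-type option is a parameter value rather than a switch, and nothing tells you which sites are still inheriting the permissive tenant default. The following script is an added example, not code from the original post or from Microsoft; it puts the procedure together in the SharePoint Online Management Shell and then reads the effective settings back. The tenant name "contoso", the "Legal" site, and the account running it being a SharePoint admin are assumptions for illustration.

```powershell
# Added example (not from the original post): apply a site-scoped unmanaged-device
# policy with the SharePoint Online Management Shell and verify what was actually set.
# Assumptions: "contoso" and the /sites/Legal site collection are hypothetical; the
# caller is a SharePoint admin or global admin; the Microsoft.Online.SharePoint.PowerShell
# module is installed (Install-Module -Name Microsoft.Online.SharePoint.PowerShell).

param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",    # hypothetical tenant
    [string]$SiteUrl  = "https://contoso.sharepoint.com/sites/Legal" # hypothetical site
)

Connect-SPOService -Url $AdminUrl

# 1. Prerequisite stated in the NOTE above: site-scoped policies only take effect when
#    the tenant-level policy is Full Access. Check it instead of assuming it.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne 'AllowFullAccess') {
    throw "Tenant policy is '$($tenant.ConditionalAccessPolicy)'. Set it to AllowFullAccess " +
          "(Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess) before scoping policies per site."
}

# 2. Lock down the sensitive site: browser-only access from unmanaged devices, no editing
#    or copy/paste out of the browser, and previews limited to Office file types.
#    The file-type choice is a value of -LimitedAccessFileType, not its own switch.
Set-SPOSite -Identity $SiteUrl `
    -ConditionalAccessPolicy AllowLimitedAccess `
    -AllowEditing $false `
    -LimitedAccessFileType OfficeOnlineFilesOnly

# 3. Surface the external-recipient exemption rather than changing it: when it is $false,
#    one-time-code recipients bypass the unmanaged-device restrictions on shared items.
if (-not $tenant.ApplyAppEnforcedRestrictionsToAdHocRecipients) {
    Write-Warning "ApplyAppEnforcedRestrictionsToAdHocRecipients is `$false: ad hoc external recipients are exempt from this policy."
}

# 4. Verify by reading the site back; do not trust that the Set call did what you intended.
$site = Get-SPOSite -Identity $SiteUrl
[pscustomobject]@{
    Url                     = $site.Url
    ConditionalAccessPolicy = $site.ConditionalAccessPolicy
    AllowEditing            = $site.AllowEditing
    LimitedAccessFileType   = $site.LimitedAccessFileType
} | Format-List

# 5. Audit: list every site collection still inheriting the permissive tenant default,
#    so sensitive sites that were never scoped stand out. The summary objects from
#    Get-SPOSite -Limit All are re-queried by URL so the policy properties are populated
#    (an assumption about the list output; the per-site query is the safe path).
$inheriting = Get-SPOSite -Limit All | ForEach-Object {
    $s = Get-SPOSite -Identity $_.Url
    if ($s.ConditionalAccessPolicy -eq 'AllowFullAccess') {
        [pscustomobject]@{ Url = $s.Url; Policy = $s.ConditionalAccessPolicy }
    }
}
$inheriting | Format-Table -AutoSize
```

Run it once per sensitive site, then keep step 5 as a recurring check: a site that an owner later recreates or that a migration adds will come in at the tenant default, and the audit output is how you notice.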

Licensing

    1. This feature has a dependency on Azure Active Directory Conditional Access Policy.
    2. To learn more about how Azure AD Conditional Access policies work, refer to https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal.

Resources

As workforces become more globally distributed and the productivity boundary extends beyond the firewall, device-access policies let you provide a seamless collaborative experience across an array of devices, both managed and unmanaged, while keeping your most sensitive content protected. To learn more about security and compliance with SharePoint & OneDrive visit https://aka.ms/SharePoint-Security.

Coming soon to the new SharePoint Admin Center

In May 2017 we unveiled our plans [https://techcommunity.microsoft.com/t5/SharePoint-Blog/Introducing-the-new-SharePoint-Admin-Center/ba-p/70294] to simplify SharePoint administration through delivering an administrative experience that’s intuitive, intelligent, and simple.  Since then we’ve made available the new admin experience as Preview for customers who have enabled Targeted Release at the Tenant level.  In the next several weeks in our preview we’ll be introducing new updates on our journey to deliver an administrative console designed to help IT achieve more, so their users can achieve more.

Improvements to Site Management

Export

New export capabilities allow you to export the displayed information in Site Management to CSV on both PC and Mac.  Using this output you can now use popular tools such as Microsoft Excel and PowerBI to simplify data prep, drive ad hoc analysis, and create dynamic charts and graphs.

Custom Views

In the upcoming updates you’ll now be able to customize views based on your individual preferences in addition to updating and customizing the default view of sites and related information.

NOTE Views you create are shared across all admins on the new SharePoint admin center.

Search Improvements

If you have hundreds or even thousands of sites, they can be difficult to discover through a single view.  New search improvements will allow you to search across Site Management to find the right information when you need it whether searching by site name, Url, or the primary admin.

Site-Level Sharing for Standalone Sites

SharePoint was born on the concept of sharing and now we’re bringing that core principle to SharePoint admin center by enabling management of site level sharing settings for non-group-connected sites. We will follow this shortly with support for group-connected sites, and also support for advanced sharing settings. In case you’re wondering, yes, we are working on a new tenant-level sharing page.

Improved Email Layout

We’re also updating the email layout when contacting site administrators through the SharePoint admin center to make it cleaner and easier to read.

These updates will begin rolling out to Targeted Release in 4-8 weeks.

We’re looking forward to the ongoing feedback. Use the feedback button at the bottom right of the new UI.  Also, if you see a survey that pops up and asks you how you feel about the new site, don’t be shy, let us know.

Resources

Manage sites in the new SharePoint admin center [https://support.office.com/en-us/article/manage-sites-in-the-new-sharepoint-admin-center-d8c63491-0410-405c-880a-8cef7fa4480a?ui=en-US&rs=en-US&ad=US]

SharePoint and OneDrive Management, Migration, and Security Updates

In this post:

SharePoint Admin Center Updates

SharePoint Migration Tool Updates

OneDrive Files Restore

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint and OneDrive more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data. This update shares upcoming improvements in SharePoint and OneDrive.

SharePoint Admin Center Preview

ROLLING OUT NOW TO TARGETED RELEASE ON 2/1

Innovation in the cloud drives tremendous business value, and it delivers new capabilities to the IT professionals who work tirelessly to support, configure, administer, and secure their organizations’ content and services.

While our new user experiences are designed to be simpler, more intuitive, and more powerful, we also believe administration should be just as simple, just as intuitive, and just as powerful. To that end we’re introducing a completely revamped SharePoint Admin Center that draws heavily on our modern principles: an administrative console designed to help IT achieve more, so their users can achieve more.

For Targeted Release customers the option to try the new SharePoint Admin Center will be available through the existing administration experience for SharePoint Online. This permits the use of both administrative experiences as we continue to refine and add capabilities to the new admin center that are not yet present in the existing administrative experience.

  • Sign in to Office 365 as a global admin or SharePoint admin.
  • Select the app launcher icon in the upper-left and choose Admin to open the Office 365 admin center. (If you don’t see the Admin tile, you don’t have Office 365 administrator permissions in your organization.)
  • In the left pane, choose Admin centers > SharePoint.

To learn more about the new SharePoint Admin Center refer to https://support.office.com/en-us/article/Get-started-with-the-new-SharePoint-admin-center-0bb250bb-1d3c-43f8-b751-b322522ccf33.

General Availability of the SharePoint Migration Tool

GENERAL AVAILABILITY ON 1/9/2018. Refer to the complete article at https://techcommunity.microsoft.com/t5/SharePoint-Blog/General-Availability-of-the-SharePoint-Migration-Tool-amp/ba-p/143689/jump-to/first-unread-message.

Taking advantage of cloud services doesn’t have to be difficult or a long-phased migration project.  In addition to the new SharePoint Admin Center, we’re also announcing General Availability of the SharePoint Migration Tool, a new free, simple, and fast migration solution to help you migrate content from on-premises SharePoint sites and file shares to SharePoint or OneDrive in Office 365.

Based on the learning and experience from Microsoft FastTrack, the SharePoint Migration Tool from Microsoft lets you begin bringing your information to the cloud with a few simple clicks and take advantage of the latest collaboration, intelligence, and security solutions with Office 365.

Whether you’re looking to migrate from file shares on-premises to SharePoint or OneDrive or from on-premises versions of SharePoint, the SharePoint Migration Tool is designed to support the smallest of migrations to large scale migrations with support for bulk scenarios.

Using the SharePoint Migration Tool, you can quickly and easily migrate files from file shares, SharePoint sites, or support bulk migrations with a few simple clicks in the intuitive user interface.

To get started with the SharePoint Migration Tool refer to https://support.office.com/en-us/article/How-to-use-the-SharePoint-Migration-Tool-65462df1-42fe-40cf-88f7-e39f82f5130f.

While the SharePoint Migration Tool provides support for many migration scenarios, we recognize your needs may differ in scope and complexity. For more complex migrations, support with adoption and usage, or help with planning, Microsoft FastTrack includes resources, tools, and experts to make your rollout of Office 365 a success.

To learn more about Microsoft FastTrack visit https://fasttrack.microsoft.com/office.  In addition, consider one of Microsoft’s many partners that can help ensure your migration to Office 365 is both seamless and successful.

Getting Started

To get started and preview the new SharePoint Migration Tool from Microsoft visit https://aka.ms/spmt.

OneDrive Files Restore Rolling out to Production

ROLLING OUT NOW. Refer to the complete article at https://techcommunity.microsoft.com/t5/OneDrive-Blog/Announcing-New-OneDrive-for-Business-feature-Files-Restore/bc-p/147462#M387.

Data loss is non-negotiable; it’s not something that can be bought back. From corruption, to ransomware, to accidental deletion, losing content can completely disrupt a business. The recent issues with WannaCry and other ransomware attacks showed just how disruptive it can be.

Keeping your data safe has always been a top concern. In addition to simplifying control with the new SharePoint Admin Center and migration with the SharePoint Migration Tool, we are also excited to announce that OneDrive Files Restore, a complete self-service recovery solution that allows content owners to go back in time to any second in the last 30 days, is now rolling out to our customers. Now your users and your administrators can rewind changes using activity data to find the exact moment to revert to.

Files Restore starts rolling out today and will be fully rolled out by Spring 2018.

Resources

To learn more about the new SharePoint Admin Center, the SharePoint Migration Tool, Files Restore with OneDrive, and more security, admin, and migration capabilities in SharePoint and OneDrive, watch the video below.

https://myignite.microsoft.com/sessions/55100?source=sessions

Office 365 Advanced Threat Protection for SharePoint, OneDrive and Microsoft Teams now available

When moving your organization to cloud services, security concerns add another layer of consideration; one of trust.

Security and compliance is an ongoing process, not a steady state. It is constantly maintained, enhanced, and verified by highly-skilled, experienced and trained personnel. We strive to keep software and hardware technologies up to date through robust processes. To help keep Office 365 security at the top of the industry, we use processes such as the Security Development Lifecycle; we also employ techniques that throttle traffic and prevent, detect, and mitigate breaches.

At Microsoft we continue a systematic approach to disrupting attacks: eliminating weaknesses by removing the attack vectors themselves through architectural changes, some of which leverage virtualization, containers, and other technologies.

In April 2015 we launched Office 365 Advanced Threat Protection to help customers secure their environment from evolving security threats, providing protection against unknown malware and viruses, real-time, time-of-click protection against malicious URLs, and rich reporting and URL trace capabilities.

In our continued effort to address the modern threat landscape, today we’re announcing General Availability of Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams.

Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams uses signals and smart heuristics as quality indicators to identify the files within your tenant that may contain malicious content. This includes correlating the file activity signals from SharePoint, OneDrive, and Microsoft Teams within your tenant with the Microsoft Security Intelligence Graph threat feeds.

Examples of file activity signals include anonymous, company-wide, or explicit sharing, and activity from guest users. Threat feeds that Office 365 Advanced Threat Protection leverages include known malware in email or SharePoint, Windows Defender/Defender ATP detections, suspicious or risky logins, and other indicators of irregular file activity within your tenant.

Getting Started

Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams can be configured in the Office 365 Security and Compliance Center.

Learn more on configuring Office 365 Advanced Threat Protection for SharePoint, OneDrive, and Microsoft Teams at https://support.office.com/en-us/article/Office-365-ATP-for-SharePoint-OneDrive-and-Microsoft-Teams-26261670-db33-4c53-b125-af0662c34607?ui=en-US&rs=en-US&ad=US.

Resources

Office 365 Advanced Threat Protection overview [https://support.office.com/en-us/article/Office-365-Advanced-Threat-Protection-overview-e100fe7c-f2a1-4b7d-9e08-622330b83653?ui=en-US&rs=en-US&ad=US]

Advanced Threat Protection safe attachments in Office 365 [https://support.office.com/en-us/article/ATP-safe-attachments-in-Office-365-6E13311E-92AE-495E-A619-56D770199170]

FAQ

Can I block download of infected files in Office 365?

There is a tenant-level configuration that allows or blocks the download of an infected file. This configuration is leveraged by the different native user experiences that are triggered within SharePoint Online (SPO), OneDrive for Business (ODB), and Teams. Tenant admins can update it using PowerShell. Refer to https://technet.microsoft.com/en-us/library/fp161390.aspx and the DisallowInfectedFileDownload parameter for additional details.
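The tenant-wide setting described above, shown as an added example that is not part of the original post. It assumes the SharePoint Online Management Shell is installed, that <Tenant> is replaced with your tenant name, and that the signed-in account is a SharePoint administrator; Get-SPOTenant and Set-SPOTenant are the cmdlets the linked reference documents.

```powershell
# Added example, not from the original post: check and enforce the tenant-wide
# block on downloading files that ATP has flagged as infected.
# Assumes the SharePoint Online Management Shell is installed and <Tenant> is replaced.
Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com

# Read the current value first so the script is safe to re-run.
$tenant = Get-SPOTenant
Write-Host "DisallowInfectedFileDownload currently: $($tenant.DisallowInfectedFileDownload)"

if (-not $tenant.DisallowInfectedFileDownload) {
    # $true blocks download of flagged files across SharePoint, OneDrive and Teams;
    # $false lets users download them despite the ATP verdict.
    Set-SPOTenant -DisallowInfectedFileDownload $true
    Write-Host "Infected-file download is now blocked."
}

# Read the setting back to confirm the change was stored.
(Get-SPOTenant).DisallowInfectedFileDownload
```

Reading the value before and after the change keeps the script idempotent and gives you a line of evidence for a change record; the same read-back can be scheduled as a periodic check that nobody has quietly flipped the setting back.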

Is there a licensing requirement for ATP?

ATP is included in Office 365 Enterprise E5 and Office 365 Education A5. You can add ATP to the following Exchange and Office 365 subscription plans:

  • Exchange Online Plan 1
  • Exchange Online Plan 2
  • Exchange Online Kiosk
  • Exchange Online Protection
  • Office 365 Business Essentials
  • Office 365 Business Premium
  • Office 365 Enterprise E1
  • Office 365 Enterprise E3
  • Office 365 Enterprise F1
  • Office 365 Education A1
  • Office 365 Education A3

To buy Office 365 Advanced Threat Protection, see Office 365 Advanced Threat Protection.

To compare features across plans, see Compare Office 365 for Business plans.

Introducing Idle Session Timeout in SharePoint and OneDrive (Preview)

There’s a new culture of work; one that is increasingly diverse, geographically distributed, and mobile. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of work practice. People have come to expect to be able to access email and documents from anywhere on any device, and for that experience to be seamless. Among these trends is the increasing use of shared systems, such as kiosks, to access and work with corporate data. In order to help safeguard your information on these systems, we’re introducing new idle session timeout policies, rolling out as preview on November 6, 2017, and changes to the “Keep me signed in” experience with Office 365.

Idle session timeout allows an Office 365 administrator to configure a threshold at which a user is warned and subsequently signed out of SharePoint or OneDrive after a period of inactivity, as illustrated below.


Demo

The demonstration below illustrates the idle session timeout policy enacted on a site that is also configured with site-scoped limited access policies.

Idle session timeout policies allow Office 365 administrators to automatically sign out inactive sessions, preventing the overexposure of information in the event a user leaves a shared system unattended.

NOTE

Idle session timeout takes a dependency on the Keep me signed in signal.  In scenarios where Keep me signed in is selected at authentication, the client will not honor the idle session timeout. 

In addition to the new idle session timeout policy we’re rolling out in preview, in late September we updated the keep me signed in experience, replacing the “Keep me signed in” checkbox that appears on the sign-in flow with a prompt that shows after the user successfully signs in. Idle session timeout interprets this signal: on devices where “Keep me signed in” has been selected, the policy does not affect the client; on devices where “Keep me signed in” is not selected, the policy applies.

In addition to those recent changes, we’re also adding a layer of protection to intelligently hide this prompt if we detect a shared device or a high-risk sign-in. Our goal is to decrease the number of times users are prompted to authenticate. Although the new screen adds a small amount of friction up front, users get a better long-term experience as they get fewer sign-in prompts when they use our services.

This prompt asks the user if they would like to remain signed in. Responding “Yes” to this drops a persistent refresh token, the same behavior as when the user checks the old “Keep me signed in” checkbox.

For federated tenants, this prompt will show after the user successfully authenticates with the federated identity service. Some things to consider:

  • During the Public Preview period of the new sign-in experience, this new “Keep me signed in” prompt will only show when users opt in to the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.
  • You can choose to hide this new prompt for your users by using the “Show option to remain signed in” setting in company branding. Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox on your tenant, we won’t show the new prompt to your users.
  • This change will not affect any token lifetime settings you have configured.

Configuring Idle Session Timeout

Idle-session timeout is configured using Windows PowerShell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.

Install the SharePoint Online Management Shell by downloading and running the SharePoint Online Management Shell. You only need to do this once for each computer from which you are running SharePoint Online PowerShell commands.

To open the SharePoint Online Management Shell command prompt, from the Start screen, type sharepoint, and then click SharePoint Online Management Shell.

To connect to SharePoint Online with a username and password, run the following command at the SharePoint Online Management Shell command prompt:

Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com

To configure idle-session timeout, run the following command at the SharePoint Online Management Shell command prompt:

Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Seconds 1200) -SignOutAfter (New-TimeSpan -Seconds 1500)

Where:

-Enabled specifies whether idle session timeout is enabled or disabled, using $true or $false respectively.

-WarnAfter specifies the amount of time after which a user is notified that they will be signed out for inactivity, as a New-TimeSpan, which can be configured in seconds, minutes, or hours.

-SignOutAfter specifies the amount of time after which a user is signed out of Office 365 if they do not respond to the -WarnAfter prompt.

To view the idle browser sign-out settings, use the Get-SPOBrowserIdleSignOut cmdlet.

NOTE

  1. Mouse movement or scrolling up and down is not included as activity. Activity is counted as requests sent to SharePoint Online.  Mouse clicks within the context of a site are considered activity.
  2. Idle-session timeout is limited to SharePoint Online browser sessions; however, it will sign users out of all Office 365 workloads within that browser session.
  3. It will not sign out users who are on managed devices or select Keep Me Signed In during sign-in.
  4. Idle session timeout is currently limited to Classic sites.  A fix will be rolled out to support Modern sites soon.
  5. The WarnAfter and SignOutAfter values cannot be the same.
  6. The policy scope is Tenant-wide.
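The configuration steps above, combined into one script as an added example (not code from the original post). It assumes the SharePoint Online Management Shell is installed and <Tenant> is replaced with your tenant name; the Set-IdleSignOutPolicy function name and the 20/25-minute values are choices made for this example. The validation step exists because of note 5: the warning and sign-out timespans cannot be equal, and a warning that fires after the sign-out would never be seen.

```powershell
# Added example, not from the original post: enable idle session timeout with
# validated warn/sign-out timespans, then read the stored policy back.
# Assumes the SharePoint Online Management Shell is installed and <Tenant> is replaced.

function Set-IdleSignOutPolicy {
    param(
        [Parameter(Mandatory)] [int] $WarnMinutes,     # inactivity before the user is warned
        [Parameter(Mandatory)] [int] $SignOutMinutes   # inactivity before the user is signed out
    )

    $warnAfter    = New-TimeSpan -Minutes $WarnMinutes
    $signOutAfter = New-TimeSpan -Minutes $SignOutMinutes

    # Note 5: the two values cannot be the same, and the warning must come before sign-out.
    if ($warnAfter -ge $signOutAfter) {
        throw "WarnAfter ($warnAfter) must be shorter than SignOutAfter ($signOutAfter)."
    }

    Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter $warnAfter -SignOutAfter $signOutAfter

    # Return the stored policy so the caller can confirm what was applied.
    Get-SPOBrowserIdleSignOut
}

Connect-SPOService -Url https://<Tenant>-admin.sharepoint.com

# Warn after 20 minutes of inactivity and sign the user out 5 minutes after that.
Set-IdleSignOutPolicy -WarnMinutes 20 -SignOutMinutes 25

# To turn the policy off again only -Enabled needs to change:
# Set-SPOBrowserIdleSignOut -Enabled $false
```

The policy is tenant-wide, applies only to new sign-ins, and takes roughly 15 minutes to take effect (see the FAQ below), so verify it from a fresh browser session rather than one that is already signed in, and remember that sessions on managed devices or where Keep me signed in was selected are not signed out.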

Frequently Asked Questions

When will idle session timeout start rolling out as preview?

November 6, 2017

Is idle session timeout enabled by default, can I control the settings?

No.  Idle session timeout is disabled by default.  The warning and timeout timespans, as well as enabling idle session timeout are administrator controlled.  Instructions will follow as we start to roll out this feature.

Does the policy affect existing signed-in sessions?

No, only new sign-ins in new browser sessions.

How long does it take to take effect?

Approx. 15 minutes

What is considered a managed device?

A device is managed if Azure Active Directory indicates to SharePoint Online that the device state was evaluated and the device is at least one of the following:

  • Domain joined
  • Compliant

Device state claims are not passed in Google Chrome or when using InPrivate mode; device claims are only available on Internet Explorer or Microsoft Edge on Microsoft Windows.

Can I hide the Keep me signed in prompt?

During the public preview period of the new sign-in experience, the updated “Keep me signed in” prompt will only show when users opt into the new sign-in experience. Users using the old experience will continue to see the checkbox and will not get the prompt.

Admins can choose to hide this new prompt for users by using the “Show option to remain signed in” setting in company branding.

NOTE 

Existing configurations of this setting will carry forward, so if you previously chose to hide the “Keep me signed in” checkbox in your tenant, we won’t show the new prompt to users in your tenant.

This change won’t affect any token lifetime settings you have configured.

When will idle-session timeout be generally available?

April 2018