Office 365 Data Loss Prevention Block Access with SharePoint and OneDrive

Last week we announced Office 365 Data Loss Prevention Block Access (https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Policy-Tips-in-SharePoint-Online-and-OneDrive-for-Business-at/ba-p/116158) with SharePoint Online and OneDrive for Business. Office 365 Data Loss Prevention Block Access reduces the risk of overexposing sensitive information by allowing a Tenant administrator to configure Data Loss Prevention Policies that limit how and with whom sensitive information can be shared.

For example, if a document is determined to contain sensitive information, such as U.S. Financial Data, a DLP policy can prevent that information from being shared externally or with guests, while providing real-time policy information to the user attempting to initiate the share.

Users are presented with a Policy Tip when viewing information about the document in addition to the option to view the specific policy that limits sharing of the document.

In addition, if the user attempts to share content that violates the policy configuration, they are notified at the time of sharing with a Policy Tip and link to additional information.

Configuring Office 365 Data Loss Prevention Block Access policies in the Security and Compliance Center

To configure Office 365 Data Loss Prevention Block Access policies browse to https://protection.office.com/, and expand Data loss prevention.

Under Data loss prevention select Policy.

Select Create new policy to create a policy and choose from one of the available templates.

Provide a Name and optional description of the policy and click Next.

Select one or more locations to protect and click Next.

Under Policy settings select Detect when this content is shared: and choose With people outside of my organization and click Next.

On the What do you want to do if we detect sensitive info? dialog, select Restrict who can access the content and override the policy and click Next.

Optionally you can configure additional settings for the policy such as:

  • The ability to block specific people from accessing sensitive content that meets the criteria of the policy.
  • Allowing policy override with or without business justification.

Click Next to save the policy settings.

On the Review your settings page, click Create to save and apply the policy.
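
The policy built in the steps above can also be created from Office 365 Security and Compliance Center PowerShell. This is an added example, not code from the original post; it assumes you have already connected a Security and Compliance Center PowerShell session, and the policy name, rule name and sensitive information types are sample values chosen to match the U.S. Financial Data scenario.

```powershell
# Added example: builds the DLP Block Access policy from the UI steps above using
# Security and Compliance Center PowerShell. Assumes an existing session.
# Names and the sensitive information types below are constructed sample values.

$policyName = 'Block external sharing of U.S. financial data'

# 1. Policy scoped to SharePoint Online and OneDrive for Business.
#    TestWithNotifications shows Policy Tips without blocking, so the rule can be
#    validated against real content before the policy is switched to Enable.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Restricts external sharing of U.S. financial data' `
    -SharePointLocation 'All' `
    -OneDriveLocation 'All' `
    -Mode TestWithNotifications

# 2. Rule: when content containing U.S. financial data is shared with people outside
#    the organization, block only those external users (BlockAccessScope PerUser is
#    the "Restrict who can access the content" option), show a Policy Tip, and allow
#    override only with a business justification.
New-DlpComplianceRule -Name "$policyName - rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';       minCount = '1' },
        @{ Name = 'U.S. Bank Account Number'; minCount = '1' },
        @{ Name = 'ABA Routing Number';       minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope PerUser `
    -NotifyUser 'LastModifier', 'Owner', 'SiteAdmin' `
    -NotifyPolicyTipCustomText 'This document contains U.S. financial data and cannot be shared outside the organization.' `
    -NotifyAllowOverride WithJustification

# 3. Read the rule back and confirm the settings that matter for Block Access.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser, NotifyAllowOverride

# 4. Once validated in test mode, enable enforcement.
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```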

Configuring Existing DLP Policies

In addition to the creation of new policies, a Tenant administrator can use Windows PowerShell to configure existing data loss prevention policies for block access.

To update one or more existing policies, connect to Office 365 Security and Compliance Center PowerShell and run the Windows PowerShell example below:

Get-DlpComplianceRule | Where-Object {$_.BlockAccess -eq 'true' -and $_.BlockAccessScope -ne 'PerUser' -and $_.AccessScope -eq 'NotInOrganization' -and $_.NotifyUser -ne ''} | Set-DLPComplianceRule -BlockAccessScope 'PerUser'

NOTE

The script above will turn any DLP policy rules that previously blocked everyone (except Last Modifier, Owner, and Site Administrator) into a rule that only blocks access to external users.
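
Because the one-liner above rewrites every matching rule in one pass, an administrator would normally want to see which rules match first and confirm the result afterward. This added example, not from the original post, wraps the same filter in a preview, dry-run, apply and verify sequence; it assumes a connected Security and Compliance Center PowerShell session.

```powershell
# Added example: preview, apply and verify the BlockAccessScope change made by the
# post's one-liner. Assumes a connected Security and Compliance Center session.

# Same criteria as the original script, kept in one place so the preview and the
# change cannot drift apart.
$filter = {
    $_.BlockAccess -eq $true -and
    $_.BlockAccessScope -ne 'PerUser' -and
    $_.AccessScope -eq 'NotInOrganization' -and
    $_.NotifyUser -ne ''
}

# 1. Preview: list the rules that would be converted.
$candidates = Get-DlpComplianceRule | Where-Object $filter
if (-not $candidates) { Write-Host 'No rules match; nothing to change.'; return }

$candidates | Format-Table Name, AccessScope, BlockAccessScope, NotifyUser -AutoSize

# 2. Dry run: -WhatIf reports what Set-DlpComplianceRule would do without doing it.
$candidates | Set-DlpComplianceRule -BlockAccessScope 'PerUser' -WhatIf

# 3. Apply one rule at a time so a failure on one rule is reported by name.
foreach ($rule in $candidates) {
    try {
        Set-DlpComplianceRule -Identity $rule.Identity -BlockAccessScope 'PerUser' -ErrorAction Stop
        Write-Host "Converted: $($rule.Name)"
    } catch {
        Write-Warning "Failed to convert $($rule.Name): $($_.Exception.Message)"
    }
}

# 4. Verify: re-read the same rules and flag any that still block everyone.
$notConverted = $candidates |
    ForEach-Object { Get-DlpComplianceRule -Identity $_.Identity } |
    Where-Object { $_.BlockAccessScope -ne 'PerUser' }

if ($notConverted) {
    Write-Warning "Still blocking everyone: $($notConverted.Name -join ', ')"
} else {
    Write-Host 'All matching rules now block external users only.'
}
```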

Resources

To learn more about data loss prevention policies in Office 365, visit Overview of data loss prevention policies at https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e.

Security at the Site-Collection Level in SharePoint Online

Balancing security and usability is core to ensuring people can collaborate effectively without interrupting the necessary flow of information across organizations. With SharePoint Online we’ve been at work developing security and sharing controls that are scoped at the site collection level. This allows Tenant administrators to configure more restrictive controls at the site collection level than those configured at the Tenant level, providing a balance between the need to protect corporate information and the requirement to collaborate effectively across and outside of the corporate boundary.

Site Collection Controls

Restricted Domain Sharing Controls

With SharePoint Online, sites can be shared with users from specific domains by using the restricted domains setting. This is useful in a business-to-business extranet scenario where sharing needs to be limited to a particular business partner or external user.

Administrators can configure external sharing by using either a domain allow list or a deny list, at either the tenant level or the site collection level. With the allow list, sharing invitations can only be sent to the email domains listed; with the deny list, the listed email domains are the ones to which users are prohibited from sending invitations.

To configure restricted domains for external sharing in SharePoint Online at the site collection level:

  1. From the SharePoint Admin Center, select the site collections tab.
  2. Select a site collection, and then click Sharing.
  3. Under Site collection additional settings, select the Limit external sharing using domain check box.
  4. From the drop-down list, choose either Don’t allow sharing with users from these blocked domains to deny access to targeted domains or Allow sharing only with users from these domains to limit access to only the domains you list.
  5. List the domains (maximum of 60) in the box provided, using the format domain.com. If listing more than one domain, separate each domain with a space or a carriage return.
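
The same site-collection restriction can be applied from the SharePoint Online Management Shell with Set-SPOSite. This is an added example, not code from the original post; it assumes Connect-SPOService has already been run, and the site URL and domain names are sample values. The function enforces the same 60-domain limit and domain.com format as the admin center before applying the list, and reads the setting back afterward.

```powershell
# Added example: apply a site-collection domain allow list or deny list with the
# SharePoint Online Management Shell. Assumes Connect-SPOService has been run.
# The site URL and domain names below are constructed sample values.

function Set-SiteSharingDomains {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [ValidateSet('AllowList', 'BlockList')] [string] $Mode,
        [Parameter(Mandatory)] [string[]] $Domains
    )

    # Same limits as the admin center UI: at most 60 domains, each in domain.com form.
    if ($Domains.Count -gt 60) {
        throw "Only 60 domains are supported per site collection; got $($Domains.Count)."
    }
    $bad = $Domains | Where-Object { $_ -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$' }
    if ($bad) { throw "Invalid domain format: $($bad -join ', ')" }

    # Set-SPOSite takes the list as a single space-separated string.
    $list = ($Domains | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique) -join ' '

    if ($Mode -eq 'AllowList') {
        Set-SPOSite -Identity $SiteUrl -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList $list
    } else {
        Set-SPOSite -Identity $SiteUrl -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList $list
    }

    # Read the setting back so the change is confirmed rather than assumed.
    Get-SPOSite -Identity $SiteUrl -Detailed |
        Select-Object Url, SharingDomainRestrictionMode, SharingAllowedDomainList, SharingBlockedDomainList
}

# Extranet site that may only be shared with one business partner (sample values).
Set-SiteSharingDomains -SiteUrl 'https://contoso.sharepoint.com/sites/partner-extranet' `
    -Mode AllowList -Domains 'fabrikam.com', 'fabrikam.co.uk'
```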

Site-Scoped Conditional Access Policies

New to SharePoint Online are site-scoped conditional access policies. Device-based policies for SharePoint and OneDrive help administrators ensure data on corporate resources is not leaked onto unmanaged devices, such as non-domain joined or non-compliant devices, by limiting access to content to the browser and preventing files from being taken offline or synchronized with OneDrive on unmanaged devices, at either the Tenant or site collection level.

Site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed, and you have connected to SharePoint Online.

NOTE

The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

Connect-SPOService -Url https://<URL to your SPO admin center>
$t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess

Read more about site-scoped conditional access at https://blogs.technet.microsoft.com/wbaer/2017/10/08/site-scoped-conditional-access-policies-in-sharepoint-online/.

Additional Controls

Allow users to Invite new partner users: In certain site collections, admins can optionally allow users to invite new partner users. In this model, an email invite is sent to the partner user and the user must redeem that invite to access the resource. See Manage external sharing for your SharePoint Online environment for details.

Sharing by site owners only: Ability to have site collections where only site owners can bring in or share with new users. Site members, who are typically external partner users, can see only the existing site members in the site. This helps in governing what partners can see and with whom they can share documents.

To learn more about security and compliance with SharePoint and OneDrive:

Site-Scoped Limited Access Policies in SharePoint Online

In March 2017 we introduced device-based policies for SharePoint and OneDrive that enable administrators to configure Tenant-level policies.

Device-based policies for SharePoint and OneDrive help administrators ensure corporate data is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to the content to the browser, preventing files from being taken offline or synchronized with OneDrive.

On September 1st, 2017, we continued to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing new levels of granularity that allow administrators to scope device-based policies at the site collection level. In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.

In the demonstration above, the Tenant is configured with a permissive device access policy, allowing full access from unmanaged devices, including desktop apps, mobile apps, and browsers. The Marketing site inherits the policy configured at the Tenant level; however, the Legal site has a less permissive policy than the one configured at the Tenant level. In addition, members of the Marketing site, while limited to browser-only access on unmanaged devices, can continue to edit content they have access to, providing a seamless collaborative experience.

Configuring Policies

Once available in First Release Tenants, site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.

NOTE

The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

Connect-SPOService -Url https://<URL to your SPO admin center>
$t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess
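
The three commands above, and the identical ones in the earlier Site-Scoped Conditional Access Policies section, set a single site to limited access. This added example, not code from the original posts, first checks the Tenant-level prerequisite from the NOTE and then applies two site-scoped policies: a Legal site restricted to browser-only viewing, and a second site restricted to the browser but with Office Online editing allowed, as described above. It assumes Connect-SPOService has already been run; the site URLs are sample values, and -AllowEditing is the Set-SPOSite parameter that controls editing on unmanaged devices.

```powershell
# Added example: apply site-scoped device-based access policies after checking the
# Tenant-level prerequisite. Assumes Connect-SPOService has been run; the site URLs
# are constructed sample values.

function Set-SiteDeviceAccessPolicy {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)] [ValidateSet('AllowFullAccess', 'AllowLimitedAccess', 'BlockAccess')]
        [string] $Policy,
        # Only meaningful for AllowLimitedAccess: whether unmanaged devices may edit
        # Office Online documents in the browser rather than view them only.
        [bool] $AllowEditing = $true
    )

    # Site-scoped policies only take effect when the Tenant policy is Full Access.
    $tenantPolicy = (Get-SPOTenant).ConditionalAccessPolicy
    if ($tenantPolicy -ne 'AllowFullAccess') {
        throw "Tenant-level device policy is '$tenantPolicy'; set it to AllowFullAccess before scoping policies per site."
    }

    # Resolve the site first so a typo in the URL fails before anything is changed.
    $site = Get-SPOSite -Identity $SiteUrl
    if ($Policy -eq 'AllowLimitedAccess') {
        Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy $Policy -AllowEditing $AllowEditing
    } else {
        Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy $Policy
    }

    # Confirm what the service now reports for the site.
    Get-SPOSite -Identity $site.Url -Detailed |
        Select-Object Url, ConditionalAccessPolicy, AllowEditing
}

# Legal: browser only on unmanaged devices, view only.
Set-SiteDeviceAccessPolicy -SiteUrl 'https://contoso.sharepoint.com/sites/legal' `
    -Policy AllowLimitedAccess -AllowEditing $false

# Projects: browser only on unmanaged devices, but Office Online editing allowed.
Set-SiteDeviceAccessPolicy -SiteUrl 'https://contoso.sharepoint.com/sites/projects' `
    -Policy AllowLimitedAccess -AllowEditing $true
```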

Stay ahead of data residency requirements with Multi-Geo Capabilities in Office 365

Governments around the world are strengthening laws and regulations to protect citizens’ data, preserve national security, and protect business interests.

Last week at Microsoft Ignite we announced new Multi-Geo Capabilities in Office 365 to help ensure you remain compliant across services including SharePoint, OneDrive, and Exchange.

The new Multi-Geo Capabilities in Microsoft 365 with SharePoint and OneDrive give global organizations a way to maximize the value of Office 365, including SharePoint and OneDrive, while meeting data residency and compliance requirements.

Multi-geo capabilities give you a choice of geographical locations in which to store, manage, and secure your data by allowing a single Office 365 tenant to span multiple regions, storing data on a per-user or per-site basis. So whether you’re adding a new user to your organization or need to move an existing user, together with their data, to a new region seamlessly and transparently to that user, the new multi-geo capabilities are designed to address those needs.

In a multi-geo configuration, your Office 365 Tenant consists of a central, default location, such as North America, and one or more satellite locations. In this scenario, a single Tenant can span multiple locations, ensuring your data resides within the boundaries of each respective geo. Each geo in a multi-geo configuration is addressed with a unique Url specified when configuring the Office 365 Tenant, such as contosona or contosoeur to represent North America or Europe respectively.

Information about multi-geo enabled Tenants, such as geo locations, groups, and user information, is mastered in Azure Active Directory (AAD). Since the Tenant information is mastered centrally and synchronized into each geo location, sharing and experiences involving anyone from your company have global awareness. For example, a user whose preferred OneDrive data location is Europe can share with users in North America or other configured geo locations, and discover content created across the tenancy using services such as search and Office Delve. In addition, independent policies can be configured at each geo location, including explicit sharing policies, eDiscovery, etc.

Multi-Geo capabilities for OneDrive are in private preview today. If you’re interested and want to learn more, visit the links below.

OneDrive http://aka.ms/OneDriveMultiGeo

Resources

To learn more about Multi-Geo Capabilities in Office 365 refer to the resources below:

Watch and download Understanding Multi-Geo Capabilities in Office 365 at https://myignite.microsoft.com/sessions/54705?source=sessions from Microsoft Ignite.

Watch and download Multi-Geo Capabilities in OneDrive and SharePoint Online at https://myignite.microsoft.com/videos/53873 from Microsoft Ignite.

Watch and download Exchange Online Multi-Geo Capabilities at https://myignite.microsoft.com/sessions/55160?source=sessions from Microsoft Ignite.

Read more about Multi-Geo capabilities in Office 365 at https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-Multi-Geo-in-Office-365/ba-p/107016.

Watch Introducing Multi-Geo capabilities in Office 365 on Microsoft Mechanics at https://www.youtube.com/watch?v=3d9-Vt2fArk&feature=youtu.be.

Ignite 2017 Pre-Day Training – SharePoint and Office 365 Hybrid Scenarios

Join me, Neil Hodgkinson, Spence Harbar, Bob Fox, and other industry experts for a Microsoft Ignite pre-day training on implementing hybrid scenarios with SharePoint and Office 365.

Cloud computing has become a popular way to reduce capital and operational expenditures, renew IT innovation, and gain the advantage of more rapid software delivery to meet the needs of business. However, compliance, data sovereignty, sensitivity concerns, or a significant investment in customization may limit your organization’s ability to take advantage of this. Today you can maximize your on-premises investment by upgrading to SharePoint Server 2016 and using hybrid scenarios in Office 365 to seamlessly leverage the cloud. This pre-day workshop is designed to give you the deep technical knowledge to deploy SharePoint Server 2016 as well as design and implement the latest hybrid scenarios including search, auditing, taxonomy and more.

Attendees will receive instructor-led training on best practices for implementing a variety of hybrid scenarios and workloads, training materials including documentation and presentations, and, for each attendee, a dedicated lab environment including a SharePoint Server 2016 farm and an Office 365 Tenant that can be used to complete hands-on labs during and after the event.

Space is limited; register today at https://www.microsoft.com/en-us/ignite/agenda.

Secure your information with SharePoint and OneDrive

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure – and while we continue to drive forward with a cloud-first, mobile-first vision – security and compliance are at the foundation of everything we do.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint Online and OneDrive for Business more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

The collaboration landscape has changed. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.
While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

SharePoint Online and OneDrive for Business are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint Online and OneDrive for Business. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint Online and OneDrive for Business allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work, while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it – click here to explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

What’s coming next with Administration and Manageability?
In Q4 CY2017 we will begin rolling out the new SharePoint admin center. From the home page, you’ll notice just how much better it is, with interactive activity reports, Message Center posts, and a health dashboard tuned to the needs of SharePoint administrators.

You’ll easily find and work with the dozens of SharePoint settings the service gives you to configure sharing, access, and the service. And we know you’ll love the dynamic new Site Management page, which lets you view, filter, and edit the configuration of all of your SharePoint sites, including sites connected to Office 365 groups.

What’s coming next with Security and Compliance?
The rapidly-changing security landscape means that your organization’s content – its knowledge – is being shared more broadly, and accessed from more devices and more locations, than ever before. We’re committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams.

Today we announced upcoming support for customer managed keys. In Q4 CY2017, you will be able to host your own key in Azure. That key will be used to further encrypt your data in Office 365, so that should you choose to leave Office 365, you can revoke the key and your data will be inaccessible to the service.

We also announced that conditional access policies will be coming to site collections. These policies allow you to define access based not only on user and permission levels, but also on the device, the user, or the location. Conditional access policies can currently be applied to your Office 365 tenant as a whole. In late CY 2017 we will allow you to define these policies at the site collection level, so that you can manage security on a granular, use-case basis.

Watch the short video here that demonstrates and shares more details about these investments, and we hope to see you at Microsoft Ignite, where you can learn more about what’s next for security, compliance, and administration for SharePoint and OneDrive.

Introducing the new SharePoint Admin Center

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure.

Innovation in the cloud drives tremendous business value, and it delivers new capabilities to the IT professionals who work tirelessly to support, configure, administer, and secure their organizations’ content and services.

We’ve built Office 365 with global scale, exceptional reliability, and support for compliance across every industry and geography. On top of intelligent security that keeps your service and content protected and private, we give you granular and dynamic controls so that you can manage access and distribution of your organization’s sensitive information. We’ve equipped you with detailed activity and usage reports. And we’ve brought the innovations born in Office 365 to SharePoint Server with out-of-the-box capabilities and connected, hybrid experiences.

While our new user experiences are designed to be simpler, more intuitive, and more powerful, we also believe administration should be just as simple, just as intuitive, and just as powerful. To that end, later this year we’re introducing a completely revamped SharePoint Admin Center that draws heavily on our modern principles: an administrative console designed to help IT achieve more, so their users can achieve more.

Home
The redesigned “Home” surfaces the most important information about the service, both its health and how your organization is using SharePoint Online, and helps you discover it quickly.

Site Management
Borrowing from the modern List experience in SharePoint Online, the new Site Management page promotes ease of use and flexibility – a one stop shop for viewing and managing some of the most important aspects of SharePoint Online sites.  You can now sort, filter, and discover information about your sites and their activity.

Sharing
At the foundation of SharePoint is sharing, and we’re bringing sharing controls to the forefront of administration. Closely aligned with the OneDrive Admin Center, our sharing controls are designed to help your users make the most of their work while making it easy for you to control the flow of your organization’s information.

Device Access
If you’re complacent, you’re likely not compliant. However, we believe compliance shouldn’t get in the way of collaboration, and over the past year we have introduced several new conditional access policies across user, location, and device pivots to help you secure access to your information. With the upcoming SharePoint Admin Center, you can quickly access and use these policies to address your unique business needs.

To learn more about conditional access in SharePoint Online, see https://blogs.technet.microsoft.com/wbaer/2017/03/13/security-and-compliance-in-sharepoint-online-an… or, to explore more security and compliance scenarios, visit https://go.microsoft.com/fwlink/?linkid=848765. When you’re done exploring, be sure to read our new eBook “Securing your information in the new world of work” at https://go.microsoft.com/fwlink/?linkid=849048.

Settings
We’ve taken the many settings available to you for SharePoint Online and grouped and isolated them to simplify how you manage some of the more discrete options for the service and sites.

To see more of the new SharePoint Admin Center, check out the video below, and to learn more be sure to register for Microsoft Ignite.