Administration, Security and Compliance

Secure your information with SharePoint and OneDrive

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure – and while we continue to drive forward with a cloud-first, mobile-first vision – security and compliance are at the foundation of everything we do.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint Online and OneDrive for Business more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

The collaboration landscape has changed. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.
While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.


SharePoint Online and OneDrive for Business are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint Online and OneDrive for Business. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint Online and OneDrive for Business allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work, while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it – click here to explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

What’s coming next with Administration and Manageability?
In Q4 CY2017 we will begin rolling out the new SharePoint admin center. From the home page, you’ll notice just how much better it is, with interactive activity reports, Message Center posts, and a health dashboard tuned to the needs of SharePoint administrators.


You’ll easily find and work with the dozens of SharePoint settings the service gives you to configure sharing, access, and the service. And we know you’ll love the dynamic new Site Management page, which lets you view, filter, and edit the configuration of all of your SharePoint sites, including sites connected to Office 365 groups.


What’s coming next with Security and Compliance?
The rapidly changing security landscape means that your organization’s content – its knowledge – is being shared more broadly, and accessed from more devices and more locations, than ever before. We’re committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams.

Today we announced upcoming support for customer-managed keys. In Q4 CY2017, you will be able to host your own key in Azure. That key will be used to further encrypt your data in Office 365, so that should you choose to leave Office 365, you can revoke the key and your data will be inaccessible to the service.

We also announced that conditional access policies will be coming to site collections. These policies allow you to define access based not only on user and permission levels, but also on the device, the user, or the location. Conditional access policies can currently be applied to your Office 365 tenant as a whole. In late CY2017 we will allow you to define these policies at the site collection level, so that you can manage security on a granular, use-case basis.

Watch the short video here that demonstrates and shares more details about these investments. We hope to see you at Microsoft Ignite, where you can learn more about what’s next for security, compliance, and administration for SharePoint and OneDrive.

OneDrive for Business

Which OneDrive for Business Sync Client is Right for Me?

I want to sync SharePoint and OneDrive for Business libraries on-premises

To sync on-premises instances of OneDrive for Business or SharePoint site libraries (when you don’t have an Office 365 business or 21Vianet subscription), you need to use the previous OneDrive for Business sync client (Groove.exe). If you’re not sure which version of OneDrive you’re using, or which version of OneDrive you need, see Which version of OneDrive am I using? for information on determining which sync client you are using.

See also Set up your computer to sync SharePoint Server on-premises files for information on configuring OneDrive for Business.

I want to sync SharePoint and OneDrive for Business libraries in Office 365

OneDrive for Business can sync both OneDrive for Business libraries and SharePoint Online document libraries from team sites. For more information about this functionality and how to set up team site sync using OneDrive for Business, see the following Microsoft website:

Enable users to sync SharePoint files with the new OneDrive sync client

If you want to sync from SharePoint on-premises environments or sync another user’s OneDrive library, you should use the previous OneDrive for Business application (Groove.exe).

See also Set up your computer to sync your OneDrive for Business files in Office 365 for information on configuring OneDrive for Business and Sync SharePoint files with the new OneDrive sync client for information on sync for SharePoint libraries in Office 365 with OneDrive for Business.

I want to sync SharePoint libraries across on-premises and Office 365

To sync SharePoint libraries across on-premises and Office 365, you will need to install both versions of OneDrive for Business. The onedrive.exe and groove.exe clients can run at the same time.

For instructions on how to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online, see How to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online. If you are using Office 2016 applications, refer to How to install the OneDrive for Business sync client for SharePoint 2013 and later and SharePoint Online when using Office 2016 applications.

Optionally, you can implement a OneDrive for Business hybrid scenario. You can redirect users to OneDrive for Business in Office 365 when they choose OneDrive in the navigation bar (SharePoint Server 2010 and SharePoint Server 2013) or in the app launcher (SharePoint Server 2016). In SharePoint Server 2013 and SharePoint Server 2016, hybrid OneDrive for Business is available as part of several hybrid option bundles. See Hybrid sites features and OneDrive for Business for details.

Hybrid OneDrive for Business is also available with SharePoint Server 2010. See Configure hybrid OneDrive for Business in SharePoint Server 2010 for details.

I want to sync OneDrive for Business libraries across on-premises and Office 365

To sync SharePoint libraries across on-premises and Office 365, you will need to install both versions of OneDrive for Business. The onedrive.exe and groove.exe clients can run at the same time.

For instructions on how to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online, see How to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online. If you are using Office 2016 applications, refer to How to install the OneDrive for Business sync client for SharePoint 2013 and later and SharePoint Online when using Office 2016 applications.

Optionally, you can implement a OneDrive for Business hybrid scenario. You can redirect users to OneDrive for Business in Office 365 when they choose OneDrive in the navigation bar (SharePoint Server 2010 and SharePoint Server 2013) or in the app launcher (SharePoint Server 2016). In SharePoint Server 2013 and SharePoint Server 2016, hybrid OneDrive for Business is available as part of several hybrid option bundles. See Hybrid sites features and OneDrive for Business for details.

Hybrid OneDrive for Business is also available with SharePoint Server 2010. See Configure hybrid OneDrive for Business in SharePoint Server 2010 for details.

I want to sync SharePoint and OneDrive for Business libraries across on-premises and Office 365

To sync SharePoint libraries across on-premises and Office 365, you will need to install both versions of OneDrive for Business. The onedrive.exe and groove.exe clients can run at the same time.

For instructions on how to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online, see How to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online. If you are using Office 2016 applications, refer to How to install the OneDrive for Business sync client for SharePoint 2013 and later and SharePoint Online when using Office 2016 applications.

Optionally, you can implement a OneDrive for Business hybrid scenario. You can redirect users to OneDrive for Business in Office 365 when they choose OneDrive in the navigation bar (SharePoint Server 2010 and SharePoint Server 2013) or in the app launcher (SharePoint Server 2016). In SharePoint Server 2013 and SharePoint Server 2016, hybrid OneDrive for Business is available as part of several hybrid option bundles. See Hybrid sites features and OneDrive for Business for details.

Hybrid OneDrive for Business is also available with SharePoint Server 2010. See Configure hybrid OneDrive for Business in SharePoint Server 2010 for details.

Security and Compliance

Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive

The collaboration landscape has changed: people expect to work across both boundaries and devices, to bring content with them rather than bringing themselves to content. Location, location, location is the best choice when buying or selling a home, but it introduces new challenges when it comes to securing that content. Ubiquitous connectivity and the proliferation of devices mean responding to new security challenges. SharePoint Online and OneDrive for Business are uniquely positioned to help you address these challenges…

Over the past several weeks we’ve introduced a variety of policies, including location-based policies, that provide contextual controls at the user, location, device, and app levels, and we’re excited to share that you can now explore new device-based policies in First Release.

Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device.

Device-based policies let you allow or block access, or challenge users with Multi-Factor Authentication, device enrollment, or a password change.

Device-based policies for SharePoint Online and OneDrive for Business in First Release help administrators ensure that data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices, by limiting access to content to the browser. This prevents files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

With conditional access you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Configuring Device-based Policies in First Release Tenants

To begin using device-based policies you must have your Office 365 tenant set up for First Release.

1. In the SharePoint admin center, click device access.

2. Under Control access from devices that aren’t compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.

For detailed information on configuring these policies see also https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622?ui=en-US&rs=en-US&ad=US&fromAR=1.

FAQ

Q:  Are there any license requirements to use these new policies?

A: Yes. An active Azure Active Directory Premium (P1) license, in addition to Intune licenses, is required.

Q:  Does the policy apply to existing sessions?

A:  No, policy applies to new sessions only.

Q:  Are there special considerations for files that do not support online viewing?

A: Yes. By default, files that can’t be viewed online (such as zip files) can be downloaded. If you want to prevent download of these files onto unmanaged devices, you can opt in to block download of files that can’t be viewed on the web. This will result in a read-only experience for end users, and customizations may be affected.

Q: How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps?

A: To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps, we recommend you reuse Azure AD conditional access policies to allow access only from managed devices. For additional information refer to https://www.microsoft.com/en-us/cloud-platform/conditional-access. For additional security on high business impact (HBI) data you should also consider using Azure RMS.

Security and Compliance

File Security in SharePoint Online and OneDrive for Business (Whitepaper)

When choosing a cloud collaboration platform, the most important consideration is trust in your provider. Microsoft SharePoint and OneDrive for Business are covered by the core tenets of earning and maintaining trust: security, privacy, compliance, and transparency. With SharePoint and OneDrive, they’re your files. You own them and control them. The Microsoft approach to securing your files involves:

A set of customer-managed tools that adapt to your organization and its security needs.
A Microsoft-built security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs.

These tools and processes apply to all Microsoft Office 365 services—including SharePoint and OneDrive—so all your content beyond files is secure.

Learn more about file security in SharePoint Online and OneDrive for Business in this whitepaper https://www.microsoft.com/en-us/download/details.aspx?id=53884.

OneDrive for Business, Security and Compliance, SharePoint

Conditional Access Policies with SharePoint Online and OneDrive for Business

The days of the corporate boundary beginning at the firewall are over; today’s corporate boundary is the end user. Connectivity is ubiquitous, and with an endless number of devices available, people have an increasing number of options for staying connected at any time, anywhere.

The freedom to work fluidly, independent of location, has become an expectation, as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless. However, data loss is non-negotiable, and overexposure of information can have lasting legal and compliance implications. IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

SharePoint Online and OneDrive for Business are uniquely positioned to respond to today’s evolving security challenges. Conditional access policies are a first step toward providing administrators security and control in a mobile and connected world. Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. Conditional access policies with SharePoint and OneDrive allow administrators to define policies that provide contextual controls at the user, location, device, and app levels.

In January we made location-based policies available to First Release tenants, which allow administrators to limit access to content from defined networks. These policies ensure content can only be accessed when someone is connected to the defined network, denying access outside of that boundary – whether the content is accessed via a browser, application, or mobile app.

Configuring Location-Based Policies

To configure location-based policies:

Navigate to the SharePoint Admin Center in Office 365 and select device access from the list of available options (see illustration).

[Illustration: the device access option in the SharePoint Admin Center settings]

On the Restrict access based on device or network location page, navigate to Control access based on network location and specify a range of allowed IP addresses (see illustration).

[Illustration: the Control access based on network location setting with an allowed IP address range]

In scenarios where an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the Azure Active Directory policy is evaluated first, followed by the SharePoint policy; the specified ranges should not be in conflict with one another. To learn more about conditional access in Azure Active Directory see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access.
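Because the Azure Active Directory policy is evaluated before the SharePoint policy, a SharePoint range that Azure AD does not allow is dead configuration, and an Azure AD range that SharePoint does not allow is blocked one step later. The following script is an added example (my code, not from this post or from Microsoft) that checks two constructed range lists for exactly those inconsistencies with Python's ipaddress module; the range values are documentation addresses, not real tenant settings.

```python
"""Check that a SharePoint Online network-location allow list is consistent
with the IP ranges of an Azure AD conditional access named location.

Added example, not code from the post or from Microsoft. Reported findings:
  * invalid entries that neither portal would accept;
  * SharePoint ranges not allowed by Azure AD (blocked before SharePoint
    is consulted, so the SharePoint entry can never take effect);
  * Azure AD ranges not allowed by SharePoint (sign-in succeeds, SharePoint
    then denies; correct only if SharePoint is meant to be the tighter policy).
"""
import ipaddress

# Constructed sample values (RFC 5737 documentation ranges, not real tenants).
SPO_ALLOW_LIST = [
    "203.0.113.0/24",      # matches an Azure AD range exactly
    "198.51.100.0/25",     # together with the next entry covers the
    "198.51.100.128/25",   #   Azure AD /24 below
    "192.0.2.77",          # single host that Azure AD does not allow
    "not-an-ip",           # malformed entry, as an admin might mistype
]
AAD_NAMED_LOCATION = [
    "203.0.113.0/24",
    "198.51.100.0/24",
]


def parse_ranges(entries):
    """Return (networks, invalid_entries). Bare hosts become /32 or /128."""
    networks, invalid = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            invalid.append(entry)
    return networks, invalid


def covered(net, nets):
    """True if every address of `net` lies inside the union of `nets`.

    collapse_addresses merges adjacent and overlapping blocks into a minimal
    set of CIDR blocks, so a fully covered `net` is a subnet of one collapsed
    block, while partial coverage leaves it a subnet of none.
    """
    same_family = [n for n in nets if n.version == net.version]
    merged = ipaddress.collapse_addresses(same_family)
    return any(net.subnet_of(block) for block in merged)


def check_policy_consistency(spo_entries, aad_entries):
    """Compare the two allow lists and report every inconsistency found."""
    spo_nets, spo_invalid = parse_ranges(spo_entries)
    aad_nets, aad_invalid = parse_ranges(aad_entries)
    return {
        "invalid_spo": spo_invalid,
        "invalid_aad": aad_invalid,
        # SharePoint ranges that Azure AD would block first.
        "spo_unreachable": [str(n) for n in spo_nets if not covered(n, aad_nets)],
        # Azure AD ranges that SharePoint would then block.
        "aad_blocked_by_spo": [str(n) for n in aad_nets if not covered(n, spo_nets)],
    }


if __name__ == "__main__":
    report = check_policy_consistency(SPO_ALLOW_LIST, AAD_NAMED_LOCATION)
    for finding, items in report.items():
        print(f"{finding}: {items or 'none'}")
```

On the sample lists the script flags the malformed entry and the single host that Azure AD never admits, while the two SharePoint /25 ranges are recognised as fully covering the Azure AD /24.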

Conditional access policies are just one of a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time. To learn more about how Office 365 safeguards your data while increasing employee productivity see https://www.microsoft.com/en-us/trustcenter/cloudservices/office365.

FAQ

Q: Is location-based policy limited to SharePoint Online and OneDrive for Business?
A: Location-based policy, as configured through the SharePoint Admin Center, is limited to SharePoint Online, OneDrive for Business, and Groups.

Q: Is location-based policy available to E3?
A: Yes. Location-based policy is available to all SharePoint Online SKUs, including E3.

Q: Does location-based policy require Azure Active Directory Premium?
A: No, location-based policy does not require Azure Active Directory Premium.

Events, SharePoint

The SharePoint Journey

Microsoft Ignite will open the window to our vision, strategy, and future for SharePoint and provide a first look at the most recent developments with SharePoint Server 2016: from the business value for organizations looking to modernize their workplace and infrastructure, to the technical value it will deliver to IT Professionals and Developers, as well as new hybrid investments for those customers looking to enrich their existing investments with cloud innovation.

With Microsoft Ignite just around the corner, it’s time to look back and provide a little historical SharePoint information.

There have been 5 SharePoint releases.

1997-1998

“Exchange and SharePoint become best friends”

Exchange Server works on a new information store (Web Store) to support document, web content, and e-mail management.

Codename Tahoe (the genesis of SharePoint Products and Technologies) advances Platinum, introducing document management capabilities through WebDAV (Web Distributed Authoring and Versioning) in addition to an improved search and indexing engine.

Platinum and Tahoe would represent a new, next generation messaging, collaboration, and document management platform.

Learn more about the evolution of SharePoint’s storage architecture at http://blogs.technet.com/b/wbaer/archive/2012/12/20/shredded-storage-and-the-evolution-of-sharepoint-s-storage-architecture.aspx.

1999

“A gem is found in nuggets”

Microsoft makes available a free download called Digital Dashboard Starter Kit, introducing our first portal framework. Solutions based on the starter kit enabled a user interface that could reside within Outlook through visual aids called “nuggets” that displayed information from a variety of content sources – “nuggets” would later take on the name Web Parts.

2000-2001

“A rolling milestone gathers no moss”

Tahoe reaches its beta 1 milestone in early 2000 and the Digital Dashboard Starter Kit is renamed the Digital Dashboard Resource Kit. In mid-2000 Tahoe reaches another important milestone (Beta 2) with important changes, including a new user interface based on the Digital Dashboard Resource Kit creating a “true” portal user experience, and subsequently retires its codename in favor of SharePoint Portal Server 2001.

2001

“So it begins”

SharePoint Portal Server 2001 is released and creates a portal web site that allows users to share documents and search for information across the organization and enterprise, including SharePoint Team Services-based Web sites—all within one extensible portal interface. SharePoint Portal Server includes robust document management features that allow companies to incorporate business processes into their portal solution, but is limited by the Web Store and Digital Dashboard.

Web Store performance and scalability limited the expansion of SharePoint, and Digital Dashboards were developed outside of the core development platform (Visual Studio), which limited the audience for extensibility.

In parallel, the fledgling portal market began to see unprecedented growth and overlap with the existing Web Content Management (WCM) market, which included CMS 2001.

As the growth and adoption of SharePoint Portal Server 2001 continued to rise in the then-new portals market, SharePoint Team Services was released in conjunction with Office 2000, providing web-based team-centric collaboration capabilities.

2002-2003

“Raise the roof”

The Web Store, the storage foundation for SharePoint Portal Server 2001, is replaced with SQL Server as the storage backend – on the other side of the topology, Digital Dashboards were phased out in favor of ASP.NET, improving overall scalability and portal capabilities at the expense of some document management capabilities, notably document profiles and workflow, which were to be removed from the upcoming SharePoint release.

This was also a tumultuous time for SharePoint Team Services – but in the end the teams responsible for SharePoint Portal Server and SharePoint Team Services were converged. In parallel to the changes affecting the technologies that powered SharePoint, CMS evolved as well, leveraging ASP.NET on the frontend and delivered as CMS 2002.

In 2002 SharePoint Team Services was officially renamed Windows SharePoint Services (WSS) and packaged in Windows Server 2003 as a Feature of the server – like SharePoint Portal Server, it also provided a collaboration store and a Web Part user interface built on ASP.NET.

In this same period SharePoint Portal Server (v2 at the time) was officially branded Microsoft Office SharePoint Portal Server 2003 (no longer referred to as codename Matrix), built on top of Windows SharePoint Services, but delivered independently of Windows Server 2003.

This new release contained important scenarios such as search and indexing, but also ushered in personalization (people-centric collaboration), and enhanced taxonomy capabilities with improved overall manageability.

2004-2005

“Got SOX?”

SOX, or Sarbanes-Oxley, is introduced to the world and changes document and records management practices. In response, the CMS and SharePoint Portal Server groups converge in 2004 and Web Parts built using ASP.NET are enabled for developers. The extensibility era begins…

Near the end of 2005 ASP.NET v2 launches to include new native Web Parts and Windows Workflow Foundation becomes a native add-on to Windows Server that provides a new workflow service that other applications can build on.

2005

“Time to Groove”

In 2005, Groove was acquired: a peer-to-peer (P2P) team-based collaboration product that also included synchronization of SharePoint sites.

2006-2007

“Who puts MOSS on a server anyway”

Microsoft Office SharePoint Server 2007 is born signifying a leap forward in experiences.

Microsoft Office SharePoint Server 2007 was defined as a Microsoft server product that creates a portal website that allows users to share documents and search for information across the organization and enterprise within one extensible portal interface.


Windows SharePoint Services moves forward, but now as a standalone product rather than a Windows Server feature.

Groove Server 2007 is released with Microsoft Office SharePoint Server 2007, which provides the server software and tools that IT organizations can use to best deploy, manage, and integrate the Groove functionality that comes with the new Groove 2007.

2009

SharePoint Server 2010 is released, the first in two successive releases to drop the Microsoft Office branding.

Groove is renamed SharePoint Workspace and released as Microsoft SharePoint Workspace 2010; the server management platform remains Groove Server and is released as Groove Server 2010.

2012

On 10/11/12 the world is introduced to the most recent generation of SharePoint Products and Technologies, SharePoint 2013.

Personal sites, a staple of SharePoint people-centric collaboration, are rebranded and paired with a new sync client powered by Groove as SkyDrive Pro. Over the course of the SharePoint Server 2013 release these capabilities will become OneDrive for Business.

2015

The next generation of SharePoint is revealed as SharePoint Server 2016 – want to learn more… Register now for Microsoft Ignite.

Administration, SharePoint

SharePoint IT…evolving?

The English philosopher Alan Watts once said “The only way to make sense out of change is to plunge into it, move with it, and join the dance”.

A recent #CollabTalk topic was that of the changing role of SharePoint IT…as the cloud becomes mainstream, this conversation will inevitably thrive as a broader topic that transcends SharePoint.

And while change may be inevitable, opportunity continues to rise – the cloud has given way to capabilities previously impossible behind the firewall, from predictive analytics to machine learning, to infinite storage and on-demand access to content and conversations.

For IT, the cloud is often perceived as a disruptive force, as it has enabled both businesses and individuals to secure technology on their own, ushering in the BYOD era – and while disruption can be real or perceived, there’s opportunity for IT to become an enabler. Though the pressures exist that ask IT to do more, to drive business process, reduce cost, advance innovation, and deliver new, compelling user experiences… the cloud uniquely positions IT to meet those demands.

The role of IT has largely been based on a reactive relationship to the environments it supports; the opportunity in this transition to the cloud is for IT to become a proactive force, a value-added service broker.

When we launched SharePoint Server 2013 in October of 2012 we had a vision in which the cloud and on-premises would converge – through parity and through unique technology investments that differentiate SharePoint from other collaborative platforms; hybrid is representative of those early investments. As we moved through 2013 we delivered a number of cumulative updates and introduced new ways to consume SharePoint, namely in Windows Azure. Finally, in early 2014, just prior to the 2014 SharePoint Conference, we shipped Service Pack 1. Throughout the lifecycle of SharePoint we’ve continued to explore ways we can support IT through this transition, from enabling OneDrive for Business in Office 365 and Yammer for SharePoint on-premises to improving the hybrid experience.

SharePoint on-premises provides a valuable experience that is defined by the sum of its parts, whereas in the cloud SharePoint isn’t delivered as much as a platform as through its unique capabilities. On-premises, search experiences are defined by the out-of-the-box (OOTB) search service, in the cloud by Office Delve; social is defined by the Newsfeed, in the cloud by Yammer; collaboration and mobility are defined in Team Sites, Device Channels, etc., in the cloud by OneDrive for Business…

So has IT changed? Absolutely, but for the better… with new opportunities IT becomes an extension of the business, driving and delivering strategy and pulling together experiences within and beyond the firewall.

Succeeding with the cloud means understanding where it can add value to existing capabilities, such as enabling mobility and anytime, anywhere access while working with familiar IT controls, or extending your datacenter with Microsoft Azure, extending your platform with SharePoint in Microsoft Azure, and extending your workloads with Office 365.

As Albert Einstein said “Strive not to be a success, but rather to be of value”.

Learn more at http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx. These resources provide a roadmap for exploring, planning, installing, and configuring SharePoint Server 2013 and SharePoint Online hybrid environments.