Secure your information with SharePoint and OneDrive

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure – and while we continue to drive forward with a cloud-first, mobile-first vision – security and compliance are at the foundation of everything we do.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint Online and OneDrive for Business more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

The collaboration landscape has changed. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.
While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.


SharePoint Online and OneDrive for Business are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint Online and OneDrive for Business. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint Online and OneDrive for Business allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work, while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it – click here to explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

What’s coming next with Administration and Manageability?
In Q4 CY2017 we will begin rolling out the new SharePoint admin center. From the home page, you’ll notice just how much better it is, with interactive activity reports, Message Center posts, and a health dashboard tuned to the needs of SharePoint administrators.


You’ll easily find and work with the dozens of SharePoint settings the service gives you to configure sharing, access, and the service. And we know you’ll love the dynamic new Site Management page, which lets you view, filter, and edit the configuration of all of your SharePoint sites, including sites connected to Office 365 groups.


What’s coming next with Security and Compliance?
The rapidly changing security landscape means that your organization’s content – its knowledge – is being shared more broadly, and accessed from more devices and more locations, than ever before. We’re committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams.

Today we announced upcoming support for customer-managed keys. In Q4 CY2017, you will be able to host your own key in Azure. That key will be used to further encrypt your data in Office 365, so that should you choose to leave Office 365, you can revoke the key and your data will be inaccessible to the service.

We also announced that conditional access policies will be coming to site collections. These policies allow you to define access based not only on user and permission levels, but also on the device, the user, or the location. Conditional access policies can currently be applied to your Office 365 tenant as a whole. In late CY2017 we will allow you to define these policies at the site collection level, so that you can manage security on a granular, use-case basis.

Watch the short video here that demonstrates and shares more details about these investments, and we hope to see you at Microsoft Ignite, where you can learn more about what’s next for security, compliance, and administration for SharePoint and OneDrive.

Which OneDrive for Business Sync Client is Right for Me?

I want to sync SharePoint and OneDrive for Business libraries on-premises

To sync on-premises instances of OneDrive for Business or SharePoint site libraries (when you don’t have an Office 365 business or 21 Vianet subscription), you need to use the previous OneDrive for Business sync client (Groove.exe). If you’re not sure which version of OneDrive you’re using, or which version of OneDrive you need, see also Which version of OneDrive am I using? for information on determining which sync client you are using.

See also Set up your computer to sync SharePoint Server on-premises files for information on configuring OneDrive for Business.

I want to sync SharePoint and OneDrive for Business libraries in Office 365

OneDrive for Business can sync both OneDrive for Business libraries as well as SharePoint Online document libraries from team sites. For more information about this functionality and how to set up team site sync using OneDrive for Business, see the following Microsoft website:

Enable users to sync SharePoint files with the new OneDrive sync client

If you want to sync from SharePoint on-premises environments or sync another user’s OneDrive library, you should use the previous OneDrive for Business application (Groove.exe).

See also Set up your computer to sync your OneDrive for Business files in Office 365 for information on configuring OneDrive for Business and Sync SharePoint files with the new OneDrive sync client for information on sync for SharePoint libraries in Office 365 with OneDrive for Business.

I want to sync SharePoint libraries across on-premises and Office 365

To sync SharePoint libraries both on-premises and in Office 365, you will need to install both versions of OneDrive for Business. Both the onedrive.exe and groove.exe clients can run at the same time.

For instructions on how to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online, see also How to install the OneDrive for Business sync client for SharePoint 2013 and SharePoint Online. If you are using Office 2016 applications, refer to How to install the OneDrive for Business sync client for SharePoint 2013 and later and SharePoint Online when using Office 2016 applications.

Optionally, you can choose to implement a OneDrive for Business hybrid scenario. You can redirect users to OneDrive for Business in Office 365 when they choose OneDrive in the navigation bar (SharePoint Server 2010 and SharePoint Server 2013) or in the app launcher (SharePoint Server 2016). In SharePoint Server 2013 and SharePoint Server 2016, hybrid OneDrive for Business is available as part of several hybrid option bundles. See Hybrid sites features and OneDrive for Business for details.

Hybrid OneDrive for Business is also available with SharePoint Server 2010. See Configure hybrid OneDrive for Business in SharePoint Server 2010 for details.

I want to sync OneDrive for Business libraries across on-premises and Office 365

The steps are the same as for syncing SharePoint libraries across on-premises and Office 365 (see the previous section): install both versions of OneDrive for Business, optionally with a hybrid OneDrive for Business scenario.

I want to sync SharePoint and OneDrive for Business libraries across on-premises and Office 365

The steps are the same as for syncing SharePoint libraries across on-premises and Office 365 (see above): install both versions of OneDrive for Business, optionally with a hybrid OneDrive for Business scenario.

Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive

The collaboration landscape has changed: people expect to work across both boundaries and devices, and to bring content with them rather than bringing themselves to content. Location, location, location is the best choice when buying or selling a home, but it introduces new challenges when it comes to securing that content. Ubiquitous connectivity and the proliferation of devices mean responding to new security challenges. SharePoint Online and OneDrive for Business are uniquely positioned to help you address these challenges…

Over the past several weeks we’ve introduced a variety of policies, including location-based policies, that provide contextual controls at the user, location, device, and app levels, and we’re excited to share that you can now explore new device-based policies in First Release.

Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device.

Device-based policies let you allow or block access, or challenge users with Multi-Factor Authentication, device enrollment, or a password change.

Device-based policies for SharePoint Online and OneDrive for Business in First Release help administrators ensure that data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices. They do this by limiting access to content to the browser, which prevents files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

With conditional access you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Configuring Device-based Policies in First Release Tenants

To begin using device-based policies you must have your Office 365 tenant set up for First Release.

1. In the SharePoint admin center, click device access.

2. Under Control access from devices that aren’t compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.

For detailed information on configuring these policies see also https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622?ui=en-US&rs=en-US&ad=US&fromAR=1.

FAQ

Q:  Are there any license requirements to use these new policies?

A: Yes. An active Azure Active Directory Premium (P1) license, in addition to Intune licenses, is required.

Q:  Does the policy apply to existing sessions?

A:  No, policy applies to new sessions only.

Q:  Are there special considerations for files that do not support online viewing?

A: Yes. By default, files that can’t be viewed online (such as zip files) can be downloaded. If you want to prevent download of these files onto unmanaged devices, you can opt in to block download of files that can’t be viewed on the web. This will result in a read-only experience for end users, and customizations may be affected.

Q: How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps?

A: To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps, we recommend you re-use AAD CA policies to allow access only from managed devices. For additional information refer to https://www.microsoft.com/en-us/cloud-platform/conditional-access. For additional security on HBI data you should also consider using Azure RMS.

File Security in SharePoint Online and OneDrive for Business (Whitepaper)

When choosing a cloud collaboration platform, the most important consideration is trust in your provider. Microsoft SharePoint and OneDrive for Business are covered by the core tenets of earning and maintaining trust: security, privacy, compliance, and transparency. With SharePoint and OneDrive, they’re your files. You own them and control them. The Microsoft approach to securing your files involves:

A set of customer-managed tools that adapt to your organization and its security needs.
A Microsoft-built security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs.

These tools and processes apply to all Microsoft Office 365 services—including SharePoint and OneDrive—so all your content beyond files is secure.

Learn more about file security in SharePoint Online and OneDrive for Business in this whitepaper https://www.microsoft.com/en-us/download/details.aspx?id=53884.

Conditional Access Policies with SharePoint Online and OneDrive for Business

The days of the corporate boundary beginning at the firewall are over, today’s corporate boundary is the end user.  Connectivity is ubiquitous and with an endless number of devices available, people have an increasing number of options for staying connected at anytime, anywhere.

The freedom to work fluidly, independent of location has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications.  IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

SharePoint Online and OneDrive for Business are uniquely positioned to respond to today’s evolving security challenges. A first step toward providing administrators security and control in a mobile and connected world is conditional access policies. Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. Conditional access policies with SharePoint and OneDrive allow administrators to define policies that provide contextual controls at the user, location, device, and app levels.

In January we made location-based policies available to First Release tenants, which allow administrators to limit access to content from defined networks. These policies ensure content can only be accessed when someone is connected to the defined network, denying access outside of that boundary – whether the content is accessed via a browser, application, or mobile app.

Configuring Location-Based Policies

To configure location-based policies:

Navigate to the SharePoint Admin Center in Office 365 and select device access from the list of available options (see illustration).

[Illustration: settingsconditionalaccess]

On the Restrict access based on device or network location page navigate to Control access based on network location and specify a range of allowed IP addresses (see illustration).

[Illustration: devicepolicy]

In scenarios where an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the AADP policy is evaluated first, followed by the SharePoint policy; the specified ranges should therefore not be in conflict with one another. To learn more about conditional access in Azure Active Directory see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access.
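The evaluation order above has a practical consequence: any range the SharePoint policy allows but the Azure AD policy does not is unreachable, because Azure AD refuses the sign-in first. The following added example (not from the original post or from Microsoft) checks two constructed allow lists for exactly that kind of conflict and walks a few client addresses through both policies in order. The accepted range syntax (CIDR, single address, or a dashed start-end range) and the sample ranges are assumptions of this example.

```python
import ipaddress
from typing import Iterable, List, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_ranges(values: Iterable[str]) -> List[Net]:
    """Parse admin-entered ranges: CIDR ("203.0.113.0/24"), a single address,
    or a dashed range ("203.0.113.10-203.0.113.20"). The accepted syntax is an
    assumption of this example, not taken from the admin center."""
    nets: List[Net] = []
    for raw in values:
        text = raw.strip()
        if not text:
            continue
        if "-" in text:
            start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets.extend(ipaddress.summarize_address_range(start, end))
        else:
            nets.append(ipaddress.ip_network(text, strict=False))
    return nets


def uncovered_by_aad(spo_ranges: List[Net], aad_ranges: List[Net]) -> List[Net]:
    """Parts of the SharePoint allow list that no Azure AD range covers.
    Clients in these ranges are refused by Azure AD before the SharePoint
    policy is ever consulted, so the SharePoint entry is dead configuration."""
    gaps: List[Net] = []
    for spo in spo_ranges:
        remaining = [spo]
        for aad in aad_ranges:
            kept: List[Net] = []
            for part in remaining:
                if part.version != aad.version or not part.overlaps(aad):
                    kept.append(part)                  # untouched by this AAD range
                elif part.subnet_of(aad):
                    continue                           # fully covered: drop it
                else:                                  # AAD range sits inside part: carve it out
                    kept.extend(part.address_exclude(aad))
            remaining = kept
        gaps.extend(remaining)
    return gaps


def evaluate(client_ip: str, aad_ranges: List[Net], spo_ranges: List[Net]) -> str:
    """Apply the two policies in the order described above: Azure AD, then SharePoint."""
    ip = ipaddress.ip_address(client_ip)
    if not any(ip in net for net in aad_ranges):
        return "blocked by Azure AD"
    if not any(ip in net for net in spo_ranges):
        return "blocked by SharePoint"
    return "allowed"


# Constructed sample configuration using documentation ranges, not real tenant values.
AAD_RANGES = parse_ranges(["203.0.113.0/24", "198.51.100.0/25"])
SPO_RANGES = parse_ranges(["203.0.113.0/26", "198.51.100.0/24", "192.0.2.10"])

if __name__ == "__main__":
    for gap in uncovered_by_aad(SPO_RANGES, AAD_RANGES):
        print(f"SharePoint allows {gap} but Azure AD does not: unreachable")
    for ip in ("203.0.113.7", "203.0.113.100", "198.51.100.200"):
        print(ip, "->", evaluate(ip, AAD_RANGES, SPO_RANGES))
```

Run this against both lists before publishing a change; a non-empty result from `uncovered_by_aad` means a network your SharePoint policy intends to admit will never reach the service.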

Conditional access policies are just one of a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time.  To learn more about how Office 365 safeguards your data while increasing employee productivity see https://www.microsoft.com/en-us/trustcenter/cloudservices/office365.

FAQ

Q: Is location-based policy limited to SharePoint Online and OneDrive for Business?
A: Location-based policy, as configured through the SharePoint Admin Center, is limited to SharePoint Online, OneDrive for Business, and Groups.

Q: Is location-based policy available to E3?
A: Yes. Location-based policy is available to all SharePoint Online SKUs, including E3.

Q: Does location-based policy require Azure Active Directory Premium?
A: No, location-based policy does not require Azure Active Directory Premium.