Administration, Security and Compliance, SharePoint

Security at the Site-Collection Level in SharePoint Online

Balancing security and usability is core to ensuring people can collaborate effectively without interrupting the necessary flow of information across organizations. With SharePoint Online we’ve been at work developing security and sharing controls that are scoped at the site collection level. This allows Tenant administrators to configure more restrictive controls at the site collection level than those configured at the Tenant level, providing a balance between the need to protect corporate information and the requirement to collaborate effectively across and outside of the corporate boundary.

Site Collection Controls

Restricted Domain Sharing Controls

With SharePoint Online, sites can be shared with users from specific domains by using the restricted domains setting. This is useful for a business-to-business extranet scenario where sharing needs to be limited to a particular business partner or external user.

Administrators can configure external sharing by using either a domain allow list or a domain deny list, at either the tenant level or the site collection level. With the allow list, sharing invitations can only be sent to the email domains listed; with the deny list, users are prohibited from sending invitations to the email domains listed.

To restrict external sharing by domain in SharePoint Online at the site collection level:

  1. From the SharePoint Admin Center, select the site collections tab.
  2. Select a site collection, and then click Sharing.
  3. Under Site collection additional settings, select the Limit external sharing using domain check box.
  4. From the drop-down list, choose either Don’t allow sharing with users from these blocked domains to deny access to the listed domains, or Allow sharing only with users from these domains to limit access to only the domains you list.
  5. List the domains (maximum of 60) in the box provided, using the format domain.com. If listing more than one domain, separate each domain with a space or a carriage return.

Site-Scoped Conditional Access Policies

New to SharePoint Online are site-scoped conditional access policies. Device-based policies for SharePoint and OneDrive help administrators ensure data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices, by limiting access to content to the browser and preventing files from being taken offline or synchronized with OneDrive on unmanaged devices, at either the Tenant or site collection level.

Site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed, and you have connected to SharePoint Online.

NOTE

The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

Connect-SPOService -Url https://<URL to your SPO admin center>
$t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess
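The following is an added example (not code from the original post) that puts the three commands above together with the restricted-domain sharing steps from the previous section, done in PowerShell rather than the admin center. The admin-center URL, site URL and partner domains are placeholders; the tenant-level check enforces the precondition stated in the NOTE.

```powershell
# Added example, not part of the original post. All URLs and domain names are placeholders.
$AdminCenterUrl = 'https://contoso-admin.sharepoint.com'        # <URL to your SPO admin center>
$SiteUrl        = 'https://contoso.sharepoint.com/sites/Legal'   # site collection to lock down
$PartnerDomains = 'fabrikam.com northwind.com'                   # allow list, space separated as in the admin center

function Test-DomainAllowList {
    # Applies the two constraints the post states: at most 60 domains, each in the form domain.com.
    param([string]$List)
    $domains = @($List -split '[\s\r\n]+' | Where-Object { $_ })
    if ($domains.Count -gt 60) { throw "Allow list has $($domains.Count) domains; the maximum is 60." }
    $bad = @($domains | Where-Object { $_ -notmatch '^[a-z0-9.-]+\.[a-z]{2,}$' })
    if ($bad.Count -gt 0) { throw "Not in domain.com form: $($bad -join ', ')" }
    return $domains.Count
}

Connect-SPOService -Url $AdminCenterUrl

# Precondition from the NOTE: the Tenant-level device policy must be Full Access before
# a site collection can be scoped more tightly than the tenant.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne 'AllowFullAccess') {
    throw "Tenant ConditionalAccessPolicy is '$($tenant.ConditionalAccessPolicy)'; set it to AllowFullAccess first."
}

# Browser-only access from unmanaged devices for this one site collection; every other
# site keeps the (more permissive) tenant policy.
$site = Get-SPOSite -Identity $SiteUrl
Set-SPOSite -Identity $site.Url -ConditionalAccessPolicy AllowLimitedAccess

# Restrict external sharing on the same site collection to the partner allow list.
# This is the PowerShell form of the admin-center steps in the previous section.
$null = Test-DomainAllowList -List $PartnerDomains
Set-SPOSite -Identity $site.Url -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList $PartnerDomains

# Read the settings back and verify the effective state instead of trusting that the
# commands returned without error.
Get-SPOSite -Identity $site.Url |
    Select-Object Url, ConditionalAccessPolicy, SharingDomainRestrictionMode, SharingAllowedDomainList
```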

Read more about site-scoped conditional access at https://blogs.technet.microsoft.com/wbaer/2017/10/08/site-scoped-conditional-access-policies-in-sharepoint-online/.

Additional Controls

Allow users to Invite new partner users:    In certain site collections, admins can optionally allow users to invite new partner users. In this model, an email invite is sent to the partner user and the user must redeem that invite to access the resource. See Manage external sharing for your SharePoint Online environment for details.

Sharing by site owners only:    Site collections can be configured so that only site owners can bring in new users or share with them. Site members, who are typically external partner users, can see only the existing site members in the site. This helps in governing what partners can see and with whom they can share documents.

To learn more about security and compliance with SharePoint and OneDrive:

Administration, Security and Compliance, SharePoint

Site-Scoped Limited Access Policies in SharePoint Online

In March 2017 we introduced device-based policies for SharePoint and OneDrive that enable administrators to configure Tenant-level policies.

Device-based policies for SharePoint and OneDrive help administrators ensure corporate data is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to the content to the browser, preventing files from being taken offline or synchronized with OneDrive.

On September 1st, 2017 we continued to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing a new level of granularity: administrators can now scope device-based policies at the site collection level. In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.

In the demonstration above, the Tenant is configured with a permissive device access policy, allowing full access from unmanaged devices, including desktop apps, mobile apps, and browsers. The Marketing site inherits the policy configured at the Tenant; however, the Legal site has a less permissive policy than the one configured at the Tenant level. In addition, members of the Marketing site, while limited to browser-only access on unmanaged devices, can continue to edit content they have access to, providing a seamless collaborative experience.

Configuring Policies

Once available in First Release Tenants, site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.

NOTE

The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

  1. Connect-SPOService -Url https://<URL to your SPO admin center>
  2. $t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
  3. Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess
Events, OneDrive for Business, Security and Compliance, SharePoint

SharePoint & OneDrive Security & Compliance Updates from Microsoft Ignite

Last week at Microsoft Ignite we shared our investments, our vision, and our strategy for addressing today’s most challenging business and technology trends, which are ever broadening the threat landscape. From meeting complex corporate and governmental regulatory compliance to addressing a more mobile and connected workforce, SharePoint and OneDrive are uniquely positioned to address your business needs.

Stay ahead of data residency requirements with Multi-Geo capabilities in Microsoft 365

Governments around the world are strengthening laws and regulations to protect citizens’ data, preserve national security, and protect business interests.

New Multi-Geo Capabilities in Microsoft 365 with SharePoint and OneDrive give global organizations a way to maximize the value of Office 365, including SharePoint and OneDrive, while meeting data residency and compliance requirements. Multi-geo capabilities provide you with a choice of geographical locations in which to store, manage, and secure your data by allowing a single Office 365 tenant to span multiple regions, storing data on a per-user or per-site basis. So whether you’re adding a new user to your organization or need to move an existing user, together with their data, to a new region seamlessly and transparently to that user, the new multi-geo capabilities are designed to address those needs. Read more about Multi-Geo capabilities in Office 365 at https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-Multi-Geo-in-Office-365/ba-p/107016.

Watch and download Multi-Geo Capabilities in OneDrive and SharePoint Online at https://myignite.microsoft.com/videos/53873 from Microsoft Ignite.

Multi-Geo capabilities for OneDrive and SharePoint are in private preview today. If you’re interested and want to learn more visit the links below.

OneDrive http://aka.ms/OneDriveMultiGeo
SharePoint http://aka.ms/SharePointMultiGeo

Manage your service-level encryption key with Customer Key in Office 365

Gain greater trust from your own clients with service-level encryption with customer key, so that Microsoft does not see or extract any encryption keys.

Customer key with Office 365 allows you to take control of your information, providing an additional layer of security and data privacy above what is already supplied by Microsoft with SharePoint and OneDrive in Office 365. Customer key can be used to encrypt and/or decrypt the individual encryption keys used to encrypt your cloud storage service for SharePoint Online and OneDrive for Business. Additionally, you can decide when to change and/or revoke access to these keys, limiting Microsoft’s ability to access encrypted content.

Microsoft encrypts your content at rest and in transit throughout SharePoint, OneDrive and Office 365. In fact, we use multiple keys to encrypt your data, and distribute those keys across multiple data centers.  At the service level, we encrypt those keys that are used to encrypt your data. With customer lockbox, even our administrators have no ability to access your data without your explicit, time-bounded consent. Learn more about our encryption features here.

Service-level encryption with customer key goes one step further. You can manage the service-level key(s) that are used to encrypt the SharePoint and OneDrive data encryption keys. You can decide when to change these key(s) and, if your business requires, you can revoke the service-level key(s) and thereby deny the service access to your content. Read more about Controlling your data in Office 365 using Customer Key at https://support.office.com/en-us/article/Controlling-your-data-in-Office-365-using-Customer-Key-f2cd475a-e592-46cf-80a3-1bfb0fa17697.

Watch and download Manage and control your data to help meet compliance needs with Customer Key at https://myignite.microsoft.com/videos/53748 from Microsoft Ignite, and read the FAQ at https://support.office.com/en-us/article/Customer-Key-for-Office-365-FAQ-41ae293a-bd5c-4083-acd8-e1a2b4329da6.

Limit information overexposure with sharing and access policies

The risk of information exposure has increased because users don’t always work on desktop computers connected to the corporate network. Access controls now need to account for users connecting their mobile devices to non-secure networks or using their own unmanaged devices. These new access controls start with conditional access policies. Conditional access allows you to keep your corporate data safe while providing your users a secure environment in which they can work from any device. Conditional access in SharePoint Online and OneDrive for Business offers security that goes beyond user permissions. It considers the identity of the user, the devices and applications being used, the network that the user has connected to, and the sensitivity of the data being accessed.

Watch and download Create and manage sharing and access policies for SharePoint https://myignite.microsoft.com/videos/53875 from Microsoft Ignite.

Site-level device access policies

In March 2017, we introduced device access policies at the tenant level so you can control access from unmanaged or non-compliant devices to content stored in SharePoint and OneDrive. At Microsoft Ignite 2017, we announced and demonstrated new support for bringing these device access policies to the site collection level, so you can limit access from these devices on a site-by-site basis, based on the classification of the content. In addition, an administrator can also allow these devices to collaborate using the Web browser, providing a seamless user experience where unmanaged devices still need the ability to access and use content stored in one or more sites.

Session timeout policies

Unmanaged and non-compliant devices represent just one of many risks of information overexposure. The use of shared systems has also increased—from shared computers in the workplace to kiosks at hotels and airports, devices and networks often change, but the one constant is the corporate data they access. Also at Microsoft Ignite we shared our investments in idle-timeout scenarios that allow you to configure policy to automatically sign out sessions on these shared systems after a specified period of inactivity.

Secure external sharing

Secure external sharing in SharePoint and OneDrive provides a seamless external sharing experience that enables sending secure links to recipients outside of your organization. Those recipients are sent an email message with a time-limited, single-use verification code when they open the link. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.

Read more about secure external sharing at https://support.office.com/article/cc78357c-6d48-499c-9cc7-dae447d0d391.

Moving forward…

In today’s volatile economic climate, organizations require collaboration, communication, and productivity solutions to be both cost-effective and flexible.  SharePoint and OneDrive can help businesses achieve new levels of reliability and performance, delivering features and capabilities that simplify administration, protect communications and information, and empower users while meeting their demands for greater business mobility.

However, data loss is non-negotiable, and overexposure to information can have legal and compliance implications. In SharePoint and OneDrive, we’re providing a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time – whether challenged by an increasingly distributed and remote workforce, ubiquitous connectivity, or rapid changes in corporate and regulatory compliance, we’ll be there each step of the way, evolving our protection in parallel to your risk.

After all, the security landscape has changed. Ubiquitous connectivity has led users to expect data mobility across networks and across devices, and increasingly on personal devices and shared systems such as kiosks. These challenges, together with more complex corporate and regulatory compliance requirements, have only made it harder to stay ahead of the trends. The video below demonstrates a subset of the latest controls we’ve built and announced at Microsoft Ignite, and how we’ll continue to evolve our capabilities with more fine-grained controls – from the tenant and site level all the way down to the file level.

Office 365 is designed to meet every company’s needs for business productivity, content security and compliance with technical, legal and regulatory standards. We’ve been hard at work lighting up new productivity scenarios in OneDrive and SharePoint and architecting the service to support advanced features that help customers meet their regulatory security and compliance needs.

Resources

We understand that there is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work. Learn more about how we address our customers’ security and compliance concerns with the resources here.

eBook – http://www.microsoft.com/en-us/download/details.aspx?id=55242

Visual Interactive – http://sharepoint-infographic.azurewebsites.net/

Microsoft Ignite Recording – Security you can trust, control you can count on with SharePoint and OneDrive https://myignite.microsoft.com/videos/55100
Microsoft Ignite Recording – Learn how SharePoint Online safeguards your data in the cloud https://myignite.microsoft.com/videos/53874
Microsoft Ignite Recording – Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Office 365 https://myignite.microsoft.com/videos/53650
Security and Compliance

Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive

The collaboration landscape has changed, people expect to work across both boundaries and devices, to bring content with them versus bringing themselves to content.  Location, location, location is the best choice when buying or selling a home, but introduces new challenges when it comes to securing that content.  Ubiquitous connectivity and the proliferation of devices means responding to new security challenges.  SharePoint Online and OneDrive for Business are uniquely positioned to help you address these challenges…

Over the past several weeks we’ve introduced a variety of policies, including location-based policies, that provide contextual controls at the user, location, device, and app levels, and we’re excited to share that you can now explore new device-based policies in First Release.

Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device.

Device-based policies allow you to allow or block access or challenge users with Multi-Factor Authentication, device enrollment, or password change.

Device-based policies for SharePoint Online and OneDrive for Business in First Release help administrators ensure data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices, by limiting access to content to the browser and preventing files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

With conditional access you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Configured Device-based Policies in First Release Tenants

To begin using device-based policies you must have your Office 365 Tenant set up for First Release.

1. In the SharePoint admin center, click device access.

2. Under Control access from devices that aren’t compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.

For detailed information on configuring these policies see also https://support.office.com/en-us/article/Control-access-from-unmanaged-devices-5ae550c4-bd20-4257-847b-5c20fb053622?ui=en-US&rs=en-US&ad=US&fromAR=1.

FAQ

Q:  Are there any license requirements to use these new policies?

A:  Yes.  An active Azure Active Directory Premium (P1) license in addition to Intune licenses are required.

Q:  Does the policy apply to existing sessions?

A:  No, policy applies to new sessions only.

Q:  Are there special considerations for files that do not support online viewing?

A:  Yes, by default files that can’t be viewed online (such as zip files) can be downloaded. If you want to prevent download of these files onto unmanaged devices you can opt in to block download of files that can’t be viewed on the web. This will result in a read-only experience for the end users, and customizations may be affected.

Q:  How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps?

A:  To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps, we recommend you re-use AAD CA policies to allow access only from managed devices. For additional information refer to https://www.microsoft.com/en-us/cloud-platform/conditional-access. For additional security on HBI data you should also consider using Azure RMS.

Security and Compliance

File Security in SharePoint Online and OneDrive for Business (Whitepaper)

When choosing a cloud collaboration platform, the most important consideration is trust in your provider. Microsoft SharePoint and OneDrive for Business are covered by the core tenets of earning and maintaining trust: security, privacy, compliance, and transparency. With SharePoint and OneDrive, they’re your files. You own them and control them. The Microsoft approach to securing your files involves:

A set of customer-managed tools that adapt to your organization and its security needs.
A Microsoft-built security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs.

These tools and processes apply to all Microsoft Office 365 services—including SharePoint and OneDrive—so all your content beyond files is secure.

Learn more about file security in SharePoint Online and OneDrive for Business in this whitepaper https://www.microsoft.com/en-us/download/details.aspx?id=53884.

Security and Compliance

Unified eDiscovery and Data Loss Prevention in Office 365 Recap and Updates

Unified eDiscovery and Data Loss Prevention in Office 365 allows Tenant Administrators to create, manage, and secure content from a unified console (Office 365 Security and Compliance Center).

To date, Tenant Administrators have had to manage Data Loss Prevention for SharePoint, OneDrive for Business, and Exchange in two separate locations: the Office 365 Security and Compliance Center and the Exchange Admin Center, respectively. In January 2017, Data Loss Prevention was centralized for SharePoint, OneDrive for Business and Exchange in the Office 365 Security and Compliance Center. This unified Data Loss Prevention platform allows you to manage a variety of Office 365 scenarios through a single management layer – reducing time spent configuring and organizing policies across tools.


On July 1st, 2017 eDiscovery will also be unified in the Office 365 Security and Compliance Center. After July 1st, 2017 the ability to create new In-Place eDiscovery searches and In-Place Holds (*-MailboxSearch) in the Exchange Admin Center in Exchange Online, and the creation of new cases in the eDiscovery Center in SharePoint Online, will be disabled; new cases and searches should be created and managed through the Office 365 Security & Compliance Center to fulfill eDiscovery needs. In both cases, you will still be able to edit and run existing searches in the Exchange Admin Center and work with existing cases in the SharePoint eDiscovery Center.


These discrete solutions are being disabled due to their limited breadth across Office 365 services.  The Security & Compliance Center supports permissions, cases, holds and exports as well as Advanced eDiscovery features such as Themes, Email Threading, Near Duplicate Detections, and Predictive coding.  These changes only apply to the Exchange Admin Center in Exchange Online and the eDiscovery Center in SharePoint Online.

These changes do not impact any existing policies, searches or holds created via the EAC, and you will still be able to create new email DLP policies in the EAC (you will not be able to create new eDiscovery searches and In-Place Holds after July 1, 2017). However, it’s recommended to use the new DLP management experience in the Office 365 Security and Compliance Center, as this is where new capabilities will be delivered in the future.

Resources

Learn more about the Office 365 Security and Compliance Center at https://support.office.com/en-us/article/Office-365-Security-Compliance-Center-7e696a40-b86b-4a20-afcc-559218b7b1b8.

Learn more about eDiscovery in Office 365 at https://support.office.com/en-us/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bfce?ui=en-US&rs=en-US&ad=US.

Learn more about Data Loss Prevention in Office 365 at https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e.

FAQ

Where can I learn more about eDiscovery in the Office 365 Security & Compliance Center?
https://support.office.com/en-us/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bf…

Where can I learn more about Advanced eDiscovery in Office 365?
https://support.office.com/en-us/article/eDiscovery-in-Office-365-143b3ab8-8cb0-4036-a5fc-6536d837bf…

Does this change my Office 365 pricing or plan?
Although Advanced eDiscovery requires E5 Licensing, the base eDiscovery offering is available for all enterprise plans.

When will this happen?
New cases in the eDiscovery Center in SharePoint Online and new In-Place eDiscovery searches and holds in the Exchange Admin Center will be disabled on July 1, 2017. This might vary slightly based on the actual deployment schedule.

Will I still have access to my existing cases in the SharePoint eDiscovery Center?
Yes, you can continue to interact with all existing cases; you can add searches and holds and export from these cases. We are only removing the ability to add new cases. All new cases should be created in the Security & Compliance Center. For more information, see Manage eDiscovery cases in the Office 365 Security & Compliance Center.

Will I still have access to my existing searches and holds in the Exchange Admin Center?
Yes, you can continue to interact with all existing searches and holds in the Exchange Admin Center.  We are only removing the capability to create new searches.  All new searches should be created in the Security & Compliance Center. For more information, see Run a Content Search in the Office 365 Security & Compliance Center.

I use the Exchange Admin Center or SharePoint eDiscovery Center for Retention and Preservation, how do I do this now?
The Security & Compliance Center has a full set of features for preserving content. For more information, see Overview of preservation policies.

Can I migrate searches in the Exchange Admin Center or cases in the SharePoint eDiscovery Center to the Security & Compliance Center?
No. eDiscovery cases in the Security & Compliance Center and cases in the eDiscovery Center in SharePoint Online are completely different objects, and their underlying architecture is also different. The same is true for In-Place eDiscovery searches in the Exchange Admin Center and Content Searches in the Security & Compliance Center. Thus, existing cases and searches can’t be migrated to the Security & Compliance Center. If you have existing cases in the eDiscovery Center, we recommend that you continue to manage them in the eDiscovery Center until they are completed and you close them. If you need to support a new legal investigation in your organization, we recommend that you use eDiscovery cases in the Security & Compliance Center.

If you have existing searches in the Exchange Admin Center, you can create a corresponding Content Search in the Security & Compliance Center.

What about my existing holds, will they continue to preserve data?
Yes, all existing holds from the Exchange Admin Center and eDiscovery Center will continue to hold content. Only the creation of new In-Place Holds in the Exchange Admin Center and new cases in the SharePoint eDiscovery center are being disabled.

How do I get access to the Security & Compliance Center?
By default, global administrators have access to the Security & Compliance Center. Administrators can assign permissions to other users so they can use the eDiscovery tools in the Security & Compliance Center.

How do I access the Security & Compliance Center?
You can navigate directly from https://protection.office.com/ or from the app launcher, choose the Security & Compliance tile.

OneDrive for Business, Security and Compliance, SharePoint

Conditional Access Policies with SharePoint Online and OneDrive for Business

The days of the corporate boundary beginning at the firewall are over, today’s corporate boundary is the end user.  Connectivity is ubiquitous and with an endless number of devices available, people have an increasing number of options for staying connected at anytime, anywhere.

The freedom to work fluidly, independent of location has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications.  IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

SharePoint Online and OneDrive for Business are uniquely positioned to respond to today’s evolving security challenges. A first step in providing administrators security and control in a mobile and connected world is conditional access policies. Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. Conditional access policies with SharePoint and OneDrive allow administrators to define policies that provide contextual controls at the user, location, device, and app levels.

In January we made location-based policies available to First Release Tenants, which allow administrators to limit access to content from defined networks. These policies ensure content can only be accessed when someone is connected to the defined network, denying access outside of that boundary – whether the content is accessed via a browser, application, or mobile app.

Configuring Location-Based Policies

To configure location-based policies:

Navigate to the SharePoint Admin Center in Office 365 and select device access from the list of available options (see illustration).


On the Restrict access based on device or network location page navigate to Control access based on network location and specify a range of allowed IP addresses (see illustration).


In scenarios where an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, the AADP policy is evaluated first, followed by the SharePoint policy; the specified ranges should therefore not be in conflict with one another. To learn more about conditional access in Azure Active Directory see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access.
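As an added example (not code from the original post), the same location-based policy applied from the SharePoint Online Management Shell instead of the admin center, with a consistency check for the caveat above: every SharePoint range is confirmed to lie inside the ranges already allowed by the AADP location policy before enforcement is switched on. The IP ranges and admin-center URL are constructed placeholders, and the AADP ranges are assumed to be supplied by hand from that policy.

```powershell
# Added example, not part of the original post. Ranges are constructed documentation
# prefixes; replace them with your own egress ranges.
$SpoAllowList           = @('203.0.113.0/24', '198.51.100.0/25')   # ranges to allow in SharePoint Online
$AadNamedLocationRanges = @('203.0.113.0/24', '198.51.100.0/24')   # ranges the AADP location policy already allows
$AdminCenterUrl         = 'https://contoso-admin.sharepoint.com'   # <URL to your SPO admin center>

function ConvertTo-IpLong {
    # IPv4 dotted-quad to an integer so ranges can be compared numerically.
    param([string]$Ip)
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Only IPv4 is handled here: $Ip" }
    return ([long]$bytes[0] * 16777216) + ([long]$bytes[1] * 65536) + ([long]$bytes[2] * 256) + [long]$bytes[3]
}

function Get-CidrRange {
    # First and last address of a CIDR block, normalising a host address to its network.
    param([string]$Cidr)
    $parts = $Cidr.Split('/')
    if ($parts.Count -ne 2) { throw "Expected a.b.c.d/prefix, got '$Cidr'" }
    $prefix = [int]$parts[1]
    if ($prefix -lt 0 -or $prefix -gt 32) { throw "Bad prefix length in '$Cidr'" }
    $size  = [long][math]::Pow(2, 32 - $prefix)
    $start = [long][math]::Floor((ConvertTo-IpLong $parts[0]) / $size) * $size
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrWithin {
    # True when $Inner is fully contained in at least one of the $Outer blocks.
    param([string]$Inner, [string[]]$Outer)
    $i = Get-CidrRange $Inner
    foreach ($o in $Outer) {
        $r = Get-CidrRange $o
        if ($i.Start -ge $r.Start -and $i.End -le $r.End) { return $true }
    }
    return $false
}

# A SharePoint range that AADP already blocks is unreachable: AADP is evaluated first.
$conflicts = @($SpoAllowList | Where-Object { -not (Test-CidrWithin -Inner $_ -Outer $AadNamedLocationRanges) })
if ($conflicts.Count -gt 0) {
    throw "These SharePoint ranges fall outside the AADP location policy: $($conflicts -join ', ')"
}

Connect-SPOService -Url $AdminCenterUrl

# Equivalent of "Control access based on network location" in the admin center.
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList ($SpoAllowList -join ',')

# Read the tenant back to confirm what is actually enforced.
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList
```

Run the consistency check from a machine whose own egress address is inside the allow list; once enforcement is on, administration from outside those ranges is denied too.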

Conditional access policies are just one of a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time.  To learn more about how Office 365 safeguards your data while increasing employee productivity see https://www.microsoft.com/en-us/trustcenter/cloudservices/office365.

FAQ

Q: Is location-based policy limited to SharePoint Online and OneDrive for Business?
A: Location-based policy, as configured through the SharePoint Admin Center, is limited to SharePoint Online, OneDrive for Business, and Groups.

Q:  Is location-based policy available to E3?
A:  Yes. Location-based policy is available to all SharePoint Online SKUs, including E3.

Q:  Does location-based policy require Azure Active Directory Premium?
A:  No, location-based policy does not require Azure Active Directory Premium.
