Security at the Site-Collection Level in SharePoint Online

Balancing security and usability is core to ensuring people can collaborate effectively without interrupting the necessary flow of information across organizations.  With SharePoint Online we have been developing security and sharing controls that are scoped at the site collection level.  This allows Tenant administrators to configure controls at the site collection level that are more restrictive than those configured at the Tenant level, providing a balance between the need to protect corporate information and the requirement to collaborate effectively across and outside of the corporate boundary.

Site Collection Controls

Restricted Domain Sharing Controls

With SharePoint Online, sites can be shared with users from specific domains by using the restricted domains setting. This is useful for a business-to-business extranet scenario where sharing needs to be limited to a particular business partner or external user.

Administrators can configure external sharing by using either a domain allow list or a domain deny list. This can be done at either the tenant level or the site collection level. With an allow list, sharing invitations can only be sent to the email domains listed; with a deny list, invitations cannot be sent to the email domains listed.

To configure restricted domains for external sharing in SharePoint Online at the site collection level:

  1. From the SharePoint Admin Center, select the site collections tab.
  2. Select a site collection, and then click Sharing.
  3. Under Site collection additional settings, select the Limit external sharing using domain check box.
  4. From the drop-down list, choose either Don’t allow sharing with users from these blocked domains to deny access to the targeted domains, or Allow sharing only with users from these domains to limit access to only the domains you list.
  5. List the domains (maximum of 60) in the box provided. If listing more than one domain, separate each domain with a space or a carriage return.
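The same site collection setting can be applied from the SharePoint Online Management Shell, which is the better fit when the allow list has to be reproduced across many extranet sites or kept under change control. The script below is an added example, not code from the original post; the admin center URL, site URL and partner domains are placeholders. It validates the list locally (the 60-domain limit from step 5, and that each entry is a bare DNS domain rather than a URL or email address), applies the allow list with Set-SPOSite, and then reads the site and tenant settings back so the two can be compared. A site-level allow list cannot be less restrictive than the tenant-level one, so the read-back warns about any domain listed on the site that the tenant does not also allow.

```powershell
# Added example (not from the original post): enforce a partner-domain allow list on
# one extranet site collection. URLs and domains below are assumed placeholder values.
$AdminUrl = "https://contoso-admin.sharepoint.com"                      # assumption
$SiteUrl  = "https://contoso.sharepoint.com/sites/PartnerExtranet"      # assumption
$Allowed  = @("fabrikam.com", "woodgrovebank.com")                      # assumption

# The admin center caps the list at 60 domains; fail early instead of letting the
# service reject or truncate the request.
if ($Allowed.Count -gt 60) {
    throw "Domain list has $($Allowed.Count) entries; the limit is 60."
}

# Accept only bare DNS domains: no scheme, no user@ part, no path. A pasted URL or
# e-mail address would silently never match an invitation recipient.
$domainPattern = '^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
foreach ($d in $Allowed) {
    if ($d -notmatch $domainPattern) { throw "Not a valid domain: '$d'" }
}

Connect-SPOService -Url $AdminUrl

# Set-SPOSite takes the domain list as one space-separated string.
Set-SPOSite -Identity $SiteUrl `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($Allowed -join " ")

# Read back both scopes. The tenant setting still applies on top of the site setting,
# so a domain allowed here but not at the tenant will not actually receive invitations.
$site   = Get-SPOSite -Identity $SiteUrl
$tenant = Get-SPOTenant

if ($tenant.SharingDomainRestrictionMode -eq "AllowList") {
    $tenantAllowed = $tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ }
    foreach ($d in $Allowed) {
        if ($tenantAllowed -notcontains $d) {
            Write-Warning "$d is allowed on the site but not in the tenant allow list; invitations to it will still be blocked."
        }
    }
}

[pscustomobject]@{ Scope = "Tenant"; Mode = $tenant.SharingDomainRestrictionMode; Domains = $tenant.SharingAllowedDomainList }
[pscustomobject]@{ Scope = "Site";   Mode = $site.SharingDomainRestrictionMode;   Domains = $site.SharingAllowedDomainList }
```

To use a deny list instead, pass -SharingDomainRestrictionMode BlockList with -SharingBlockedDomainList; the same 60-domain and format checks apply.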

Site-Scoped Conditional Access Policies

New to SharePoint Online are site-scoped conditional access policies.  Device-based policies for SharePoint and OneDrive help administrators ensure data on corporate resources is not leaked onto unmanaged devices, such as non-domain-joined or non-compliant devices, by limiting access to content to the browser and preventing files from being taken offline or synchronized with OneDrive on unmanaged devices, at either the Tenant or the site collection level.

Site-scoped device-based access policies can be configured with SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed, and you have connected to SharePoint Online.


The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

# Connect to the SharePoint Online admin center
Connect-SPOService -Url https://<URL to your SPO admin center>
# Resolve the site collection to be scoped
$t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
# Limit unmanaged devices to browser-only access for this site collection
Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess

Read more about site-scoped conditional access at

Additional Controls

Allow users to Invite new partner users:    In certain site collections, admins can optionally allow users to invite new partner users. In this model, an email invite is sent to the partner user and the user must redeem that invite to access the resource. See Manage external sharing for your SharePoint Online environment for details.

Sharing by site owners only:    Site collections can be configured so that only site owners can bring in or share with new users. Site members, who are typically external partner users, can see only the existing site members in the site. This helps in governing what partners can see and with whom they can share documents.
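Both of the controls above map onto Set-SPOSite parameters, which is how you would apply them consistently to a set of partner-facing site collections. The script below is an added example and not part of the original post; the admin center URL and site list are placeholders. It puts each site into the invite-and-redeem sharing model (authenticated external users only, no anonymous links) and then restricts sharing to site owners, reporting the before and after state for the change record.

```powershell
# Added example (not from the original post): harden a set of partner site collections
# so external users must redeem an e-mail invitation and only owners can share.
# Admin URL and site URLs are assumed placeholder values.
$AdminUrl     = "https://contoso-admin.sharepoint.com"             # assumption
$PartnerSites = @(
    "https://contoso.sharepoint.com/sites/PartnerA",                # assumption
    "https://contoso.sharepoint.com/sites/PartnerB"                 # assumption
)

Connect-SPOService -Url $AdminUrl

# The site setting cannot exceed the tenant setting; surface that up front.
$tenant = Get-SPOTenant
if ($tenant.SharingCapability -eq "Disabled") {
    throw "External sharing is disabled at the tenant level; site-level settings cannot enable it."
}

foreach ($url in $PartnerSites) {
    $before = Get-SPOSite -Identity $url

    # ExternalUserSharingOnly: new partner users receive an invitation by e-mail and
    # must redeem it; anonymous "anyone" links are not permitted on the site.
    # (ExistingExternalUserSharingOnly would go further and allow sharing only with
    # external users already present in the directory.)
    if ($before.SharingCapability -ne "ExternalUserSharingOnly") {
        Set-SPOSite -Identity $url -SharingCapability ExternalUserSharingOnly
    }

    # Owners-only sharing: members (typically the partners themselves) can no longer
    # invite new users and only see the existing membership. Set-SPOSite offers no
    # switch to reverse this; re-enable member sharing from the site's Access Request
    # Settings page if it is ever needed.
    Set-SPOSite -Identity $url -DisableSharingForNonOwners

    $after = Get-SPOSite -Identity $url
    [pscustomobject]@{
        Site          = $url
        SharingBefore = $before.SharingCapability
        SharingAfter  = $after.SharingCapability
        OwnersOnly    = $true
    }
}
```

Run it once with the site list pointed at a test site collection first: the owners-only switch takes effect immediately for every member of the site.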

To learn more about security and compliance with SharePoint and OneDrive:

Site-Scoped Limited Access Policies in SharePoint Online

In March 2017 we introduced device-based policies for SharePoint and OneDrive, that enable administrators to configure Tenant-level policies.

Device-based policies for SharePoint and OneDrive help administrators ensure corporate data is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to the content to the browser, preventing files from being taken offline or synchronized with OneDrive.

On September 1st, 2017 we continued to evolve our conditional access investments to address the ever-changing security landscape and business needs by introducing a new level of granularity: administrators can now scope device-based policies at the site collection level.  In addition, this granular policy can be configured to allow users on unmanaged devices to edit Office Online documents in the browser.

In the demonstration above, the Tenant is configured with a permissive device access policy, allowing full access from unmanaged devices, including desktop apps, mobile apps, and browsers.  The Marketing site inherits the policy configured at the Tenant; the Legal site, however, has a less permissive policy than the one configured at the Tenant level.  In addition, members of the Legal site, while limited to browser-only access on unmanaged devices, can continue to edit content they have access to, providing a seamless collaborative experience.

Configuring Policies

Once available in First Release Tenants, site-scoped device-based access policies can be configured with the SharePoint Online Management Shell.

Before you get started using PowerShell to manage SharePoint Online, make sure that the SharePoint Online Management Shell is installed and you have connected to SharePoint Online.


The Tenant-level device-based policy must be configured to Full Access prior to configuring site-scoped policies.

# Connect to the SharePoint Online admin center
Connect-SPOService -Url https://<URL to your SPO admin center>
# Resolve the site collection to be scoped
$t2 = Get-SPOSite -Identity https://<Url to your SharePoint online>/sites/<name of site collection>
# Limit unmanaged devices to browser-only access for this site collection
Set-SPOSite -Identity $t2.Url -ConditionalAccessPolicy AllowLimitedAccess
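The three commands above (and the identical sequence in the first post) assume the Tenant prerequisite has already been met. The script below is an added example, not code from the original post; the admin center and site URLs are placeholders. It checks that the Tenant policy is Full Access before touching the site, applies the limited-access policy while keeping browser editing enabled as described for the demonstration, and also blocks download of files that have no web preview, which is the gap the FAQ at the end of this page calls out for file types such as .zip. Finally it reads the site back so the difference from the Tenant policy is visible.

```powershell
# Added example (not from the original post): apply a site-scoped device-based
# policy after verifying the tenant prerequisite. URLs are assumed placeholder values.
$AdminUrl = "https://contoso-admin.sharepoint.com"          # assumption
$SiteUrl  = "https://contoso.sharepoint.com/sites/Legal"     # assumption

Connect-SPOService -Url $AdminUrl

# Prerequisite from the post: the tenant-level policy must be Full Access. If the
# tenant is already limiting or blocking, that stricter setting governs every site
# and a per-site policy cannot loosen it.
$tenant = Get-SPOTenant
if ($tenant.ConditionalAccessPolicy -ne "AllowFullAccess") {
    throw "Tenant ConditionalAccessPolicy is '$($tenant.ConditionalAccessPolicy)'; set it to AllowFullAccess before scoping policies per site."
}

$site = Get-SPOSite -Identity $SiteUrl

# AllowLimitedAccess: browser-only from unmanaged devices (no sync, no desktop or
# mobile app access).
# -AllowEditing $true keeps Office Online editing available to those users; pass
#   $false for a read-only experience that also blocks copy and paste out of the page.
# -AllowDownloadingNonWebViewableFiles $false closes the default behaviour where files
#   that cannot be previewed in the browser (e.g. .zip) remain downloadable.
Set-SPOSite -Identity $site.Url `
    -ConditionalAccessPolicy AllowLimitedAccess `
    -AllowEditing $true `
    -AllowDownloadingNonWebViewableFiles $false

# Read back site and tenant side by side so the intended drift (site stricter than
# tenant) is recorded.
$site = Get-SPOSite -Identity $site.Url
[pscustomobject]@{ Scope = "Tenant"; Policy = $tenant.ConditionalAccessPolicy; AllowEditing = $tenant.AllowEditing }
[pscustomobject]@{ Scope = "Site";   Policy = $site.ConditionalAccessPolicy;   AllowEditing = $site.AllowEditing;
                   NonWebViewableDownload = $site.AllowDownloadingNonWebViewableFiles }
```

Set-SPOTenant accepts the same -ConditionalAccessPolicy, -AllowEditing and -AllowDownloadingNonWebViewableFiles parameters when the policy is to apply to the whole tenant rather than to individual site collections. Remember from the FAQ that the policy applies to new sessions only; existing sessions keep the access they were granted at sign-in.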

SharePoint & OneDrive Security & Compliance Updates from Microsoft Ignite

Last week at Microsoft Ignite we shared our investments, our vision, and our strategy for addressing today’s most challenging business and technology trends, which are ever broadening the threat landscape.  From meeting complex corporate and governmental regulatory compliance requirements to addressing a more mobile and connected workforce, SharePoint and OneDrive are uniquely positioned to address your business needs.

Stay ahead of data residency requirements with Multi-Geo capabilities in Microsoft 365

Governments around the world are strengthening laws and regulations to protect citizens’ data, preserve national security, and protect business interests.

New Multi-Geo capabilities in Microsoft 365 with SharePoint and OneDrive give global organizations a way to maximize the value of Office 365, including SharePoint and OneDrive, while meeting data residency and compliance requirements.  Multi-Geo capabilities provide a choice of geographical locations in which to store, manage, and secure your data by allowing a single Office 365 tenant to span multiple regions, storing data on a per-user or per-site basis.  So whether you are adding a new user to your organization or need to move an existing user, together with their data, to a new region seamlessly and transparently to that user, the new Multi-Geo capabilities are designed to address those needs. Read more about Multi-Geo capabilities in Office 365 at

Watch and download Multi-Geo Capabilities in OneDrive and SharePoint Online from Microsoft Ignite.

Multi-Geo capabilities for OneDrive and SharePoint are in private preview today. If you’re interested and want to learn more visit the links below.


Manage your service-level encryption key with Customer Key in Office 365

Gain greater trust from your own clients, with service-level encryption with customer key so that Microsoft does not see or extract any encryption keys. 

Customer Key in Office 365 allows you to take control of your information, providing an additional layer of security and data privacy above what is already supplied by Microsoft with SharePoint and OneDrive in Office 365. Customer Key can be used to encrypt and decrypt the individual encryption keys used to encrypt your cloud storage for SharePoint Online and OneDrive for Business.  Additionally, you decide when to change or revoke access to these keys, limiting Microsoft’s ability to access encrypted content.

Microsoft encrypts your content at rest and in transit throughout SharePoint, OneDrive and Office 365. In fact, we use multiple keys to encrypt your data, and distribute those keys across multiple data centers.  At the service level, we encrypt those keys that are used to encrypt your data. With customer lockbox, even our administrators have no ability to access your data without your explicit, time-bounded consent. Learn more about our encryption features here.

Service-level encryption with Customer Key goes one step further. You manage the service-level key(s) used to encrypt the SharePoint and OneDrive data encryption keys. You decide when to change these keys and, if your business requires it, you can revoke the service-level keys and thereby deny the service access to your content.  Read more about Controlling your data in Office 365 using Customer Key at

Watch and download Manage and control your data to help meet compliance needs with Customer Key from Microsoft Ignite and read the FAQ at

Limit information overexposure with sharing and access policies

The risk of information exposure has increased because users don’t always work on desktop computers connected to the corporate network. Access controls now need to account for users connecting their mobile devices to non-secure networks or using their own unmanaged devices. These new access controls start with conditional access policies. Conditional access allows you to keep your corporate data safe while providing your users a secure environment in which they can work from any device. Conditional access in SharePoint Online and OneDrive for Business offers security that goes beyond user permissions. It considers the identity of the user, the devices and applications being used, the network that the user has connected to, and the sensitivity of the data being accessed.

Watch and download Create and manage sharing and access policies for SharePoint from Microsoft Ignite.

Site-level device access policies

In March 2017, we introduced device access policies at the tenant level so you can control access from unmanaged or non-compliant devices to content stored in SharePoint and OneDrive.  At Microsoft Ignite 2017, we announced and demonstrated new support for bringing these device access policies to the site collection level, so you can limit access from these devices on a site by site basis, based on the classification of the content.  In addition, an administrator can also allow these devices access to collaborate using the Web browser to provide a seamless user experience for instances where unmanaged devices still need the ability to access and use content stored in one or more sites.

Session timeout policies

Unmanaged and non-compliant devices represent just one of many risks of information overexposure. The use of shared systems has also increased, from shared computers in the workplace to kiosks at hotels and airports. Devices and networks often change, but the one constant is the corporate data they access.  Also at Microsoft Ignite we shared our investments in idle-timeout scenarios that allow you to configure a policy that automatically signs out sessions on these shared systems after a specified period of inactivity.
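The idle-timeout policy is tenant-wide and is driven by two intervals: how long a session may sit idle before the user is warned, and how long before it is signed out. The script below is an added example and not part of the original post; it uses the Set-SPOBrowserIdleSignOut and Get-SPOBrowserIdleSignOut cmdlets that the SharePoint Online Management Shell provides for this feature, and the admin center URL and timings are placeholders chosen for a shared-kiosk scenario. The wrapper validates the ordering of the two intervals locally, because the service rejects a sign-out interval that is not longer than the warning interval.

```powershell
# Added example (not from the original post): configure browser idle session sign-out
# for the tenant. Admin URL and intervals are assumed placeholder values.
$AdminUrl = "https://contoso-admin.sharepoint.com"   # assumption

function Set-IdleSignOutPolicy {
    param(
        [Parameter(Mandatory)][int]$WarnAfterMinutes,
        [Parameter(Mandatory)][int]$SignOutAfterMinutes
    )
    # The warning must come before the sign-out. Validate here so a bad combination
    # fails with a clear message rather than a service-side error.
    if ($WarnAfterMinutes -lt 1 -or $SignOutAfterMinutes -le $WarnAfterMinutes) {
        throw "WarnAfter ($WarnAfterMinutes min) must be at least 1 and less than SignOutAfter ($SignOutAfterMinutes min)."
    }

    Set-SPOBrowserIdleSignOut -Enabled $true `
        -WarnAfter    (New-TimeSpan -Minutes $WarnAfterMinutes) `
        -SignOutAfter (New-TimeSpan -Minutes $SignOutAfterMinutes)

    # Return the effective policy for the change record.
    Get-SPOBrowserIdleSignOut
}

Connect-SPOService -Url $AdminUrl

# Warn after 30 idle minutes, sign out after 60. Shorter values suit kiosks; longer
# values reduce friction on managed desktops where device policy already applies.
Set-IdleSignOutPolicy -WarnAfterMinutes 30 -SignOutAfterMinutes 60
```

One caveat worth testing on a kiosk before relying on this: the idle sign-out only applies to browser sessions where the user did not choose to stay signed in, so pair it with guidance (or a device policy) that keeps shared systems off the persistent sign-in option.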

Secure external sharing

Secure external sharing in SharePoint and OneDrive provides a seamless experience for sending secure links to recipients outside of your organization. When a recipient opens the link, they are sent an email message containing a time-limited, single-use verification code. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.

Read more about secure external sharing at

Moving forward…

In today’s volatile economic climate, organizations require collaboration, communication, and productivity solutions to be both cost-effective and flexible.  SharePoint and OneDrive can help businesses achieve new levels of reliability and performance, delivering features and capabilities that simplify administration, protect communications and information, and empower users while meeting their demands for greater business mobility.

However, data loss is non-negotiable, and overexposure of information can have legal and compliance implications.  In SharePoint and OneDrive, we are providing a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time.  Whether the challenge is an increasingly distributed and remote workforce, ubiquitous connectivity, or rapid changes in corporate and regulatory compliance, we will be there each step of the way, evolving our protection in parallel with your risk.

After all, the security landscape has changed. Ubiquitous connectivity has led users to expect data mobility across networks and across devices, and more often on personal devices and shared systems, like kiosks.  These challenges, together with more complex corporate and regulatory compliance requirements, have only made it harder to stay ahead of the trends. The video below demonstrates a subset of the latest controls we built and announced at Microsoft Ignite, and how we will continue to evolve our capabilities with more fine-grained controls, from the tenant and site level all the way down to the file level.

Office 365 is designed to meet every company’s needs for business productivity, content security, and compliance with technical, legal, and regulatory standards. We have been hard at work lighting up new productivity scenarios in OneDrive and SharePoint and architecting the service to support advanced features that help customers meet their regulatory security and compliance needs.


We understand that there is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.  Learn more about how we address our customers security and compliance concerns with the resources here.

eBook –

Visual Interactive –

Microsoft Ignite Recording – Security you can trust, control you can count on with SharePoint and OneDrive
Microsoft Ignite Recording – Learn how SharePoint Online safeguards your data in the cloud
Microsoft Ignite Recording – Quickly find what’s relevant and reduce risk with intelligent eDiscovery in Office 365

Device-based Conditional Access Policies Rolling out to First Release for SharePoint and OneDrive

The collaboration landscape has changed, people expect to work across both boundaries and devices, to bring content with them versus bringing themselves to content.  Location, location, location is the best choice when buying or selling a home, but introduces new challenges when it comes to securing that content.  Ubiquitous connectivity and the proliferation of devices means responding to new security challenges.  SharePoint Online and OneDrive for Business are uniquely positioned to help you address these challenges…

Over the past several weeks we have introduced a variety of policies, including location-based policies, that provide contextual controls at the user, location, device, and app levels, and we are excited to share that you can now explore new device-based policies in First Release.

Conditional access provides the control and protection you need to keep your corporate data secure, while giving your people an experience that allows them to do their best work from any device.

Device-based policies let you allow or block access, or challenge users with Multi-Factor Authentication, device enrollment, or a password change.

Device-based policies for SharePoint Online and OneDrive for Business in First Release help administrators ensure data on corporate resources is not leaked onto unmanaged devices such as non-domain joined or non-compliant devices by limiting access to content to the browser, preventing files from being taken offline or synchronized with OneDrive for Business on unmanaged devices.

With conditional access you get the control you need to ensure your corporate data is secure, while your people roam freely between apps and devices, accessing your data in the cloud and on-premises.

Configured Device-based Policies in First Release Tenants

To begin using device-based policies you must have your Office 365 Tenant set up for First Release.

1. In the SharePoint admin center, click device access.

2. Under Control access from devices that aren’t compliant or joined to a domain, decide whether you want to limit web access or block all access, and then click the link to configure the policy in the Microsoft Azure portal.

For detailed information on configuring these policies see also


Q:  Are there any license requirements to use these new policies?

A:  Yes.  An active Azure Active Directory Premium (P1) license in addition to Intune licenses are required.

Q:  Does the policy apply to existing sessions?

A:  No, policy applies to new sessions only.

Q:  Are there special considerations for files that do not support online viewing?

A:  Yes. By default, files that can’t be viewed online (such as zip files) can be downloaded.  If you want to prevent download of these files onto unmanaged devices you can opt in to block download of files that can’t be viewed on the web.  This results in a read-only experience for end users, and customizations may be affected.

Q:  How do I protect content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps?

A:  To prevent content from being synchronized with OneDrive for Business or opened with the Office client or mobile apps, we recommend you reuse AAD conditional access policies to allow access only from managed devices.  For additional information refer to . For additional security on HBI data you should also consider using Azure RMS.

File Security in SharePoint Online and OneDrive for Business (Whitepaper)

When choosing a cloud collaboration platform, the most important consideration is trust in your provider. Microsoft SharePoint and OneDrive for Business are covered by the core tenets of earning and maintaining trust: security, privacy, compliance, and transparency. With SharePoint and OneDrive, they’re your files. You own them and control them. The Microsoft approach to securing your files involves:

A set of customer-managed tools that adapt to your organization and its security needs.
A Microsoft-built security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs.

These tools and processes apply to all Microsoft Office 365 services—including SharePoint and OneDrive—so all your content beyond files is secure.

Learn more about file security in SharePoint Online and OneDrive for Business in this whitepaper