
What’s new and what’s coming with SharePoint & OneDrive Security, Compliance, and Administration – October 2018 Edition

In today’s complex and regulated environment, businesses need to focus on building more secure solutions that deliver value to their customers, partners, and shareholders—both in the cloud and on-premises.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint and OneDrive more secure for users, by implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

SharePoint and OneDrive are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint and OneDrive. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

At Microsoft Ignite 2018 we announced many of the new capabilities that are available now and coming soon to Office 365.

NOTE This is the first of regular monthly updates for what’s new and what’s coming with security, compliance, and administration in SharePoint and OneDrive.

Unified Labels

Unified labels in Microsoft 365 provide you with a more integrated and consistent approach when creating labels and configuring and applying policies to protect and govern information across devices, applications, cloud, and on-premises locations. Unified labels provide a single location to create and configure data sensitivity labels for both Azure Information Protection and Office 365, so you can set up protection and retention labels and policies in the same place.

Unified labels in Microsoft 365 are available now.

SharePoint site classification labels

Across your organization, you probably have different types of content that require different security requirements to comply with industry regulations and internal policies.

Using Microsoft Information Protection labels, you can now apply consistent security and access policies to SharePoint sites based on the sensitivity of the site. You can create sensitivity labels and associate them with policies in the new Microsoft 365 Security and Compliance Center. You can then apply these labels to files, emails, groups, sites, and Teams to automatically enforce consistent policies across your content.

SharePoint site classification labels will begin rolling out to Targeted Release in December 2018.

Automatic application of retention labels

Data is your company’s most important asset. With the automatic application of retention labels, you can ensure your most important assets comply with your corporate or regulatory requirements. These retention labels can be created by importing the content types that you already use in SharePoint to help streamline the application of retention policies across all your content in SharePoint.

Content type to label support will begin rolling out in November 2018.

Label analytics

Information is growing at exponential rates and we’re making it easier for you to stay informed on how retention and sensitivity labels are being used to classify, retain, and protect your organization’s content in the cloud.

Using label analytics, you can now get insights into how content is being labeled, including which labels are used most and which emails and files they’re being applied to. You can also explore user activity to identify who’s been applying labels, investigate unusual trends, and more.

Label analytics will begin rolling out in Q4 2018.

File plans

Office 365 already provides data governance labels to establish rules for records management and retention.  Later this year we’ll be augmenting those with hierarchical file plans, allowing you to manage a range of retention labels with identifiers, departments, categories, statutory references and more.  File plans can be exported from Office 365 for easy editing in Excel, and then reimported to update label rules.

File plans will begin to be available in Q4 2018.

Files Restore for SharePoint and Microsoft Teams

Data loss is non-negotiable. Today we announced Files Restore for SharePoint and Microsoft Teams.

Files Restore is now available for SharePoint document libraries, protecting your shared files in SharePoint, Teams, Outlook groups, and Yammer groups connected to Office 365 groups. It uses the same recovery capabilities that protect your personal files in OneDrive for Business.

Files Restore is a complete self-service recovery solution that allows site administrators to restore document libraries from any point in time during the last 30 days and rewind changes using activity data to find the exact moment to revert to.

Files Restore for SharePoint and Microsoft Teams will begin rolling out to Targeted Release in December 2018.

Multi-geo capabilities for SharePoint

Multi-geo capabilities with SharePoint support your global data residency needs by storing SharePoint data in more than one selected Office 365 data center region or country. Microsoft commits to provide in-geo data residency, business continuity, and disaster recovery for your core customer data at rest.

With multi-geo capabilities for SharePoint you can have a single Office 365 tenant that spans multiple geos and enables a unified communication and collaboration experience across your global organization. You can migrate various on-premises satellite data silos into a single Office 365 tenant and at the same time meet your data residency needs. Your users are now connected to the people and content that matter most, regardless of where they work.

For IT, you can use powerful Office 365 admin tools to easily create and manage satellite sites and, if needed, move user data between geos to meet your data residency business needs. Get reports on where each user’s data is stored and an audit trail of the activities of all users in your global enterprise. Tailor sharing, security, and compliance policies separately for each geo—all from a familiar admin experience.

To learn more about Multi-Geo Capabilities in Office 365 see https://products.office.com/en-us/business/multi-geo-capabilities.

Multi-Geo capabilities with SharePoint Online are available now.

External sharing integration with Azure AD B2B

Last year at Ignite we introduced a new external sharing experience where recipients could access shared content securely by entering a one-time passcode sent to their email address, without the need to create or remember passwords. This year, we’re taking it a step further by integrating the one-time passcode sign-in experience with the Azure AD B2B platform. This enables external users to exist in your Azure AD directory as Guests, which can be managed in the way you are already familiar with. This integration also brings the one-time passcode experience to sharing SharePoint sites and lists with external users.

SharePoint admin center updates

At Microsoft Ignite, in addition to our security and compliance news, we announced several exciting new features coming to the new SharePoint admin center.

Make the new admin center your default admin center…

The new SharePoint admin experience provides a completely revamped SharePoint admin center that draws heavily on our modern principles… an administrative console designed to help IT achieve more, so their users can achieve more. If you’ve enjoyed using the new SharePoint admin center up until today, you now have the option to make the new SharePoint admin center your default experience while still being able to go back to the classic admin center if you need to.

Improved management experience for group-connected sites

Office 365 Groups is a service that works with the Office 365 tools you use already so you can collaborate with your teammates when writing documents, creating spreadsheets, working on project plans, scheduling meetings, or sending email. Now we’re making it easier to manage group-connected sites by allowing SharePoint administrators to manage ownership, change sharing settings, and delete and restore sites.

Simplified hub site creation and association

Sites and data grow as your organization grows. With SharePoint hub sites, you can bring flexible, dynamic building blocks to your organization’s intranet – connecting collaboration and communication.  Now in the SharePoint admin center, you can manage existing hub sites in addition to creating hub sites and associating existing sites with a hub site.  These capabilities also extend to multi-geo scenarios.

Quickly customize and control the site creation experience

Creating sites is one of the most common tasks an administrator performs in many SharePoint environments, and we’ve made it easier to customize and control how sites are created.

New site creation options allow you to create sites on behalf of users and configure common settings such as language, time zone, and storage limit. For classic and communication sites, you can now also specify their managed path.

In addition to these site creation controls, you can now specify global settings that apply to all sites when they’re created, such as the time zone and site creation path. For organizations that want to control the site creation experience, you can enable or disable self-service site creation.

Improved site management experience

In response to your feedback, we’ve added more management controls across site management and storage, including a simplified view of your tenant-level storage usage and limit and the ability to switch to manual site storage management.

Additionally, in many cases you may want or need more than one or two administrators for a site collection.  In response to your feedback, we’ve now enabled the use of security groups as a site collection administrator in SharePoint Online.

Finally, we’re making it simpler to execute site actions by moving many of the common actions to the command bar rather than the site information panel.

Keep your information secure with improved access control and policies options

The freedom to work fluidly, independent of location has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless.  However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications.  IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

New updates to the SharePoint admin center include a consolidated view of access control policies to help safeguard your information.   On the new access control page, you can configure policies for unmanaged or non-compliant devices, configure the idle-session sign-out experience for users, as well as configure location policies to restrict or allow access to SharePoint Online from known IP ranges.

SharePoint admin center improvements will begin rolling out to Targeted Release in October 2018.

Learn more about how we secure your data with SharePoint and OneDrive in Office 365 and how customers are achieving success at https://aka.ms/SharePoint-Security.

 

 


What’s new in security, compliance & administration for SharePoint & OneDrive from Microsoft Ignite

Innovation in the cloud drives tremendous business value, and it delivers new capabilities to the IT professionals who work tirelessly to support, configure, administer, and secure their organizations’ content and services.  Office 365 empowers you to support sophisticated requirements for security and compliance, to manage day-to-day operations, and to maximize the value of Office 365 to people in your organization.

We’ve built Office 365 with global scale, exceptional reliability, and support for compliance across industries and geographies. On top of intelligent security that keeps your service and content protected and private, we give you granular and dynamic controls so that you can manage access and distribution of your organization’s sensitive information. We’ve equipped you with detailed activity and usage reports. And we’ve brought the innovations born in Office 365 to SharePoint Server 2019 with out-of-the-box capabilities and connected, hybrid experiences.

Today at Microsoft Ignite 2018 we announced many of the new capabilities that are available now and coming soon to Office 365 and while our list of news is too big for a single blog, here you’ll find a summary of these announcements.

SharePoint site classification labels

Across your organization, you probably have different types of content that require different security requirements to comply with industry regulations and internal policies. 

Using Microsoft Information Protection labels, you can now apply consistent security and access policies to SharePoint sites based on the sensitivity of the site. You can create sensitivity labels and associate them with policies in the new Microsoft 365 Security and Compliance Center. You can then apply these labels to files, emails, groups, sites, and Teams to automatically enforce consistent policies across your content.

Automatic application of retention labels

Data is your company’s most important asset. With the automatic application of retention labels, you can ensure your most important assets comply with your corporate or regulatory requirements. These retention labels can be created by importing the content types that you already use in SharePoint to help streamline the application of retention policies across all your content in SharePoint.

Learn more about unified labeling management in the Security and Compliance Center at https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-the-availability-of-unified-labeling-management-in/ba-p/262492.

Label analytics

Information is growing at exponential rates and we’re making it easier for you to stay informed on how retention and sensitivity labels are being used to classify, retain, and protect your organization’s content in the cloud.

Using label analytics, you can now get insights into how content is being labeled, including which labels are used most and which emails and files they’re being applied to. You can also explore user activity to identify who’s been applying labels, investigate unusual trends, and more.

Learn more about unified labeling, analytics, file plan and more at https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Updates-to-Advanced-Data-Governance-Unified-labeling-analytics/ba-p/261876.

Files Restore for SharePoint and Microsoft Teams

Data loss is non-negotiable. Today we announced Files Restore for SharePoint and Microsoft Teams.

Files Restore is now available for SharePoint document libraries, protecting your shared files in SharePoint, Teams, Outlook groups, and Yammer groups connected to Office 365 groups. It uses the same recovery capabilities that protect your personal files in OneDrive for Business.

Files Restore is a complete self-service recovery solution that allows site administrators to restore document libraries from any point in time during the last 30 days and rewind changes using activity data to find the exact moment to revert to.

SharePoint admin center updates

While our new user experiences are designed to be simpler, more intuitive, and more powerful, we also believe administration should be just as simple, just as intuitive, and just as powerful. To that end, we’re adding new controls and capabilities to the SharePoint admin center, including:

  • The ability to manage all sites, including group connected team sites, communication sites, and hub sites
  • Controls such as Device Access and Sharing Policies through a richer menu to manage and control how information is accessed and shared.
  • A new command surface that provides an actionable command bar, hub site and classification management control
  • Enhancements to the site creation experience empowering admins with more settings and control such as storage and classification
  • Several new options in the settings page including ability to control the defaults for user created sites
  • A new simple way to track and manage tenant level storage and site level storage limits

In addition to these new capabilities, you’ll soon be able to also change site URLs and manage site creation settings.

Multi-geo capabilities for SharePoint

Multi-geo capabilities with SharePoint support your global data residency needs by storing SharePoint data in more than one selected Office 365 data center region or country. Microsoft commits to provide in-geo data residency, business continuity, and disaster recovery for your core customer data at rest.

With multi-geo capabilities for SharePoint you can have a single Office 365 tenant that spans multiple geos and enables a unified communication and collaboration experience across your global organization. You can migrate various on-premises satellite data silos into a single Office 365 tenant and at the same time meet your data residency needs. Your users are now connected to the people and content that matter most, regardless of where they work.

For IT, you can use powerful Office 365 admin tools to easily create and manage satellite sites and, if needed, move user data between geos to meet your data residency business needs. Get reports on where each user’s data is stored and an audit trail of the activities of all users in your global enterprise. Tailor sharing, security, and compliance policies separately for each geo—all from a familiar admin experience.

To learn more about Multi-Geo Capabilities in Office 365 see https://products.office.com/en-us/business/multi-geo-capabilities.

External sharing integration with Azure AD B2B

Last year at Ignite we introduced a new external sharing experience where recipients could access shared content securely by entering a one-time passcode sent to their email address, without the need to create or remember passwords. This year, we’re taking it a step further by integrating the one-time passcode sign-in experience with the Azure AD B2B platform. This enables external users to exist in your Azure AD directory as Guests, which can be managed in the way you are already familiar with. This integration also brings the one-time passcode experience to sharing SharePoint sites and lists with external users.

SharePoint Migration Tool Improvements

In addition to these capabilities to help streamline your journey to Office 365 we announced several new capabilities we’re bringing to the SharePoint Migration Tool.

The SharePoint Migration Tool is designed to simplify your journey to the cloud through a free, simple, and fast solution to migrate content from on-premises SharePoint sites and file shares to SharePoint or OneDrive in Office 365. The SharePoint Migration Tool allows you to accelerate your journey to Office 365, overcoming obstacles typically associated with migration projects.

With the SharePoint Migration Tool you can evaluate, address, and migrate the information that matters the most to your organization: the libraries, lists, and now complete SharePoint 2013 sites that form the foundation of the SharePoint experience. Using the SharePoint Migration Tool you can start your migration today and take advantage of the full suite of features and security capabilities that Office 365 offers.

In addition to adding support for full site migrations with the SharePoint Migration Tool, we’re also refreshing the user experience and have made generally available its Windows PowerShell cmdlets to support automating your migration to Office 365.

Learn more about how we secure your data with SharePoint and OneDrive in Office 365 and how customers are achieving success at https://aka.ms/SharePoint-Security.

Thank you again for your support of SharePoint and OneDrive. We look forward to your continued feedback on UserVoice and hope to connect with you at Ignite or another upcoming Microsoft or community led event.

Frequently Asked Questions

Q:  When will SharePoint site classification labels be available?

A:  SharePoint site classification labels will begin rolling out to Targeted Release in December 2018.

Q:  When will Files Restore for SharePoint and Microsoft Teams be available?

A:  Files Restore for SharePoint and Microsoft Teams will begin rolling out to Targeted Release in December 2018.

Q:  When will the updates to the SharePoint admin center begin rolling out?

A:  These updates will begin to become available in Q1CY2019.

Q:  When will content type to label support be available?

A:  Content type to label support will be available in November 2018.


Office 365 Attack Simulator and Mitigating Common Attacks (Part 1)

When it comes to security, your best line of defense is one that is reactive versus one that is proactive; however, how do you know how you’ll respond to a security incident if one has yet to occur? That’s where Attack Simulator in Office 365 shines; it’s what sets the security solutions we provide apart from other cloud services.

Attack Simulator is designed to put you ahead of the curve and keep you in front of the proverbial 8 ball. With Attack Simulator you can run realistic attack scenarios in your organization. This can help you identify and find vulnerable users before a real attack impacts your bottom line.

In brief, Attack Simulator, as a component of Office 365 Security and Compliance, is designed to help you identify issues before they become a problem. It allows you to determine how end users behave in the event of an attack, and update policies to ensure that appropriate security tools are in place to protect your organization from threats.

Getting Started

Attack Simulator is available as Preview in Office 365 E5 Plans.  The Preview version of Attack Simulator allows you to simulate:

  • Display name spear-phishing attacks
  • Password-spray attacks
  • Brute-force password attacks

To skip ahead and learn how to get started with Attack Simulator visit https://support.office.com/en-us/article/attack-simulator-office-365-da5845db-c578-4a41-b2cb-5a09689a551b.

Display Name Spear-Phishing Attacks

Spear-phishing attacks are designed to play on the trust of a user or users.  The most common spear-phishing attacks involve some level of sophistication, such as understanding influencers within an organization that generate trust amongst potential recipients of email from that individual.

Using Attack Simulator you can simulate this type of attack by creating messages that appear to have originated from such individuals by changing the display name and source address.

The most common objective of bad actors when carrying out spear-phishing attacks is to gain access to users’ credentials.

In addition to leveraging the email sender (display name) and body, attackers will also use document phishing to lure users into giving up their credentials, for example by sending spam emails to many harvested email addresses. These spam emails may contain content that tries to lure the user into clicking on the provided link or opening the provided attachment. As the victim of a phishing attack, the user may be directed to a legitimate-looking website that masquerades as an online bank or corporate mail service to steal user credentials. These credentials may then be captured on the masquerading web server.

Protect Users from Phishing/Spear Phishing with Office 365 Advanced Threat Protection

Office 365 Advanced Threat Protection allows you to configure anti-phishing policies to protect your users.

The anti-phishing capabilities in ATP apply a set of machine learning models together with impersonation detection algorithms to incoming email messages, providing protection against both spear-phishing and commodity phishing attacks. All messages are subject to an extensive set of machine learning models trained to detect phishing messages, together with a set of advanced algorithms used to protect against various user and domain impersonation attacks.

Learn more on using ATP to prevent phishing attacks at https://support.office.com/en-us/article/atp-anti-phishing-capabilities-in-office-365-5076d0f6-7a59-4d6c-bd07-ba95033f0682?ui=en-US&rs=en-US&ad=US.

ATP capabilities such as Spoof Intelligence and Safe Links/Safe Attachments can also be used to further protect users from impersonation, malicious hyperlinks in a message, and malware and viruses.

For a complete list of protected scenarios refer to the ATP service description at https://technet.microsoft.com/en-us/library/exchange-online-advanced-threat-protection-service-description.aspx.

In addition, consider adding DKIM (DomainKeys Identified Mail) signatures to your domains so recipients know that email messages came from users in your organization and weren’t modified after they were sent to help protect both senders and recipients from forged and phishing email.

Learn more about DKIM at https://technet.microsoft.com/en-US/library/ms.exch.eac.DKIMDisabled(EXCHG.150).aspx?v=15.20.609.10&l=1&s=BPOS_S_E15_0.

Password-Spray Attacks

Password-spraying is a method of attempting to log in with only one password across all domain accounts. It’s an alternative to brute-force password attacks that is designed to avoid account lockouts where a lockout threshold is in place.

This allows an attacker to make many more authentication attempts without locking out users. For example, if I were to attempt to log in to every account with the password ‘pass@word1’ it is very likely (hopefully not ;-)) that someone at the target organization used that password and I will now have access to their account.

Simplified, password-spraying is essentially a reverse brute-force attack in that as opposed to attempting many password attempts against a single known user, it involves a single, strategic password, used across many known users.

In the Microsoft cloud we handle billions of sign-ins each day and our security detection algorithms allow us to both detect and subsequently block attacks such as these in real-time.

Some of these capabilities include:

Smart Lockout

Azure Active Directory (Azure AD) protects against password attacks with Smart Lockout.  Smart Lockout differentiates between sign-in attempts that look like they’re from a valid user and sign-ins from what may be an attacker. Smart Lockout ensures potential attackers are locked out without impacting a valid user which helps to prevent denial of service on the user and stops password spray attacks.

IP Lockout

IP lockout works by analyzing sign-ins to assess the quality of traffic from each IP address hitting Microsoft systems. Using that data, IP lockout finds IP addresses acting maliciously and blocks those sign-ins in real-time.

Password-Spray Attack Prevention

A password is the key to accessing an account, but in a successful password spray attack, the attacker has guessed the correct password.  The best solution to mitigating password spray attacks is using something more than just a password to distinguish between the account owner and the attacker. For example:

Implement Multi-Factor Authentication

Azure AD Identity Protection uses sign-in data and adds on advanced machine learning and algorithmic detection to risk score every sign-in that comes in to the system. This enables you to create policies in Identity Protection that prompt a user to authenticate with a second factor if and only if there’s risk detected for the user or for the session.

Learn more about Azure AD Identity Protection at https://docs.microsoft.com/en-us/azure/active-directory/active-directory-identityprotection.

For an additional layer of security, you can use Azure MFA to require multi-factor authentication for your users all the time, both in cloud authentication and ADFS.

Learn more about Azure Multi-Factor Authentication at https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication, and how to configure Azure MFA for AD FS at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-and-azure-mfa.

Azure MFA as primary authentication

In AD FS 2016, you have the ability to use Azure MFA as the primary authentication means for passwordless authentication, which helps to protect against password-spray and theft attacks. Using Azure MFA as primary authentication bypasses the need for a password, which means there is no password for an attacker to guess. With Azure MFA you can also use a password as the second factor only after your OTP has been validated with Azure MFA. Learn more about using password as the second factor at https://github.com/Microsoft/adfsAuthAdapters.

Brute-Force Password Attack

Perhaps one of the more archaic attacks, brute-force attacks consist of an attacker trying many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found.

Brute-Force Password Attack Prevention

Like password-spray attacks you can take advantage of the same recommendations (above) in addition to detection and handling through capabilities such as Cloud App Security.

Cloud App Security is a comprehensive solution that can help you as you move to take advantage of cloud applications, but keep you in control, through improved visibility into activity and increase the protection of critical data across cloud applications.  Cloud App Security provides tools that help uncover shadow IT, assess risk, enforce policies, investigate activities, and stop threats, to help you more safely move to the cloud while maintaining control of critical data.

Through Office 365 Cloud App Security you can, for example, use the “Multiple failed user log on attempts to an app” policy template to be alerted when a single user attempts to log on to a single app, and fails more than n times within a defined number of minutes.

Learn more about Cloud App Security at https://docs.microsoft.com/en-us/cloud-app-security/what-is-cloud-app-security.

Lastly, enforcing strong passwords and account lockout policies can help to mitigate brute-force attacks.  For more information see also https://docs.microsoft.com/en-us/azure/active-directory/active-directory-passwords-policy.
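The two attack shapes described above leave different traces in sign-in data: a per-user "more than n failures within a defined number of minutes" rule, like the Cloud App Security template, catches brute force but not a spray, which only shows up when failures are grouped by source. The following Python is an added example, not Microsoft code or part of the original article; the event tuple layout, thresholds, and function names are assumptions, and the sample sign-ins are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(hms):
    """Build a timestamp on a fixed, constructed date."""
    return datetime.fromisoformat("2018-10-01T" + hms)


# Constructed sample sign-ins: (timestamp, user, source IP, succeeded).
# IP addresses are taken from the reserved documentation ranges.
SAMPLE_EVENTS = [
    # One source, one guess per account: the password-spray shape.
    (_t("09:00:00"), "alice", "203.0.113.10", False),
    (_t("09:00:20"), "bob", "203.0.113.10", False),
    (_t("09:00:40"), "carol", "203.0.113.10", False),
    (_t("09:01:00"), "dave", "203.0.113.10", False),
    (_t("09:01:20"), "erin", "203.0.113.10", True),
    (_t("09:01:40"), "frank", "203.0.113.10", False),
    # One account, many guesses: the brute-force shape.
    (_t("10:00:00"), "gina", "198.51.100.7", False),
    (_t("10:00:30"), "gina", "198.51.100.7", False),
    (_t("10:01:00"), "gina", "198.51.100.7", False),
    (_t("10:01:30"), "gina", "198.51.100.7", False),
    (_t("10:02:00"), "gina", "198.51.100.7", False),
    (_t("10:02:30"), "gina", "198.51.100.7", False),
    # An ordinary user mistyping once, then signing in.
    (_t("11:00:00"), "alice", "192.0.2.44", False),
    (_t("11:00:30"), "alice", "192.0.2.44", True),
]


def detect_brute_force(events, max_failures=5, window=timedelta(minutes=5)):
    """Per-user rule: more than max_failures failed sign-ins inside window.

    Returns {user: highest failure count seen inside one window}.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent failures
    flagged = {}
    for ts, user, _ip, ok in sorted(events, key=lambda e: e[0]):
        if ok:
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > max_failures:
            flagged[user] = max(flagged.get(user, 0), len(q))
    return flagged


def detect_password_spray(events, min_users=5, window=timedelta(minutes=10)):
    """Per-source rule: failures against min_users distinct accounts in window.

    Returns {ip: {"targets": accounts that saw failures,
                  "review": accounts that signed in successfully from that IP}}.
    """
    ordered = sorted(events, key=lambda e: e[0])
    recent = defaultdict(deque)  # ip -> (timestamp, user) of recent failures
    findings = {}
    for ts, user, ip, ok in ordered:
        if ok:
            continue
        q = recent[ip]
        q.append((ts, user))
        while ts - q[0][0] > window:
            q.popleft()
        targets = {u for _, u in q}
        if len(targets) >= min_users:
            entry = findings.setdefault(ip, {"targets": set(), "review": set()})
            entry["targets"] |= targets
    # A success from a flagged source may be a guessed password: queue it for
    # review (password reset, session revocation, MFA check).
    for _ts, user, ip, ok in ordered:
        if ok and ip in findings:
            findings[ip]["review"].add(user)
    return findings


if __name__ == "__main__":
    print("brute force:", detect_brute_force(SAMPLE_EVENTS))
    print("spray:", detect_password_spray(SAMPLE_EVENTS))
```

None of the sprayed accounts appears in the per-user result, because each saw a single failure; only the per-source grouping surfaces them, along with the one account whose sign-in succeeded.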

Conclusion

Your security is only as good as what you put into it. Using Attack Simulator you can better understand how your users will react and then implement the best set of solutions to ensure both your organization’s and your users’ security. While this article is not intended to provide a comprehensive view of all of the security options available in Office 365, it helps map those capabilities to the simulations available in Attack Simulator. To learn more about Attack Simulator visit https://support.office.com/en-us/article/attack-simulator-office-365-da5845db-c578-4a41-b2cb-5a09689a551b?ui=en-US&rs=en-US&ad=US.

Office 365, including SharePoint Online and OneDrive for Business, provides a broad set of controls to help keep your data safe no matter where users are when they access or share data, what device they’re working on, and how secure their network connection is. Through these controls you can customize the level of access granted to users while making sure the resulting constraints meet your organizational security requirements.

For additional information on protecting yourself against threats in Office 365 refer to https://support.office.com/en-us/article/protect-against-threats-in-office-365-b10023f6-f30f-45d3-b3ad-b71aa4aa0d58.  This article will help you protect your organization against a variety of threats, including spoofing, malware, spam, phishing attempts, and unauthorized access to data.

Next up, Part 2 Using Attack Simulation and Configuring Security Options…

OneDrive for Business, Security and Compliance, SharePoint

DLP Policy Tips are now available across new endpoints in Office 365

This summer we introduced a consistent, coherent sharing experience across the Web and desktop. These improvements allow you to share Office 365 files directly from File Explorer on PC and Finder on Mac, in addition to the latest versions of Office on the desktop and Office 365 web experiences. The updates provide a simplified sharing experience, so you can share files and folders easily with partners both internal and external while retaining the right level of security. Whether you share on the web, in Explorer on Windows 10 and Windows 7, or in Finder on the Mac, the sharing experience is secure, consistent, and simple.

While we’ve made the sharing experience consistent across these endpoints, we also understand that data loss and leakage are non-negotiable. To comply with business standards and industry regulations, organizations need to protect sensitive information and prevent its inadvertent disclosure.

To ensure your sensitive data remains that way, we’re excited to announce that we’ve extended sharing to include DLP policy tips across OneDrive, SharePoint, Word, Excel, and PowerPoint on PC, Mac, and Web, so whether you’re working on the web or the desktop, you can remain informed with a consistent policy tip experience as you share files.

[Screenshots: SharePoint Online, Microsoft Word]

By bringing DLP policy tips into the sharing experience you can both block the sharing action and use the sharing dialog as a platform to help understand why an action is blocked, regardless of where you’re working.

Learn more about DLP in Office 365 at https://support.office.com/en-us/article/Overview-of-data-loss-prevention-policies-1966b2a7-d1e2-4d92-ab61-42efbb137f5e.

For more information on sending policy notifications and policy tips see https://support.office.com/en-us/article/Send-email-notifications-and-show-policy-tips-for-DLP-policies-87496bc5-9601-4473-8021-cb05c71369c1.

Administration, Events, OneDrive for Business, Security and Compliance, SharePoint

Stay ahead of data residency requirements with Multi-Geo Capabilities in Office 365

Governments around the world are strengthening laws and regulations to protect citizens’ data, preserve national security, and protect business interests.

Last week at Microsoft Ignite we announced new Multi-Geo Capabilities in Office 365 to help ensure you remain compliant across services including SharePoint, OneDrive, and Exchange.

The new Multi-Geo Capabilities in Microsoft 365 give global organizations a way to maximize the value of Office 365, including SharePoint and OneDrive, while meeting data residency and compliance requirements.

Multi-geo capabilities provide you with a choice of geographical locations in which to store, manage, and secure your data by allowing a single Office 365 tenant to span multiple regions, storing data on a per-user or per-site basis.  So, whether you’re adding a new user to your organization or need to move an existing user and their data to a new region, seamlessly and transparently to that user, the new multi-geo capabilities are designed to address those needs.

In a multi-geo configuration, your Office 365 tenant consists of a central, default location, such as North America, and one or more satellite locations.  In this scenario, a single tenant can span multiple locations, ensuring your data resides within the boundaries of each respective geo.  Each geo in a multi-geo configuration is addressed with a unique URL specified when configuring the Office 365 tenant, such as contosona or contosoeur to represent North America or Europe respectively.

Information about multi-geo enabled tenants, such as geo locations, groups, and user information, is mastered in Azure Active Directory (AAD).  Since the tenant information is mastered centrally and synchronized into each geo location, sharing and experiences involving anyone from your company contain global awareness.  For example, a user whose preferred OneDrive data location is in Europe can share with users in North America or other configured geo locations, and discover content created across the tenancy using services such as search and Office Delve.  In addition, independent policies can be configured at each geo location, including explicit sharing policies, eDiscovery, etc.

Multi-Geo capabilities for OneDrive are in private preview today. If you’re interested and want to learn more, visit the links below.

OneDrive http://aka.ms/OneDriveMultiGeo

Resources

To learn more about Multi-Geo Capabilities in Office 365 refer to the resources below:

Watch and download Understanding Multi-Geo Capabilities in Office 365 at https://myignite.microsoft.com/sessions/54705?source=sessions from Microsoft Ignite.

Watch and download Multi-Geo Capabilities in OneDrive and SharePoint Online at https://myignite.microsoft.com/videos/53873 from Microsoft Ignite.

Watch and download Exchange Online Multi-Geo Capabilities at https://myignite.microsoft.com/sessions/55160?source=sessions from Microsoft Ignite.

Read more about Multi-Geo capabilities in Office 365 at https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Introducing-Multi-Geo-in-Office-365/ba-p/107016.

Watch Introducing Multi-Geo capabilities in Office 365 on Microsoft Mechanics at https://www.youtube.com/watch?v=3d9-Vt2fArk&feature=youtu.be.

Administration, Security and Compliance

Secure your information with SharePoint and OneDrive

Today at the SharePoint Virtual Summit, we unveiled the latest innovations for SharePoint and OneDrive, including powerful integrations across Office 365, Windows and Azure – and while we continue to drive forward with a cloud-first, mobile-first vision – security and compliance are at the foundation of everything we do.

Microsoft has been building enterprise software for decades and running some of the largest online services in the world. We draw from this experience to keep making SharePoint Online and OneDrive for Business more secure for users, implementing and continuously improving security-aware software development, operational management, and threat-mitigation practices that are essential to the strong protection of your services and data.

The collaboration landscape has changed. Connectivity is ubiquitous and the ability to work remotely has become an ingrained part of the work practice. People have come to expect to be able to access email and documents from anywhere on any device – and for that experience to be seamless.
While this has been an enormous boost to productivity, it also presents huge challenges for security. Previously, businesses needed to concern themselves with a firewall that ended at the corporate boundary. Now that boundary has shifted to the end user. Businesses need to ensure that corporate data is safe while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.

SharePoint Online and OneDrive for Business are uniquely positioned to help you address these evolving security challenges. To begin with, Microsoft has continued to evolve with new standards and regulations. This has been a guiding principle as we think about security for SharePoint Online and OneDrive for Business. Right alongside that principle is this one: There is no security without usability. If security gets in the way of productivity, users will find a different, less secure way to do their work.

SharePoint Online and OneDrive for Business allow your organization to go beyond its regular business rhythms and be nimbler in responding to market changes and opportunities. These solutions enable users to access the files and documents they need wherever they’re doing work, while sharing and collaborating in real-time. And you control and own your data while Microsoft takes care of it – click here to explore the many options SharePoint and OneDrive provide to secure you and your information and then read our eBook Securing your content in the new world of work with SharePoint and OneDrive.

What’s coming next with Administration and Manageability?
In Q4 CY2017 we will begin rolling out the new SharePoint admin center. From the home page, you’ll notice just how much better it is, with interactive activity reports, Message Center posts, and a health dashboard tuned to the needs of SharePoint administrators.


You’ll easily find and work with the dozens of SharePoint settings the service gives you to configure sharing, access, and the service. And we know you’ll love the dynamic new Site Management page, which lets you view, filter, and edit the configuration of all of your SharePoint sites, including sites connected to Office 365 groups.


What’s coming next with Security and Compliance?
The rapidly changing security landscape means that your organization’s content – its knowledge – is being shared more broadly, and accessed from more devices and more locations, than ever before. We’re committed to the security, privacy, and compliance of your data, and we continuously innovate intelligent ways to protect your content, and to empower you to govern and manage information. Last month we announced label-based classification for information management policies, which enables more dynamic governance of content across SharePoint, Exchange, Skype, and Microsoft Teams.

Today we announced upcoming support for customer managed keys. In Q4 CY2017, you will be able to host your own key in Azure. That key will be used to further encrypt your data in Office 365, so that should you choose to leave Office 365, you can revoke the key and your data will be inaccessible to the service.

We also announced that conditional access policies will be coming to site collections. These policies allow you to define access based not only on user and permissions levels, but also based on the device, the user, or the location. Conditional access policies can currently be applied to your Office 365 tenant as a whole. In late CY 2017 we will allow you to define these policies at the site collection level, so that you can manage security on a granular, use-case basis.

Watch the short video here that demonstrates and shares more details about these investments. We hope to see you at Microsoft Ignite, where you can learn more about what’s next for security, compliance, and administration for SharePoint and OneDrive.

Security and Compliance

File Security in SharePoint Online and OneDrive for Business (Whitepaper)

When choosing a cloud collaboration platform, the most important consideration is trust in your provider. Microsoft SharePoint and OneDrive for Business are covered by the core tenets of earning and maintaining trust: security, privacy, compliance, and transparency. With SharePoint and OneDrive, they’re your files. You own them and control them. The Microsoft approach to securing your files involves:

A set of customer-managed tools that adapt to your organization and its security needs.
A Microsoft-built security control framework of technologies, operational procedures, and policies that meet the latest global standards and can quickly adapt to security trends and industry-specific needs.

These tools and processes apply to all Microsoft Office 365 services—including SharePoint and OneDrive—so all your content beyond files is secure.

Learn more about file security in SharePoint Online and OneDrive for Business in this whitepaper https://www.microsoft.com/en-us/download/details.aspx?id=53884.
