SharePoint & OneDrive. Providing a safe and secure environment for collaboration (part 1)

Microsoft SharePoint and OneDrive are used to support an extensive range of business scenarios including file sharing, collaboration, document management and many other activities for users across many organisations. These activities can involve users both within and outside of an organisation. Many organisations are unaware of the measures available to help ensure the environment remains safe and secure.

In part 1 of this blog, I cover a couple of the basic areas an organisation should consider for helping to make SharePoint and OneDrive a safe and secure environment in which to collaborate:

  • Access Control
  • Terms of use

How do we control access to Microsoft SharePoint and OneDrive?

Making SharePoint and OneDrive a safe and secure environment usually starts with defining how access is granted and controlled. Users will want to reach SharePoint or OneDrive from a variety of devices and locations, so a sensible first step for most organisations is to enable a baseline level of identity security using ‘security defaults’.

What are ‘Security Defaults’?

Managing security is becoming harder as common identity-related attacks such as password spray, credential replay and phishing grow more frequent.

Security defaults in Azure Active Directory (Azure AD) make it easier to be secure and help protect your organisation. They are a preconfigured set of settings that counter these common attacks, and Microsoft makes them available to every tenant at no extra cost so that all organisations have a basic level of security enabled.

You turn on security defaults in the Azure portal (Azure Active Directory > Properties > Manage security defaults) as shown below:

The organisation will typically need to consider under what conditions it will grant access. Will it grant access from unmanaged personal devices, for example? How can the organisation be sure that the person requesting access is the authorised user and not someone using that user’s stolen credentials?

Security Defaults requires every user to register for Azure Multi Factor Authentication (MFA) as a baseline security measure.

The sign-in experience when a user accesses SharePoint or OneDrive by entering their username and password is as follows:

After clicking the ‘Sign in’ button (with Security Defaults enabled), they are prompted to provide additional information to verify their identity as follows:

The first time a user logs in they are prompted to confirm how they will provide the additional security information as follows:

After clicking ‘Next’ the user is sent a one-time passcode (OTP) as follows:

Once the user has set up their additional security verification, they are prompted to provide it whenever Azure AD requires it at sign-in, as follows:

With Security Defaults enabled, Azure Multi Factor Authentication is required for all users within an organisation’s Office 365 tenant: accounts holding administrator roles (e.g. SharePoint Admin, Exchange Online Admin etc.) must always complete MFA, and other users are prompted when Azure AD judges it necessary, for example when signing in from a new device or location. Security Defaults also blocks legacy authentication protocols (such as basic authentication used by older Office clients and IMAP/POP/SMTP), which cannot perform MFA and are therefore a common route around it. This should be considered the standard approach for all SharePoint and OneDrive users to improve security when authenticating.
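The same switch can be read and set through Microsoft Graph rather than by clicking through the portal, which is useful for auditing several tenants or recording the state as part of a change. The following is an added example, not code from the original post. It assumes the Microsoft Graph PowerShell SDK is installed and that the signed-in account holds a role permitted to change the policy (for example Global Administrator); the endpoint and permission names are Microsoft Graph’s own.

```powershell
# Added example (not from the original post): inspect and enable Security Defaults
# through Microsoft Graph PowerShell.
# Assumes the Microsoft.Graph module is installed and the signed-in account holds a
# role allowed to change the policy (e.g. Global Administrator).
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

$sdUri = "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy"
$caUri = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"

# Read the current state first. isEnabled is the only setting this policy exposes
# and corresponds to 'Manage security defaults = Yes/No' in the portal.
$policy = Invoke-MgGraphRequest -Method GET -Uri $sdUri
"Security defaults currently enabled: $($policy.isEnabled)"

if (-not $policy.isEnabled) {
    # Security defaults and Conditional Access cannot be used together. If the
    # tenant already has enabled Conditional Access policies, MFA should be
    # enforced there instead, so stop rather than attempt to switch the tenant back.
    $ca     = Invoke-MgGraphRequest -Method GET -Uri $caUri
    $active = @($ca.value | Where-Object { $_.state -eq "enabled" })
    if ($active.Count -gt 0) {
        Write-Warning ("Tenant has {0} enabled Conditional Access policies; " +
                       "require MFA through those policies instead of security defaults.") -f $active.Count
        return
    }

    # Turn security defaults on. A successful PATCH returns no body.
    Invoke-MgGraphRequest -Method PATCH -Uri $sdUri `
        -Body @{ isEnabled = $true } -ContentType "application/json"
}

# Re-read to confirm the change took effect.
$confirmed = Invoke-MgGraphRequest -Method GET -Uri $sdUri
"Security defaults enabled after change: $($confirmed.isEnabled)"
```

The check against existing Conditional Access policies is deliberate: enabling security defaults on a tenant that already relies on Conditional Access is not a security improvement, and the two models are mutually exclusive.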

Note:

Azure Multi Factor Authentication is included with all Office 365 subscriptions (E1 / E3 / E5); however, more advanced features (such as enabling it through conditional access to support different scenarios) are only available with upgraded licence options such as Azure AD Premium P1 / P2.

For more information, see Microsoft’s documentation on Features and licences for Azure Multi-Factor Authentication.

How should you enable users to accept responsibility for using Microsoft SharePoint and OneDrive?

In the modern cloud era users can log in to all sorts of applications using their corporate credentials. Although some apps have their own way of displaying terms of use, a central point of management is best.

Azure AD Terms of Use gives you a central place to display custom terms of use before granting access to Microsoft SharePoint and OneDrive. It is a feature of Conditional Access, so you will need to check your subscription level before relying on it.

Configuring terms of use in Azure AD requires you to be licensed for Azure AD Premium P1 / P2, which are available as standalone licenses or are bundled in with the EM+S E3 / E5 licenses.

With this feature, users must review and accept the organisation’s terms of use before they can access Microsoft SharePoint or OneDrive.

Important:

Enabling custom Terms of Use requires Security Defaults to be disabled, because Conditional Access policies and Security Defaults cannot be used together: this approach moves beyond the basic settings provided by Security Defaults and uses Conditional Access instead. Bear in mind that switching Security Defaults off also removes the MFA and legacy-authentication protections it provided, so recreate those with Conditional Access policies (at minimum, require MFA for administrators and block legacy authentication) rather than leaving the tenant with only a Terms of Use policy.

How do we create a custom Terms of Use?

Creating a new custom Terms of Use is fairly straightforward and requires an Administrator to browse to Azure Active Directory > Security > Conditional Access > Terms of use and select ‘New terms’. The terms themselves are uploaded as a PDF document; it is then a case of completing the form and adding the required details as follows:

In order to enforce the terms of use, a conditional access policy is required. You can create a conditional access policy targeted to specific users and applications later, or use one of the predefined templates.

Important:

If you allow the Terms of Use form to create a conditional access policy automatically, the policy targets all users with no exclusions. This is not recommended: it can lock out administrator and emergency-access (‘break glass’) accounts. Create the policy yourself, scope it to a pilot group first and always exclude at least one emergency-access account.
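Below is an added example of carrying out the same steps through Microsoft Graph PowerShell instead of the portal; it is not code from the original post. It assumes a PDF of the terms at .\SharePoint-Terms.pdf, a pilot group named ‘SharePoint Users’ and an emergency-access account breakglass@contoso.onmicrosoft.com, all of which are made up for the illustration. The application ID used for SharePoint Online (which also covers OneDrive for Business) is Microsoft’s fixed one, and the policy is created in report-only mode so the sign-in logs can be reviewed before it is enforced.

```powershell
# Added example (not from the original post): create a Terms of Use agreement and the
# Conditional Access policy that enforces it for SharePoint Online and OneDrive.
# Assumptions (not in the post): .\SharePoint-Terms.pdf exists, a group called
# 'SharePoint Users' is the pilot scope, and breakglass@contoso.onmicrosoft.com is an
# emergency-access account that must never be subject to the policy.
Connect-MgGraph -Scopes "Agreement.ReadWrite.All", "Policy.ReadWrite.ConditionalAccess",
                        "Application.Read.All", "Group.Read.All", "User.Read.All"

# 1. Conditional Access and security defaults are mutually exclusive, so turn
#    security defaults off. Only do this once Conditional Access policies that
#    re-establish MFA for administrators exist or are about to be created.
Invoke-MgGraphRequest -Method PATCH `
    -Uri "https://graph.microsoft.com/v1.0/policies/identitySecurityDefaultsEnforcementPolicy" `
    -Body @{ isEnabled = $false } -ContentType "application/json"

# 2. Create the agreement. Graph expects the PDF itself, base64-encoded.
$pdfBase64 = [Convert]::ToBase64String([IO.File]::ReadAllBytes(".\SharePoint-Terms.pdf"))
$agreement = Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/v1.0/identityGovernance/termsOfUse/agreements" `
    -Body @{
        displayName                       = "SharePoint and OneDrive acceptable use"
        isViewingBeforeAcceptanceRequired = $true   # user must open the document before 'Accept' is enabled
        files = @(@{
            fileName  = "SharePoint-Terms.pdf"
            language  = "en"
            isDefault = $true
            fileData  = @{ data = $pdfBase64 }
        })
    }

# 3. Resolve the pilot group and the emergency-access account to object IDs.
$group      = Get-MgGroup -Filter "displayName eq 'SharePoint Users'" | Select-Object -First 1
$breakGlass = Get-MgUser -UserId "breakglass@contoso.onmicrosoft.com"

# 4. Create the policy in report-only mode, scoped to the pilot group, excluding the
#    emergency-access account, and requiring the agreement for SharePoint Online.
#    00000003-0000-0ff1-ce00-000000000000 is Microsoft's fixed 'Office 365 SharePoint
#    Online' application ID; OneDrive for Business is covered by the same application.
$policy = @{
    displayName = "Require Terms of Use for SharePoint and OneDrive"
    state       = "enabledForReportingButNotEnforced"   # change to "enabled" after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeGroups = @($group.Id)
            excludeUsers  = @($breakGlass.Id)
        }
        applications = @{
            includeApplications = @("00000003-0000-0ff1-ce00-000000000000")
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator   = "OR"
        termsOfUse = @($agreement.id)
    }
}
$created = Invoke-MgGraphRequest -Method POST -ContentType "application/json" `
    -Uri "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies" -Body $policy
"Created policy $($created.id) in state $($created.state)"
```

Leaving the policy in report-only mode for a few days and reviewing the Conditional Access report in the sign-in logs shows exactly which accounts would have been prompted, which is the moment to spot any administrator or service account you forgot to exclude.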

Once the conditional access policy has been created and targeted to the relevant users or groups, those users will be prompted to accept the Terms of Use after authenticating as follows:

Users can choose to expand the terms of use to read the relevant document before clicking ‘Accept’:

In part 2 of this blog I will cover the following key areas:

  • Guest access reviews
  • Web-only access
  • Session timeout policies
  • Sensitivity labels to protect sites and files
