How do you secure your SharePoint Online environment? This is one of the most important questions people ask (or should ask) before they start moving document content to SharePoint Online.
The answer is often dependent on type of licenses used. Microsoft 365 Business Standard doesn’t have the same capabilities of Microsoft 365 E5 Enterprise licensing and if the licensing decision has already been made, it can be a lot of work to get additional / upgraded licensing approved.
Here are some things everyone can do regardless of the license:
Review the default Sharing Policy in SharePoint and consider the various settings, including:
- Anonymous links
- Default Sharing link types
- Link expiry rules
- Disabling external Sharing by default
Full details of the Sharing Policy options: Manage sharing settings – SharePoint in Microsoft 365 | Microsoft Learn
It is also a good idea to document the rules for when External Sharing should and should not be used. This can form part of a governance document, or guidelines. For example:
- Sites are only shared externally if approved by x.
- Documents in these sites must not be confidential or contain personally identifiable information.
- Guests must be restricted by domain.
- Sites containing Employment and Financial information must not be shared.
Policies are easiest to apply at the site level. If the content conflicts with requirements for internal only vs external collaboration, consider creating a separate site.
You can also control these settings at the Site Level, allowing you to over-ride the tenant defaults where required e.g. projects with external collaboration. Learn more here Turn external sharing on or off for individual site collections – Microsoft Support.
Another important consideration in Microsoft 365, is the Guest User. There are controls that can be implemented to manage Guests and work in conjunction with other Sharing configuration, for example allowing only existing Guests and then “pre-registering” the approved Guests. Requiring Guests to use MFA and using Guest Expiry Policies.
These articles explain the steps for improving the management of Guests in your tenant.
Create a more secure guest sharing environment | Microsoft Learn
Manage guest expiration for a site – Microsoft Support
If you do have a more advanced license then you also have the option of using Sensitivity Labels to classify and protect content. Microsoft has an overview here to help get you started – Learn about sensitivity labels – Microsoft Purview (compliance) | Microsoft Learn
Often there is a trade off between security and usability, the goal is to find the balance that meets the organisations security and compliance needs with the needs of the end user. While it is easiest to just lock everything down, doing so can prevent people being able to work and result in unexpected work arounds. Find the balance and communicate the why.