Follow me on Twitter @AntonioMaio2

Monday, April 3, 2017

Security Controls in the OneDrive for Business Admin Center

Microsoft recently added a new and extremely helpful Admin Center to Office 365 specifically for OneDrive for Business.

In terms of additional security controls this is a great addition because it allows us to more easily control access and sharing specifically in OneDrive for Business, and not just SharePoint Online. Many of the external sharing settings overlap with those already available for SharePoint Online sites. However, this is a very good start and we look forward to seeing more capabilities added over time to help us control and manage how our users share content with those outside of our organizations.

For now, let's take a closer look at the security controls available for OneDrive for Business.



The first option available on the left side is the Sharing page. This provides the following security controls to allow us to better administer sharing with external users.

Enabling and Disabling External Sharing



  • The first thing we notice is there is a switch for Let users share SharePoint content with external users. This will actually disable or enable external sharing for all SharePoint site collections. Once enabled you can select the type of external sharing permitted as well:
    • only existing external users (sign-in required)
    • new and existing external users (sign-in required)
    • anyone including anonymous users.
    This control performs the same function as the switch found in Office 365 Admin Center > Settings > Services & Add-Ins > Sites.

    This control also performs the same function as the switch found in SharePoint Admin Center > Sharing.
    If you turn external sharing OFF in any of these 3 locations, you turn it off for all SharePoint Online site collections in the tenant. If you modify sharing settings in any of these consoles, you modify them in all 3 consoles at once and you ultimately affect all SharePoint site collections.

    A reason that this control is replicated in a few locations is that it allows administrators with different roles to have top-level control over external sharing. You can have a global administrator turn it off or modify what is permitted at the tenant level, or you can have a SharePoint Online administrator (who may not have Office 365 Admin Center access) turn it off for all site collections.

  • Next we have a switch for Let users share OneDrive content with external users. This will specifically disable or enable external sharing for OneDrive for Business site collections. It will not alter external sharing settings for SharePoint sites.

    You may also control the type of external sharing permitted specifically for OneDrive for Business sites, with the same settings that are available for SharePoint sites. SharePoint and OneDrive external sharing may have differing settings, so that one is more restrictive than the other. It's important to note that this setting must be at least as restrictive as the SharePoint external sharing settings:
    • If SharePoint external sharing is set to 'Only existing external users', then OneDrive may only have this setting
    • If SharePoint is set to 'New and existing external users', then OneDrive may have either 'Only existing external users' or 'New and existing external users'
    • If SharePoint is set to 'Anyone, including anonymous users', then OneDrive may have any of the 3 settings
    When you modify these settings, you are in effect modifying the sharing settings for your MySite host site collection: https://-my.sharepoint.com. You can modify the settings in the OneDrive for Business admin center, and then check the sharing settings in the SharePoint admin center for the MySite site collection and see the changes reflected there. However, if you do this make sure that when you switch to the SharePoint Online admin center, that you refresh your browser so that the new sharing settings are retrieved for your site collection.

    It's also important to note that for OneDrive for Business external sharing in this admin console, you select these settings for all OneDrive sites. You cannot change these settings on a site by site basis for OneDrive, like you can for SharePoint sites, unless you use PowerShell (see the PowerShell capabilities described below).
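The "at least as restrictive" rule above is easy to get wrong when the two settings are changed in different consoles by different administrators. The following is an added example, not code from the original post, that reads the tenant-wide SharePoint setting and the MySite host's setting with the SharePoint Online Management Shell and reports whether OneDrive is broader than SharePoint. It assumes Connect-SPOService has already been run and uses "contoso" as a placeholder tenant name.

```powershell
# Added example: check that OneDrive external sharing is no more permissive
# than the tenant-wide SharePoint setting. Assumes Connect-SPOService has run.

# Ordered from most to least restrictive; the index doubles as a permissiveness rank.
$SharingLevels = @(
    'Disabled',
    'ExistingExternalUserSharingOnly',
    'ExternalUserSharingOnly',
    'ExternalUserAndGuestSharing'
)

function Get-SharingRank {
    param([Parameter(Mandatory)][string]$Capability)
    $rank = [array]::IndexOf($SharingLevels, $Capability)
    if ($rank -lt 0) { throw "Unknown SharingCapability value: $Capability" }
    return $rank
}

function Test-OneDriveSharingNotBroaderThanSharePoint {
    param([Parameter(Mandatory)][string]$TenantName)   # placeholder, e.g. 'contoso'

    # Tenant-wide SharePoint setting (the switch shared by all three admin consoles).
    $tenantLevel = (Get-SPOTenant).SharingCapability.ToString()

    # The OneDrive setting lives on the MySite host site collection.
    $mySiteHost    = "https://$TenantName-my.sharepoint.com"
    $oneDriveLevel = (Get-SPOSite -Identity $mySiteHost).SharingCapability.ToString()

    $result = [pscustomobject]@{
        SharePointTenant = $tenantLevel
        OneDriveHost     = $oneDriveLevel
        Compliant        = (Get-SharingRank $oneDriveLevel) -le (Get-SharingRank $tenantLevel)
    }
    if (-not $result.Compliant) {
        Write-Warning "OneDrive ($oneDriveLevel) is more permissive than SharePoint ($tenantLevel); tighten the OneDrive setting."
    }
    return $result
}

# Usage (placeholder tenant name):
# Connect-SPOService -Url https://contoso-admin.sharepoint.com
# Test-OneDriveSharingNotBroaderThanSharePoint -TenantName 'contoso'
```

Run this after any change in either admin center; because the admin center caches the values until the browser is refreshed, the cmdlet output is the quicker way to confirm what the tenant actually holds.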

The other controls available in the OneDrive admin center are similar to the features we've seen added to the SharePoint Online sharing page.

Default Links and Anonymous Links



  • Next we select the default link type. This defines the type of link which is created when a user selects Get a Link when they share a file or folders. You can select:
    • Direct Links, which are accessible only by users who already have permissions to access the item.
    • Internal Links, which are accessible by anyone within your organization.
    • Anonymous Links, which are accessible by anyone that has the link. You can forward the link to other users, either within or outside your organization and they'll be able to access the item.

    Remember, this only sets the default. You may set the default here to Direct Links so that when a user clicks Get a Link they get a Direct Link by default. But users can select Anonymous Links as an option if the dropdown list below 'Let users share OneDrive content with external users' is set to 'Anyone, including anonymous users'.
  • If we have enabled anonymous links, we can select some controls for those anonymous links, such as:
    • An expiration period for anonymous links (in days), which I highly recommend if you're going to enable anonymous links.
    • The file permissions available to an anonymous user accessing a file, like View or View and Edit.
    • The folder permissions available to an anonymous user accessing a folder, like View or View, Edit and Upload.
  • It's important to note that these settings affect both SharePoint Online and OneDrive for Business external sharing. If you modify these settings, the corresponding settings in the SharePoint Online admin center's Sharing page will also be modified to match.

Control External Sharing Domains and What External Users Can Do



  • You may wish to prevent users in your organization from sharing externally with specific domains. Alternatively, you might decide that you wish to permit external sharing, but to only specific domains. This can be controlled by creating either an Allow List or a Deny List in which you specify the domains. You first select the 'Allow or block sharing with people on selected domains' checkbox, then you click Add Domains, then you select Allow or Deny from the dropdown list and finally you specify one or more domains (separated by spaces). You can only have an allow list or a deny list - you cannot have both at the same time.

    The domain settings selected here are also the same as those selected for SharePoint Online. As with earlier settings, if you modify these settings, you will also modify those in the SharePoint Online admin center's Sharing page.
  • You may select if external users must accept a sharing invitation (and authenticate to Office 365) using the same email account that the invitation was sent to. I highly recommend this setting be checked ON. Having this on prevents external users from forwarding a sharing invitation to other Microsoft accounts, like their own personal account and helps you better control who can access content that's shared externally.

    As with other settings, changing this setting here affects the same setting for SharePoint Online site collections. The same setting is available on the SharePoint Online admin center's Sharing page.
  • You may select if external users can share items that they don't own with others. This setting is specific to OneDrive for Business sites - modifying this setting here does not change a similar setting for SharePoint Online.


Once all settings have been configured, you click Save and the changes take effect immediately. If sites were previously externally shared, and external sharing is turned off on this page then external sharing will immediately stop being permitted for those sites. If it is subsequently turned on, then all previous external sharing settings that were previously set will be immediately re-enabled.
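The Sharing page settings above (default link type, anonymous link expiry and permissions, domain allow/deny list, and the matching-account requirement) are all exposed by Set-SPOTenant as well, which makes it possible to record the current state before a change and to apply the tighter values consistently. The following is an added example, not code from the original post; it assumes Connect-SPOService has been run, and the 30-day expiry and the allowed domain are placeholder policy choices.

```powershell
# Added example: snapshot the tenant-wide sharing settings, then apply the
# more restrictive values discussed above. Assumes Connect-SPOService has run.

function Get-SharingSettingsSnapshot {
    # The properties that correspond to the controls on the Sharing page.
    Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
        RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType,
        SharingDomainRestrictionMode, SharingAllowedDomainList, SharingBlockedDomainList,
        RequireAcceptingAccountMatchInvitedAccount
}

function Set-HardenedSharingSettings {
    param(
        [Parameter(Mandatory)][string[]]$AllowedDomains,   # placeholder, e.g. 'partner.example'
        [int]$AnonymousLinkExpiryDays = 30                  # placeholder policy value
    )

    # Keep a record of what was in place before the change.
    $before = Get-SharingSettingsSnapshot
    $before | Export-Csv -Path ".\sharing-settings-before.csv" -NoTypeInformation

    $settings = @{
        DefaultSharingLinkType                     = 'Direct'     # Get a Link gives a direct link by default
        RequireAnonymousLinksExpireInDays          = $AnonymousLinkExpiryDays
        FileAnonymousLinkType                      = 'View'       # anonymous file links are read-only
        FolderAnonymousLinkType                    = 'View'       # anonymous folder links are read-only
        SharingDomainRestrictionMode               = 'AllowList'  # an allow list OR a deny list, never both
        SharingAllowedDomainList                   = ($AllowedDomains -join ' ')   # space separated
        RequireAcceptingAccountMatchInvitedAccount = $true        # invitee must sign in with the invited address
    }
    Set-SPOTenant @settings

    # Return the new state so the caller can diff it against the saved snapshot.
    return Get-SharingSettingsSnapshot
}

# Usage (placeholder domain):
# Set-HardenedSharingSettings -AllowedDomains 'partner.example' -AnonymousLinkExpiryDays 30
```

Because these are tenant-wide values, the change shows up on both the OneDrive and the SharePoint Online Sharing pages, exactly as the post describes for the admin center.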

Sync Settings

If we move on to the 3rd page in the OneDrive for Business admin center, we're provided with controls over how files are synced to OneDrive and SharePoint.


  • The first option is pretty simple - determining if the Sync button is available on the OneDrive web interface.
  • Next we determine if syncing is only permitted from PCs that are domain joined. This is useful if you want to ensure that only corporate managed PCs are syncing content to OneDrive for Business in your tenant.

    If you select this option you must specify the allowed domains, and you specify them by their GUID. You can find more information on how to do this using the Active Directory module for PowerShell here: . You can also select if you wish to block syncing from Mac OS.
  • Finally we can block specific file types from syncing to OneDrive by selecting the 3rd option, and specifying the file types you wish to block (one per line).
Another interesting security related scenario is the one in which we wish to prevent users from syncing content from a corporate computer to a personal OneDrive for Business site. This can be done by configuring a specific registry setting on each user's PC, and pushing that out to all computers using Group Policy (GPO). More information on how to configure this scenario can be found here: Prevent Users from Synchronizing Personal OneDrive Accounts.
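The domain-joined restriction, the macOS block and the file-type exclusions above can also be set from the SharePoint Online Management Shell, where the domain GUID lookup can be scripted rather than copied by hand. The following is an added example, not code from the original post. It assumes Connect-SPOService has been run and, for the GUID lookup, that the ActiveDirectory module is available on a domain-joined machine; the blocked extension list is a placeholder choice.

```powershell
# Added example: restrict OneDrive sync to PCs joined to specific domains,
# block macOS sync and exclude chosen file types.

function Get-ADDomainGuid {
    # The ObjectGUID of the AD domain is the value the sync restriction expects.
    Import-Module ActiveDirectory -ErrorAction Stop
    return (Get-ADDomain).ObjectGUID.ToString()
}

function Set-CorporateSyncRestriction {
    param(
        [Parameter(Mandatory)][string[]]$DomainGuids,
        [string[]]$BlockedExtensions = @('pst', 'exe', 'vbs'),   # placeholder list
        [bool]$BlockMac = $true
    )
    $settings = @{
        Enable                 = $true                          # turn the domain restriction on
        DomainGuids            = ($DomainGuids -join ';')       # cmdlet expects a ';'-separated string
        BlockMacSync           = $BlockMac
        ExcludedFileExtensions = ($BlockedExtensions -join ';') # also ';'-separated
    }
    Set-SPOTenantSyncClientRestriction @settings

    # Read the setting back so the caller can confirm what the tenant now holds.
    return Get-SPOTenantSyncClientRestriction
}

# Usage:
# $guid = Get-ADDomainGuid
# Set-CorporateSyncRestriction -DomainGuids $guid
```

Note that the restriction keys on the PC's domain join, not on the user's account, so it complements but does not replace the per-PC policy for personal OneDrive accounts mentioned above.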

Notifications

Let's jump ahead to the final administration page on this console and review the options for notifications that can be sent to OneDrive for Business users and site owners. We highly recommend that external sharing notifications be enabled here so that owners can monitor and control the external users that have access to their files and folders.


  • The 1st large switch determines if device notifications are displayed to users when OneDrive files are shared with them. This option is pretty self-explanatory and refers to the alerts, sounds and banners that can be displayed on our mobile devices.
  • The next options refer specifically to how owners are notified by email when other external users access or share their files:
    • Other users invite additional external users to shared files - When you share files from OneDrive with users, either internal or external to your organization, depending on the configuration they may in turn share those files with other users, again either internal or external to your organization. Receiving notifications when this occurs allows the owner of a OneDrive for Business site to take appropriate action if a file is shared with people outside of the intended audience.
    • External users accept invitations to access files - Although files and folders may be shared externally as we've discussed, it's really the date and time that they accept that sharing invitation that they'll in fact start to access those files/folders. If files were shared at one point in time, but an external user doesn't access them for several months, having a notification sent to the owner at that time allows them to monitor access and can also alert them if action is necessary to remove a particular user's access at that time.
    • An anonymous access link is created or changed - This option allows an owner to further monitor if additional users are invited to access content that they've previously shared with a particular audience, and take action if those additional users are not part of the intended audience.
    It's important to note that these settings are specific to OneDrive for Business, but they are the same settings that we see in the SharePoint Online admin center's Sharing page. Changing this setting in one console will also modify it in the other.

PowerShell for Sharing in SharePoint Online and OneDrive for Business

When it comes to controlling external sharing on individual OneDrive for Business sites, we must still use PowerShell. First a few basics and we'll build upon that to get to the cmdlets we want:
  • Once you've connected to your SharePoint Online tenant using Connect-SPOService, the following cmdlet will return a list of all SharePoint site collections:

    Get-SPOSite

  • I like to include | select-object url at the end of that cmdlet so I only get back a list of URLs for the sites I'm looking for. So our cmdlet becomes:

    Get-SPOSite | select-object url

  • However, the list returned does not include OneDrive for Business sites by default. To also include those we need to use the additional parameter -IncludePersonalSite. So, our PowerShell cmdlet is now:

    Get-SPOSite -IncludePersonalSite:$true | select-object url

  • This provides us a list of URLs for all SharePoint Online site collections, both those that are typical sites and those that are OneDrive for Business sites. If we want a list of only OneDrive for Business sites we need to modify our cmdlet a little more to include a filter to look only for URLs containing 'my.sharepoint.com':

    Get-SPOSite -IncludePersonalSite:$true -filter{url -like "my.sharepoint.com"} | select-object url

    Now we have a list of all OneDrive for Business site collections in our tenant:

  • You'll notice that the URL for OneDrive sites is formatted with _ in place of spaces and the tenant name at the end of the URL. We have URLs ending like this automatically created when a OneDrive site is provisioned: frodo_baggins_maiolabs_com. We'll need to use these URLs when referring to OneDrive for Business sites.

  • To change the external sharing settings on individual sites we'll need to use the Set-SPOSite cmdlet along with the -SharingCapability parameter. The Sharing capability parameter has the following possible values:
    • Disabled – external user sharing and guest link sharing are both disabled
    • ExistingExternalUserSharingOnly - external user sharing is only enabled for external users that already exist in the organization, but guest link sharing is disabled
    • ExternalUserSharingOnly – external user sharing is enabled for new and existing external users, but guest link sharing is disabled
    • ExternalUserAndGuestSharing - external user sharing and guest link sharing are both enabled

  • We can now disable external sharing on a specific OneDrive for Business site using the following:

    Set-SPOSite https://maiolabs-my.sharepoint.com/personal/frodo_baggins_maiolabs_com -SharingCapability Disabled

  • Alternatively, we can enable a particular type of external sharing for a specific OneDrive for Business site using the following:

    Set-SPOSite https://maiolabs-my.sharepoint.com/personal/balin_dwarf_maiolabs_com -SharingCapability ExternalUserSharingOnly

  • Now you can go OneDrive site by OneDrive site enabling and disabling different external sharing settings as needed. You can also loop through these cmdlets for all OneDrive sites to modify your settings. However, if you return to the OneDrive for Business admin center and modify sharing settings there, they will not affect your existing OneDrive sites unless you completely disable external sharing for OneDrive. Once you start modifying sharing settings using PowerShell, it can become difficult to keep track of who has which settings because it's not visible in the admin center on a user by user basis. So, before you start using PowerShell to modify these settings, ensure that you have a well-defined plan or governance model for how your organization will manage external sharing for OneDrive for Business sites.

    You can view the current external sharing settings for all OneDrive for Business sites using the following:

    Get-SPOSite -IncludePersonalSite:$true -filter{url -like "my.sharepoint.com"} | select-object url, sharingcapability | fl

    This will produce a list like the following, where we can see the URL of the site and the current sharing configuration:

  • Finally, there are other PowerShell parameters related to external sharing which you can use with Set-SPOSite. They are: SharingAllowedDomainList, SharingBlockedDomainList and SharingDomainRestrictionMode. You can learn more about how to use these at the TechNet article: Set-SPOSite.
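The loop the post mentions, together with the record-keeping it recommends, can be put in one script: list every OneDrive site with its current SharingCapability, save that list, and bring any site that is broader than a chosen baseline back down unless it is on an approved exception list. The following is an added example, not code from the original post; it assumes Connect-SPOService has been run, and the baseline, the exception list and the CSV path are placeholder policy choices.

```powershell
# Added example: audit and enforce a per-site external sharing baseline for
# OneDrive for Business sites. Assumes Connect-SPOService has run.

function Get-OneDriveSharingReport {
    # -Limit All avoids the default result cap; the URL filter keeps only personal sites.
    Get-SPOSite -IncludePersonalSite:$true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
        Select-Object Url, Owner, SharingCapability
}

function Set-OneDriveSharingBaseline {
    param(
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$Baseline = 'Disabled',        # placeholder policy choice
        [string[]]$ExemptUrls = @(),           # sites covered by an approved exception
        [switch]$Apply                         # without -Apply, only report what would change
    )
    # Same ordering as the -SharingCapability values, most to least restrictive.
    $order = 'Disabled', 'ExistingExternalUserSharingOnly',
             'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing'

    $report = Get-OneDriveSharingReport
    # Keep the pre-change state; the admin center does not show this per user.
    $report | Export-Csv -Path ".\onedrive-sharing-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

    foreach ($site in $report) {
        $current  = $site.SharingCapability.ToString()
        $tooBroad = [array]::IndexOf($order, $current) -gt [array]::IndexOf($order, $Baseline)
        if (-not $tooBroad -or ($ExemptUrls -contains $site.Url)) { continue }

        if ($Apply) {
            Set-SPOSite -Identity $site.Url -SharingCapability $Baseline
            Write-Host "$($site.Url): $current -> $Baseline"
        } else {
            Write-Host "Would change $($site.Url): $current -> $Baseline"
        }
    }
}

# Usage (placeholder exception URL): preview first, then apply.
# Set-OneDriveSharingBaseline -Baseline Disabled -ExemptUrls 'https://contoso-my.sharepoint.com/personal/frodo_baggins_contoso_com'
# Set-OneDriveSharingBaseline -Baseline Disabled -ExemptUrls '...' -Apply
```

The dated CSV is the "who has which settings" record the post says the admin center cannot give you; keep the exception list in the same governance document so the script and the policy stay in step.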


There are several other controls built into the OneDrive for Business admin center related to data retention, controlling device access and compliance. You can easily explore them by trying out the new admin center.

Enjoy.
-Antonio

2 comments:

  1. The layout for the posts are very impressive. I like your blog for these creative writing style. Thanks a lot for sharing this post with us. It's unique and also attractive. I always read your blog to get updated with new information. I have visited best essay writing service and I got good writing style.

  2. Thank God, Microsoft is finally making new changes to their stuff, but why they just can't make the applications free for students? MS office should be free for students at least.
