Microsoft is pushing Teams- part of Office 365 – hard, and they report adoption rates that outpace Slack. You might not realize that Teams lives on top of SharePoint Online, and you could exacerbate an already complicated and risky SharePoint file sharing problem unless you take preventative measures.
However, Office 365 has many great collaboration features, and in a fast-paced digital workplace, collaboration is key. You can share and work on documents with your co-workers simultaneously. You can request feedback and publish links so others can access your content and more collaborative functionality. Since SharePoint Online is part of Office 365, the system is integrated into Azure AD, Exchange Online, and OneDrive.
Is your Office 365 and Teams data as secure as it could be? Find out with our Free Video Course.
But all that sharing, and collaboration comes at a price – users might not even realize what they are sharing with whom.
Over time, Office 365 can become a mess of public-facing links, unfettered access to sensitive data, and a permissions nightmare in desperate need of wrangling.
In this article, we are going to address some specific security issues with SharePoint Online, and discuss some best practices you can implement to manage Office 365 file sharing more effectively.
Learn advanced Microsoft Office 365 settings and earn CPE credits with our free security training courses.
- Office 365 File Sharing Basics
- How to Share Files on Office 365 Step-By-Step
- Office 365 File Sharing Best Practices
File Sharing Tools Included in Office 365
The two file sharing systems in Office 365 are SharePoint Online and OneDrive, and they work in concert with each other to provide the total file sharing functionality of the system.
If you want to think of OneDrive as the backend storage and SharePoint as the frontend interface, you wouldn’t be too far off. That is a good enough way to imagine how the system works.
For example, if you send a sharing link from your OneDrive folder, the URL is a link to SharePoint Online.
Not confusing at all, am I right? Let’s look at the major functionality of each of these systems and see what’s included in OneDrive and what’s included in SharePoint.
Office 365 File Sharing Basics
Here are some of the basic workflows you will follow to access and share files in SharePoint Online and OneDrive.
How to Find Files
You might have OneDrive available as an option in Windows Explorer where you can see the sync status, modified date, and use the Find field to locate your files.
You can also use the OneDrive website to see the same information.
And you can see the same folder in Teams.
How to Co-author Files
To co-author a file you need to have permissions to edit the file. You can have permissions through group membership, or the data owner could send you a link to edit the file.
You can share files with one or more users, with anyone with the link, or you could save the file to a folder that your team can access.
Once you can co-author the file, you need to open the file online in a browser or the client on your computer (i.e., Word Online or Word).
Updating and Syncing Files
Updating and syncing files is usually straightforward in Office 365. When you save a file that you are working on, it will sync to the server and tell you if there are changes you don’t have in your copy. If you save a file to your local OneDrive folder on your laptop the files will get uploaded and synced behind the scenes, assuming you have an internet connection.
It’s best practice to make sure you have the most recent changes before you start editing again. I’ve made that mistake on more than one occasion. One way to avoid that problem is to use Word Online when you are editing. If you use the local copy of the file in Word, you aren’t looking at the file “live.”
How to Share Files on Office 365
This section covers what you need to know about file sharing as well as some extra Office 365 file sharing tips.
Internal File Sharing
Internal file sharing is when you share files within the network to other users that are in the same Azure Active Directory (AD) domain with you with non-guest permissions. In Office 365, you can share files from your personal OneDrive or save them to your SharePoint Team Site.
Configuring Internal Sharing
SharePoint automatically creates a Team Site when you create a group in the Office 365 Admin Center. Use this Team Site to save documents for collaboration within your team. Office 365 creates a OneDrive folder for each user account that users should use for personal files that don’t require collaboration.
How to Share Files Internally
All you need to do to share files internally is save them to your SharePoint Teams folder. You can access this folder from the SharePoint website or in your Teams client.
You can also send users a link to the file you want to share.
- Select the option to share with Specific People, People in your organization, or People with existing access. Use the first to specify one or few people, the second to allow anyone in your entire company, and the last to anyone who already has access to the file – like your team.
- Click the button to allow editing if needed.
- Allow or block download. You might use block download on a sensitive file to make sure there aren’t extra copies of that file floating around.
- Type the name of the person(s) you want to be able to see the file.
- Click “Copy Link”
- Send the link
External File Sharing
External file sharing in Office 365 is when you need to send a file outside of your organization to a person that is not part of your company. External sharing is riskier because you are opening a window to your SharePoint server or potentially sending sensitive data outside of your network.
There are numerous legitimate business reasons to allow external file sharing. Users need to work with partners or customers. Your finance team needs to send documentation to governing bodies. HR needs to send offer letters. You get the idea. You have to be able to share files.
There are several ways to configure external sharing in Office 365. Let’s look at a few options.
Configuring External Sharing
Administrators can enable external sharing from four different applications in Office 365.
- SharePoint Online
- OneDrive for Business
- Microsoft Teams
- Office 365 Groups
One option you have is to enable guest access, and grant external users guest access rights so they can collaborate with your internal resources the same way they would collaborate within their team.
Guests are actual users in your Azure AD. Group owners are the gatekeepers in this case. Group owners can grant guests access to Teams conversations, to SharePoint sites, or data.
SharePoint administrators have four different options of sharing they can enable:
- No external sharing – prevents internal users from sharing any content externally
- Authenticated: Existing guests – allows sharing with users in your Azure AD, you have to add them to Azure AD before they can access data
- Authenticated: New and existing guests – allows sharing with any user authenticated to any Office 365 or Microsoft account. Guests that aren’t in Azure AD get added as guests.
- Anonymous sharing – anyone can share via a link
How to Share Files Externally
Sharing files externally is exactly the same process as sharing them internally. You create a share link, grant the external user access to edit the file or not, and send them the link. They click the link and open the file in their browser.
Office 365 File Sharing Security Best Practices
Here are the top six best practices you can implement to keep your data safe and accessible in Office 365.
1. Require Multi-Factor Authentication
Multi-factor authentication (MFA) is a pretty basic protection method in 2019 and a common cybersecurity tip but still worth mentioning in a list of Office 365 file sharing and security best practices. MFA helps you verify that your users are who they say they are, but it is by no means foolproof.
Check out our Office 365 Man-in-the-middle attack, where we show you how attackers can quickly work around MFA.
2. Enforce Least Privileged Access to SharePoint Online
The principle of least privilege says that each user only gets the minimum access they need to do their job. Getting your Office 365 permissions to a least privileged state will go a long way to keeping your data safe.
Organize user accounts in your company into groups of similar job functions (e.g., IT, HR, Finance, Dev, etc.) and those groups are granted permissions to access their data in Office 365.
Do not allow individual user accounts on access control lists (ACL) in Office 365.
Assign a Data Owner, or in this case, a “Group Owner,” for each group who’s responsible for approving new group members and audits the group on a regular schedule. The Group Owner is the gatekeeper of their group membership and therefore, their data.
Deny all non-group members any access to data via ACLs. Don’t use Limited Access or View Only permissions. Non-members have to request access from a group member using the file sharing rules. Create separate Public SharePoint sites for public-facing documents. Keep Public sites separate from your Team sites.
3. Classify Sensitive Data that lives in SharePoint Online
You need to scan and identify the data in Office 365 for PII, HIPAA, GDPR, CCPA, intellectual property, and anything else that could cause either a fine or competitive disadvantage.
Once you have tagged the files correctly, you can make sure they are not over-permissive (see Least Privilege above) and tagged or labeled so other security tools can also identify the data as sensitive and treat it appropriately. For example, encrypt sensitive files, and set up a rule to prevent the file from download to unmanaged devices.
4. Prevent Download to Unmanaged Devices
Speaking of, you need to keep your Team data in house as much as possible. One way to do this is to prevent any download of data to devices that your IT team doesn’t manage. If you have the appropriate authorization, viewing the data in a browser from an unmanaged system is OK – if you have the link and approval of the Group Owner.
5. Limit and Audit External Sharing
OK, this is the big one – and the penultimate best practice in this article.
You need to do what you can to limit the exposure of your data to the outside world, but balance that need with the needs of your users to share and collaborate internally and externally. Here are a few different ways you can do both.
In Office 365, users can create a sharing link that they will send to other users so they can see the same document. When users create sharing links, they might grant anyone with the link permission to access the file. Those links can get stolen, intercepted, or potentially brute-forced to allow access to those files — or folders if users create links at that level.
So there are a few things you should do to keep your data as safe as possible.
First, prevent users from creating folder-sharing links that add access to multiple files, either externally or internally. If a user needs to access files owned by another group, they should request access from the Group Owner. External sharing is only available for non-sensitive files. If you need to share sensitive files to third parties, add them as Guests in your Azure AD, and grant them appropriate access that way. Because they are guests and listed in the Group membership, the Group Owners will audit the list and remove any extra users when appropriate.
Next, set all user-created links to expire after a few days to a week. While this means that your users might have to generate more than one link to collaborate on a file, it also means that the number of links to your data doesn’t grow infinitely. If those links expire organically, you effectively remove risk of infiltration continuously. To learn more check out this free Office 365 course with hidden settings and secrets to improve your 365 experience.
6. Monitor SharePoint Online for Shenanigans
Lastly, monitor Office 365 for any potential data breaches or other shenanigans that internal or external bad actors perpetrate on your system. Track file and folder activity, group membership changes, admin activity, and more. Correlate network traffic with that monitored data to detect possible cyberattacks in progress.
Varonis monitors Office 365 to protect your data in OneDrive, SharePoint sites, and Teams, as well as Exchange Online. You can classify your Office 365 data for GDPR, CCPA, HIPAA, and more to identify your sensitive data. You can build a complete workflow to approve, deny, and manage access to your data that makes the Group Owners the true keepers of their data. Varonis creates individual user behavior baselines to detect abnormal Office 365 activity that indicates a potential insider or external attack.
“We wouldn’t even be considering OneDrive if we didn’t have Varonis in place.” –Varonis customer in the Airline industry
What you should do now
Below are three ways we can help you begin your journey to reducing data risk at your company:
- Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
- Download our free report and learn the risks associated with SaaS data exposure.
- Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.