
Microsoft Office 365 File Sharing Guide: OneDrive and SharePoint Tips

Data Security

[Image: Office 365 and files]

Microsoft is pushing Teams, part of Office 365, hard, and reports adoption rates that outpace Slack. You might not realize that Teams lives on top of SharePoint Online, so unless you take preventative measures you could exacerbate an already complicated and risky SharePoint file sharing problem.

However, Office 365 has many great collaboration features, and in a fast-paced digital workplace, collaboration is key. You can share and work on documents with your co-workers simultaneously. You can request feedback and publish links so others can access your content and more collaborative functionality. Since SharePoint Online is part of Office 365, the system is integrated into Azure AD, Exchange Online, and OneDrive.

But all that sharing and collaboration comes at a price: users might not even realize what they are sharing, or with whom.

Over time, Office 365 can become a mess of public-facing links, unfettered access to sensitive data, and a permissions nightmare in desperate need of wrangling.

In this article, we are going to address some specific security issues with SharePoint Online, and discuss some best practices you can implement to manage Office 365 file sharing more effectively.

Learn advanced Microsoft Office 365 settings and earn CPE credits with our free security training courses.

File Sharing Tools Included in Office 365

The two file sharing systems in Office 365 are SharePoint Online and OneDrive, and they work in concert with each other to provide the total file sharing functionality of the system.

If you want to think of OneDrive as the backend storage and SharePoint as the frontend interface, you wouldn’t be too far off. That is a good enough way to imagine how the system works.

For example, if you send a sharing link from your OneDrive folder, the URL is a link to SharePoint Online.

Not confusing at all, am I right? Let’s look at the major functionality of each of these systems and see what’s included in OneDrive and what’s included in SharePoint.

[Image: comparison of Office 365 file sharing tools]

Office 365 File Sharing Basics

Here are some of the basic workflows you will follow to access and share files in SharePoint Online and OneDrive.

How to Find Files

You might have OneDrive available in Windows Explorer, where you can see each file's sync status and modified date and use the Find field to locate your files.

[Screenshot: finding files in Windows Explorer]

You can also use the OneDrive website to see the same information.

[Screenshot: finding files on the OneDrive website]

And you can see the same folder in Teams.

[Screenshot: finding files in Teams]

How to Co-author Files

To co-author a file you need to have permissions to edit the file. You can have permissions through group membership, or the data owner could send you a link to edit the file.

[Screenshot: creating a co-authored file]

You can share files with one or more users, with anyone with the link, or you could save the file to a folder that your team can access.

Once you have edit access to the file, open it either in a browser or in the desktop client on your computer (e.g., Word Online or Word).

Updating and Syncing Files

Updating and syncing files is usually straightforward in Office 365. When you save a file that you are working on, it syncs to the server and tells you if there are changes you don't have in your copy. If you save a file to your local OneDrive folder on your laptop, the file is uploaded and synced behind the scenes, assuming you have an internet connection.

It’s best practice to make sure you have the most recent changes before you start editing again. I’ve made that mistake on more than one occasion. One way to avoid that problem is to use Word Online when you are editing. If you use the local copy of the file in Word, you aren’t looking at the file “live.”

How to Share Files on Office 365

This section covers what you need to know about file sharing as well as some extra Office 365 file sharing tips.

Internal File Sharing

Internal file sharing is sharing files with other users in the same Azure Active Directory (AD) domain as you, using non-guest permissions. In Office 365, you can share files from your personal OneDrive or save them to your SharePoint Team Site.

Configuring Internal Sharing

SharePoint automatically creates a Team Site when you create a group in the Office 365 Admin Center. Use this Team Site to save documents for collaboration within your team. Office 365 creates a OneDrive folder for each user account that users should use for personal files that don’t require collaboration.

How to Share Files Internally

All you need to do to share files internally is save them to your SharePoint Teams folder. You can access this folder from the SharePoint website or in your Teams client.

[Screenshot: sharing files internally]

You can also send users a link to the file you want to share.

  • Select the option to share with Specific People, People in your organization, or People with existing access. Use the first to specify one or a few people, the second to allow anyone in your entire company, and the last for anyone who already has access to the file, like your team.
  • Click the button to allow editing if needed.
  • Allow or block download. You might block download on a sensitive file to make sure there aren't extra copies of that file floating around.
  • Type the name of the person(s) you want to be able to see the file.
  • Click "Copy Link."
  • Send the link.

[Screenshot: sending a link]

[Screenshot: link sharing settings]

External File Sharing

External file sharing in Office 365 is when you need to send a file outside of your organization to a person that is not part of your company. External sharing is riskier because you are opening a window to your SharePoint server or potentially sending sensitive data outside of your network.

There are numerous legitimate business reasons to allow external file sharing. Users need to work with partners or customers. Your finance team needs to send documentation to governing bodies. HR needs to send offer letters. You get the idea. You have to be able to share files.

There are several ways to configure external sharing in Office 365. Let’s look at a few options.

Configuring External Sharing

Administrators can enable external sharing from four different applications in Office 365.

  • SharePoint Online
  • OneDrive for Business
  • Microsoft Teams
  • Office 365 Groups

One option you have is to enable guest access, and grant external users guest access rights so they can collaborate with your internal resources the same way they would collaborate within their team.

Guests are actual users in your Azure AD. Group owners are the gatekeepers in this case. Group owners can grant guests access to Teams conversations, to SharePoint sites, or data.

SharePoint administrators have four different options of sharing they can enable:

  1. No external sharing – prevents internal users from sharing any content externally.
  2. Authenticated: Existing guests – allows sharing only with guest users already in your Azure AD; you have to add them to Azure AD before they can access data.
  3. Authenticated: New and existing guests – allows sharing with any user authenticated to any Office 365 or Microsoft account. Guests that aren't in Azure AD get added as guests.
  4. Anonymous sharing – anyone with a link can access the content.
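The four levels above map directly onto the `-SharingCapability` values accepted by the SharePoint Online Management Shell. The script below is an added example, not code from the article or from Varonis: it sets the tenant to the "existing guests only" level, locks down one site that holds sensitive data, and then lists every site whose effective level is more open than intended. The tenant and site URLs are placeholders; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the account has the SharePoint administrator role.

```powershell
# Added example (not from the original article). Tenant and site names are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# The article's four options, in the same order, as the values Set-SPOTenant accepts.
$SharingLevels = [ordered]@{
    'No external sharing'                    = 'Disabled'
    'Authenticated: Existing guests'         = 'ExistingExternalUserSharingOnly'
    'Authenticated: New and existing guests' = 'ExternalUserSharingOnly'
    'Anonymous sharing'                      = 'ExternalUserAndGuestSharing'
}

# Tenant-wide: share only with guests already in Azure AD, so a Group Owner
# has to add a person before that person can receive anything.
Set-SPOTenant -SharingCapability $SharingLevels['Authenticated: Existing guests']

# Per-site: the effective level is the more restrictive of tenant and site,
# so a sensitive site can be closed regardless of the tenant setting.
$sensitiveSite = "https://contoso.sharepoint.com/sites/Finance"   # placeholder site
Set-SPOSite -Identity $sensitiveSite -SharingCapability Disabled

# Verify: report the tenant level and any site that is more open than the
# two levels this tenant allows (a drift check worth scheduling).
$tenant = Get-SPOTenant
"Tenant sharing level: $($tenant.SharingCapability)"
$allowed = @('Disabled', 'ExistingExternalUserSharingOnly')
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -notin $allowed } |
    Select-Object Url, SharingCapability |
    Format-Table -AutoSize
```

Run the last block on its own from a scheduled task to catch sites that an owner has re-opened since the baseline was set; the site list is also the starting point for the audit in best practice 5 below.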

How to Share Files Externally

Sharing files externally is exactly the same process as sharing them internally. You create a share link, grant the external user access to edit the file or not, and send them the link. They click the link and open the file in their browser.

Office 365 File Sharing Security Best Practices

[Image: best file sharing practices]

Here are the top six best practices you can implement to keep your data safe and accessible in Office 365.

1. Require Multi-Factor Authentication

Multi-factor authentication (MFA) is a pretty basic protection method in 2019 and a common cybersecurity tip but still worth mentioning in a list of Office 365 file sharing and security best practices. MFA helps you verify that your users are who they say they are, but it is by no means foolproof.

Check out our Office 365 Man-in-the-middle attack, where we show you how attackers can quickly work around MFA.

2. Enforce Least Privileged Access to SharePoint Online

The principle of least privilege says that each user only gets the minimum access they need to do their job. Getting your Office 365 permissions to a least privileged state will go a long way to keeping your data safe.

Organize user accounts into groups by job function (e.g., IT, HR, Finance, Dev), and grant those groups, rather than individuals, the permissions to access their data in Office 365.

Do not allow individual user accounts on access control lists (ACL) in Office 365.

Assign a Data Owner, or in this case a "Group Owner," for each group who is responsible for approving new group members and audits the group's membership on a regular schedule. The Group Owner is the gatekeeper of their group membership and therefore of their data.

Deny all non-group members any access to data via ACLs. Don’t use Limited Access or View Only permissions. Non-members have to request access from a group member using the file sharing rules. Create separate Public SharePoint sites for public-facing documents. Keep Public sites separate from your Team sites.

3. Classify Sensitive Data that lives in SharePoint Online

You need to scan and identify the data in Office 365 for PII, HIPAA, GDPR, CCPA, intellectual property, and anything else that could cause either a fine or competitive disadvantage.

Once you have tagged the files correctly, you can make sure they are not over-permissive (see Least Privilege above) and that they are labeled so other security tools can also identify the data as sensitive and treat it appropriately. For example, encrypt sensitive files, and set up a rule to prevent them from being downloaded to unmanaged devices.

4. Prevent Download to Unmanaged Devices

Speaking of which, you need to keep your Team data in house as much as possible. One way to do this is to prevent any download of data to devices that your IT team doesn't manage. Viewing the data in a browser from an unmanaged system is OK if you have the link and the approval of the Group Owner.

5. Limit and Audit External Sharing

OK, this is the big one – and the penultimate best practice in this article.

You need to do what you can to limit the exposure of your data to the outside world, but balance that need with the needs of your users to share and collaborate internally and externally. Here are a few different ways you can do both.

In Office 365, users can create a sharing link that they will send to other users so they can see the same document. When users create sharing links, they might grant anyone with the link permission to access the file. Those links can get stolen, intercepted, or potentially brute-forced to allow access to those files — or folders if users create links at that level.

So there are a few things you should do to keep your data as safe as possible.

First, prevent users from creating folder-sharing links that grant access to multiple files at once, either externally or internally. If a user needs to access files owned by another group, they should request access from the Group Owner. Make external sharing available only for non-sensitive files. If you need to share sensitive files with third parties, add them as Guests in your Azure AD and grant them appropriate access that way. Because they are guests and listed in the group membership, the Group Owners will audit the list and remove any extra users when appropriate.

Next, set all user-created links to expire after a few days to a week. While this means that your users might have to generate more than one link to collaborate on a file, it also means that the number of links to your data doesn't grow without bound. If those links expire organically, you continuously remove the risk they carry. To learn more, check out this free Office 365 course with hidden settings and secrets to improve your 365 experience.
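Best practices 4 and 5 above are both tenant-wide switches in SharePoint Online. The script below is an added example, not code from the article or from Varonis: it turns on browser-only access for unmanaged devices, makes "Specific people" and read-only the defaults in the Share dialog, expires anonymous links after seven days, and expires guest access itself unless an owner renews it. It assumes an admin session via `Connect-SPOService` (placeholder tenant URL) and the values chosen (7 and 30 days) are illustrative.

```powershell
# Added example (not from the original article). Tenant URL is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# --- Practice 4: prevent download to unmanaged devices ---------------------
# AllowLimitedAccess = view in the browser only; no download, print or sync
# from devices that are neither compliant nor hybrid Azure AD joined.
# It only takes effect together with an Azure AD Conditional Access policy
# that applies "app enforced restrictions" to SharePoint Online.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# --- Practice 5: keep sharing links narrow and short-lived -----------------
$linkHygiene = @{
    DefaultSharingLinkType            = 'Direct'  # Share dialog defaults to "Specific people"
    DefaultLinkPermission             = 'View'    # links are read-only unless the sharer opts in to Edit
    RequireAnonymousLinksExpireInDays = 7         # "anyone" links stop working after a week (illustrative)
    FileAnonymousLinkType             = 'View'    # anonymous file links can never grant Edit
    FolderAnonymousLinkType           = 'View'    # same for folder links, which expose every file inside
    PreventExternalUsersFromResharing = $true     # a guest cannot forward access to someone else
    ExternalUserExpirationRequired    = $true     # guest access expires...
    ExternalUserExpireInDays          = 30        # ...unless the Group Owner renews it (illustrative)
}
Set-SPOTenant @linkHygiene

# Verify what actually took effect. The anonymous-link settings are only
# meaningful when the tenant SharingCapability allows anonymous links at all.
Get-SPOTenant |
    Select-Object SharingCapability, ConditionalAccessPolicy,
        DefaultSharingLinkType, DefaultLinkPermission,
        RequireAnonymousLinksExpireInDays, FileAnonymousLinkType,
        FolderAnonymousLinkType, PreventExternalUsersFromResharing,
        ExternalUserExpirationRequired, ExternalUserExpireInDays |
    Format-List
```

The tenant cmdlets control what a folder link can grant rather than whether folder links exist, so the example limits them to read-only; the article's stronger goal of no folder links at all is a matter of user training and the Group Owner's audit, not a switch.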

6. Monitor SharePoint Online for Shenanigans

Lastly, monitor Office 365 for any potential data breaches or other shenanigans that internal or external bad actors perpetrate on your system. Track file and folder activity, group membership changes, admin activity, and more. Correlate network traffic with that monitored data to detect possible cyberattacks in progress.
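The sharing activity the article says to track is recorded in the Office 365 unified audit log. The script below is an added example, not code from the article or from Varonis: it filters SharePoint sharing events down to the ones that change exposure (anonymous links created or used, links or permissions granted to guests) and flags the external ones. The live query function assumes the ExchangeOnlineManagement module; the three audit records at the bottom are constructed sample data, not real tenant output, so the filter can be tried offline.

```powershell
# Added example (not from the original article).

function Get-RiskySharingEvents {
    # $Records are objects carrying an AuditData JSON string, the shape
    # Search-UnifiedAuditLog returns for RecordType SharePointSharingOperation.
    param([Parameter(Mandatory)] [object[]] $Records)

    $watch = @('AnonymousLinkCreated', 'AnonymousLinkUsed', 'SharingSet',
               'AddedToSecureLink', 'SharingInvitationCreated')
    foreach ($r in $Records) {
        $d = $r.AuditData | ConvertFrom-Json
        if ($d.Operation -notin $watch) { continue }
        # Guests appear in Azure AD with #EXT# in their UPN; anonymous links have no target user at all.
        $external = ($d.Operation -like 'Anonymous*') -or ($d.TargetUserOrGroupName -like '*#EXT#*')
        [pscustomobject]@{
            Time      = [datetime]$d.CreationTime
            User      = $d.UserId
            Operation = $d.Operation
            Target    = $d.TargetUserOrGroupName
            Object    = $d.ObjectId
            External  = $external
        }
    }
}

function Get-RecentSharingEvents {
    # Live use: the last seven days of sharing operations from the tenant.
    Connect-ExchangeOnline
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
        -RecordType SharePointSharingOperation -ResultSize 5000 |
        Get-RiskySharingEvents
}

# Constructed sample records (not real tenant data) to exercise the filter offline.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-07-01T10:12:00","Operation":"AnonymousLinkCreated","UserId":"alice@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q2-forecast.xlsx","TargetUserOrGroupName":null}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-07-01T10:15:00","Operation":"SharingSet","UserId":"bob@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/HR/Shared Documents/offer-letter.docx","TargetUserOrGroupName":"carol_partner.example#EXT#@contoso.onmicrosoft.com"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2019-07-01T10:20:00","Operation":"FileAccessed","UserId":"dave@contoso.example","ObjectId":"https://contoso.sharepoint.com/sites/IT/Shared Documents/runbook.docx","TargetUserOrGroupName":null}' }
)
# Expected: the anonymous link on the Finance forecast and the guest grant on the HR
# offer letter are returned and flagged External; the plain file access is dropped.
Get-RiskySharingEvents -Records $sample | Where-Object External | Format-Table -AutoSize
```

Pipe `Get-RecentSharingEvents` into `Export-Csv` on a schedule and diff against the previous run; a spike in `AnonymousLinkCreated` from one account, or sharing to a guest domain you have never seen, is exactly the kind of deviation from a user's baseline the article describes.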

Varonis monitors Office 365 to protect your data in OneDrive, SharePoint sites, and Teams, as well as Exchange Online. You can classify your Office 365 data for GDPR, CCPA, HIPAA, and more to identify your sensitive data. You can build a complete workflow to approve, deny, and manage access to your data that makes the Group Owners the true keepers of their data. Varonis creates individual user behavior baselines to detect abnormal Office 365 activity that indicates a potential insider or external attack.

“We wouldn’t even be considering OneDrive if we didn’t have Varonis in place.” –Varonis customer in the Airline industry

Check out the entire Office 365 Case Study and then contact us to see how Varonis can help you with Office 365 security.

Jeff Petters


Jeff has been working on computers since his Dad brought home an IBM PC 8086 with dual disk drives. Researching and writing about data security is his dream job.
