SharePoint Online is a powerful cloud-based service from Microsoft that allows your team to share Office 365 files and data. Many companies are now migrating from on-premises Office 365 installations to SharePoint online because of the greater flexibility and agility that cloud storage provides.
Though Microsoft has made huge investments in the security of SharePoint Online, SharePoint security remains a challenge for many administrators. Ensuring security in SharePoint entails that both administrators and users share responsibility for following best practices, whether they are using the system to run an intranet, an extranet, websites for individual teams or public-facing sites.
Is your Office 365 and Teams data as secure as it could be? Find out with our Free Video Course.
SharePoint security is even more critical when you are migrating to SharePoint Online from an on-premises installation. Otherwise, successful migration projects can easily end in disaster if companies fail to apply proper security, compliance, and governance controls to sensitive data in the cloud. Even more interesting, Microsoft Teams is built on SharePoint Online, which just makes security even more important.
In this article, we’ll take you through the basics of securely using SharePoint Online. We’ll briefly look at how sharing in Office 365 works, explain the principles of working with SharePoint Online securely, and show you how to implement these.
We’ll also show you how Varonis can help you to make and keep SharePoint Online secure. At the end of this guide, you’ll have a good understanding of how to manage the security of SharePoint Online, but if you want to know more you can sign up for our course on Office 365 Sharing, where we’ll give you more details on how to keep your data and your team safe.
- Overview of Sharing in Office 365
- SharePoint Security Considerations
- How to Set Up SharePoint Security for a Site
Overview of Sharing in Office 365
Sharing is now a central part of Office 365, and Microsoft has implemented sharing functionality into almost every tool for managing Office 365. Most of the configuration and management of sharing for Office 365 now occurs through the SharePoint admin center, though OneDrive and Microsoft Teams also allow administrators to work on your sharing infrastructure. In this guide, we’ll focus on how sharing can be safely achieved in SharePoint Online.
In SharePoint, sharing is implemented at two levels:
- The Organization level: For any external sharing to be allowed, it has to be enabled at the organization level. You can change the organization-level external sharing setting from the SharePoint admin center.
- The Site level: Once enabled across the organization, external sharing can be restricted on a site-by-site basis. Global or SharePoint admins in Office 365 can change the external sharing setting for a site, but site owners cannot do this.
In some cases, there might be a mismatch between these two levels. In that case, the more restrictive of the two policies is the one applied.
Types of External Users
The next aspect of sharing to understand is that SharePoint supports four basic options when it comes to external sharing and that each option allows your files to be accessed by different types of user:
No External Sharing:
The default option for communication and classic SharePoint sites. If this option is enabled it will prevent any site users from sharing any site content externally. This can be a good option for sites that only your team need to have access to. To use this option, go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the Only people in your organization option, and select Save.
Authenticated: Existing Guests
Existing Guests allows external sharing with users who already appear in your Azure Active Directory. External users will appear here if they have previously accepted sharing invitations, or if you manually added them in the Azure Portal. To use this option, go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the Existing guests option, and select Save.
Authenticated: New and Existing Guests
New and Existing Guests allows new users to access your files via an invitation link. To use this option, go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the New and existing guests option, and select Save. As an administrator, you can share a site with new users, and site users can share any files held on this site. When they share a file, the new user will receive an email invitation with a link. They will then either sign into their Microsoft account or enter a verification code. If they use a Microsoft account, they will be automatically added to your Azure Directory. If they use a verification code, they won’t be, and they will have to use a code every time they want to access files.
If you use this option, anyone with a link will be able to view and edit the relevant files. This can be a quick way of giving external users access to your files, but you should be very careful when using it, because you will have little oversight as to how your files are being accessed, used, and further shared. To enable this option, go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the Anyone option, and select Save.
Working With Links
When users choose to share files or sites using any of the above methods, they will receive a link that can then be copied into an email and sent to the person they want to share files or sites with. These links form the basis of how external users will access your content, and so knowing how to work with them is a critical part of keeping your SharePoint Online installation secure.
SharePoint Online allows administrators to control the way that sharing links are used:
- First, you can control the global settings for sharing in your organization at the Organization Level. To enable advanced external sharing settings, navigate to your SharePoint admin center. In the left pane under Policies, select Sharing. By default, the sharing level of sites is set to “anyone”, but you can make this more restrictive as necessary.
- You can also limit external sharing by domain. This allows you to limit the domains that external users can use to access your files, and can be a good way to limit access to trusted organizations. You can learn more about limiting external sharing by domain in the official Microsoft documentation.
- Another option is to require that guests must sign in using the same account to which sharing invitations are sent. Guests can, by default, receive an invitation email at one account and sign in with another. If this setting is enabled, they will have to use the same account.
- There is also an option to allow guests to share items they don’t own. By default, guests can only share items externally that they have full control permissions for. Check this box, and external users can’t share documents they didn’t create.
- If you decide that your team will be able to use “anyone” links, it’s a good idea to control their use. There are a few options for doing that: you can set a link expiration date that means that links will expire after a certain number of days, and you can limit link permissions so that external users can only view files or folders, rather than being able to edit them.
These are the basic principles of working with sharing in SharePoint, but implementing them in practice can be significantly more complex. In the next section, we’ll look at how to ensure security when sharing sites and files.
SharePoint Security Considerations
Sharing can be scary for many administrators who fear giving access and control of files to untrusted external users. In reality, however, the security tools built into SharePoint Online allow you to lock down access to sites and files, and to implement a secure sharing policy. In this section, we’ll take you through some basic security considerations for using SharePoint.
At the broadest level, there are a couple of key ideas to keep in mind. The first is that you shouldn’t be tempted to turn off external sharing. Instead, you should carefully configure external sharing to your specific business needs, while keeping in mind that your users will need to collaborate with external guests.
You should also ensure that you implement proper governance policies so that everyone in your organization knows your procedures and safeguards when it comes to sharing files and sire, and this should be communicated alongside education on secure external sharing.
For most organizations, turning off anonymous sharing will be a good idea. In most cases, it’s best to only allow authenticated external users, or at the very least to set an expiration date for anonymous links. Whilst you are putting this in place, you should also double-check the permission levels of your site collections to ensure external users don’t inherit permissions that will cause problems.
Use Groups To Manage Permissions
Administrators have long argued about the best way to control and manage access to sites and files held in SharePoint. Assigning individual users individual levels of access allows you granular control, but also gives you a lot more work to do, and this can lead to mistakes.
The native way in which SharePoint understands permissions is the SharePoint Group, and so it makes sense to use this system to control access. By default, site permissions consist of specific SharePoint groups with their default permission levels, making groups a good container for user access control.
Using groups also means that it is easy to update permissions when users leave or join your organization. Removing them from a group automatically removes their access to sites, their subsites, and all files and folders in the hierarchy. In contrast, If you assign access rights at the user level, you may forget to update them, and put your content at risk.
Don’t Use Item-Level Permissions
Item-level permissions are often used as a quick fix to grant access to specific files, but you should avoid using them wherever possible. SharePoint doesn’t offer an intuitive way to see and administer all of the special permissions that you assign in this way, and so it can be easy to lose track of them. Granting special permissions to individual files increases your attack surface area, and puts your data at risk.
Instead, make use of libraries or folders to assign permissions to sets of files. These entities are far more easily tracked in SharePoint than permissions for individual item-level permissions, and using them will allow you to keep track of your access control far more easily.
Use Site Collections for External Sharing
Wherever possible, you should also collect all of the sites that your users will need to share into one site collection. This allows you to easily see which sites and data are being shared externally, and to control the level of external access to them. If you don’t do this, the data you are sharing externally will appear in many different, fragmented areas of SharePoint, and it will be difficult to track and monitor how your users are sharing it.
Classify Your Data
SharePoint also affords you the functionality to classify the data you hold based on type and risk, and you should use this function. The system provides the ability to inspect the content, metadata, and location of data and then apply security policies to protect sensitive data such as personal data, company trade secrets or employee records. Classifying your data in this way not only allows you to more easily see where sensitive data is being held and shared, but it will also help you in achieving compliance with data processing legislation.
Microsoft also provides automated tools for identifying and classifying sensitive data. Data Loss Prevention (DLP) can scan content during the search crawling process, identify sensitive data, and then block or allow access to the content according to the policies you have set. DLP is integrated into all Office 365 services.
Monitoring is critical to ensure the ongoing security of your SharePoint system, but is the step that is most often forgotten about by administrators. You should build a regular audit of your SharePoint logs into your workflow, and scan for changes to user privileges and the sharing of sensitive information.
There are some third-party tools available that will scan for changes in your SharePoint environment, and these can make your monitoring processes more efficient. On the other hand, sometimes there is no replacement for auditing access control manually: having a good understanding of the way that your SharePoint system is being used is the most effective way of keeping it under control.
How to Set Up SharePoint Security for a Site
It might not be immediately obvious how you can apply the principles above when setting up SharePoint security for a particular site. In this section, therefore, we’ll take you through the details of how to properly set up security for an example site. There are ten steps to doing this.
1. Make a Site Collection
As we pointed out above, if you are going to share a site externally, it should be part of a site collection which contains all the sites that your users can share in this way. If you don’t do this, you can easily lose track of which sites are being shared, and in any case SharePoint implements external sharing at the site collection level. If you don’t have a site collection for externally shared sites, make one. If you already have this, add your new site to it. To do that:
- Go to SharePoint Admin Center
- Check the box next to site collection
- Click Sharing button
- Make sure to check the appropriate checkbox if you plan to enable/disable external sharing
2. Decide If Your Site Should Inherit Permissions
When you create a new subsite, you will be asked whether it should inherit permissions from the main site. You should avoid the temptation to do that. In reality, there are very few instances in which a new site will have exactly the same permissions as its parent.
3. Decide Site Members and Access Levels
Once you decide to create unique permissions for your site, you will be prompted to create three groups: site owners, site members, and site visitors. You don’t have to use the roles and levels of access that SharePoint suggests, but they do form a good template for assigning permission levels:
- Site Owners are typically users that have Full Control (admin privileges) to the site
- Site Members are typically users who work with content (add/edit/delete) content
- Site Visitors are typically users who require read-only access (ability to access info, but not necessarily the ability to edit it)
You can use fewer groups, or even make sites with more types of users, depending on how it will be used. The critical issue here, though, is that you should carefully think through which users need access, and to what level.
4. Create Groups
To give a real example of the way you can use these security groups, let’s use the three groups that SharePoint suggests. You will then need to create three groups:
- Site Owners will be users who will maintain the site, change the look and feel, security
- Site Members will be regular project team members who will upload/edit/delete documents present on the site
- Site Visitors might be everyone else in the organization or project executives who just need to access the project site in read-only mode to check on status
There are several ways to create these groups. For an existing site, you can go to Site Settings > Site Permissions to check the existing groups. From this menu, you can click “create group” to make a new user group. Alternatively, if you stop inheriting permissions from a parent site (see above) SharePoint will also prompt you to create them.
5. Assign Permission Levels
With your groups created, you now need to give them the relevant level of permission. There is a pretty basic rule to follow here: don’t give any more access than a particular user group needs, and if in doubt err on the side of restrictive access.
It’s also important to note that, if you are using the default groups mentioned above, SharePoint will try to give the Site Members group edit privileges over your site. Unfortunately, this gives these members a far greater level of control than they require: they can use this level of access to delete parts of your site. If they need to just add, edit, and delete documents, you should assign them “contribute” permissions instead.
To edit the permissions for your user groups:
- Check the box next to the group whose permissions you would like to edit. Click Edit User Permissions
- On the next screen, click the checkbox next to permission level you would like to set for this group (i.e., Contribute), and then click OK
6. Add Users to Groups
Now you have user groups, and relevant permissions set for them, you can start to add users to each group. To do that:
- Go to Site Settings > Site Permissions, and click on a group where you would like to add users to
- Click New > Add Users
- Type in the names of the user(s) you would like to add. You may include an optional message and send them a notification email if you wish. Click Share.
When you are doing this, it will be tempting to add users directly to a site, and not to a security group. DO NOT do this. At some point, you will probably have to update the security permissions for all users for a site collection, and if their permissions are assigned individually, this will be a slow and annoying process. You may also lose track of the permissions you have given to individual users, which will eventually lead to unnecessary risk.
7. Access Request Settings
At this point, you will have a number of security groups with tightly controlled access to your site. You might think, therefore, that the site is now secure. This is definitely not the case. It’s very important to take a few extra steps to ensure the security of your site, and one of the most important is to control the way that your existing users can invite other users to access your site.
Here’s the problem: by default, the users already in your security groups can invite anyone else (inside your organization or outside it) to access your site, and these new users will automatically be added into your security groups without you being able to control this. This is a security risk.
In order to improve site security, you need to look at the access request settings for your new site. To do that:
- Go to Site Settings > Site Permissions
- On the top ribbon, click on Access Request Settings
- You will see the pop-up below appear, with three check boxes. You will need to decide which of these boxes to leave checked, and which to disable.
To help you decide, here is what these buttons do:
- Allow members to share the site and individual files and folders. If this box is checked, this will allow users to share individual files with people outside of your security groups. Any user who has access to the site will be able to click on “Share document” and share a file with someone outside of the department.
- Allow members to invite others to the site members group, [Name of Members Group]. This setting must be enabled to let members share the site. If this box is checked, this will allow any user in the Site Members group to share the whole site with other users who are not originally part of the group. Even worse, these new members will be automatically added to the members’ security group without your permission.
- Allow access requests. This allows you to approve or reject site access requests. If this box is checked and an email address has been provided, you will get an email notification asking you to approve access to the site when someone lands on the site URL.
8. Implement Security Settings
At this point, you have essentially two approaches open to you. You can either allow your users to share the site and its content by leaving the boxes mentioned above enabled, or you can uncheck them and control access to your site via your security groups. Which of these approaches you choose will depend on the size of your organization, and your level of trust in your staff. If you work in a small team and can check regularly on who has been invited to your site, you can leave the default settings in place.
If, on the other hand, you want more control over the security of your site, uncheck all three of the buttons in the Access Request Settings menu. This will make it impossible for existing members to invite new members: it essentially disables sharing. This means that your users will get an error message when they click “share document”, so you will need to educate them about the best way to share documents. They should send the URL of a whole site to the user they are trying to share with, or send the URL of individual documents to the recipient.
9. Page Permissions
Next, a small step that is nonetheless very important for the security of your new site. By default, SharePoint gives users with the Contribute permission level the ability to click on the Page Tab, Edit button and start moving around (or deleting) elements on your pages. Whilst they cannot delete your whole site, they can certainly cause trouble by doing this.
To limit this ability, you need to edit Page Permissions:
- Click on Page > Page Permissions
- On the next screen, it shows you permissions for this page. Note that Members Group has Contribute access to the page
- Break the inheritance from Site to Page by clicking on Stop Inheriting Permissions
- Once the inheritance is broken, change the permissions for the Members Group from Contribute to Read
10. Manage Multi-Site Access
Finally, you should recognize that sometimes your subsite will contain material from its parent site, and that this might cause access issues. If you’ve broken the inheritance relationship between your subsite and its parent, this material will not be accessible on the subsite. This might be the case, for instance, if images for your subsite are being pulled from its parent.
The way to securely solve this issue is either to give users access to the parent site as well (not an ideal solution), or (better) to store all of the data that your subsite needs within it. This second approach will allow you more granular control over the security of your site, and so it is the approach that we recommend.
A Final Word
Managing security in SharePoint online can be confusing, but in truth the system gives you all the tools that you need in order to tightly control user access and permissions. The key is learning how to use the tools that are available to you, and a clear understanding of who needs which level of permission for your organization.
The information, steps, and principles above will allow you to keep your SharePoint security strong, but as your system develops it might be that you will need to deploy more complex systems and tools to manage user access. At this point, you can check out our course on implementing Office 365 Sharing for a more detailed look at how to keep your sharing systems secure, your data safe, and your users happy.