Everything you need to know about securing SharePoint Online for the MS-500

So, you're set up with SharePoint. Users are accessing SharePoint and everything is going great, but now there's a security concern. Everything used to sit on file shares inside your network. The network was secured, so you didn't have to worry about your files too much. But that's not the case with SharePoint Online. With SharePoint Online, files can be accessed from anywhere at any time. Files can also be synced to your users' devices (including personal devices). Those devices can get lost, stolen, or hacked. So now we have a big issue. But have no fear, Microsoft is here! There are a ton of ways to secure your SharePoint files. You can limit what users can do and who they can share files with. You can limit where the files can be accessed from (including by IP address or country). You can even limit SharePoint access based on your managed devices! That's right, you can set up SharePoint so only authorized users on authorized devices can access your SharePoint files.

Restrict external user access to your SharePoint tenant

The first way you'll need to secure your SharePoint tenant is by controlling who users can share files with. By default, users can share their SharePoint files with anyone. They can set up a sharing link that doesn't require a password. If that link is accidentally forwarded to someone who isn't supposed to have it, that person can access your SharePoint files. So how do we limit sharing?

1. Open the SharePoint admin center > Policies > Sharing

2. Drag the sliders under Content can be shared with to the appropriate level.

3. Scroll to the bottom of the page and click Save.

SharePoint sharing permissions set to least permissive

From this page, you can edit the SharePoint and OneDrive sharing permissions. You can configure it to allow users to only share documents with internal users or keep it so users can share with anyone.

Limit Sharing by domain

A question you may see on the MS-500 is "How do you limit external sharing to only people in contoso.com?" Well, it's pretty easy.

1. Open the SharePoint admin center > Policies > Sharing

2. Click More external sharing settings > Limit external sharing by domain > Add domains.

3. Click Allow only specific domains. Then enter the domain whose users should be allowed to receive shared content from your SharePoint tenant.

4. Click Save.

Limit external sharing by domains in SharePoint Online

5. Then scroll to the bottom of the page and click Save.
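The same tenant-level sharing settings can be applied with the SharePoint Online Management Shell. This is an added example, not code from the original post; the admin URL is a placeholder, contoso.com is the post's example domain, and the choice of ExternalUserSharingOnly (external users must sign in, no anonymous links) is my assumption.

```powershell
# Added example: configure the sharing settings from the steps above via
# PowerShell, then read them back so the change can be verified.
$AdminUrl      = "https://contoso-admin.sharepoint.com"   # placeholder admin URL
$AllowedDomain = "contoso.com"                            # domain from the post's example

Connect-SPOService -Url $AdminUrl

# Require external recipients to authenticate (no "Anyone" links) and only
# allow sharing with accounts from the allow-listed domain.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList $AllowedDomain

# Verify: compare what the tenant actually stores against the intended state.
$tenant = Get-SPOTenant
$expected = @{
    SharingCapability            = "ExternalUserSharingOnly"
    SharingDomainRestrictionMode = "AllowList"
    SharingAllowedDomainList     = $AllowedDomain
}
foreach ($name in $expected.Keys) {
    $actual = [string]$tenant.$name
    if ($actual -ne $expected[$name]) {
        Write-Warning "$name is '$actual', expected '$($expected[$name])'"
    } else {
        Write-Output "$name OK ($actual)"
    }
}
```

The verification loop is worth keeping as a recurring check, since anyone with SharePoint admin rights can loosen these settings from the portal later.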

Restricting downloading, printing, and syncing from unmanaged devices

Okay, so now sharing is secured and users can only share with specific domains. But users can still access all the files across SharePoint and OneDrive from any device. A user may go to a shared computer, for example at a library, and sync your company's files to it. Uh-oh. How do you prevent users from downloading, printing, and syncing files on unmanaged devices? Well, there are two ways to set it up: from the browser or from PowerShell.

1. Go to the SharePoint admin center > Policies > Access Control

2. Click Allow limited, web-only access. Then click Save.

limit SharePoint access from unmanaged devices

We can also make this change from PowerShell.

1. Connect to SharePoint Online using Connect-SPOService.

2. Run the following command: Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess


Restricting downloading, printing, and syncing from unmanaged devices per site

Okay, maybe you don't need to limit downloading, printing, and syncing across your whole tenant. Maybe there are just a couple of SharePoint sites that do need to be limited. What do you do? First, you need to enable app-enforced restrictions for your SharePoint tenant in a conditional access policy. Then configure each site to require a managed device.

Enable app enforced restrictions on the tenant

Before we go enabling it, let's talk about what it does. The app-enforced restrictions session control makes Azure AD pass device state information to the app you are connecting to. So, in short, SharePoint Online will know whether you're on a compliant device or not when you connect, and can apply the limited-access policy accordingly. Without further ado, let's set up the conditional access policy.

1. Go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies and log in with your admin credentials.

2. Click New policy.

New Conditional Access Policy

3. Set a name, for example, app enforced restrictions.

4. Click 0 users and groups > All users.

Set conditional access policy to all users

5. Click No cloud apps, actions, or authentication contexts selected > Select apps > Type SharePoint in the search box > Click Office 365 SharePoint Online > Select.

Conditional access policy cloud app: Office 365 SharePoint Online

6. Click 0 conditions selected > Not configured (under Client apps) > Yes (under Configure) > Done.

conditional access policy client apps all

7. Click 0 controls selected (under session) > Use app enforced restrictions > Select > On (Under Enable policy) > Create.

conditional access policy use app enforced restrictions

That's it. Now we can configure the SharePoint Online sites that we want to limit.

Restricting access from unmanaged devices per site

Perform the following steps on every SharePoint site you want to limit access to:

1. Open PowerShell and run Connect-SPOService -URL <Your SharePoint Admin URL>

2. Run Set-SPOSite -Identity <The SharePoint site URL you want to protect> -ConditionalAccessPolicy AllowLimitedAccess

Limit access to SharePoint site

That's it. The site is now protected from downloading, syncing, or printing from unmanaged devices.
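If you have more than a couple of sites to protect, the two steps above can be run in a loop and each site read back to confirm the policy took effect. This is an added example, not code from the original post; the admin URL and site URLs are placeholders.

```powershell
# Added example: apply the per-site limited-access policy from the steps above
# to several sites in one pass and verify each one afterwards.
$AdminUrl = "https://contoso-admin.sharepoint.com"     # placeholder admin URL
$Sites    = @(                                          # placeholder list of sites to protect
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/HR"
)

Connect-SPOService -Url $AdminUrl

# The site-level setting only has an effect once the "Use app enforced
# restrictions" conditional access policy is passing device state to SharePoint.
# The tenant-wide default is shown for comparison (AllowFullAccess means the
# tenant itself is not restricting unmanaged devices).
Write-Output "Tenant default ConditionalAccessPolicy: $((Get-SPOTenant).ConditionalAccessPolicy)"

foreach ($url in $Sites) {
    Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess

    # Read back what SharePoint stored rather than assuming the call succeeded.
    $site = Get-SPOSite -Identity $url
    if ($site.ConditionalAccessPolicy -eq "AllowLimitedAccess") {
        Write-Output "$url -> web-only access from unmanaged devices"
    } else {
        Write-Warning "$url still has ConditionalAccessPolicy = $($site.ConditionalAccessPolicy)"
    }
}
```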