Everything you need to know about securing SharePoint Online for the MS-500
So, you're set up with SharePoint. Users are accessing SharePoint and everything is going great, but now there's a security concern. Everything used to sit on file shares inside your network. The network was secured, so you didn't have to worry about your files too much. But that's not the case with SharePoint Online. With SharePoint Online, files can be accessed from anywhere at any time. Files can also be synced to your users' devices (including personal devices). Those devices can get lost, stolen, or hacked. So now we have a big issue. But have no fear, Microsoft is here! There are a ton of ways to secure your SharePoint files. You can limit what users can do and who can share files. You can limit where the files can be accessed from (including by IP address or country). You can even limit SharePoint access based on your managed devices! That's right, you can set up SharePoint so only authorized users using authorized devices can access your SharePoint files.
Restrict external user access to your SharePoint tenant
The first way you'll need to secure your SharePoint tenant is by controlling whom users can share files with. By default, users can share their SharePoint files with anyone. They can set up a sharing link that doesn't require a password. If that link is accidentally forwarded to someone it isn't meant for, that person can access your SharePoint files. So how do we limit sharing?
1. Open the SharePoint admin center > Policies > Sharing
2. Drag the sliders under Content can be shared with to the appropriate level.
3. Scroll to the bottom of the page and click Save.
From this page, you can edit the SharePoint and OneDrive sharing permissions. You can configure it to allow users to only share documents with internal users or keep it so users can share with anyone.
Limit Sharing by domain
So let's say a question on the MS-500 you may see is "How do you limit external sharing with only people in contoso.com?" Well, it's pretty easy.
1. Open the SharePoint admin center > Policies > Sharing
2. Click More external sharing settings > Limit external sharing by domain > Add domains.
3. Click Allow only specific domains. Then enter the domain you want to be able to access your SharePoint tenant.
4. Click Save.
5. Then scroll to the bottom of the page and click Save.
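The same two sharing settings can be applied from the SharePoint Online Management Shell, which is handy when you need to repeat them across tenants or verify what is actually set. This is an added example, not a script from the original post; the admin URL and the allowed domain are placeholders for your own tenant and partner domain.

```powershell
# Added example: PowerShell equivalent of the two sharing settings above.
# Assumes the SharePoint Online Management Shell module is installed and
# that "contoso" / "contoso.com" are placeholders for your tenant and partner domain.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Baseline: record the current tenant-wide sharing settings before changing anything.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList

# Setting 1: the "Content can be shared with" slider.
# Valid values, from most to least restrictive:
#   Disabled                         - internal users only
#   ExistingExternalUserSharingOnly  - guests already in the directory
#   ExternalUserSharingOnly          - new and existing guests (sign-in required, no anonymous links)
#   ExternalUserAndGuestSharing      - anyone, including anonymous "Anyone" links
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Setting 2: limit external sharing to an allow list of domains
# (the "Allow only specific domains" option in the admin center).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "contoso.com"

# Verify: read the settings back and fail loudly if the allow list did not apply.
$tenant = Get-SPOTenant
if ($tenant.SharingDomainRestrictionMode -ne "AllowList") {
    throw "Domain allow list was not applied"
}
$tenant | Select-Object SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList
```

Reading the settings back with Get-SPOTenant is the step worth keeping: the admin center sliders and the PowerShell values map onto the same tenant properties, so this is also a quick way to audit whether someone has loosened sharing since you configured it.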
Restricting downloading, printing, and syncing from unmanaged devices
Okay, so now sharing is secured and users can only share with specific domains. But users can still access all the files across SharePoint and OneDrive from any device. A user may accidentally go to a shared computer, for example, at a library, and sync your company's files to the shared computer. Uh-oh. How do you prevent users from downloading, printing, and syncing files to unmanaged devices? Well, there are two ways to set it up: from the browser or PowerShell.
1. Go to the SharePoint admin center > Policies > Access Control
2. Click Allow limited, web-only access. Then click Save.
We can also make this change from PowerShell.
1. Connect to SharePoint Online using Connect-SPOService.
2. Run the following command: Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
Restricting downloading, printing, and syncing from unmanaged devices per site
Okay, maybe you don't need to limit downloading, printing, and syncing across your whole tenant. Maybe there are a couple of SharePoint sites that do need to be limited, though. What do you do? First, you need to enable app-enforced restrictions on your SharePoint tenant. Then configure the site to require a managed device.
Enable app enforced restrictions on the tenant
Before we go about enabling it, let's talk about what it does. The app-enforced conditional access policy will require Azure AD to pass the device information to the app that you are connecting to. So, in short, SharePoint Online will know if you're on a compliant device or not when you connect. Without further ado, let's set up the conditional access policy.
1. Go to https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/ConditionalAccessBlade/Policies and log in with your admin credentials.
2. Click New policy.
3. Set a name, for example, app enforced restrictions.
4. Click 0 users and groups > All users.
5. Click No cloud apps, actions, or authentication contexts selected > Select apps > Type SharePoint in the search box > Click Office 365 SharePoint Online > Select.
6. Click 0 conditions selected > Not configured (under Client apps) > Yes (under Configure) > Done.
7. Click 0 controls selected (under session) > Use app enforced restrictions > Select > On (Under Enable policy) > Create.
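The same Conditional Access policy can be created with the Microsoft Graph PowerShell SDK, which makes the setting reviewable and repeatable. This is an added example, not part of the original post or Microsoft's documentation; it assumes the Microsoft.Graph.Identity.SignIns module is installed, that the signed-in admin has the Policy.ReadWrite.ConditionalAccess permission, and that the well-known application ID 00000003-0000-0ff1-ce00-000000000000 still identifies Office 365 SharePoint Online in your tenant (check it under Enterprise applications if in doubt).

```powershell
# Added example: create the "app enforced restrictions" policy from steps 1-7 via Microsoft Graph.
# Assumes the Microsoft.Graph.Identity.SignIns module and the ConditionalAccess write scope.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.Read.All", "Policy.ReadWrite.ConditionalAccess"

# Well-known application ID for Office 365 SharePoint Online (assumption: verify in your tenant).
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "app enforced restrictions"          # step 3
    # Step 7 turns the policy on. Use "enabledForReportingButNotEnforced"
    # first if you want to watch sign-in logs before enforcing.
    state       = "enabled"
    conditions  = @{
        users          = @{ includeUsers = @("All") }            # step 4: All users
        applications   = @{ includeApplications = @($sharePointAppId) }  # step 5
        clientAppTypes = @("all")                                # step 6: Client apps = Yes, all types
    }
    sessionControls = @{
        applicationEnforcedRestrictions = @{ isEnabled = $true } # step 7: Use app enforced restrictions
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Verify: read the policy back and confirm the session control is actually on.
$check = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
if (-not $check.SessionControls.ApplicationEnforcedRestrictions.IsEnabled) {
    throw "App enforced restrictions session control is not enabled on policy $($check.DisplayName)"
}
"{0} -> state={1}" -f $check.DisplayName, $check.State
```

Without this session control, SharePoint Online never receives the device state from Azure AD, so the per-site Set-SPOSite policy in the next section has nothing to act on; verifying IsEnabled after creation catches the most common reason the site-level restriction appears to do nothing.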
That's it. Now we can configure the SharePoint Online sites that we want to limit.
Restricting access from unmanaged devices per site
Perform the following steps on every SharePoint site you want to limit access to:
1. Open PowerShell and run Connect-SPOService -URL <Your SharePoint Admin URL>
2. Run Set-SPOSite -Identity <The SharePoint site URL you want to protect> -ConditionalAccessPolicy AllowLimitedAccess
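Since the steps above have to be repeated for every site, here is an added example (not from the original post) that applies the policy to a list of sites and reads each one back to confirm it took. It also covers the tenant-level command from the previous section by checking the tenant baseline first. The admin URL and site URLs are placeholders.

```powershell
# Added example: apply AllowLimitedAccess to several sites and verify the result.
# Assumes the SharePoint Online Management Shell module; URLs are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant baseline (AllowFullAccess is the default). A site-level policy must be at
# least as restrictive as the tenant-level one, so check this before setting sites.
$tenantPolicy = (Get-SPOTenant).ConditionalAccessPolicy
Write-Output "Tenant-level ConditionalAccessPolicy: $tenantPolicy"

# Constructed list of sites to protect.
$protectedSites = @(
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/HR"
)

foreach ($url in $protectedSites) {
    # AllowLimitedAccess = web-only access from unmanaged devices (no download, print, or sync).
    # BlockAccess would deny unmanaged devices entirely; AllowFullAccess removes the restriction.
    Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess
}

# Verify: read each site back and flag any that did not take the setting.
$failed = @()
foreach ($url in $protectedSites) {
    $site = Get-SPOSite -Identity $url -Detailed
    if ($site.ConditionalAccessPolicy -ne "AllowLimitedAccess") {
        $failed += $url
        Write-Warning "$url is still $($site.ConditionalAccessPolicy)"
    } else {
        Write-Output "$url : $($site.ConditionalAccessPolicy)"
    }
}
if ($failed.Count -gt 0) { throw "Policy not applied on: $($failed -join ', ')" }
```

The read-back loop is the part to keep in a runbook: a site that silently stays at AllowFullAccess is the kind of drift you will not notice from the admin center until someone syncs a library from a personal laptop.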
That's it. The site is now protected from downloading, syncing, or printing from unmanaged devices.