I’m an Office 365 consultant and many of my customers are moving from on-premises environments to the Cloud. I field many questions from the IT and business departments of those customers and what I’ve discovered is most questions center around maintaining control and/or mitigating risk. This makes sense and I understand why customers’ focus is on this… it’s important! Not surprisingly, I’ve started to notice a pattern emerging from questions I receive independent of the organization I’m working with.
This post is a running list of the most common questions I receive and my current response to each. To be clear, I will customize my answers depending on the regulatory requirements and culture of the organization, however I always ensure they’re made aware of the consequences and trade-offs being made based on their decisions. Once I’ve done that, it’s up to them to decide what’s the right approach for their organization.
If there are other Office 365 questions you have or hear a lot as customers make the mind-shift to Office 365, let me know and I’ll include them in this list.
In no particular order…
Can you turn off sync for a site/library in SharePoint? Yes, however ask yourself why you’re wanting to do this. Yes, there may be legitimate reasons such as a large library, sensitive content, etc., however understand the potential productivity impact you may cause by doing this. Working with files thru File Explorer is a comfortable place for information workers to be, particularly in collaboration sites where offline work is required.
How do you turn off sync? You can disable it at a site level thru the Search and Offline Availability setting. Set the ‘Allow items from this site to be downloaded to offline clients’ toggle to No. Alternatively, you can disable it at a library level… go to the library’s Advanced settings and set the ‘Allow items from this library to be downloaded to offline clients’ toggle to No. Keep in mind this only stops the sync client; anyone who can read a file can still download it thru the browser, so on its own it is not a data-protection control.
Can you hide stuff from Delve? Yes, but I challenge the idea of wanting to do this in the first place. If you think content is being surfaced in Delve that is visible to the wrong audience, then you don’t have permissions set up correctly in your environment, since Delve only shows content you have permission to see. Address the permission mistakes and this problem goes away.
If you still want to disable content from appearing in Delve, I’ve blogged about 3 ways to do this each with different side-effects. Reference: Hiding from Delve in Office 365. You can also disable the Delve application entirely in the tenant, however there are other features affected when you do this: Discover list in OneDrive, Suggested list on the SharePoint start page,…
Can you selectively allow external sharing at a SharePoint site level? Yes, and this is a great idea! You should also have some governance and training for sites where external sharing is allowed. Ensure information workers understand how to share externally and intentionally set the view/edit rights and expiration date. If you have configured Data Loss Prevention (DLP) and/or Azure Information Protection (AIP) in your environment, this is an added level of control on content and can even have settings specific to external parties. Consider employing these features as well to mitigate some of the risk of sharing data outside to external parties.
How do you do this? The external sharing setting is controlled at a tenant level to determine the default for all SharePoint and OneDrive sites. Additionally, you can selectively change the setting for a specific site collection to a less permissive level (you can’t be more permissive at a site collection level than the tenant level).
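Here is how that looks in the SharePoint Online Management Shell. This is an added example, not from the original post; the tenant and site URLs and the group names are placeholders, and it assumes you have a SharePoint admin role. It sets the tenant ceiling, tightens one site below it, shows that a site cannot exceed the tenant setting, and finishes with the governance check I’d run regularly: which sites actually allow external sharing today.

```powershell
# Added example, not from the original post. Assumes the SharePoint Online
# Management Shell module and a SharePoint admin role; tenant and site URLs
# are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Tenant default: the ceiling every site inherits. Allowed values, least to
# most permissive: Disabled, ExistingExternalUserSharingOnly,
# ExternalUserSharingOnly, ExternalUserAndGuestSharing (anonymous links).
# Default links to "people in your organization" and stop guests re-sharing.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true

# Per site: tighten below the tenant level where the content warrants it.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
            -SharingCapability Disabled

# A site can only be as permissive as the tenant, never more. With the tenant
# at ExternalUserSharingOnly, asking for anonymous links on a site is rejected.
try {
    Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/PartnerPortal" `
                -SharingCapability ExternalUserAndGuestSharing -ErrorAction Stop
} catch {
    Write-Warning "Rejected as expected: $($_.Exception.Message)"
}

# Governance check: every site that currently allows any external sharing.
# Compare this against the list of sites where you intentionally allowed it.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object SharingCapability -Descending
```

Run the last query on a schedule and you have a simple drift report: any site that shows up that isn’t on your approved list is a governance conversation, not a permission mystery.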
Can you stop users from being able to create their own sites thru default UI? Yes. The decision an organization makes to allow this or not is typically a factor of their culture and risk tolerance. You should ensure you have an expeditious process in place to create a site if you’re going to prevent end-users from creating their own. From my experience, this is a critical factor to get information workers engaged using the Office 365 collaboration tools. If you take too long to fulfill their request, they may use other non-sanctioned tools to get their work done.
How can you do this? You can associate an Active Directory group with the allowed members to create a new SharePoint site/Modern Team site/Communication site. You can also build an automated provisioning solution to allow an end-user to request/create a new site when they want, while injecting your own governance and controls as the site is provisioned. Check out my blog post, Auto-provisioning SharePoint Sites and Teams: A blog post list, where I list a number of blog posts from the community on how to build your own provisioning solution.
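The group-based restriction is done thru the Azure AD Group.Unified directory setting, which governs who can create Office 365 Groups (and therefore Modern Team sites, Teams and Planner plans). This is an added example, not from the original post; it uses the AzureADPreview module, where the directory-setting cmdlets live, and the security group name “Site Creators” is a placeholder for your own group. Note that standalone sites (Communication sites, classic sites) are governed separately by the site creation settings in the SharePoint admin center, so this covers the group-connected half of the question.

```powershell
# Added example, not from the original post. Uses the AzureADPreview module
# (Get-/Set-AzureADDirectorySetting are not in the GA AzureAD module).
# "Site Creators" is a placeholder for an existing security group.
Import-Module AzureADPreview
Connect-AzureAD

$allowedGroup = Get-AzureADGroup -Filter "DisplayName eq 'Site Creators'"
if (-not $allowedGroup) { throw "Create the 'Site Creators' security group first." }

# Group.Unified is the tenant-wide settings object for Office 365 Groups.
# It does not exist until someone instantiates it from its template.
$setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    $template = Get-AzureADDirectorySettingTemplate |
                Where-Object { $_.DisplayName -eq 'Group.Unified' }
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# Block group creation for everyone except members of the allowed group.
# This also stops self-service Teams, Planner and Outlook group creation.
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $allowedGroup.ObjectId
Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# Verify what the directory now holds.
(Get-AzureADDirectorySetting -Id $setting.Id).Values |
    Where-Object { $_.Name -in 'EnableGroupCreation', 'GroupCreationAllowedGroupId' }
```

Once this is in place, the provisioning solution you build runs under an account or app that is in the allowed group, and that is the only path for everyone else to get a site. That makes the turnaround time of your request process the thing that decides whether people stay inside the sanctioned tools.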
Can you prevent users from sharing sensitive content outside of your organization? Yes. This can be done several different ways and you may choose to use any/all of them to solve the problem. The first thing to decide on is what you mean by ‘sensitive content’ in your organization by defining your classification scheme. If the content resides on a SharePoint site where external sharing is enabled (see previous point on external sharing), you will want to have some protection controls in place for sensitive content that may be on the site. Azure Information Protection (AIP) can auto-apply a sensitivity label when it finds the sensitive information types you configure, anywhere across your tenant. AIP can also apply rights management based on a label, so that only select trusted external parties you *may* want to share with can open the content. Data Loss Prevention (DLP) can be used to stop external sharing based on sensitive content it detects in a document/email.
An additional level of control can be configured using Conditional Access to control what types of devices and apps are allowed to connect to your organization’s resources. This can even be done at a site level if a particular site contains sensitive information (for example, limiting a non-domain-joined device to browser-only access with no download to Office client apps).
Note: You can classify an entire site with a classification label, however at the time of this writing, no out-of-the-box controls are available to automatically set controls based on this.
As you can see, there are a number of controls you can implement to protect data across your environment, each addressing a different aspect of the problem you’re trying to solve.
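To make the DLP and site-level Conditional Access pieces concrete, here is an added example (not from the original post) in Security & Compliance and SharePoint Online PowerShell. It assumes the Exchange Online Management module for Connect-IPPSSession and the SharePoint Online Management Shell for the site step; the policy names, site URL and the two sensitive information types are placeholders chosen for illustration. The rule blocks access for people outside the organization only, so internal collaboration on the same file keeps working, and it starts in test mode so you can read the incident reports before enforcing.

```powershell
# Added example, not from the original post. Assumes the Exchange Online
# Management module (Connect-IPPSSession) and the SharePoint Online Management
# Shell. Policy names, site URL and sensitive info types are placeholders.
Connect-IPPSSession

# 1. DLP: detect common PII in SharePoint and OneDrive and block access for
#    anyone outside the organization while the file stays usable internally.
#    Start in TestWithNotifications, review incident reports, then set -Mode Enable.
New-DlpCompliancePolicy -Name "Block external sharing of PII" `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "PII shared outside the org" `
    -Policy "Block external sharing of PII" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number";                minCount = "1" },
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }) `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope PerUser `
    -NotifyUser Owner, LastModifier, SiteAdmin `
    -NotifyPolicyTipCustomText "This file contains PII and cannot be shared externally." `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity, DocumentAuthor

# 2. Conditional Access at site level: browser-only, no download, for
#    unmanaged devices on one sensitive site while the rest of the tenant
#    keeps full access. Also requires an Azure AD Conditional Access policy
#    targeting SharePoint Online with "Use app enforced restrictions".
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Set-SPOTenant -ConditionalAccessPolicy AllowFullAccess
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
            -ConditionalAccessPolicy AllowLimitedAccess
```

The two controls address different failure modes: DLP reacts to what is *in* the file regardless of where it sits, while the site-level Conditional Access setting reacts to *where the request comes from* regardless of what the file contains. Sensitive sites usually deserve both.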
Can you change the default permission for a Modern Team site owner? Yes, but please don’t! You are messing with the default behavior of what an Owner means and with the integration of so many apps that leverage the Owner role, I think you’re asking for trouble if you do this since it may not “play well” with future Office 365 features Microsoft rolls out. There is no way to make this change tenant-wide without using a custom solution. Any clients I work with, I STRONGLY urge them not to do this. Alternatively, implement strong governance and training controls to mitigate the risk you perceive by the default Owner role.
Key takeaway on this one… governance, governance, governance (and training)!!
Do you need to backup Office 365 content? This is usually the first question I hear from IT System Administrators. I was very interested to know what others were doing in this space so in August 2019, I put out a Twitter poll asking who was taking Office 365 backups. Here are the results from 260 votes… an overwhelming majority don’t.
When asked whether or not a backup is required, I always answer this question with “What problem are you trying to solve with a backup?”: Retention? Malware/Ransomware? End-user mistake? There are alternatives for all of those reasons across Microsoft 365 you should first be familiar with.
Office 365 collaboration tools are highly integrated with each other (SharePoint, Outlook, Planner, Stream, …) making the notion of a single point-in-time backup problematic at best. Although there are certainly products on the market that will back up components of Office 365, you should first consider the compensating controls, either on by default or configurable, that drastically reduce the need for many of the traditional reasons for a backup I hear from customers.
Examples of compensating controls:
- OneDrive self-serve restore (soon-to-come: SharePoint point-in-time restore)
- Document versions default to 500
- First and second-stage recycle bin – content is held for 93 days post-deletion
- Deleted Sites: sites are retained for 93 days
- Deleted Teams: teams are held for 30 days (can be restored from Azure Active Directory)
- Exchange’s Recoverable Items folder allows end-users and administrators to recover deleted/purged messages for a period of time (14 days by default, configurable up to 30, and indefinitely while the mailbox is on hold)
- Advanced Threat Protection (ATP): if your concern is ransomware, invest in ATP instead to quickly detect and isolate a problem before it spreads across your tenant and causes further damage
- Electronic Holds for eDiscovery cases – hold the content for a particular OneDrive, SharePoint site, Office 365 Group, Mailbox, Teams Chat, Teams Conversations for an eDiscovery case. This is not retroactive however: content deleted before the hold was placed is not brought back by it.
- Retention Policies for workloads across your organization. Knowing your regulatory requirements helps here – for example, maybe you need to retain all email for 10 years. Let a Retention Policy do this for you. Then, it’s discoverable!! If it’s in an offsite backup, it’s not (easily anyway). You can apply a retention policy on the same places an electronic hold can be placed.
- Governance, Governance, Governance! Implementing a strong governance program across Office 365 is critical and has an important part to play in your data governance/protection story. E.g. Are you worried if a Team is deleted by a Site Owner that may have important information in it? Set up an alert on the ‘Teams deleted’ activity in the Audit log and follow-up! Do this within 30 days (while the deleted Office 365 Group behind the Team can still be restored from Azure Active Directory, which brings the SharePoint site back with it)
- etc… I’ll be adding more compensating controls as I think of them here… 🙂
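As an added example of the ‘Teams deleted’ follow-up (not from the original post), here is a scheduled-query alternative to a portal alert policy. It assumes the Exchange Online Management module for Search-UnifiedAuditLog and the AzureAD module for the restore; the team name is a placeholder. It lists every TeamDeleted event in the last 30 days with the days left in the Azure AD soft-delete window, and wraps the restore in a function so the follow-up is one call.

```powershell
# Added example, not from the original post. Assumes the Exchange Online
# Management module (Search-UnifiedAuditLog) and the AzureAD module
# (Get-AzureADMSDeletedGroup, Restore-AzureADMSDeletedDirectoryObject).
# 30 days is the Azure AD soft-delete period for Office 365 Groups.
Connect-ExchangeOnline
Connect-AzureAD

$end   = Get-Date
$start = $end.AddDays(-30)

# Each team deletion is logged with Operation "TeamDeleted" (RecordType MicrosoftTeams).
$deletions = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType MicrosoftTeams -Operations TeamDeleted -ResultSize 5000

$report = foreach ($rec in $deletions) {
    $data = $rec.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        DeletedOn         = $rec.CreationDate
        Team              = $data.TeamName
        DeletedBy         = $rec.UserIds
        DaysLeftToRestore = 30 - [int]((Get-Date) - $rec.CreationDate).TotalDays
    }
}
$report | Sort-Object DaysLeftToRestore | Format-Table -AutoSize

# Restoring the soft-deleted group brings back the Team, its SharePoint site,
# mailbox and Planner plans as a unit. Display names are not unique, so match
# exactly and take the most recently deleted group with that name.
function Restore-DeletedTeam {
    param([Parameter(Mandatory)][string]$TeamName)
    $group = Get-AzureADMSDeletedGroup -SearchString $TeamName |
             Where-Object { $_.DisplayName -eq $TeamName } |
             Sort-Object DeletedDateTime -Descending |
             Select-Object -First 1
    if (-not $group) { throw "No soft-deleted group named '$TeamName' (more than 30 days ago?)" }
    Restore-AzureADMSDeletedDirectoryObject -Id $group.Id
}

# Example follow-up once the owner confirms the deletion was a mistake:
# Restore-DeletedTeam -TeamName "Project Falcon"
```

The point of the DaysLeftToRestore column is that the clock is the whole story here: a deletion you notice on day 31 is a backup conversation, a deletion you notice on day 3 is a two-line restore.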
An important consideration for backups is their effect on ongoing eDiscovery requests. You may be required to also include content from backups, which significantly complicates any kind of discovery request. If you keep the data inside Office 365, eDiscovery can find it and therefore report on it.
Can you stop end-users from building their own Flows? Not easily (see below **). If you remove the Flow license from an end-user, they will (currently) still be able to access Flow and, depending on the tenant, the free Flow SKU may automatically be used anyway. Before going down this road, know that a significant drawback of turning off Flow is it also prevents end-users from executing Flows built for them.
Think long and hard before doing this since Microsoft Flow is a Power Tool put in place to enhance the productivity of end-users. Instead, consider implementing some governance around it:
- monitor Flows being built across your tenant
- have Flow Guidance training on an Adoption site where you share some best practices for building Flows in your environment
- implement Data Loss Prevention (DLP) policies to control which connectors end-users are allowed to interact with
**Refer to a recent post, The Problem with Microsoft Flow for Exchange Admins, written by Vasil Michev where he talks about the Admin controls for Flow and techniques to turn off Flow.
I think you’ll agree that many of these questions come from a desire to maintain control. However, the traditional notion of control is being turned on its head in Office 365. We’re going from a “stop them from using it in the first place” approach to a “let them use it, but we’ll monitor, govern and use compensating controls” approach. This is uncomfortable territory for many.
The benefit of this approach is tremendous as it allows end-users to use the tools within Office 365 rather than tempting them to circumvent the IT-sanctioned tools to get their work done. A significant advantage of keeping the content in Office 365 is it can be monitored, governed, and ultimately discovered when you need to.
I’m not endorsing a leap of faith by Administrators with this approach, but instead to make incremental changes and a concerted effort to fundamentally change the way you once “controlled” your environment. Implement controls across the Office 365 workloads and features to strike an acceptable balance between information worker impact and your organization’s data protection, security, and compliance needs.
Thanks for reading.