How can I share files, even though my organization doesn’t allow it?

In this article I will take you through things that I often encounter in organizations that you think have it well organized. I will talk about sharing files and more with external parties.

Do you work in an organization that allows external sharing? Then you can stop reading here.

I help many organizations set up their Microsoft 365 governance. No, not just Teams management or SharePoint governance, but management across all of Microsoft 365. We look at every setting. Often we find the things that people don’t know or don’t want to know.

I regularly encounter organizations that don’t want staff to share externally. When I ask why they don’t want that, the answer often has something to do with their legal or privacy requirements. Or I hear that they are in industry X and therefore have to comply with Y. I also come across identical organizations in the same area (e.g. government, financial services, education, etc.) that have no problem with external sharing. So why do they share externally and you don’t?

“We have disabled external sharing from SharePoint and OneDrive.”

The problem with this view is that people often talk about external sharing in Microsoft 365 as if it only applies to SharePoint Online and OneDrive.

Wrong!

External sharing covers much more. Other applications, such as Sway, Forms, Outlook calendar, Power BI and Bookings, also capture data. Although the data stored in these is not the same as a shared file, enough private or sensitive information can still be shared to cause a problem. Only one thing has to happen and your data is gone.

“We’ve turned off external sharing for every service in Microsoft 365”

Even if sharing from SharePoint and OneDrive is disabled, you can use Power Automate, so that every time a file is uploaded to location X, a workflow makes a copy and places it in an external service.

Not convinced yet? Check out this template, provided by Microsoft itself:

Save files from SharePoint to Google

Head in the sand

You take the easy route and just disable those apps, services, and features; problem solved!
This is an option, but you are definitely not a party animal if you choose to do this. By preventing external sharing, you are also imposing this boring existence on your staff. Plus, if people really want to do something that someone is preventing them from doing, they will find a way around it themselves:

Disable external file sharing = use Dropbox, Box, Google Drive, etc.
Disable forms = use SurveyMonkey
Disable Booking = use Calendly

Everything you disable in Microsoft 365 has an equivalent (and sometimes even better) external service. Plus, I am pretty sure that when someone logs into that external service, the account is not connected to your Azure Active Directory. If they do log in with their Azure AD account, that is just as worrying! Now that external service has access to your entire directory, employee data, maybe the user’s mailbox, OneDrive, every SharePoint site they use, etc., etc.

“We are blocking external services at the firewall”

Really? Every single service out there?
And who sits behind a firewall these days? Especially in this COVID-era of working from home?

Either way, files can still be sent as an email attachment, copied to a USB stick, sent to another device via Bluetooth, sent to another computer via Wi-Fi, and so on.

“We block attachments, disable USB storage devices and disable a bunch of other methods”

At this point you have to ask yourself, “Do I want to be in the cloud, especially in a multi-tenant environment?”
No, you don’t. You’re sitting in a dark room with multiple locks on the door. Your window is also locked, you’re writing things down on paper and filing it away in a filing cabinet with a lock and key. People come in if they know the secret handshake, and documents are burned as soon as you’re done with them.

What I’m trying to say is, what’s the point of going digital and using a collaboration platform like Microsoft 365 if you’re going to do everything you can to prevent people from collaborating with external people? Some work requires external people to do it. External people that your colleagues need to communicate with, share information, and collaborate on common files.

Choose where to share externally

This is a better approach. In Microsoft 365, you can indeed choose which site you want to share externally. You can set the allowed sharing level for SharePoint and OneDrive to Everyone (meaning they are anonymous links), and choose what level each site should be able to share at.

Configure file sharing

Configure sharing per site

Choose who can share externally

Use group membership to control who can share externally if you don’t want everyone in your organization to have full access. This can work alone or in conjunction with site-level sharing.

Specific sharing in SharePoint

A better approach: choose what can be shared externally

One safeguard that can be added or used on its own is to control who has access to content, regardless of sharing permissions or location. Using sensitivity labels, we can apply permissions based on content, location, group membership, domain, and more.

This allows you to have a scenario where files can be shared externally by anyone, but only people who are members of a specific group can open those files themselves. This works well for external file sharing, as we can enforce terms like “valid for 30 days” or “commercial in confidence” by actually expiring or revoking access to files.

To do this, go to this link in your Microsoft 365 Admin center https://compliance.microsoft.com/informationprotection?viewid=sensitivitylabels

sensitivity labels

This scenario uses different site permissions. This allows you to place sensitive files internally on a SharePoint site where a group of people have access, but only a subset of people have access to those specific files. So a user can share them, but the file cannot be opened if the person is not a member of the specific group.

Additionally, organizations can try to use Data Loss Prevention (DLP) to prevent the person from sharing something that should not be shared (as it could be a legitimate accident).

Configure DLP

View the audit log and set alerts

The audit log in Microsoft 365 captures almost everything. You open an email – it’s logged. You open a file – it’s logged. More importantly, you share a file – it’s definitely logged. That’s why we can set up alerts to notify admins or compliance administrators when something is shared that shouldn’t be.

Audits
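
A sketch of the alerting logic described above, as an added example that is not part of the original post: it checks exported sharing events against a per-site policy like the one set under “Choose where to share externally”. The policy table, site URLs and records are constructed, and the operation and field names are assumed to match SharePoint sharing records in an audit log export.

```python
import json

# Hypothetical per-site policy mirroring the site-level sharing setting:
# "anyone" permits anonymous links, "guest" permits named external users only.
SITE_POLICY = {
    "https://contoso.sharepoint.com/sites/partners/": "anyone",
    "https://contoso.sharepoint.com/sites/projects/": "guest",
}
LEVELS = {"none": 0, "guest": 1, "anyone": 2}
GUEST_OPS = {"SharingInvitationCreated", "AddedToSecureLink", "SharingSet"}

# Constructed audit records, one JSON object per line (the last is truncated).
SAMPLE_EXPORT = """
{"CreationTime": "2021-03-01T09:00:00", "Operation": "AnonymousLinkCreated", "UserId": "anna@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/partners/", "ObjectId": "brochure.pdf"}
{"CreationTime": "2021-03-01T09:05:00", "Operation": "AnonymousLinkCreated", "UserId": "bob@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/Projects", "ObjectId": "plan.docx"}
{"CreationTime": "2021-03-01T09:10:00", "Operation": "SharingInvitationCreated", "UserId": "carol@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/projects/", "ObjectId": "spec.docx", "TargetUserOrGroupType": "Guest"}
{"CreationTime": "2021-03-01T09:15:00", "Operation": "SharingInvitationCreated", "UserId": "dave@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/hr/", "ObjectId": "salaries.xlsx", "TargetUserOrGroupType": "Guest"}
{"CreationTime": "2021-03-01T09:20:00", "Operation": "SharingSet", "UserId": "erin@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/hr/", "ObjectId": "policy.docx", "TargetUserOrGroupType": "Member"}
{"CreationTime": "2021-03-01T09:25:00", "Operation": "FileAccessed", "UserId": "erin@contoso.com", "SiteUrl": "https://contoso.sharepoint.com/sites/hr/", "ObjectId": "policy.docx"}
{"CreationTime": "2021-03-01T09:30:00", "Operation": "Anonym
"""

def required_level(record):
    """Return the sharing level an event needs, or None if it is not external."""
    op = record.get("Operation")
    if op == "AnonymousLinkCreated":
        return "anyone"
    if op in GUEST_OPS and record.get("TargetUserOrGroupType") == "Guest":
        return "guest"
    return None

def find_violations(export_text):
    """Parse JSON-lines audit records; return events that exceed site policy."""
    alerts = []
    for line in export_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank, truncated or malformed export line
        needed = required_level(rec) if isinstance(rec, dict) else None
        if needed is None:
            continue
        # Normalise case and trailing slash so URL variants hit the same policy.
        site = rec.get("SiteUrl", "").lower().rstrip("/") + "/"
        allowed = SITE_POLICY.get(site, "none")  # unlisted sites: no sharing
        if LEVELS[needed] > LEVELS[allowed]:
            alerts.append((rec.get("CreationTime"), rec.get("UserId"),
                           rec.get("Operation"), rec.get("ObjectId"), allowed))
    return alerts
```

Calling `find_violations(SAMPLE_EXPORT)` flags the anonymous link on the guest-only site and the guest invitation on the unlisted HR site, and passes the events that stay within each site's level.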

What about everything that isn’t SharePoint or OneDrive?

Different apps and services in Microsoft 365 have different levels of control. For example, Sway and Forms have a tenant-wide setting. In Power Automate, it’s possible to create DLP policies that block connections to external services. In Azure AD, it’s possible to prevent users from giving consent to apps that have access to their account and the organization’s environment. The ability to have an approval process is currently in preview. Power BI can leverage information protection and use group-based access controls to determine who can share externally.

This is where organizations need to look at the big picture. Then the small picture, then the big picture. And especially how they should do things. It’s unrealistic to expect to get it right the first time, especially as technologies evolve and new levels of control are introduced.

Governing external sharing shouldn’t just be considered through tenant-, site-, and group-based controls. Additionally, organizations need to address their policy requirements, understand product capabilities, and train their people.

Let your users share externally. Be smart about it and educate them. Start with yourself and implement the right systems to find a balance between user-friendly and safe.

This blog post was originally written by Loryan Strant.
