This article is contributed. See the original author and article here.

 

There are lots of new announcements at Ignite’20 and it is the great time to reflect and summarize our journey thus far with security and compliance in SharePoint, OneDrive, and Teams.  We are excited to share with you a roundup of recent new security and compliance controls in SharePoint and OneDrive and Teams. In this new norm of working remotely, safeguarding your business critical data is super important and we are here to help.

 

Click on the links below to learn more about respective scenarios and features.  All the features mentioned below are generally available, except the ones explicitly called out as Public Preview or Private Preview.

 

For our Ignite 2020 announcements in Security and Compliance in SharePoint and OneDrive, check out this blog here.

User & session security

MFA (Multi-factor-authentication) for Users

Multi-factor-authentication is new norm and our recommended scheme to identify and authenticate users accessing content in Microsoft 365. Azure Active Directory offers MFA capabilities that you can turn on for internal and external users. Check out the link above for more details.

 

Unified session sign-out powered by Continuous access evaluation – Public Preview

User has lost his device and you want to sign him/her out across all sessions on all devices? We are providing you a unified session sign-out capability powered by continuous access evaluation. Check out the link above for more details.

 

Figure. Microsoft 365 admin signs out a user across all sessions on all devicesFigure. Microsoft 365 admin signs out a user across all sessions on all devices

 

 

External users, sharing, and access

External sharing policies in SharePoint and OneDrive

Manage external access in Microsoft Teams

Collaborating with partners and clients external to your organization is bread and butter of many businesses. With our continued investments in external collaboration, SharePoint, OneDrive, and Teams is the hub for your external collaboration teamwork. Check the links above for details.

 

Figure. SharePoint admin center external sharing settingsFigure. SharePoint admin center external sharing settings

 

Automatic expiration of external access for content in SharePoint & OneDrive

Managing external users access is important to ensure no loss of organization’s data after the external project is completed. You can now configure a The solution is here, automatic expiration of external access for content. Check out the link above for more details.

 

Figure. SharePoint site collection admin manages external access expirationFigure. SharePoint site collection admin manages external access expiration

 

 

Access governance insights in SharePoint and OneDrive – Private Preview

With growing digital data it becomes important to govern the access policies for your top sites and teams that matter the most. Access governance insights in SharePoint and OneDrive aims to help you on these regards. If interested to be an early adopter, sign-up for the private preview here.

 

Conditional access policies – Devices and Locations security

Granular conditional access policies – Unmanaged device policy

Azure Active Directory offers the coarse grained conditional access policies, and within SharePoint and OneDrive you can do a site specific fine grained device policies. For example, top secret sites you want to block access from unmanaged devices. Check out the above link for more details.

 

Network IP address policy

Control access to the content based on location IP address that user is accessing from.

 

Information Protection with Sensitivity labels

As part of the Microsoft Information Protection (MIP) journey, we have a series of capabilities in SharePoint, OneDrive, and Teams to protect your sensitive content and we call out a few below. We continue to invest in this journey.

 

Microsoft Information Protection for Files

The encrypted files are now treated as first class experience in SharePoint, OneDrive, and Teams, and users can search for them and also co-author in Office Apps in them.

 

Figure. Microsoft information protection sensitivity labels for filesFigure. Microsoft information protection sensitivity labels for files

 

Microsoft Information Protection at scale – Auto classification with sensitivity labels

With the scale at which digital data is growing, it is not sufficient to have manual labelling only and expect the users and administrators to manually label files. Auto classification with sensitivity labels aim to power you to automatically detect sensitive content in your digital estate and label them.

 

Figure. Microsoft 365 compliance center showing auto labelling modesFigure. Microsoft 365 compliance center showing auto labelling modes

 

Sensitivity labels for Teams, SharePoint Sites, and Microsoft 365 Groups

Not only at the Files level, you can also now classify and label a SharePoint site, Team, and Microsoft 365 Group and holistically secure all contents in them.

 

Sensitivity labels with external sharing policies – Public Preview coming soon

We are expanding the policies that can be associated with sensitivity labels, now with external sharing policy settings in SharePoint and OneDrive sites. If interested, sign-up here.

 

Sensitivity labels with MFA Policy – Private Preview

Multi-factor authentication (MFA) is our recommended authentication scheme for user authentication. You can now associate MFA (multi-factor-authentication) policy to sensitivity labels. If interested to try this out, sign up for the private preview here.

 

Data loss prevention (DLP)

 

DLP for SharePoint and OneDrive and Teams

To comply with business standards and industry regulations, organizations must protect sensitive information and prevent accidental leakage of organization’s data. Microsoft 365 Data Loss Prevention policies designed to help you prevent accidental data loss.

 

DLP Block external access by default for sensitive files in SharePoint/OneDrive/Teams

External collaboration is important for business, however, you do want to protect your sensitive files accidentally shared with external users. This feature specifically helps you meet that need. You can now block external sharing and access until a DLP scan is run on a given file that just got uploaded to SharePoint or OneDrive. Check out this feature link for more details.

 

DLP policy for blocking anyone links for sensitive content

Often you want to share sensitive content with external collaborators, however, you want to prevent access and sharing anyone with the link option. This new DLP rule helps you to achieve that granular control, check out the link above.

 

Endpoint data loss prevention (DLP) – Public preview

With remote working and proliferation of devices, end points have exponentially grown, we are helping you to protect and avoid leakage of sensitive content at all end points on Windows devices. Learn more about Endpoint DLP here.

 

Compliance – Information governance

M365 Communication Compliance

Communication compliance is an insider risk solution in Microsoft 365 and they help you with reviewing messages in scanned email, Microsoft Teams, Yammer, or third party communication tools. Check out the above link for more details.

 

M365 Multi-Geo capabilities

More organizations are becoming global and have a need to meet data residency compliance in keeping the users OneDrive and Mailbox in their home geo. Multi-Geo helps you to meet these data residency needs while at the same time offering the modern productivity experience to your global workforce.

 

Figure. SharePoint admin center showing tenant spanned across multiple geo locationsFigure. SharePoint admin center showing tenant spanned across multiple geo locations

 

Information Barriers (IB) for SharePoint & OneDrive

You may have compliance need to put barriers in collaboration and communication between certain set of users in your organization to avoid conflict of interest.  You can now achieve these controls in Microsoft 365, checkout the Information Barriers scenario link above.

 

Figure. SharePoint site owner manages information segments for a siteFigure. SharePoint site owner manages information segments for a site

 

Retention labels

You can meet your governance needs for retaining or deleting the content after certain period of time, check out the retention labels and policies link above.

 

Records management

Organizations of all types require a records management solution to meet their regulatory, legal, and business requirements. Microsoft 365 records management is designed to help you meet these requirements. Check out the link above.

 

Check out Microsoft 365 compliance solutions page for many more compliance features available in Microsoft 365.

 

Other security controls

Global reader role in SharePoint

To reduce the number of administrators with privileged global admin roles, Azure Active Directory introduced Global Reader role. This role is now supported in SharePoint admin center so that they have only read access to all things SharePoint administration. Check out the link above for more details.

 

Customer key

Microsoft 365 has additional layer of encryption called service encryption on top of volume-level encryption thru BitLocker. Customer key is built on service encryption and enhances the ability to meet the demands of compliance requirements. To learn more, check out the link above.

Customer key for Exchange and SharePoint is already generally available. Customer key for Teams will come to private preview later calendar year 2020.

 

For licensing related information, check out the Microsoft 365 licensing guidance for security and compliance.

 

We hope this compilation of security and compliance controls was useful and informative for you.

 

Check out many more Ignite sessions in the Ignite website and Microsoft 365 Adoption Center: Virtual Hub. If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.

 

As you navigate this challenging time, we have additional resources to help. For more information about how we are responding together to COVID-19, visit our Remote Work site. We’re here to help in any way we can.

 

Thank you!

 

Sesha Mani – Principal Group Product Manager (GPM)

Microsoft 365, SharePoint and OneDrive

 

Praveen Vijayaraghavan, Principal PM Manager

Microsoft 365, Teams

Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.