External Sharing Best Practices for SharePoint Online & O365

The policy of ‘Data protection by design and by default’ in article 25 of the GDPR is driving vendors like Microsoft to align data security with innovation to not only develop better products but also more secure products. Along these lines organizations should adopt the policy of Privacy by Design, that is, organizational processes that are designed with protecting privacy in mind.

Just as external sharing is a critical and unavoidable piece of business success, so too is achieving compliance within a regulatory framework. Last year U.S Fortune 500 and U.K FTSE 350 companies spent nearly 9 billion dollars in efforts to avoid the multi-million dollar fines associated with failing to be GDPR compliant. The purpose of this article is to show you the settings Microsoft provides to control external sharing and how they can benefit your organization.

External Sharing: Organization-Wide Settings (O365 Admin Center)

Starting at the top, these tenant or organizational level settings will determine what options are available to your users throughout your environment in both SharePoint Online and OneDrive for business. In order to control how your data is shared externally, the organization needs to allow it to happen in a place where the organization has control. This is why you should deeply consider allowing external sharing at the tenant level.

To expose the tenant level external sharing settings for your organization in the O365 admin center navigate to:

Settings –> Services & add-ins –> Sites

Whichever option you choose, the more restrictive settings are still available on Site Collections and OneDrives.

The second option is recommended because it doesn’t restrict users from the ability to share with new users while the last option is unlikely to be used in most organizations and comes with some risks and less control after a file or folder is shared. 

What Policy Makes Sense for Your Organization?

Choose this option:	If you want to:
Only existing external users (sign-in required)	Allow sharing to external users who already exist in your directory because they were either already shared to or manually imported.
New and existing external users (sign-in required)	Require external users to sign in with a Microsoft account before accessing content. Allow only site owners or others with full control permission to share sites or documents with external users.
Anyone, including anonymous users (Optionally, you can set links to expire in a specific number of days, and how recipients can use the links)	Allow use of anonymous links which do not require sign-in or an authenticated user to access.

External Sharing: Top Level Site Collection & OneDrive for Business Settings

After you’ve set the tenant-wide sharing settings for SPO and OneDrive, you can further configure the top-level external sharing settings for SPO and ODfB in their respective admin centers. 

These settings affect what options are available to your users when sharing links in OneDrive or in SharePoint respectively.

Choose this option:	If you want to:
Anyone
New and existing external users (Recommended)	Require external users to sign in with a Microsoft account before accessing content. Allow only site owners or others with full control permission can share sites or documents with external users. Best for site collections which have external collaborators, especially if you’re in the process of migrating to a newer version of SharePoint.
Existing external users	Allow sharing to external users who already exist in your directory because they were either already shared to or manually imported.
Only people in your organization	Not allow any external sharing.

An important difference between allowing anyone and allowing new/existing users is that the latter requires a sign-in. This requirement gives users more control over how their file is accessed and who it is accessed by. But potentially the most important control you gain, is what happens to the file after it’s been shared. Since users have to sign-in to access the link, we can further control how the file is interacted with and choose what kind of rights they have to it and even block them from downloading it.

In the OneDrive admin center, you can further restrict external sharing settings for ODfB, however, you cannot configure settings to be less restrictive than those set in SharePoint. In this section I will touch upon what you get by allowing ‘Anyone’ but focuses on available options if you were to allow external sharing to New and Existing users as this policy is best practice in most cases.

The screenshot below shows some additional options for what’s considered an ‘Anonymous link’ if you were to allow sharing with ‘Anyone’ in OneDrive. (Its anonymous because it doesn’t require a sign-in.)

Otherwise that option is unavailable.

An important difference between allowing anyone and allowing new/existing users is that the latter requires a sign-in. This requirement gives users more control on how their file is accessed and who it is accessed by.

But potentially the most important control you gain, is what happens to the file after it’s been shared. Since users have to sign-in to access the link, we can further control how the file is interacted with and choose what kind of rights they have to it and even block them from downloading it.

Since I decided to allow new and existing (authenticated) users, the link settings in the screenshot to the below are available when sharing a link to OneDrive.

Consider setting more restrictive settings for OneDrive than SharePoint, I think of OneDrive as a place for personal documents whether that relate to storing company information or personally identifiable information.

SharePoint Admin Center

In the classic SPO admin center there are two categories for sharing settings. The first options are in the ‘site collections’ section and the second are in the ‘sharing’ section. I’ll cover the site collection sharing section first.

Classic SharePoint Admin Center

Sharing options can be configured for each  SharePoint site in this section when a site is selected, the options on the top become available and the options to the right are displayed.

The default setting is ‘no external sharing allowed’ so a conscious decision must be made on which sites allow sharing, and what type of sharing is allowed.

This is where you can tighten control on sites which contain sensitive data or alternatively allow more permissive controls for sites that are more collaboration oriented.

Note that you can also choose who is allowed to invite new users to a site, in general I recommend leaving that privilege to site owners.

Modern SharePoint Admin Center

The modern SharePoint admin center is simplified and the settings have been changed to reflect the same options as previously described.

I suspect some of the other options you saw above (like setting the default link type for a site) will be merged to the modern admin center once it’s fully released. For now there’s no mention of those options in Microsoft’s documentation so we’re stuck with the classic experience for those settings for the time being.

Access control settings:

Unmanaged devices

Restrict access from devices that aren’t compliant or joined to a domain. Options range from allowing full access, web only (not desktop or mobile), and blocking access entirely.

Idle session sign-out

Automatically sign out users from inactive browser sessions.

Network Location

Limit access to only from specific IP addresses.

Apps that don’t use modern authentication

More security controls

In addition to all the above settings, there are a range of additional controls available:

• All user activities related to SPO and ODfB, including who accessed, viewed, edited, deleted, or shared files are viewable in the audit logs. In the new admin center, a high-level view of activity for a site can be highlighted in the ‘Insights’ section as well if enabled on a site.
• SPO and ODfB content are subject to Data Loss Prevention (DLP) policies which depending on the policy may prevent users from sending it externally. This is dependent on the DLP policies ability to identify the content correctly which may cause frustration for end users.
• SPO and ODfB content may be subject to records retention policies set by preservation policies. These may impact on the ability to send documents externally.
• SPO and ODfB content may be subject to an eDiscovery case.
• Administrators can be notified when users perform specific activities in both SPO and ODfB.
• Sharing (and access to the documents once shared) may be subject to security controls enforced through Microsoft Information Protection.

Summary

In conclusion, understanding and implementing the settings above will give an organization a strong control of what and how things can be shared both internally and externally. These additional controls are only available if you allow sharing through SharePoint Online and OneDrive for Business. If you choose to allow sharing, the settings described in this article will provide further control on how internal users can share information and what external users can do with it.

For a glimpse at some of your tenant’s settings, today check out some of the PowerShell scripts below, for the full picture of your environment check our STEALTHbits SharePoint Data Collector.

Handy PowerShell Scripts

Use this PowerShell script to return all your tenants external users (requires SharePoint Admin)

The output will look like this:

Use these PowerShell scripts for additional details on your current SharePoint Online and OneDrive tenant settings:

---

Don’t miss a post! Subscribe to ‘The Insider Threat Security’ Blog here: