Marketplace blog

SharePoint Embedded security features: A comprehensive Q&A guide

spucelik
Jan 15, 2026

SharePoint Embedded provides enterprise-grade security and compliance capabilities that leverage Microsoft's comprehensive data governance framework. This Q&A guide addresses the most common security questions we encounter from customers, covering authentication, network security, compliance features, and best practices.

 

šŸ” Authentication & identity management

Q: How does SharePoint Embedded integrate with Microsoft Entra ID?

A: SharePoint Embedded requires all users to authenticate through Microsoft Entra ID:

  • Single sign-on (SSO): Seamless authentication across Microsoft 365 services
  • Multi-factor authentication (MFA): Configurable per-organization security policies
  • Guest access: Secure B2B collaboration using Entra ID B2B guest accounts

Key requirement: All users accessing SharePoint Embedded containers must exist as either:

  • Member users in your Entra ID tenant
  • Guest users invited through Entra ID B2B collaboration

 

Q: What's the difference between delegated and application permissions?

A: Understanding these permission models is critical for security and auditability:

Delegated permissions (recommended):

  • Application acts on behalf of an authenticated user
  • User context preserved in audit logs
  • Users must authenticate before accessing containers
  • Enables file search capabilities within containers
  • Use case: Interactive applications where user identity matters

Application-only permissions (restricted use):

  • Application acts without user context
  • No user tracking in audit logs (shows as application)
  • Search capabilities are limited
  • Use case: Background jobs, system integrations, automated processes

Best practice: Use delegated permissions whenever possible to maintain proper audit trails and security accountability.

 

Q: How do we secure service principals and application secrets?

A: SharePoint Embedded supports multiple secure authentication methods:

  1. Managed identities (most secure):
    • No secrets or certificates to manage
    • Identity tied to Azure resources
    • Cannot be used outside your Azure environment
    • Eliminates credential exposure risk
  2. Certificate-based authentication:
    • More secure than client secrets
    • Longer validity periods
    • Can be stored in Azure Key Vault
  3. Client secrets (use with caution):
    • Store in Azure Key Vault, never in code or config files
    • Enable automatic rotation (recommended: 90-day rotation)
    • Configure expiration alerts
  4. Security hardening:
    • Apply Conditional Access policies to service principals
    • Restrict to corporate IP ranges using Named Locations
    • Implement Privileged Identity Management (PIM) for credential access
    • Enable Azure Policy to enforce certificate-based authentication
    • Apply domain restrictions where applicable

 

šŸ›”ļø Container-level security features

Q: What security controls are available at the container level?

A: SharePoint Embedded provides granular security controls for each container:

  1. Sensitivity labels:
    • Enforce encryption and access policies
    • Automatically applied to all content in the container
    • Integrated with Microsoft Purview Information Protection
  2. Block download policy:
    • View-only access for high-sensitivity content
    • Prevents data exfiltration
    • Supports watermarking in Office web apps
  3. Container permissions (four permission levels available):
    • Owners: Full control including container deletion
    • Managers: Manage content and permissions (cannot delete container)
    • Writers: Add, update, and delete content
    • Readers: View-only access

 

Q: How does SharePoint Embedded handle external user collaboration?

A: SharePoint Embedded supports secure external collaboration through multiple mechanisms:

Authentication options:

  • Entra ID guest users: External users invited as B2B guests
  • Email-based sharing: Send secure access links with expiration
  • Anonymous links: View-only or edit links without authentication (configurable)

Security controls:

  • Container-level sharing policies may supersede tenant default settings; however, they do not impact other configurations within the tenant.
  • Link expiration dates and access revocation
  • Audit trail for all external user activities
  • Integration with Data Loss Prevention (DLP) policies

Sharing configuration best practices:

  1. Enable guest sharing only for required applications
  2. Require email verification for sensitive content
  3. Monitor external access through Microsoft Purview audit logs

Real-world scenarios:

  • Legal firms: Share case documents with external counsel using time-limited guest access
  • Construction projects: Collaborate with subcontractors while maintaining security boundaries
  • Financial services: Enable secure document exchange with clients using DLP policies

 

📋 Compliance & data governance

Q: What Microsoft Purview features are supported?

A: SharePoint Embedded integrates with the full Microsoft Purview compliance suite:

  1. Audit logging:
    • All user and admin operations captured in the unified audit log
    • Enhanced with ContainerTypeId for filtering
    • Search and export capabilities through Microsoft Purview
    • Retention up to 10 years (with E5 license)
  2. eDiscovery:
    • Search across all SharePoint Embedded containers
    • Place legal holds on container content
    • Review content to determine whether it should be tagged and included in the case
    • Export content for litigation or investigation
  3. Data lifecycle management (DLM):
    • Apply retention policies to containers
    • Automatic deletion after the retention period
    • Hold policies for litigation or investigation
    • Label-based retention rules
    Implementation:
    • Retention policies scoped to "All Sites" automatically include SPE containers
    • Selective enforcement using container URLs
    • Graph API for programmatic label application
  4. Data loss prevention (DLP):
    • Identify and protect sensitive information
    • Prevent external sharing of classified content
    • Policy tips and user notifications
    • Automatic encryption and access restrictions
    DLP policy enforcement:
    • Real-time scanning of uploaded content
    • Block external sharing based on content type
    • Business justification workflows (app-dependent)
    • Integration with sensitivity labels

 

Q: How are DLP policies enforced in SharePoint Embedded?

A: DLP works similarly to SharePoint Online with some considerations:

Supported scenarios:

  • Automatic detection of sensitive information (PII, financial data, etc.)
  • Policy enforcement on upload, download, and sharing
  • Alert generation for policy violations
  • Integration with Microsoft Purview compliance center

Application responsibilities: Since SharePoint Embedded has no built-in UI, applications must:

  1. Display policy tips to users when DLP flags content
  2. Handle business justification workflows for policy overrides
  3. Implement sharing restrictions when DLP blocks external access
  4. Use Graph APIs to retrieve DLP policy status

Best practice: Test DLP policies on pilot containers before organization-wide deployment.

 

🔒 Advanced security scenarios

Q: How do we implement least-privilege access for SharePoint Embedded?

A: Follow these principles for robust security architecture:

 

Q: What are common security misconfigurations to avoid?

A: Learn from real customer experiences:

āŒ Common Mistake 1: Assigning application permissions to user activities

  • Problem: No audit trail, all actions appear as "application"
  • Solution: Use delegated permissions for interactive scenarios

āŒ Common Mistake 2: Storing secrets in application code

  • Problem: Credential exposure in version control
  • Solution: Use Azure Key Vault with managed identities

āŒ Common Mistake 3: Ignoring conditional access configuration

  • Problem: Service principals accessible from any network
  • Solution: Configure named locations and conditional access policies

āŒ Common Mistake 4: Not testing admin consent flow

  • Problem: Consuming tenant onboarding failures
  • Solution: Use admin consent URL method:

https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id={client-id}&redirect_uri={redirect-uri}
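As an added example (not code from the post or from Microsoft), the following Python builds the admin consent URL above with validated, URL-encoded parameters and checks the redirect that comes back to the app before treating the tenant as onboarded. The callback parameter names (admin_consent, tenant, state, error, error_description) are assumed from the identity platform's documented v2.0 response, and the GUIDs and URLs used are constructed.

```python
import re
from urllib.parse import parse_qs, urlencode, urlparse

GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
CONSENT_ENDPOINT = "https://login.microsoftonline.com/{tenant}/v2.0/adminconsent"

def build_admin_consent_url(tenant_id: str, client_id: str, redirect_uri: str,
                            state: str, scope: str = "") -> str:
    """Build the admin consent URL from the post with validated, URL-encoded parameters."""
    if not (GUID_RE.match(tenant_id) and GUID_RE.match(client_id)):
        raise ValueError("tenant_id and client_id must be GUIDs")
    parsed = urlparse(redirect_uri)
    # Only an https redirect (or localhost during development) should be registered.
    if parsed.scheme != "https" and parsed.hostname != "localhost":
        raise ValueError("redirect_uri must use https")
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state}
    if scope:
        params["scope"] = scope  # optional: space-separated delegated scopes
    return CONSENT_ENDPOINT.format(tenant=tenant_id) + "?" + urlencode(params)

def check_admin_consent_callback(callback_url: str, expected_state: str,
                                 expected_tenant: str) -> dict:
    """Validate the redirect back to the app. Assumed callback shape: on success
    admin_consent=True&tenant=<id>&state=<state>; on failure error=...&error_description=..."""
    q = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    # The state must round-trip so the callback is bound to a request this app issued.
    if q.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch"}
    if "error" in q:
        return {"ok": False, "reason": q.get("error_description", q["error"])}
    if q.get("admin_consent", "").lower() != "true":
        return {"ok": False, "reason": "consent not granted"}
    # Consent granted in a tenant other than the one being onboarded is a failure too.
    if q.get("tenant", "").lower() != expected_tenant.lower():
        return {"ok": False, "reason": "unexpected tenant"}
    return {"ok": True, "tenant": q["tenant"], "scope": q.get("scope", "")}
```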

 

šŸ¢ Enterprise security best practices

Q: What security hardening steps should we implement?

A: Follow this layered security approach:

Level 1: Basic hardening

  1. Access controls:
    • [ ] Implement least privilege principles
    • [ ] Use delegated permissions for user-facing operations
    • [ ] Regular permission audits (quarterly)
    • [ ] Remove unused API permissions
  2. Authentication:
    • [ ] Enable certificate-based authentication
    • [ ] Configure MFA for all admin accounts
    • [ ] Implement password-less authentication where possible
    • [ ] Use managed identities for Azure-hosted apps
  3. Network security:
    • [ ] Configure Conditional Access policies
    • [ ] Define trusted IP ranges (Named Locations)
    • [ ] Block legacy authentication protocols
    • [ ] Enable sign-in risk policies

Level 2: Advanced hardening

  1. Monitoring & alerting:
    • [ ] Enable Microsoft Defender for Cloud Apps
    • [ ] Configure alerts for suspicious activities:
      • Unusual download volumes
      • Access from unexpected locations
      • Permission changes
      • Guest user additions
    • [ ] Integrate audit logs with SIEM (Sentinel, Splunk)
    • [ ] Establish baseline for normal activity
  2. Compliance:
    • [ ] Apply sensitivity labels to containers
    • [ ] Implement DLP policies for sensitive data
    • [ ] Configure retention policies
    • [ ] Regular compliance assessments
  3. Incident response:
    • [ ] Document container emergency access procedures
    • [ ] Define escalation paths for security incidents
    • [ ] Test access revocation processes
    • [ ] Maintain audit log retention for forensics
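As an added example that is not part of the post, the following Python runs the ContainerTypeId filtering described under audit logging and three of the alert rules from the monitoring checklist above (unusual download volume, access from outside a Named Location, and an application-only identity performing interactive operations, the symptom of Common Mistake 1) over constructed audit records. Field names other than ContainerTypeId, the UserType value for applications, the trusted IP range and the download threshold are assumptions.

```python
import json
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed JSON-lines export modelled on unified audit log records. Field names
# other than ContainerTypeId are assumptions; values are invented, not tenant data.
SAMPLE_LOG = """\
{"CreationTime":"2026-01-15T09:00:01","Operation":"FileDownloaded","UserId":"alice@contoso.example","UserType":0,"ClientIP":"203.0.113.10","ContainerTypeId":"ct-legal"}
{"CreationTime":"2026-01-15T09:00:05","Operation":"FileDownloaded","UserId":"alice@contoso.example","UserType":0,"ClientIP":"203.0.113.10","ContainerTypeId":"ct-legal"}
{"CreationTime":"2026-01-15T09:00:09","Operation":"FileDownloaded","UserId":"alice@contoso.example","UserType":0,"ClientIP":"203.0.113.10","ContainerTypeId":"ct-legal"}
{"CreationTime":"2026-01-15T09:00:12","Operation":"FileDownloaded","UserId":"alice@contoso.example","UserType":0,"ClientIP":"203.0.113.10","ContainerTypeId":"ct-legal"}
{"CreationTime":"2026-01-15T09:30:00","Operation":"FileModified","UserId":"bob@contoso.example","UserType":0,"ClientIP":"198.51.100.7","ContainerTypeId":"ct-legal"}
{"CreationTime":"2026-01-15T10:00:00","Operation":"FileModified","UserId":"app@sharepoint","UserType":5,"ClientIP":"203.0.113.20","ContainerTypeId":"ct-legal"}
{"CreationTime":"2026-01-15T10:05:00","Operation":"FileDownloaded","UserId":"carol@contoso.example","UserType":0,"ClientIP":"198.51.100.9","ContainerTypeId":"ct-other"}
"""

TRUSTED_RANGES = [ip_network("203.0.113.0/24")]  # constructed Named Location range
DOWNLOAD_THRESHOLD = 3                            # downloads per user per export window
APP_USER_TYPE = 5                                 # assumed: UserType 5 = Application
INTERACTIVE_OPS = {"FileModified", "FileUploaded", "FileDeleted"}

def parse_records(raw: str, container_type_id: str) -> list:
    """Parse the export and keep only records for one ContainerTypeId."""
    recs = [json.loads(line) for line in raw.splitlines() if line.strip()]
    return [r for r in recs if r.get("ContainerTypeId") == container_type_id]

def find_alerts(records: list) -> list:
    """Apply three of the post's alert rules and return one string per finding."""
    alerts = []
    downloads = Counter(r["UserId"] for r in records if r["Operation"] == "FileDownloaded")
    for user, count in downloads.items():
        if count > DOWNLOAD_THRESHOLD:
            alerts.append(f"unusual download volume: {user} downloaded {count} files")
    for r in records:
        ip = ip_address(r["ClientIP"])
        if not any(ip in net for net in TRUSTED_RANGES):
            alerts.append(f"access from unexpected location: {r['UserId']} from {r['ClientIP']}")
        # App-only identity editing content: no user context survives in the audit trail
        if r.get("UserType") == APP_USER_TYPE and r["Operation"] in INTERACTIVE_OPS:
            alerts.append(f"application-only {r['Operation']} by {r['UserId']} (no user context)")
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(parse_records(SAMPLE_LOG, "ct-legal")):
        print(alert)
```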

Level 3: Zero trust architecture

  1. Continuous verification:
    • [ ] Device compliance requirements
    • [ ] Session-based access controls
    • [ ] Real-time risk assessment
    • [ ] Automated response to anomalies

 

📚 Additional resources

Official documentation

Security best practices

 

Have more questions or want to talk to the team? Contact us: SharePointEmbedded@microsoft.com

Updated Jan 15, 2026
Version 1.0