Forum Discussion
How do you control OneDrive sync to personal devices?
- Anonymous, Oct 12, 2023
Thanks for the feedback, the policies for Microsoft services are plain and simple.
The organization in question needs services only Intune can provide, and with those services come certain policies which can't be mitigated.
The Zero Trust model is a security strategy that assumes no connection can be trusted, even if the user or account was previously authenticated. It seeks to address the following:
- Continuous verification: Always verify access, all the time, for all resources.
- Limit the “blast radius”: Minimize impact if an external or insider breach does occur.
- Automate context collection and response: Incorporate behavioral data and get context from the entire IT stack (identity, endpoint, workload, etc.) for the most accurate response.
- Verify explicitly.
- Use least privilege access.
- Assume breach.
Regarding your concern about allowing OneDrive sync to personal PC/Mac without robust mitigation controls in place, it’s important to note that containerization and encryption are just two of many mitigation controls that should be in place to protect your content. While DLP scans and event logging are useful reactive measures, they do not provide complete protection against cyberattacks.
I would recommend that you consider implementing additional proactive measures such as:
1. Conditional Access: This feature allows you to control access to your organization's resources based on specific conditions such as location, device compliance, and risk level.
2. Data Loss Prevention (DLP): This feature helps you identify and protect sensitive information across Microsoft 365 apps and services.
3. Microsoft Defender for Endpoint: This feature provides endpoint protection against cyber threats.
4. Microsoft Cloud App Security: This feature provides visibility into cloud applications and services used in your organization.
If I have answered your question, please mark your post as Solved
If you like my response, please give it a Like
Appreciate your Kudos! Proud to contribute! 🙂
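As an added illustration of the Conditional Access item in the reply above (example code written for this edit, not part of the original reply or of any Microsoft documentation): a Microsoft Graph PowerShell script that creates a policy requiring an Intune-compliant or hybrid-joined device for Office 365, which is the service the OneDrive sync client authenticates to. It is created in report-only mode first. The break-glass group object ID is a placeholder.

```powershell
# Added example, not from the forum thread. Requires the Microsoft.Graph PowerShell SDK
# and an account with Conditional Access Administrator rights.
# The break-glass group ID below is a placeholder you must replace.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder

$policy = @{
    displayName = "Require managed device for Office 365 (report-only)"
    # Start in report-only so the sign-in logs show who would be blocked before enforcing.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeUsers  = @("All")
            excludeGroups = @($BreakGlassGroupId)   # never lock out emergency-access accounts
        }
        applications = @{
            includeApplications = @("Office365")   # includes SharePoint/OneDrive, used by the sync client
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        # Either an Intune-compliant device or a hybrid Entra-joined device satisfies the policy.
        # A personal PC/Mac that is neither receives no token, so the OneDrive client cannot sync.
        builtInControls = @("compliantDevice", "domainJoinedDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Check: review the report-only results in the Entra sign-in logs, then switch to enforcement:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -State "enabled"
```

The point of the report-only stage is that this policy denies tokens, not just sync: any user on an unmanaged device loses Office 365 access as a whole, so the sign-in log review is where you find the personal devices that are still in use before turning enforcement on.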
The policy is mainly to control 'sync settings', because by default users are allowed to sync personal OneDrive accounts.
It is important for organizations to have policies in place to control the syncing of OneDrive for Business content to personal devices.
OneDrive policies can be used to control sync settings, and administrators can configure these policies using Group Policy or administrative templates in "Microsoft Intune".
Additionally, it is possible to restrict OneDrive so that it only synchronizes files to domain-joined computers. In this case, a policy named “Allow syncing only on PCs joined to specific domains” would be activated in the OneDrive admin module.
The best solution is to get a Microsoft Intune license and reach out to the Intune support team for further assistance.
https://intune.microsoft.com
If I have answered your question, please mark your post as Solved
If you like my response, please give it a Like
Appreciate your Kudos! Proud to contribute! 🙂
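To make the two controls in the reply above concrete (the tenant-side domain restriction and the device-side sync policies), here is an added PowerShell example written for this edit; it is not from the reply or from Microsoft. It assumes the SharePoint Online Management Shell on an admin workstation and, for the device part, a local administrator session on the client. The tenant admin URL, tenant ID and AD domain GUID are placeholders to replace.

```powershell
# Added example, not from the thread. Replace the three placeholders before use.
$TenantAdminUrl = "https://contoso-admin.sharepoint.com"        # placeholder
$TenantId       = "11111111-1111-1111-1111-111111111111"         # Entra tenant ID, placeholder
# On a domain-joined machine with RSAT, (Get-ADDomain).ObjectGUID returns the real value.
$DomainGuid     = "22222222-2222-2222-2222-222222222222"         # AD domain GUID, placeholder

# --- Tenant side: the "Allow syncing only on PCs joined to specific domains" setting ---
# This is the PowerShell equivalent of the checkbox on the OneDrive admin center's Sync page.
Connect-SPOService -Url $TenantAdminUrl
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $DomainGuid

# Caveat: the GUID check only passes Windows devices joined to an on-premises AD domain.
# Macs (and Entra-joined-only devices) have no matching domain GUID, so either block Mac
# sync outright with -BlockMacSync or cover those devices with Conditional Access compliance.
# Set-SPOTenantSyncClientRestriction -Enable -DomainGuids $DomainGuid -BlockMacSync

# Check: TenantRestrictionEnabled should be True and AllowedDomainList should list the GUID.
Get-SPOTenantSyncClientRestriction

# --- Device side: what the OneDrive ADMX / Intune settings catalog policies write ---
# "Prevent users from syncing personal OneDrive accounts"           -> DisablePersonalSync = 1
# "Allow syncing OneDrive accounts for only specific organizations" -> AllowTenantList\<TenantId> = "1"
# Writing these directly is only for testing on one machine; in production let GPO/Intune deliver them.
$PolicyKey = "HKLM:\SOFTWARE\Policies\Microsoft\OneDrive"
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name "DisablePersonalSync" -Type DWord -Value 1
New-Item -Path "$PolicyKey\AllowTenantList" -Force | Out-Null
Set-ItemProperty -Path "$PolicyKey\AllowTenantList" -Name $TenantId -Type String -Value "1"

# Check on the device that the values landed (Intune-delivered values show up in the same keys).
Get-ItemProperty -Path $PolicyKey | Select-Object DisablePersonalSync
Get-ItemProperty -Path "$PolicyKey\AllowTenantList" | Select-Object -Property $TenantId
```

The two halves address different risks: the tenant-side restriction stops an unmanaged PC from syncing the organization's OneDrive, while the device-side policies stop a managed PC from syncing a personal OneDrive or another tenant's OneDrive, which is the default-allowed behaviour the reply refers to.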
I was told that content in OneDrive is already containerized and encrypted, and we have a DLP scan looking for sensitive data. Since we have E5, there is advanced event logging and logs are kept for one year. Additionally, we have another 3rd-party tool to monitor bulk data transfer, so we should be protected.
I am not sure all those mitigation controls will help protect our content. Seems to me they are more reactive approaches. This is why I'd like to ask the community members' experiences at different organizations. Any feedback is appreciated.
Thanks once again!