Office 365 groups lockdown best practices / recommendations


Hey guys,

Wondering if there are any recommendations/checklists, etc. for hardening security on Office 365 groups when working with externals. My scenario is having hundreds of people (mostly external) having to contribute with content that is highly classified and we are trying to lock down and control access, while tracking what is going on.

So far our measures have gone from making Private groups, restrictions for reception of mail from designated recipients only, enabling auditing for content access (read/update, check-in, etc.), up to conditional access and Intune control to forbid access from non-managed devices, DLP + AIP and RMS for document tracking as they travel outside our organisation, etc.

What else (besides Nespr.....)? I'm taking suggestions :)

3 Replies
...and yeah we also added email hardening into forcing people to submit content only when TLS is available, and particularly to use specific mail clients (e.g. Outlook on mobiles/desktop).

Quite a list already, I would add implementing guest re-attestation using this: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-azure-ad-controls-perform-access-review (still in public preview)

I'd consider segmenting the confidential material across multiple groups to give some extra granularity in access control. In other words, consider each group as a "bucket" of information and only allow certain users access to that bucket. I know people don't like the idea of creating multiple groups because this makes email communication harder (solution: create a DL composed of nested Office 365 Groups), but it does help control access.

 

TR
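
An added example, not part of any post in this thread: a read-only Exchange Online PowerShell audit that checks every Office 365 group containing guests against the baseline discussed above (Private access, mail accepted only from authenticated or designated senders) and flags large guest populations as candidates for the "bucket" segmentation suggested in the last reply. It assumes the ExchangeOnlineManagement module and an account allowed to read group configuration; the `$MaxGuests` threshold is a hypothetical value to tune.

```powershell
# Added example: audit guest-enabled Office 365 groups against the thread's baseline.
# Assumption: ExchangeOnlineManagement module is installed; nothing is modified.
Connect-ExchangeOnline -ShowBanner:$false

$MaxGuests = 50   # hypothetical threshold: above this, consider splitting the group

$report = foreach ($group in Get-UnifiedGroup -ResultSize Unlimited) {
    # Only groups that actually contain external (guest) members are in scope
    if ($group.GroupExternalMemberCount -eq 0) { continue }

    $findings = @()

    # Baseline 1: groups holding classified content should be Private
    if ($group.AccessType -ne 'Private') {
        $findings += 'AccessType is not Private'
    }

    # Baseline 2: mail must be limited to authenticated senders or a designated list
    $hasSenderList = @($group.AcceptMessagesOnlyFromSendersOrMembers).Count -gt 0
    if (-not $group.RequireSenderAuthenticationEnabled -and -not $hasSenderList) {
        $findings += 'Accepts mail from any sender'
    }

    # Segmentation hint: many guests in a single "bucket"
    if ($group.GroupExternalMemberCount -gt $MaxGuests) {
        $findings += "More than $MaxGuests guests; consider splitting"
    }

    # Enumerate the guests so the list can feed a periodic access review
    $guests = Get-UnifiedGroupLinks -Identity $group.PrimarySmtpAddress `
                  -LinkType Members -ResultSize Unlimited |
              Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' }

    [pscustomobject]@{
        Group      = $group.DisplayName
        AccessType = $group.AccessType
        Guests     = $group.GroupExternalMemberCount
        GuestList  = ($guests.PrimarySmtpAddress -join '; ')
        Findings   = if ($findings) { $findings -join ' | ' } else { 'OK' }
    }
}

# Groups with findings first, largest guest populations at the top
$report | Sort-Object @{ Expression = { $_.Findings -eq 'OK' } },
                      @{ Expression = 'Guests'; Descending = $true } |
    Format-Table Group, AccessType, Guests, Findings -AutoSize -Wrap
```

The `GuestList` column can be exported with `Export-Csv` and handed to group owners as input for the guest re-attestation mentioned in the second reply.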