Sep 28 2023 04:25 PM
Hi all,
Apologies in advance for the specifics of the question!
We currently set our OneDrive sharing policy to make links for files and folders accessible for 30 days, view-only by default, and the recipient must re-authenticate every 24 hours.
I have noticed that I have around 120,000 file shares showing in Defender (in one of the helpful cards that I now can't find).
The top 10 on this card and the overwhelming majority of file shares listed are from users who have now left and who shared data prior to us setting up the above policy.
I have found Microsoft guidance on how to find and govern stale externally shared files:
1. In the Microsoft 365 Defender portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.
2. Select and apply the policy template Stale externally shared files.
3. Customize the filter Last modified to match your organization's policy.
4. Optional: Set Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example:
   - Google Workspace: Make the file private and notify the last file editor
   - Box: Notify the last file editor
   - SharePoint online: Make the file private and send a policy-match digest to the file owner
5. Create the file policy.
Source: Information protection policies - Microsoft Defender for Cloud Apps | Microsoft Learn
I ran a search and found a user who left 2 years ago and who had around 1,000 files as shared External, Public, or Public (Internet) for which he was the file owner.
However, when I exported the list of these discovered files for the long-since left user, I found that under Collaborators there were staff who joined well after he left.
I also cannot find those files in OneDrive or our file management system.
My questions are:
1. Does the MCAS file search find actual files that are current in our environment or does this show a historic series of snapshots?
2. Why are recent joiners shown as collaborators on documents and folders for someone who left so long ago?
3. How can I actually find the files the search tells me it found?
4. If I set up a governance action to remove external users from the file share, will this actually work?
5. If I want to test, can I create an admin quarantine site/location on SharePoint and use the option to 'Put in admin quarantine'? If so, what will happen and what are the possible implications/ramifications?
Any help, guidance, or advice is greatly appreciated!
Feb 14 2024 11:37 AM