Security and Compliance controls in SharePoint, OneDrive, and Teams - Roundup for Sep 2020
Published Sep 23 2020 08:15 AM
Microsoft

 

There are lots of new announcements at Microsoft Ignite 2020, and it is a great time to reflect on and summarize our journey thus far with security and compliance in SharePoint, OneDrive, and Teams. We are excited to share with you a roundup of recent security and compliance controls in SharePoint, OneDrive, and Teams. In this new norm of working remotely, safeguarding your business-critical data is super important, and we are here to help.

 

Click on the links below to learn more about respective scenarios and features.  All the features mentioned below are generally available, except the ones explicitly called out as Public Preview or Private Preview.

 

For our Ignite 2020 announcement in Security and Compliance in SharePoint and OneDrive, check out this blog here.

 

Users (Internal & External) related security controls

MFA (Multi-factor-authentication) for Users

Multi-factor authentication is the new norm and our recommended scheme to identify and authenticate users accessing content in Microsoft 365. Azure Active Directory offers MFA capabilities that you can turn on for internal and external users. Check out the link above for more details.

 

Unified session sign-out powered by Continuous access evaluation – Public Preview

Has a user lost their device, and you want to sign them out across all sessions on all devices? We are providing you a unified session sign-out capability powered by continuous access evaluation. Check out the link above for more details.

 

Figure. Microsoft 365 admin signs out a user across all sessions on all devices

 

 

External sharing policies in SharePoint and OneDrive and Manage external access in Microsoft Teams

Collaborating with partners and clients external to your organization is the bread and butter of many businesses. With our continued investments in external collaboration, SharePoint, OneDrive, and Teams are the hub for your external collaboration teamwork. Check the links above for details.

 

Figure. SharePoint admin center external sharing settings

 

Automatic expiration of external access for content in SharePoint & OneDrive

Managing external users' access is important to ensure no loss of the organization's data after the external project is completed. The solution is here: automatic expiration of external access for content. Check out the link above for more details.

 

Figure. SharePoint site collection admin manages external access expiration

 

 

Access governance insights in SharePoint and OneDrive – Private Preview

With growing digital data, it becomes important to govern the access policies for the top sites and teams that matter the most. Access governance insights in SharePoint and OneDrive aims to help you in this regard. If you are interested in being an early adopter, sign up for the private preview here.

 

Conditional access policies for devices & network locations

Granular conditional access policies - Unmanaged device policy

Azure Active Directory offers coarse-grained conditional access policies, and within SharePoint and OneDrive you can set site-specific, fine-grained device policies. For example, you may want to block access to top secret sites from unmanaged devices. Check out the above link for more details.

 

Network IP address policy

Control access to content based on the IP address of the location the user is accessing from.

 

Information protection

As part of the Microsoft Information Protection (MIP) journey, we have a series of capabilities in SharePoint, OneDrive, and Teams to protect your sensitive content and we call out a few below. We continue to invest in this journey.

 

Microsoft Information Protection for Files

Encrypted files are now treated as a first-class experience in SharePoint, OneDrive, and Teams; users can search for them and also co-author them in Office apps.

 

Figure. Microsoft information protection sensitivity labels for files

 

Microsoft Information Protection at scale - Auto classification with sensitivity labels

With the scale at which digital data is growing, it is not sufficient to rely on manual labelling only and expect users and administrators to label files by hand. Auto classification with sensitivity labels aims to empower you to automatically detect sensitive content in your digital estate and label it.

 

Figure. Microsoft 365 compliance center showing auto labelling modes

 

Sensitivity labels for Teams, SharePoint Sites, and Microsoft 365 Groups

Beyond the file level, you can now also classify and label a SharePoint site, Team, and Microsoft 365 Group and holistically secure all the content in them.

 

Sensitivity labels with external sharing policies – Public Preview coming soon

We are expanding the policies that can be associated with sensitivity labels, now with external sharing policy settings in SharePoint and OneDrive sites. We will be announcing public preview soon.

 

Sensitivity labels with MFA Policy – Private Preview

Multi-factor authentication (MFA) is our recommended scheme for user authentication. You can now associate an MFA policy with sensitivity labels. If you are interested in trying this out, sign up for the private preview here.

 

Data loss prevention (DLP)

DLP for SharePoint and OneDrive and Teams

To comply with business standards and industry regulations, organizations must protect sensitive information and prevent accidental leakage of the organization's data. Microsoft 365 Data Loss Prevention policies are designed to help you prevent accidental data loss.

 

DLP Block external access by default for sensitive files in SharePoint/OneDrive/Teams

External collaboration is important for business; however, you do want to protect your sensitive files from being accidentally shared with external users. This feature specifically helps you meet that need. You can now block external sharing and access until a DLP scan is run on a given file that just got uploaded to SharePoint or OneDrive. Check out this feature link for more details.

 

DLP policy for blocking anyone links for sensitive content

Often you want to share sensitive content with external collaborators but prevent access and sharing through the "Anyone with the link" option. This new DLP rule helps you achieve that granular control; check out the link above.

 

Endpoint data loss prevention (DLP) - Public preview

With remote working and the proliferation of devices, endpoints have grown exponentially. We are helping you protect sensitive content and avoid its leakage at all endpoints on Windows devices. Learn more about Endpoint DLP here.

 

Information governance

M365 Communication Compliance

Communication compliance is an insider risk solution in Microsoft 365 that helps you review messages in scanned email, Microsoft Teams, Yammer, or third-party communication tools. Check out the above link for more details.

 

M365 Multi-Geo capabilities

More organizations are becoming global and need to meet data residency compliance by keeping users' OneDrive and Mailbox in their home geo. Multi-Geo helps you meet these data residency needs while at the same time offering the modern productivity experience to your global workforce. For more details, check out the link above.

 

Figure. SharePoint admin center showing tenant spanned across multiple geo locations

 

Information Barriers (IB) for SharePoint, OneDrive and Teams

You may have a compliance need to put barriers on collaboration and communication between certain sets of users in your organization to avoid conflicts of interest. You can now achieve these controls in Microsoft 365; check out the Information Barriers scenario link above.

 

Figure. SharePoint site owner manages information segments for a site

 

Retention labels

You can meet your governance needs for retaining or deleting content after a certain period of time. Check out the retention labels and policies link above.

 

Records management

Organizations of all types require a records management solution to meet their regulatory, legal, and business requirements. Microsoft 365 records management is designed to help you meet these requirements. Check out the link above for more details.

 

Insider risk management

Managing insider risk is a critical compliance need for many organizations, and Microsoft 365 helps you meet that need through our insider risk management solution. Insider risk policies allow you to define the types of risks to identify and detect in your organization, including helping your risk analysts take appropriate actions. Check out the link above for more details.

 

Check out Microsoft 365 compliance solutions page for many more compliance features available in Microsoft 365.

 

Administrative roles and service level controls

Global reader role

To reduce the number of administrators with privileged global admin roles, Azure Active Directory introduced the Global Reader role. This role is now supported in the SharePoint admin center, so that users assigned to it have only read access to all things SharePoint administration. Check out the link above for more details.

 

Customer key

Microsoft 365 has an additional layer of encryption, called service encryption, on top of volume-level encryption through BitLocker. Customer key is built on service encryption and enhances the ability to meet the demands of compliance requirements. To learn more, check out the link above.

Customer key for Exchange and SharePoint is already generally available. Customer key for Teams will come to private preview later in calendar year 2020.

 

For licensing related information, check out the Microsoft 365 licensing guidance for security and compliance.

 

We believe this compilation of security and compliance controls is useful and informative for you.

 

Here are two Ignite'20 videos to watch and learn some of the above controls:

 

Microsoft 365 administrators - Enable secure and compliant work from anywhere

 

What's new in security and compliance in SharePoint and OneDrive:

 

Check out many more Ignite sessions in the Ignite website and Microsoft 365 Adoption Center: Virtual Hub. If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.

 

As you navigate this challenging time, we have additional resources to help. For more information about how we are responding together to COVID-19, visit our Remote Work site. We’re here to help in any way we can.

 

Thank you!

 

Sesha Mani - Principal Group Product Manager

Microsoft 365, SharePoint and OneDrive

 

Praveen Vijayaraghavan, Principal PM Manager

Microsoft 365, Teams

Last update: Sep 30 2020 10:40 AM