OneDrive for Business is, from my perspective, one of the most under-utilized but benefit-rich parts of the Office 365 platform, allowing organizations (especially organizations that subscribe to the E3 or higher SKU) virtually unlimited storage, versioning, and recovery capability for their file-based storage.
What’s this mean for you? It means you can transition your users’ home directories from the U:\ or P:\ or H:\ or whatever letter you’ve given them to cloud-based, scalable, open-ended storage that can be accessed from anywhere your organization sees fit, and protected from the entire gamut of crypto-locker and ransomware crap on the internet.
And, as Great Power require frequently bestows Great Responsibility, OneDrive and Office 365 are no different. Frequently, organizations are tasked with controlling access to the data, restricting the types of data that can be stored, securing the data, and restoring or recovering it when necessary. This set of guidelines, assembled largely by my peer Kass Bottini, has a lot of great material to help you establish some solid guidelines for implementing OneDrive in your organization.
- OneDrive for Business Baseline Policies Disclaimer
- Data Governance
- Sharing Controls
- Content Access Restrictions
OneDrive for Business Baseline Policies Disclaimer
Customers who want to adopt OneDrive for Business often ask us for a baseline set of policies to help them get started. While most customers have different end goals or security requirements, educating on what (to borrow Otto Bismarck’s phrase) the art of the possible is will help everyone.
- This guide focuses primarily on OneDrive for Business. There are capabilities discussed in this article that can be used for other applications, but are not discussed.
- Customers should evaluate the policies carefully to ensure they are tested and validated in the environment.
- Though security and governance principles do play a role in these policies, there are likely additional policies that would benefit the organization. These are baseline policies created as recommendations. Customers are strongly urged to build on these policies as they mature with the solution.
For purposes of this discussion:
- A tenant policy applies to all users in the tenant
- A targeted policy can be applied to targeted groups
Furthermore, these are personal recommendations and do not constitute an endorsement or recommendations on the part of Microsoft.
Before you ever put a drop of data (or bit, I suppose) in Office 365, you really should put some thought around data governance. Data governance spans multiple disciplines, but I generally like to group it into four main categories:
- Retention (and destruction)
- Identification (labeling)
- Protection (encryption)
- Discovery (search)
Configure a Retention Policy
Scope: Tenant and targeted
- Determine organizational (and optionally, departmental or agency-level) retention policies. This may involve coordination with legal representatives for your organization.
- Tenant or targeted policy: Configure a policy for all users that retains OneDrive files for appropriate retention period based on organizational policies around data retention. This will prevent files from being permanently deleted during the retention period for both active and inactive (deleted) users. OneDrive sites can have multiple retention policies applied to them; in the event that multiple policies apply, the longest retention period wins. Admins will be able to access the user’s OneDrive site or use Office 365 Content Search to export data. Information on policies is available at https://docs.microsoft.com/en-us/office365/securitycompliance/retention-policies.
- Tenant policy: Set the OneDrive site retention setting to be retained for a minimum of 90 days (maximum 10 years) once the user account is deleted. This will allow Admins and managers to access the departed user’s OneDrive site as needed. For further details, see https://docs.microsoft.com/en-us/onedrive/set-retention.
- Targeted policy: Ensure the manager attribute of the users in Active Directory is populated. This attribute is synchronized via AAD Connect. Once a user’s license has been revoked or the user removed from AAD connect synchronization scope, an email will be generated and sent to the user listed in the manager attribute during the access period defined in the previous step. Any user that doesn’t have a manager attribute will follow the process outlined in https://docs.microsoft.com/en-us/onedrive/retention-and-deletion, but automatic emails will not be sent.
Configure a Labeling Policy
Scope: Tenant or targeted
Configuring some form of identification for content is critical to a data governance policy. You typically do this by identifying content based on some sort of data template or by labeling content that gets stored in certain libraries. In the case of OneDrive for Business, you may want to label content that is being stored related to certain business activities. For this, you’ll likely want to define a custom sensitive information type template. Using a sensitive information type template, you can identify content stored across your enterprise and apply certain labels to it. Labels can be used for a variety of purposes, including data classification and protection.
You can learn more about labels: https://docs.microsoft.com/en-us/microsoft-365/enterprise/infoprotect-configure-classification
- Determine an organizational policy for identifying and classifying content.
- Configure and publish labels. If you have E3, you’ll be able to deploy labels to users, and users will be able to manually classify content. If you have an advanced SKU, such as E5 or M365 E5, you’ll have the ability to automatically apply those same labels.
Configure a Protection Policy
Scope: Tenant or targeted
Protection policies are really just labels with protection (encryption) applied. You’d probably use the same configurations (sensitive information types, for example) to identify content and apply encryption or controls to it. You can start off with the same link as above (https://docs.microsoft.com/en-us/microsoft-365/enterprise/infoprotect-configure-classification), and then configure encryption actions when content meeting a sensitive information type is discovered.
- Determine an organizational policy for identifying and classifying content, and what associated encryption or protection actions should be taken.
- Configure document encryption policies to identify and encrypt content matching personally identifiable information templates, such as Social Security Numbers, Credit Card numbers, and Drivers License Numbers. You can use the default templates in Office 365, custom rule packages such as the one I published here or create your own using this blog post.
Scope: Tenant or targeted
All eDiscovery actions take place in the Security and Compliance Center. When it comes to OneDrive for Business eDiscovery, there are a few additional things to keep in mind:
- eDiscovery managers must be assigned permissions to the OneDrive for Business sites. This means you’ll need to run a script (such as the very useful, if I do say so myself, OneDrive for Business Admin Tool) or grant automatic secondary site admin privileges to the eDiscovery managers. You can learn more about delegating permissions at https://docs.microsoft.com/en-us/office365/securitycompliance/assign-ediscovery-permissions.
- Compliance boundaries (the new name we’ve given Compliance Filters) or ethical walls are further restrictions that can be used to limit the scope of eDiscovery searches. For example, you may determine you want to create a set of boundaries to enforce ethical walls in your organization. I go into some detail here and here, and we have some additional documentation here.
- Identify eDiscovery management strategy (global eDiscovery vs delegated search capabilities).
- Configure compliance boundaries to meet your organization’s search requirements.
So much sharing, so many ways.
Configure External Sharing Policy
Scope: Tenant, though some security group restrictions are configurable
- Determine a policy for externally sharing content. This policy should address, at a minimum, the following items:
- Allowing sharing with external users
- Determining actions to take on sensitive data types, such as personally identifiable information (PII), personal health information (PHI), or proprietary organizational information (trade secrets)
- Determining notification actions to be taken when information is shared
- Determining expiration policies for shared content
- Determining if users have the ability to override data loss prevention policies
- Configure a policy to allow external sharing for “New and existing external users” and set a security group approved for external sharing. This will allow external sharing for members in the security group. While all users will be able to take advantage of sharing capabilities internally, only members in the security group will be able to share folders or files externally.
- In the advanced sharing options, check the box to enforce external users to accept sharing invitations using the email address sent and uncheck the option to allow external users to share items they do not own (https://docs.microsoft.com/en-us/onedrive/manage-sharing). Once the toggle is set in the OneDrive Admin Center, it’s necessary to finish the policy configuration by accessing the Sharing options under the SharePoint Online Admin Center. Under this section, the following steps configurations are recommended:
- Set the security group that can share externally under “Who can share outside your organization”
- Set the default link permission to View under “Default Link Permissions”
- Require recipients to continually prove account ownership when they access shared items for a minimum of 30 days under “Additional settings.”
NOTE: To configure the security group for external sharing you’ll need to access the Sharing settings under the SharePoint Online Admin Center. There are some additional things to take into consideration. As this option relies upon who can create Guest Users, you need to ensure that other services which utilize Guest Users are managed appropriately. See my post about some of the new sharing restrictions. Guest Users, once they are created in the directory, qualify as “existing users,” so if you restrict someone from creating them in one interface, you may need to undertake additional steps to ensure they don’t create them in another interface. Other interfaces can include Teams, PowerBI, and guest invitations created by third-party applications in your tenant.
[BIG, BIG DISCLAIMER]: We introduced additional sharing controls for OneDrive and SharePoint, and, when you configure any group to allow Sharing with External users, the sharing invitation creates a guest user in your Azure AD Tenant. This means that even individuals who cannot initiate an external sharing request to a *new* external user are allowed to send a sharing request to an existing directory guest. You can read more about this here: OneDrive Sharing Policies
The “default sharing link” is, like it sounds, the default selection for documents that are shared. Possible choices include internal only, specific recipients, and anonymous.
- Set the default sharing link to “Direct: Specific People.” When a user creates a sharing link, this setting would default the link to the most restrictive setting and help minimize the risk of sharing files and/folders en masse. Users will still have the ability to change the link type to less restrictive options (e.g. share with everyone in the organization), but that won’t be the default behavior. https://docs.microsoft.com/en-us/onedrive/manage-sharing#change-your-sharing-link-settings
Content Access Restrictions
Once you have policies around data governance and sharing, the last area is going to be access. There are a number of ways OneDrive for Business content can be accessed:
- Web browser
- Sync client
- Mobile devices
- Third-party applications
We’ll walk through some scenarios that you should probably think about, and some recommendations around them.
This is the simplest form of access, and pertains to access via a supported web browser. This can be from AD domain-joined machines, Azure AD-joined machines, or non-managed devices.
Browser-based access can be managed through one of three ways:
- SharePoint IP network restrictions
- AD FS Client Access Policies
- Conditional Access Policies
Allow sync to only specific domain joined devices (Windows)
Scope: tenant policy if using OneDrive Admin Center. Targeted policy if using Azure AD Conditional Access
Recommended baseline policy: allow sync only to managed devices. File sync is the capability to access and navigate the user’s OneDrive folder structure using Windows or Mac. Syncing also allows files to be downloaded to those devices. Organizations typically don’t allow this type of activity on devices that are unmanaged.
Obtain the domain GUIDs and follow the procedures outlined in the article to restrict file sync to domain joined PCs only: https://docs.microsoft.com/en-us/onedrive/allow-syncing-only-on-specific-domains.
Alternatively, use Azure AD Conditional Access to create such policies instead of OneDrive admin center. Conditional Access policies allows for specific user targeting and exceptions. Using the OneDrive Admin Center option does not allow for this flexibility. https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
NOTE: prior to creating policy, ensure domain joined Windows devices are automatically registered in Azure https://docs.microsoft.com/en-us/azure/active-directory/devices/overview. Conditional Access does not block Mac OS from sync and requires additional regkey entries to OneDrive sync client.
Configure a network access policy for unmanaged devices
Scope: Tenant policy if using OneDrive Admin Center. Targeted policy if using Azure AD Conditional access.
Recommended baseline policy: restrict access based on network IP range to ensure unmanaged devices cannot access OneDrive. https://docs.microsoft.com/en-us/onedrive/control-access-based-on-network-location-or-app.
NOTE: this would impact mobile devices accessing OneDrive. Customer with Azure AD Premium and Intune can use conditional access to avoid conflicts with mobile device access.
Customers with Intune and Azure Active Directory Premium should consider using a limited access policy for OneDrive. This option would restrict access to a browser only session – https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices?redirectSourcePath=%252farticle%252f5ae550c4-bd20-4257-847b-5c20fb053622.
Configure a mobile application management policy (InTune customers)
Scope: Targeted policy
Recommended baseline policy: don’t restrict access to mobile apps, but configure a mobile app protection policy for data governance. Using OneDrive Admin Center, customers can create a global policy targeting at OneDrive and SharePoint Online mobile apps. https://docs.microsoft.com/en-us/onedrive/control-access-to-mobile-app-features
Customers with InTune should create InTune App Protection policies instead to take advantage of the same options plus extend such policies to other mobile applications. These policies can be implemented without having to enroll mobile devices in a management solution – https://docs.microsoft.com/en-us/intune/app-protection-policy.
Once InTune policies are created and applied, customers should enforce policies with Azure AD Conditional Access (CA). A CA policy would need to be created so that users would only use the approved OneDrive application to access the service – https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview.
That’s a lot of things to consider. I’d love to hear your feedback as you develop policies for your customers and users.
I’d also like to thank Kass Bottini for his help in coming putting together this content. Go buy that man a beer!