1 / 42

External Sharing in Office 365

External Sharing in Office 365. Cory Williams Teams Technical Specialist. For the TEAMS EXTERNAL SHARING VIDEO check out https://youtu.be/tFeZaGuh9qk. Diamond. Platinum. Gold. Silver. What Services. *Those invited to your organization. Control External Sharing in Office 365.

ewayne
Download Presentation

External Sharing in Office 365

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. External Sharing in Office 365 Cory Williams Teams Technical Specialist For the TEAMS EXTERNAL SHARING VIDEO check out https://youtu.be/tFeZaGuh9qk

  2. Diamond Platinum Gold Silver

  3. What Services *Those invited to your organization

  4. Control External Sharing in Office 365 Multiple administrative control points exist for the sharing of information (by various types of users) Admin Outside Inside Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Other (related) control technologies Automation, tooling and control processes Members Control Groups settings Teams settings SharePoint Online (SPO) settings OneDrive for Business (ODfB) settings Auth’d guests Group specific settings Site collection settings External sharing Unauth’d guests Guest access/external sharing can also be impacted by other Office 365 and AAD control capabilities (e.g. DLP and CA/MFA) Owners

  5. Control External Sharing in Office 365 Azure Active Directory (AAD) B2B settings Least Restrictive Office 365 Tenant-level settings Groups settings Teams settings SharePoint Online (SPO) settings OneDrive for Business (ODfB) settings Group specific settings Site collection settings Most Restrictive

  6. Policies for Guest Access - Best Practices • User managed • Guest inviter role - Setup a policy so that users with this role can only invite guest • This can be set using user AD properties such - Title, Job Description • Guest Inviter Role • Domain managed • Admins can create an allow/deny list of external partner domains that can be added as guests. • Allow or block specific domains • IT managed • Admin can be approved and added to groups.. • Add guests through B2B portal and turn off sharing for tenant • Add no one to guest inviter role IT approved list of domains Reach Guests Guests Title = Manager User Only IT admin Guests Group-LevelManage guest access at the individual Group levelUpdate settings for a specific group

  7. Group Guest Access Benefits Enables safe teamwork outside the firewall Works with any email addresses Based on common Azure B2B platform Guidance Enable guest access! Govern using: allow/block guest domains guest inviter role terms of use access reviews Track guest user activity via audit logs • Documentation • Guest access in Office 365 groups • Guest access in Office 365 groups – Admin Help • Azure AD access reviews • Guest inviter role • Azure Active Directory Terms of Use feature • Google Federation

  8. Business to Business (AAD) By default, all users and guests in your directory can invite guests even if they're not assigned to an admin role. External collaboration settings let you turn guest invitations on or off for different types of users in your organization. You can also delegate invitations to individual users by assigning roles that allow them to invite guests. Azure Active Directory (AAD) B2B settings Azure Portal > Azure Active Directory > User settings> Manage external collaboration settings https://aka.ms/b2b-invitations

  9. LinkedIn Integration Send emails and coauthor and share documents with many of your first-degree LinkedIn connections right from Outlook on the web, OneDrive, SharePoint, Word, PowerPoint, and Excel Online by just typing a name in the “To” or “CC” field when composing a new message or sharing a document. This sends the email or document to their primary email address with LinkedIn and is only available if your organization allows external sharing. Azure Active Directory (AAD) B2B settings Azure Portal > Azure Active Directory > User settings https://aka.ms/M365-LinkedIn-User https://aka.ms/M365-LinkedIn-Admin

  10. Office 365 Sharing Settings Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Microsoft 365 admin center > Settings > Security & Privacy

  11. Office 365 Groups Lets you and your team collaborate with people from outside your organization by granting them access to group conversations, files, calendar invitations, and the group notebook. Access can be granted to a guest—for example, a partner, vendor, supplier, or consultant—by any group owner. Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Groups settings Microsoft 365 admin center > Settings > Services & add-ins > Office 365 Groups https://aka.ms/o365-groups-guests

  12. Microsoft Teams - Dependencies Guest Access authorizations • Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. Controls the guest experience at the directory, tenant, and application level. • Microsoft Teams: Controls Microsoft Teams only. • Office 365 Groups: Controls the guest experience in Office 365 Groups and Microsoft Teams. • SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams. https://aka.ms/teams-dependencies

  13. Microsoft Teams

  14. Microsoft Teams – Guest Access Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Groups settings Teams settings Microsoft Teams & Skype for Business Admin Center > Org-wide settings > Guest access https://aka.ms/teams-manage-guests

  15. Microsoft Teams – Guest Access Options

  16. SharePoint & OneDrive for Business SharePoint and OneDrive have the most configuration options around how content is made accessible. OneDrive settings are dependent on SharePoint Online settings. Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Groups settings Teams settings SharePoint Online (SPO) settings OneDrive for Business (ODfB) settings https://aka.ms/sp-external-sharing

  17. SharePoint & OneDrive for Business • Whitelist Domains globally or per site collection • Require to use same account • Don’t allow guests to share items they don’t own Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Groups settings Teams settings SharePoint Online (SPO) settings OneDrive for Business (ODfB) settings Site collection settings https://aka.ms/sp-external-sharing-control

  18. SharePoint & OneDrive for Business • Roadmap Item – tentatively scheduled for Q3 2019 • Site access for new external guests will automatically expire in this many days (default to 30) Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Groups settings Teams settings SharePoint Online (SPO) settings OneDrive for Business (ODfB) settings Site collection settings

  19. SharePoint & OneDrive for Business File and Folder Links • Only people in your organization

  20. SharePoint & OneDrive for Business Who can share outside your organization This setting respects the global setting first but enables you to choose specific security groups. Options: • Let only users in selected security groups share with authenticated external users • Let only users in selected security groups share with authenticated external users and using anonymous links

  21. SharePoint & OneDrive for Business Additional Settings • Default link permissions – View or Edit • Require recipients to continually prove account ownership when they access shared items (does not apply to anonymous links Notification Settings for Owners • Other users invite additional external users to shared files • External users accept invitations to access files • An anonymous access link is created or changed

  22. SharePoint & OneDrive for Business Users on unmanaged devices will have browser-only access with no ability to download, print, or sync files. They also won't be able to access content through apps, including the Microsoft Office desktop apps. When you limit access, you can choose to allow or block editing files in the browser. https://aka.ms/SPLimitedAccess

  23. Yammer - Options • External Conversation • External Group • External Network Disabling External Messaging – Use Exchange Mailflow Rule https://aka.ms/yammer-block-external

  24. Yammer – External Conversation You can add external participants to conversations in Yammer so that you can work with the people you need, even if they aren't in your Yammer network. For example, you can add external participants to a discussion or use instant messaging to quickly get a response. External participants can view and download files that have been uploaded to the conversation, and upload files. You'll be able to see when a conversation includes an external participant, and you can remove an external participant when you need to. https://aka.ms/yammer-external-convo

  25. Yammer – External Groups You can create a group that includes external users, called an external group. You must create the group as an external group - you can't change an existing internal group to be an external group. The group admin can add external users to the group. In public external groups, other users in the group can suggest that adding an external user, but the group admin has control over whether that user is added, and has to approve the addition of the external member. In private external groups, only the admin can add external members. https://aka.ms/yammer-external-groups

  26. Yammer – External Network If you have permission, you can create an external Yammer network to collaborate with people outside your company, such as customers, suppliers, and partners. People with external email addresses must be invited into or request access to an external network. When they join the external network, they can only see content posted specifically to that external network. That means they will not have access to your home network. • Recommend: • Only Admins • Require Admin approval https://aka.ms/yammer-external-network

  27. Sway Sway is an app from Microsoft Office that makes it easy to create and share interactive reports, personal stories, presentations, and more. https://aka.ms/sway-admin

  28. Microsoft Forms Microsoft Forms is a simple, lightweight app that lets you easily create surveys, quizzes, and polls. It can be used to create quizzes, collect feedback from employees and customers, or plan events. https://aka.ms/msforms-external

  29. Group Specific Settings Documentation Update settings for a specific group - Azure Active Directory cmdlets for configuring group settings Azure Active Directory (AAD) B2B settings Office 365 Tenant-level settings Groups settings Teams settings SharePoint Online (SPO) settings OneDrive for Business (ODfB) settings Group specific settings

  30. Guest inviter role policy Documentation: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations

  31. Control who can be invited Documentation: Allow/Block guest access to Office 365 groups

  32. Data Loss Prevention With a data loss prevention (DLP) policy in the Office 365 Security & Compliance Center, you can identify, monitor, and automatically protect sensitive information across Office 365. https://aka.ms/dlppolicies

  33. Sensitivity Labels With sensitivity labels, you can classify and help protect your sensitive content, while making sure that your people’s productivity and ability to collaborate isn’t hindered. • Encryption • Watermarks • Protection across Office Apps (platforms/devices) • Endpoint Protection (via Intune) • General Classification https://aka.ms/sensitivitylabels

  34. Audit Logs Use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 organization. • Numerous Actions can be audited • Export • Connect to Flow • SIEM Integration (check with your SIEM vendor) https://aka.ms/365-auditlogs

  35. eDiscovery Quickly finding and retaining for further investigation specific information in email, documents, instant messaging conversations, and other content locations used by people in their day-to-day work tasks. External user activities in the network are available with eDiscovery searches. Advanced eDiscovery is available for deeper analysis and management following standard EDRM processes https://aka.ms/ediscovery https://aka.ms/adv-ediscovery

  36. Conditional Access (CA) Factor how your cloud apps are accessed into your access decisions whether that be the from a user’s network location, a managed device, client app, and more. Examples • Sign-in frequency • Browser Persistence • MFA from untrusted networks • Require Terms of use • Block legacy authentication https://aka.ms/aadconditionalaccess

  37. Conditional Access App Control Context-aware session policies • Control access to cloud apps and sensitive data within apps based on user, location, device, and app SAML, Open ID Connect, & on-prem apps • Support for Microsoft and non-Microsoft web apps, including on-prem apps onboarded via Azure AD App proxy Enforce granular monitoring & control for risky user sessions • Data Exfiltration: • Block download, Apply AIP label on download • Block print • Block copy/cut • Block custom activities: (e.g., IMs with sensitive content) • Data Infiltration: • Block upload • Block paste https://aka.ms/sp-ca-app-protection

  38. Cloud App Security Microsoft Cloud App Security is a Cloud Access Security Broker (CASB) that operates on multiple clouds. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your cloud services. 2. A classification label is automatically applied to protect the file 4. External user is not able to access the file due to classification and protection 5. Admin receives event alerts 3. User tries to share sensitive file with external users 1. User uploads a sensitive file to a cloud app https://aka.ms/mcasdocs

  39. Cloud App Security Detect and remediate overexposed files and anomalies • Create policies to generate alerts and trigger automatic governance actions • Be notified to identify and investigate policy violations and related activities • Automatically remediate with built-in actions incl. notify  owner, notify admin, make private, quarantine, etc. • Automatically label and protect existing sensitive information and when new files are uploaded

  40. Access Reviews (AADP P2) Enable organizations to recertify group memberships, application access, and privileged role assignments. https://aka.ms/create-access-review

  41. #SPSCLT19 Speaker Survey Session 2

  42. Thank You!

More Related