Why You Need a Plan for Content Security in Microsoft 365
Microsoft 365 has a wide variety of applications, all with their own security implications.
Microsoft Teams integrates the applications of Microsoft 365 into an easy-to-use chat platform that simplifies collaboration for even the most inexperienced user. Through Teams, employees can share files, application data, email, calendars and planner information with the click of a button. Beyond the integrated Microsoft applications, it's also possible to integrate and provide access to hundreds of third-party applications.
All of these integrations bring an amazing level of productivity potential to an organization by making sharing, organizing and collaborating via files, chats and other application interfaces super easy. In some ways, it makes it too easy.
Sharing Doesn’t End Inside the Organization
Microsoft 365 offers two primary methods of sharing information externally: sharing links or adding guest users.
Sharing links are easy to create: you click the "share" button on a site or within a Microsoft Office application and it creates a link to the file or folder in question, as well as the option of emailing directly. Sharing links can be pasted to any location, even locations online or in highly exposed areas within Microsoft 365 or Teams.
Adding users as Guests allows external users to see information in a Microsoft Team or Group, including the associated files or applications within it. Guest users then have the same access as members of that Team. This includes the files and information behind the team, as well as any applications shared directly to the Team, especially if they are added as tabs within the channels.
Anyone who is added as a guest user to Teams is granted a user profile for Microsoft 365 and Active Directory. This is often also true for users who are granted access to unique files from sharing links that require authentication for access.
Teams, Groups, SharePoint and Content Security in Microsoft 365
External sharing is on by default, but Microsoft Teams and Microsoft 365 include a number of security controls, including controlling external sharing at the Team level and Tenant level.
The SharePoint admin center allows you to apply controls for who can access external sharing links. Active Directory, which holds information on all users and guests, also offers controls and additional external access options, including preemptively allowing or prohibiting users from specific organizations.
Once again, these controls are easy to access and change, but as you might suspect, they also conflict and overlap at different levels of your Microsoft 365 tenant. Each control also comes with its own implications.
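One way to see the overlap between tenant-level and site-level external sharing, as an added example that is not part of the original article: SharePoint applies the more restrictive of the two settings, so a site can carry a setting that is currently overridden. The site URLs and sample values are constructed, and the function name is hypothetical.

```powershell
# Added example: resolve the effective external-sharing level per site.
# Levels ordered from most to least restrictive; the names are the
# SharingCapability values returned by Get-SPOTenant and Get-SPOSite.
$Rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

function Get-EffectiveSharing {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string]   $TenantCapability,
        [Parameter(Mandatory)] [object[]] $Sites
    )
    if (-not $Rank.ContainsKey($TenantCapability)) {
        throw "Unknown tenant SharingCapability: $TenantCapability"
    }
    foreach ($site in $Sites) {
        $siteCap = [string]$site.SharingCapability
        if (-not $Rank.ContainsKey($siteCap)) {
            throw "Unknown SharingCapability on $($site.Url): $siteCap"
        }
        # The more restrictive of tenant and site is what users actually get.
        $effective = if ($Rank[$siteCap] -le $Rank[$TenantCapability]) { $siteCap } else { $TenantCapability }
        [pscustomobject]@{
            Url         = $site.Url
            SiteLevel   = $siteCap
            Effective   = $effective
            # Site asks for more than the tenant allows: it is overridden today
            # and widens automatically if the tenant setting is later relaxed.
            Overridden  = $Rank[$siteCap] -gt $Rank[$TenantCapability]
            AnyoneLinks = $effective -eq 'ExternalUserAndGuestSharing'
        }
    }
}

# Constructed sample data. Against a live tenant, after Connect-SPOService:
#   $tenant = [string](Get-SPOTenant).SharingCapability
#   $sites  = Get-SPOSite -Limit All | Select-Object Url, SharingCapability
$tenant = 'ExternalUserSharingOnly'
$sites  = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';  SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/events';   SharingCapability = 'ExternalUserAndGuestSharing' }
)
Get-EffectiveSharing -TenantCapability $tenant -Sites $sites | Format-Table -AutoSize
```

Rows with `Overridden` set to true are the ones to review before anyone loosens the tenant-level setting.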
Strategic Implications (aka Why You Need a Plan)
It might be tempting to apply restricted settings to external sharing links or turn off the ability for Teams to have Guest Users, but this could also be very restrictive to your users.
On the other hand, if employees share sensitive or regulated information externally, this could have serious consequences for your organization. In addition, if guest users have access to too much information or are left as stale users with access to your tenant, they could pose a risk to your organization's privacy, even without access to sensitive information. There's also the concern of increased exposure to phishing and other attacks if a guest user's tenant or organization is compromised.
So how can the organization allow external sharing for some sets of users or Teams in the organization, but restrict it for others? Understanding options like sensitivity labels (automatically applied with an E5 license) or having restrictions around who can be owners of Teams and Groups in your organization are typical starting points.
Third-party governance and security tools can provide further options to customize settings in a way that tailors security for your organization without hindering collaboration. Remember that if everyday processes become too difficult or restrictive, your users will likely just find an easier way to get their jobs done, regardless of whether or not it's approved by IT or security teams.
In any case, familiarize yourself with the security options available to you based on your Microsoft 365 licenses. Then take time to understand your security and governance requirements, especially if your organization is part of a regulated industry. It’s vital to put in place a process that balances controls with collaboration needs. Your final step is to implement contextual training that helps end users understand how to get their jobs done, as well as why it’s so important to follow your guidelines.
About the Author
Hunter has been in web development, SEO and social media marketing for over a decade, and has GSuite Admin, MCSA Office 365 & Service Adoption Specialist certifications. Throughout his career, he has developed internal collaboration sites, provided technical and strategic advice, and managed solutions for small to large organizations.
Connect with Hunter Willis: