User Access and External Sharing Improvements in SharePoint Online

It’s been a while since we covered SharePoint Online and OneDrive for Business, and some major improvements have arrived. The new group-backed team sites are now available, including a preview of the ODFB admin portal and conditional access. Here are important additions to restricting user access and securing external collaboration.

OneDrive for Business Admin Center

The preview of the ODFB admin center was announced a few weeks ago. The new portal gives administrators an easy-to-use, UI-based tool that brings together most of the settings available with PowerShell, the SPO admin center and Intune admin console.

The portal features several different sections. Home gives you a brief introduction and the feedback link, and the Sharing section exposes different sharing controls similar to the SPO admin center. You can turn external sharing on or off, control new user invitations and guest links and set the default type of link generated when you press the “Share” button. You can also restrict sharing to specific external domains or block selected ones. Other settings include the lifetime of guest links and controlling the (re)share functionality for external users.

Some settings are still not exposed in the UI, including:

• Controlling the permissions level for folders and files shared via guest links
• The option to verify that invited account identity matches the accepted account (RequireAcceptingAccountMatchInvitedAccount)
• Notification options (BccExternalSharingInvitations and BccExternalSharingInvitationsList)

Those settings are available in the SPO admin center under the Sharing tab, or can be configured via PowerShell. An unfortunate bug with the setting to limit external sharing to select group of users only caused its removal from the ODFB admin center, but hopefully it will be back soon.

Sync covers settings related to the sync client. You have the option to disallow downloading of the client, restrict syncing to specific domains and block some file types. The Storage section allows you to configure the default quota for ODFB sites and retention for deleted sites. The options to configure a secondary owner and access delegation are not exposed here. You still should configure those in the SPO admin center.

The Device Access section exposes some of the more interesting settings, including the ability to allow access only from specific network location. This was one of the most requested features since Office 365 reached general availability — the “available anywhere, anytime, on any device” design was problematic for customers in sensitive industries.

Until recently, restrictions were only possible when AD FS was in place and had some undesired side effects. Now administrators can define a set of allowed IPs (or ranges) and configure SPO/ODFB to only allow access from those IPs. The functionality became available in November via PowerShell and the Set-SPOTenant cmdlet and is now also exposed in the ODFB Admin center. Unlike conditional access, this feature does not require Azure AD Premium subscription or any additional licenses.

Under the mobile application management group, you can enforce a variety of settings on ODFB apps for iOS and Android, such as blocking file downloads, the copy/paste functionality and restricting access to specific approved apps.

They are the same settings exposed in the Intune console and require a valid EMS/Intune subscription. If the subscription is not provisioned in your tenant, those settings unfortunately aren’t available (see screenshot below). Detailed description on the different MAM settings can be found here.

The last section of the portal Compliance includes links to different auditing, retention, DLP and eDiscovery settings available in the Security and Compliance center.

New features available

Unfortunately, many of the cool features announced at Ignite are still under development or in limited preview, so we can’t explore them yet. Here are the features that made it into production:

• Similar to the “allow access only from specific network location” feature we discussed above, extended controls for conditional access for SPO/ODFB are now available. They include network location, group membership, device state and more. The feature also gives you more flexibility in terms of restricting access. You can decide between granting access; require MFA, domain-joined or compliant device before granting access; choose a combination of those or block access altogether. Conditional access has been around for a while now. Extensive documentation is available, and you can see more details here.
• Since conditional access only works with modern authentication, you can disable access for apps that don’t use modern authentication. It can be configured via PowerShell or via the corresponding setting available in the ODFB admin center.
• Expanding on the token-revocation functionality we’ve had for a while in SPO, you can now revoke tokens across all Office 365 apps via the Azure AD PowerShell module and the Revoke-AzureADUserAllRefreshToken
• Related to the above, users also have control over the token lifetimes across all Office 365 apps. This functionality is currently in preview — learn more about it here.
• The option to control mobile push notifications for ODFB and SPO is available under the Settings tab in the SPO Admin center.
• With the rollout of the new, group-based team sites, there are extended options for controlling the site creation process. You can choose the type of site, restrict team sites creation to a group of users and more.

Coming soon

Other interesting features announced at Ignite include:

Restricting downloading, syncing, editing and printing of files from web browsers. Instead of using conditional access to completely block access for non-domain joined or non-compliant devices, you can use a “read-only” configuration. The new “read-only” option and additional settings in the currently missing User Access section of the SPO/ODFB portals were showcased at Ignite, but aren’t live yet. Here is a screenshot of the upcoming settings taken from the Ignite session:

Cool feature, right? Keep an eye out for the new User Access section in the SPO/ODFB admin portals!

In the compliance area, DLP policy tips are coming to the mobile apps. Policy tips are also visible directly in the Share dialog in browsers displayed with additional information why the match was triggered.

With the introduction of Azure Information Protection and latest improvements in the Security and Compliance center, we will soon have global, unified experience across all workloads for data retention, classification/labeling and records management.

Tag a document with the “confidential” tag, and it will not only be preserved for X amount of days, but other actions will also apply. These include making sure the document is deleted after the mandatory retention period has expired, it’s encrypted and external sharing is blocked. Watch this Ignite session for more info if you haven’t done so already.

BYOK support for the per-file encryption utilized across SharePoint Online is also coming soon, with no effect on SPO’s ability to “reason over data.”

Summary

You should now have an overview of the newly introduced OneDrive for Business Admin Center with the options available and important controls for restricting user access and managing compliance features for SharePoint Online and OneDrive for Business.

Some of the new features are already available, while others will be coming over the next few months. The lists above are not exhaustive, and Microsoft’s continuous focus on security and compliance will surely drive even more improvements this year.

Other Ignite sessions you don't want to miss:

Keep your OneDrive and SharePoint content safe
Protect your OneDrive and SharePoint files on mobile devices

Learn how SharePoint safeguards your data in the cloud