Enabling DLP for SharePoint and OneDrive for Business

DLP (Data Loss Prevention) is a feature of Office 365 (E3 suites and above) that lets you protect data from leaving the organisation. You can use DLP to protect not only email and its attachments but also files in SharePoint Online Team Sites and in users’ OneDrive for Business.

Office 365 provides a number of standard templates for protecting common types of sensitive information, such as credit card numbers as detailed here, but you can also customise DLP policies to protect any custom data you wish.

image

The first step in using DLP is to set up and enforce the policies you wish to use. To do this you’ll need to login to the Office 365 portal as an administrator with the appropriate rights. You’ll then need to navigate to the tenant Admin area. From the menu on the left hand side of the screen expand the Admin centers option. From the options that appear select the Security & Compliance item.

image

From the Security and Compliance console select Security policies on the left. From the options that then appear below this select Data loss prevention. If this menu item doesn’t appear then you currently don’t have an Office 365 plan that supports DLP.

image

On the right hand side you will probably see that the list is empty. Select the Plus icon to create a new policy.

image

You can select from a number of templated policies if you wish but in this case select Custom and then the Next button.

image

You now need to select the locations to which this policy will apply. You can specify individual locations, but for this example we’ll simply select all locations and then continue.

image

At the next screen select the Plus icon to add the rule that defines what you wish to test for.

image

In the new window that appears select the Add condition button.

image

From the pull down menu that appears select Content containing sensitive information.

image

Select the Plus icon that appears to enter the actual rules.

image

Scroll down the list that appears and select Credit Card Number. You can select other items here but in this case all we want this example DLP rule to test for is credit card numbers.

Select OK to continue.

image

You should now see the entry appear in the list as shown above. You can edit this entry if you wish by selecting it and then pressing the Pencil icon (edit).

image

Select the Actions item from the menu on the left.

image

Select the Add actions button on the right.

image

In this example, select Block the content. This will prevent anything that matches this rule from being shared.

image

You should now see the blocking Action listed as shown above.

image

Select the Incident report option from the menu on the left. Enter the details if you wish to receive a report of any actions on this policy.

image

Select General from the menu on the left. Give this set of rules a name and save them.

image

You should now see the rules listing appear as shown above in the DLP policy you just created. You can create as many of these rules inside a single policy as you wish. However, best practice is always to keep it simple.

image

Give the DLP policy a name and select the option to Turn on the policy.

Select Create to complete the policy creation process.

image

You should now see the policy listed in the DLP area as shown above. You should also see that the Status is set to On.

The DLP policy will not come into effect immediately. It will take a little while (15 – 30 minutes typically in my experience) to roll out through your tenant.
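The same policy can be created and checked from Security & Compliance PowerShell rather than the portal. The script below is an added example and not part of the original post. It assumes the ExchangeOnlineManagement module (which supplies Connect-IPPSSession; at the time of the original post the equivalent was a remote PSSession to the compliance endpoint) and an account with DLP management rights. The policy name, rule name and report recipient are made-up values.

```powershell
# Added example (not from the original post): build the credit-card DLP policy via PowerShell.
# Assumes the ExchangeOnlineManagement module and an account that can manage DLP policies.
# 'Block credit cards in SPO and ODfB', 'Credit card number detected' and
# compliance@example.com are placeholder names.

Connect-IPPSSession   # interactive sign-in to the Security & Compliance endpoint

# 1. Look up the built-in sensitive information type by its exact name, as the portal does
$ccType = Get-DlpSensitiveInformationType | Where-Object { $_.Name -eq 'Credit Card Number' }
if (-not $ccType) { throw 'Sensitive information type "Credit Card Number" not found in this tenant' }

# 2. Policy scoped to all SharePoint Online sites and all OneDrive for Business accounts.
#    Start in test mode so nothing is blocked until you have seen the rule fire correctly.
New-DlpCompliancePolicy -Name 'Block credit cards in SPO and ODfB' `
    -Comment 'Blocks sharing of documents that contain credit card numbers' `
    -SharePointLocation All -OneDriveLocation All `
    -Mode TestWithNotifications

# 3. Rule: one or more credit card numbers => block access and send an incident report
New-DlpComplianceRule -Name 'Credit card number detected' `
    -Policy 'Block credit cards in SPO and ODfB' `
    -ContentContainsSensitiveInformation @{ Name = $ccType.Name; minCount = '1' } `
    -BlockAccess $true `
    -GenerateIncidentReport 'compliance@example.com' `
    -IncidentReportContent All `
    -ReportSeverityLevel High

# 4. Check rollout. DistributionStatus moves from Pending to Success once the policy has
#    propagated through the tenant, which is the wait described above.
Get-DlpCompliancePolicy -Name 'Block credit cards in SPO and ODfB' |
    Select-Object Name, Mode, DistributionStatus, SharePointLocation, OneDriveLocation

# 5. When the test-mode incident reports look right, switch the policy to enforce
Set-DlpCompliancePolicy -Identity 'Block credit cards in SPO and ODfB' -Mode Enable
```

Starting in TestWithNotifications rather than Enable is the practitioner’s safeguard: you get the incident reports and policy tips without blocking anyone, and can confirm the rule is matching only what you intend before flipping it to Enable. The built-in Credit Card Number type checks the number’s checksum as well as its format, which is why the public test card numbers used below are detected while random 16-digit strings generally are not.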

image

To test the policy, create a document in your OneDrive for Business that contains credit card numbers as shown above. The numbers used here are verified public ‘test’ card numbers.

image

Now create a public View link that requires no sign-in as shown above. This should allow anyone who clicks on that link direct access to the file without the need of a login or password.

image

When the DLP policy is active anyone trying to access that link will have the content blocked as shown above. This confirms that the DLP policy is working as expected.

image

If you also elected to get alerts you should find one in your inbox as shown above.

Thus, DLP is a way to protect your Office 365 information by examining the contents against a set of rules that you create. It can examine both email and file data then take actions which you determine.

DLP is part of the E3 or better suite in Office 365.

Uploading Documents to OneDrive for Business

Few people I know who use OneDrive for Business can name ALL the ways that you can get documents into OneDrive for Business. My aim was to cover all of the methods (except for third party tools) in the above video.

So here are the ways I reckon you can do it:

1. Create a new Office document directly in OneDrive for Business using the browser.

2. Upload one or more files from the menu bar.

3. Upload folder(s) from the menu bar.

4. Drag and drop directly onto the browser.

5. Open OneDrive for Business using Windows Explorer (requires you to go back to the classic interface).

6. Map a network drive.

7. Save directly from Office desktop applications.

8. Use the OneDrive for Business Sync tool.

9. Third party tool (Spfilezilla springs to mind).

Have I left any out? Let me know if I have but hopefully the video covers everything a new user needs to know about getting data into OneDrive for Business.

The extinction of the drive letter

Pretty much my whole working career with PCs there have been drive letters. I think the good ole local C: Drive will be around for a while longer but, it’s my opinion that the days of the network drive letter (e.g. S:, M:, F:, etc) are fast coming to an end. That has major ramifications for the way many work with technology, especially in this new cloud world. I’m not saying that you’ll wake up tomorrow and network drive letters won’t be with us. What I’m however saying is that now is the time to start preparing for the day when they are no longer with us.

One of the greatest inhibitions many people (and IT resellers) have around SharePoint is they can’t simply map a persistent network drive letter to it and have it operate the ‘way it has always worked’ like a network share. The reality is, firstly you can still map a drive letter to both OneDrive and a Team Site Document Library as I have detailed previously if you really want:

Mapping a drive to OneDrive for Business

But secondly, the trend with SharePoint Online is away from providing the ability to map drive letters. That should signal it is time to adapt, not throw yourself on the floor and have a tantrum that things are different.

image

If we go into the ‘classic’ SharePoint interface with Internet Explorer and select the Library tab we can find the Open with Explorer option.

image

But if we repeat that on another browser like Microsoft Edge (or Chrome or Firefox) we see:

image

It isn’t supported. Remember, that Microsoft Edge is the ‘default’ browser for people using the latest version of Windows. Thus, it seems unlikely that you’ll be able to map a drive using the latest Microsoft browser going forward. 

image

If we now look at the ‘updated’ SharePoint Document Library experience, there basically isn’t a way to open in Windows Explorer directly from the Document Library that I can find as there was in the ‘classic’ environment. No matter what browser you use.

Both of these factors should provide very strong evidence that the trend is away from mapped network drives. Sure, I hear you that accessing a file from an M: drive was something you were comfortable with, but you know what? Doing so means you sacrifice a huge amount of functionality that is built into SharePoint. You can’t access any metadata associated with files using Windows Explorer. Nor can you filter and sort as you can in the browser. You don’t get the same search abilities and so on and so on. It’s like driving a Lamborghini in first gear! And who wants that??

As I said initially, you can still map a network drive letter to SharePoint Online if you really want to and are prepared to jump through some technical hoops. But you know what? The writing is on the wall that it is now time to shift your thinking to working in a new way. To working in a world that doesn’t constrain you to a letter of the alphabet. To a world of more functionality than you can imagine with your files. All that you need to do is let go of your dependency on the way things ‘used to be’ and open your mind to the possibilities the new way offers. In my experience, those that embrace the new ways soon appreciate how limiting their concept of working with files used to be.

The major shift people traditionally tied to network drive letters have to make is from a world of file storage to collaboration as I have detailed previously:

The classic SharePoint Online migration mistake

I’ve also talked about how to get the most out of these new tools, like SharePoint Online, you need to invest time learning how to make the most of their features provided:

Getting more from office 365 means understanding SharePoint

I would also point out that Office 365 is far more than just somewhere to store emails and files, it is a complete platform that includes some fabulous tools like Delve and Yammer to name but two, that can transform any business. However, it will never do this until the ‘old world’ mentality of wanting to remain with network drive letters is banished.

Now is the time to commence this transition. Learn how collaboration trumps storage every time and how it can make any business more effective. Graduate your technology from the S: drive to a world of co-authoring, Delve, Yammer, Planner and more. Expand your mind and your business to the possibilities rather than relegating it to a technology designed for bygone era.

The extinction of the drive letter is near. Those who don’t want to upgrade from it are also destined to go the same way. Technology changes, and to get the most from it, so should you. The earlier you do, the easier it is and the tea leaves should be telling you that it is now time to start that change.

If you really don’t want to change from using network drive letters then I’d be suggesting to you that Team Sites and OneDrive for Business are probably not the best place for your files to reside. A better place may be Azure SMB file shares:

Creating an Azure SMB file share

but that too has its limitations and is a poor second to what SharePoint can offer.

A world without network drive letters is a big change for many, but you know what? If you show these people the benefits of the new collaboration platform SharePoint Online provides you’ll be surprised at how readily they’ll adopt it. The secret to adoption is showing them how to get started. All they need is a little help to conquer that first hill, some training wheels to ease into it. After that all you need to do is stand back and be amazed at how people use the functionality that is now available to them. Here are further thoughts from me on how critical initial adoption is:

Start up is key

So, start freeing your business and users from the constraints of network drive letters today because I’m pretty sure the old F: drive won’t be around for much longer.

Prepare for a OneDrive for Business Sync client upgrade

A heads up for everyone using the OneDrive for Business sync client with tenants of fewer than 250 users.

Beginning in May 2016, Office 365 customers with fewer than 250 Office 365 licenses will be required to use the OneDrive for Business Next Generation Sync Client to sync OneDrive for Business files. This requirement will be rolled out between May 2016 and July 31, 2016 and will not apply to on-premises customers or customers with more than 250 Office 365 licenses.

From:

https://support.office.com/en-us/article/Transition-from-the-previous-OneDrive-for-Business-sync-client-4100df3a-0c96-464f-b0a8-c20de34da6fa

I wrote an article about the different OneDrive Sync clients a while back that may also help answer some questions:

The various OneDrive Sync clients

Basically, this will ensure all Office 365 installations with <250 users will be using the NextGen sync client.

 

The various OneDrive Sync clients

image

One of the confusing things at this point in time is that we have a number of different OneDrive sync clients on Windows. Hopefully, I can shed some light on the role that each of these plays here.

Two independent services

The first thing to appreciate is that there are two cloud based OneDrive services into which you can store files.

The first of these is the free consumer offering found at:

image

www.onedrive.com

You access this service using a free Microsoft account. This account is also typically now the same as the account used to login to stand alone Windows 10 machines.

The second service is a commercial product that is part of Office 365 for Business:

image

https://onedrive.live.com/about/en-us/business/

As you can see both services now look very, very similar:

image

OneDrive consumer (above)

image

OneDrive for Business (above)

I’m not going to dive into the differences between the consumer and business OneDrive here, however you need to appreciate that there are two separate OneDrive services currently and both allow you to synchronise files from the cloud to your desktop.

OneDrive Consumer sync

image

The first sync client to consider is the one provided for OneDrive consumer. You’ll need a OneDrive consumer account to access the services. For many people that is now the same as their Windows 10 login.

Also, modern operating systems like Windows 10 automatically include the OneDrive consumer sync tool. If you don’t have the OneDrive consumer sync tool installed you’ll find it here:

https://onedrive.live.com/about/en-us/download/

If the OneDrive consumer sync tool is running on your desktop you can open the system tray, as shown above, and you should find a white icon with clouds as highlighted above.

image

If you now right mouse click on this white cloud icon you will see the above menu. You will notice that the first option says Open your OneDrive – Personal folder. This is an indication that this tool is synchronising files from OneDrive consumer service to your desktop.

image

If you select the Settings menu item you will see the above. Note at the top that this tool is connecting using my Microsoft consumer account (director_cia@hotmail.com). Note that I can also select which folders I wish to sync from the cloud to my desktop using the Choose folders button.

image

You may notice at the bottom of this dialog the Add a business account button. I’ll come back to this later. However, the important thing is that this sync client (i.e. white clouds) is designed to sync files from OneDrive consumer service to the desktop.

image

If you look at your file system, the files from OneDrive consumer are synced with this tool to a OneDrive – Personal location as shown above.

OneDrive for Business sync (classic)

image

The second sync icon to examine here is one of the two that have dark blue clouds. This one does not have as pronounced an outline, and is highlighted above.

image

When you right mouse click on this icon you’ll see the above menu options. You will notice that the first option says Open your OneDrive for Business folder. This is an indication that this tool is synchronising files from OneDrive for Business service to your desktop.

This client is the original sync tool for Office 365 for Business, and it can synchronise both the OneDrive for Business files in Office 365 and those found in SharePoint Online Team Sites. Thus, it can sync from two separate locations in Office 365 for Business.

image

If you elected to synchronise your personal OneDrive for Business files they would be saved into a location denoted by OneDrive – Tenant Name as shown above.

image

If you elected to synchronise information from SharePoint Online Team Sites in Office 365 for Business, it would be saved into a location called SharePoint as shown above.

Unfortunately, as the amount of business data grew and people wanted to sync this volume of data to desktops like other products, the OneDrive for Business classic sync client started to have issues. This resulted in common errors during the sync process.

If you are experiencing these sync issues with OneDrive for Business classic sync tool, I wrote a blog post a while back that may help:

Troubleshooting OneDrive for Business

Due to these sync issues and the growing volume desired to be synced Microsoft decided to go back to the drawing board with their OneDrive for Business sync and re-write it from scratch. That new tool is known as the OneDrive for Business NextGen sync client.

OneDrive for Business NextGen sync client

image

The NextGen sync icon looks a lot like the classic OneDrive for Business sync. If you look closely, it has a more pronounced outline.

image

If you right mouse click on the NextGen sync client you’ll see the above menu which is very different from the OneDrive for Business classic sync tool. You will notice that the first option displays as Open your OneDrive – Tenant name folder. This is an indication that this tool is synchronising files from the OneDrive for Business service to your desktop.

image

If you select Settings you’ll see that options are almost identical to those of the OneDrive consumer sync tool. This is because this OneDrive for Business NextGen sync tool is based on that. You will however, notice that I am connected to this using my Office 365 for Business account.

At the moment the NextGen sync client can only synchronise OneDrive for Business files; it cannot sync files from SharePoint Online Team Sites. This means that if you need to sync Team Site files you’ll need to use the OneDrive for Business classic sync client. Microsoft have publicly committed to update the NextGen sync client to also handle Team Sites before the end of this year.

The NextGen sync client overcomes the sync issues that were evident with the OneDrive for Business classic sync client. It also provides additional features such as selective sync.

If you want to learn more about the OneDrive for Business NextGen sync client start here:

Getting Started with NextGen Sync Client

 

image

It is therefore possible for you to have three OneDrive sync clients on your Windows desktop all syncing to different locations as shown above.

If you have the OneDrive for Business NextGen sync client installed it will automatically take over the job of syncing your OneDrive for Business files from the OneDrive for Business classic client, leaving the classic client only syncing SharePoint Online Team Sites.

image

As noted previously, you have the option with both the OneDrive consumer and OneDrive for Business NextGen client to add a personal and business account to the one tool and allow it to perform both functions for you. This is certainly the preferred option if you need to reduce complexity and you don’t have the need to sync SharePoint Online Team Sites.
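With up to three clients on one desktop it helps to be able to list, from the machine itself, which clients are running and which local folders the NextGen and consumer clients are syncing for which accounts. The script below is an added example and not part of the original post. It assumes that the classic OneDrive for Business client runs as groove.exe, that the consumer and NextGen clients both run as OneDrive.exe, and that the latter records each connected account under HKCU:\Software\Microsoft\OneDrive\Accounts\<Personal|Business1|Business2...> with UserEmail and UserFolder values; those registry and process names are assumptions about the clients, not something the post states.

```powershell
# Added example (not from the original post): inventory the OneDrive sync clients on this PC.
# Assumptions: classic OneDrive for Business = groove.exe; consumer and NextGen = OneDrive.exe,
# which stores one key per connected account under HKCU:\Software\Microsoft\OneDrive\Accounts
# (key name 'Personal' for the consumer account, 'Business1', 'Business2'... for tenants).

function Get-OneDriveSyncClientInventory {
    $result = @()

    # Classic OneDrive for Business client: present only if groove.exe is running. It keeps its
    # own configuration, so only the process is reported here.
    foreach ($p in (Get-Process -Name groove -ErrorAction SilentlyContinue)) {
        $result += [pscustomobject]@{
            Client  = 'OneDrive for Business (classic)'
            Process = "groove.exe (PID $($p.Id))"
            Account = '(see tray icon)'
            Folder  = '(see tray icon)'
        }
    }

    # Consumer and NextGen clients: one Accounts\* key per connected account
    $accountsKey = 'HKCU:\Software\Microsoft\OneDrive\Accounts'
    $odProcess   = Get-Process -Name OneDrive -ErrorAction SilentlyContinue | Select-Object -First 1
    if (Test-Path -Path $accountsKey) {
        foreach ($key in (Get-ChildItem -Path $accountsKey)) {
            $props = Get-ItemProperty -Path $key.PSPath
            $result += [pscustomobject]@{
                Client  = if ($key.PSChildName -eq 'Personal') { 'OneDrive consumer' }
                          else { 'OneDrive for Business (NextGen)' }
                Process = if ($odProcess) { "OneDrive.exe (PID $($odProcess.Id))" } else { 'not running' }
                Account = $props.UserEmail
                Folder  = $props.UserFolder
            }
        }
    }

    return $result
}

Get-OneDriveSyncClientInventory | Format-Table -AutoSize
```

Run this in the user’s own session (the Accounts key lives under HKCU). A machine showing groove.exe alongside a Business1 key is in exactly the hand-over state described above: the NextGen client has taken OneDrive for Business, and groove.exe is left syncing Team Sites only.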

The future

Microsoft have committed to consolidate all these different sync clients into one before the end of this year. They are already bringing a range of new features to the NextGen sync client and have committed to a whole lot more. You can read about the latest updates here:

OneDrive for Business Spring Updates

OneDrive sync clients have had a chequered history. That has also brought a lot of challenges with their ‘appropriate’ use with Office 365 for Business. However, I am now very positive about the development and direction I see. Things are still a little confusing for end users, as the above demonstrates, but you need to remember we are still in transition here. Sure, I’d like changes to come quicker but I am very pleased to see that change is now happening on a regular cadence. That’s what gives me the confidence to say that I reckon the OneDrive for Business sync tool will soon be the premier cloud file syncing experience available on the market. There is still a ways to go, I admit, but I really feel things are on the right track for the way people want to work with file sync.

Of course, you can’t overlook all the improvements in the mobile versions of OneDrive, but I’ll leave that to an upcoming blog post. I hope this post has made things a bit easier for people to understand the current environment with OneDrive sync options.

Limit SharePoint Online outside sharing

A nice new feature that Microsoft has added across SharePoint Online, including OneDrive for Business, is the ability to whitelist or blacklist domains for sharing.

image

You’ll need to login to the Office 365 web console as an administrator. You’ll then need to navigate to the Office 365 Admin center as shown above.

From here, select the Admin icon on the left and then SharePoint from the menu that appears.

image

From the menu that appears on the left select sharing.

image

You should now see the sharing control options as displayed above.

image

Under the Additional settings, when you select the option Limit external sharing using domains the above box and selector appears.

Here you can prevent sharing to specific domains by selecting Don’t allow sharing with users from these blocked domains, or allow sharing only to specified domains by selecting Allow sharing only with users from these domains.

Thus you can either block a list of domains or allow access only to a list of domains, you can’t do both simultaneously.

Once you apply these settings they will be applied across both Team Sites and OneDrive for Business for all users.

This now gives you an easy method of controlling which domains you allow your users to share information with across everything in SharePoint Online.
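The same tenant-wide setting can be read and set from the SharePoint Online Management Shell, which is also the easiest way to verify what is actually in force. The script below is an added example and not part of the original post. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account; the tenant and domain names are made-up placeholders.

```powershell
# Added example (not from the original post): tenant-wide domain restriction for external sharing.
# Assumes the SharePoint Online Management Shell module and a SharePoint admin account.
# 'tenantname', partner.example.com, supplier.example.net and the block-list domains are placeholders.

Connect-SPOService -Url 'https://tenantname-admin.sharepoint.com'

# Current state. SharingCapability is the overall external sharing switch; the domain lists
# only take effect while SharingDomainRestrictionMode is AllowList or BlockList.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, SharingBlockedDomainList

# Option A: allow list. External sharing only to these domains (space separated, exact domains).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example.com supplier.example.net'

# Option B: block list. Everything except these domains. Mutually exclusive with Option A,
# as noted above; setting this mode replaces the allow-list mode.
# Set-SPOTenant -SharingDomainRestrictionMode BlockList `
#               -SharingBlockedDomainList 'gmail.com outlook.com yahoo.com'

# To remove the domain restriction entirely
# Set-SPOTenant -SharingDomainRestrictionMode None

# Verify. If the admin portal still shows the old value, give it a few minutes and check again.
Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList, SharingBlockedDomainList
```

Two practitioner caveats. First, an allow list is the stronger control: a block list only stops the domains you thought to name, and a user can always be invited at a free-mail address you did not list. Second, domain restrictions apply to sharing with named external users; anonymous access links are not tied to a recipient domain, so if those are permitted by SharingCapability they are not constrained by this setting.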

Mapping a drive to OneDrive for Business

image

When you visit OneDrive for Business these days you get a ‘simplified’ interface like that shown above. What you may not appreciate is that you can map a network drive to your OneDrive for Business. Doing so makes it easier for people who are familiar with using only drive letters as well as for bulk uploads. Here’s how to do that.

image

You’ll firstly need to temporarily revert back to the original, or ‘classic’, OneDrive for Business interface. You’ll find an option for that in the lower left of the screen.

image

Once you’ve selected that you should see a more ‘SharePoint-like’ OneDrive for Business interface as shown above. Don’t worry, the next time you visit your OneDrive for Business site it will have reverted back to the new ‘simplified’ interface. The ‘classic’ interface is only valid for the current browsing session.

image

Even the interface here is somewhat simplified, so to display the Ribbon Menu you’ll need to select the COG in the top right of the screen to reveal a menu as shown above.

From this menu select the first option Ribbon. Doing so will enable the standard SharePoint Ribbon Menu at the top of the page.

image

Now you should see the additional tabs Browse, Files and Library displayed just above the search box as shown above.

Select Library to reveal the Ribbon Menu.

image

In the section Connect & Export, select the icon Open with Explorer.

image

You may be prompted with some security messages like the above. If so, select Allow to permit the connection.

image

In a moment or two you should see Windows Explorer open with the files from OneDrive listed as shown above.

image

If you look closely at the directory location you should find it in the format of:

https://tenantname-my.sharepoint.com/personal/first_last_domain_com/Documents

where the users Office 365 login = first.last@domain.com

image

If you take a look down in the network area of Windows Explorer you will see the above mapping matching your Office 365 tenant details.

image

You can now map a drive letter to OneDrive for Business. To do this right mouse click on Network and select Map network drive from the menu that appears.

image

In the Folder field enter the following, substituting your own configuration:

\\tenantname-my.sharepoint.com@ssl\davwwwroot\personal\first_last_domain_com\documents

Then press the Finish button.

image

You will then see the mapped drive, and if you select it you’ll see the files from your OneDrive for Business as shown above.

Now, if you reboot your machine without doing anything further the drive will not automatically be reconnected because re-authentication to Office 365 needs to occur. I’ll cover off how to set that up in a future post but for now have a look at this option using PowerShell:

OneDrive Mapper automatically map your OneDrive for Business upon login
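The same mapping can be scripted in PowerShell, with the two pre-flight checks that explain most failures: the WebClient service must be running for the @ssl\davwwwroot path to resolve, and Windows must already hold a signed-in session cookie for the tenant, which is what the browser sign-in (with ‘Keep me signed in’) provides and what is lost on reboot. The function below is an added example and not part of the original post or the linked OneDrive Mapper script. It assumes Windows with the WebClient service present and an existing Internet Explorer sign-in to the tenant; tenant and user values are placeholders.

```powershell
# Added example (not from the original post): map OneDrive for Business to a drive letter using the
# WebDAV path shown above. Assumes the WebClient service exists on this Windows machine and that the
# user has signed in to https://<tenant>-my.sharepoint.com in Internet Explorer in this session.
# 'tenantname' and first.last@domain.com are placeholders.

function Connect-OneDriveForBusinessDrive {
    param(
        [Parameter(Mandatory)] [string] $TenantName,          # e.g. contoso for contoso-my.sharepoint.com
        [Parameter(Mandatory)] [string] $UserPrincipalName,   # e.g. first.last@domain.com
        [string] $DriveLetter = 'O'
    )

    # SharePoint Online builds the personal site name from the UPN by replacing every character
    # that is not a letter or digit with an underscore: first.last@domain.com -> first_last_domain_com
    $personalSite = $UserPrincipalName -replace '[^A-Za-z0-9]', '_'
    $uncPath = "\\$TenantName-my.sharepoint.com@ssl\davwwwroot\personal\$personalSite\Documents"

    # 1. Explorer's WebDAV redirector is the WebClient service; start it if it is stopped
    $webClient = Get-Service -Name WebClient -ErrorAction Stop
    if ($webClient.Status -ne 'Running') {
        Start-Service -Name WebClient
    }

    # 2. Confirm the path resolves before mapping. A failure here normally means the browser
    #    session has expired or the site is not in Internet Explorer's Trusted Sites zone.
    if (-not (Test-Path -LiteralPath $uncPath)) {
        throw "Cannot reach $uncPath. Sign in to https://$TenantName-my.sharepoint.com in Internet Explorer first."
    }

    # 3. Map the letter for the current user. -Persist keeps the mapping across reboots, but as
    #    noted above it will show as disconnected until a fresh sign-in has renewed the cookie.
    if (Get-PSDrive -Name $DriveLetter -ErrorAction SilentlyContinue) {
        Remove-PSDrive -Name $DriveLetter -Force
    }
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $uncPath -Persist -Scope Global | Out-Null

    return "$($DriveLetter):"
}

# Usage
$drive = Connect-OneDriveForBusinessDrive -TenantName 'tenantname' -UserPrincipalName 'first.last@domain.com'
Get-ChildItem -Path $drive | Select-Object Name, Length, LastWriteTime
```

Because the mapping rides on a browser cookie rather than stored credentials, treat it as a convenience for the current session: anything that expects the drive to be reliably present at logon (a script, a backup job, a line-of-business application) will need the sign-in step handled first, which is the problem the linked OneDrive Mapper script addresses.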

As I have said before, the trend is away from static drive letters and plain storage to full collaboration environments. Yes, drive letters may be convenient for those who don’t want to change but I’d suggest they need to be phased out because they are so limiting. But that is a topic for another blog post!

Need to Know Podcast–Episode 100

Holy flying sharks Batman, the Need to Know Podcast has reached 100 regular episodes! Who would have ever thought back in 2010 when I kicked the podcast off, that I’d still be putting it out? Although the episodes haven’t been as regular as I would have liked over the years I thank everyone who has taken the time to listen and especially those people who have been guests. My guests have given both their time and knowledge to listeners which I really appreciate.

So now it is onwards and upwards to the next 100 episodes. If you haven’t already, I’d really appreciate you leaving a review on iTunes or just dropping me a line (director@ciaops.com) and letting me know what you think and importantly if there is anything I can do to improve the podcast. Once again, thanks to everyone who has supported the podcast over its first 100 episodes and I’ll work hard to make sure the next 100 are even better.

As a follow on from our last episode on Azure storage, Marc and I now focus on the different storage options in Office 365 and how to take advantage of each. We consider best practices for data migrations as well as what experience has taught us when moving information to Office 365.

You can listen to this episode at:

http://ciaops.podbean.com/e/episode-100-office-365-storage/

or subscribe to this and all episodes in iTunes at:

https://itunes.apple.com/au/podcast/ciaops-need-to-know-podcasts/id406891445?mt=2

The podcast is also available on Stitcher at:

http://www.stitcher.com/podcast/ciaops/need-to-know-podcast?refid=stpr

Don’t forget to give the show a rating as well as send me any feedback or suggestions you may have for the show.

Resources

Marc Kean – @marckean

Robert Crane – @directorcia

Azure via CSP

Where to put data in Office 365

Microsoft Build Conference

Azure VMs Backup

Azure Resource Manager Virtual Networks