Tag: SharePoint

Restrict SharePoint content discovery for Copilot

image

This new Restrict discovery of SharePoint sites and content option is now available to you if you are using Microsoft 365 Copilot. You will find the above option in the SharePoint Administration console, when you select an Active Site and then navigate to settings.

According to the docs:

Restricted Content Discovery doesn’t affect existing permissions on sites. Users with access can still open files on sites with Restricted Content Discovery toggled on.

and

This feature can’t be applied to OneDrive sites.

and

Overuse of Restricted Content Discovery can negatively affect performance across search, SharePoint, and Copilot. Removing sites or files from tenant-wide discovery means that there’s less content for search and Copilot to ground on, leading to inaccurate or incomplete results.

This feature is part of Microsoft ShrePoint Premium – SharePoint Advanced Management (SAM) which is being included with M365 Copilot licenses.

In essence, once you have a M365 Copilot license it is quick and easy way for an administrator to restrict Copilot being used with a certain SharePoint site. Check the Microsoft documentation for more information:

https://learn.microsoft.com/en-us/sharepoint/restricted-content-discovery

Best ways to monitor and audit permissions across a SharePoint environment in Microsoft 365

image

What are the best ways to monitor and audit permissions across a SharePoint environment in Microsoft 365. There isn’t one single “magic button,” but rather a combination of tools and practices that form the most effective approach.

The “best” way depends on your specific needs (scale, complexity, budget, compliance requirements), but generally involves a multi-layered strategy:

1. Leveraging Built-in Microsoft 365 Tools:

  • Microsoft Purview Compliance Portal (Audit Log):

    • What it does: Records actions related to permissions and sharing. This includes granting access, changing permissions, creating sharing links, accepting/revoking sharing invitations, adding/removing users from groups, etc.

    • Pros: Centralized logging across M365 services (not just SharePoint). Captures who did what, when. Essential for forensic auditing and tracking changes over time. Can set up alerts for specific activities.

    • Cons: Reports events, not the current state of permissions easily. Can generate a large volume of data, requiring effective filtering and analysis. Default retention might be limited (90 days for E3, 1 year for E5/add-ons, up to 10 years with specific licenses). Doesn’t give you a simple snapshot of “who has access to Site X right now“.

    • Best for: Auditing changes to permissions, investigating specific incidents, monitoring for policy violations (e.g., excessive external sharing).

  • SharePoint Site Permissions & Advanced Permissions:

    • What it does: The standard SharePoint interface (Site Settings > Site Permissions and Advanced permission settings) allows site owners and administrators to view current permissions on a specific site, list, or library. The “Check Permissions” feature is useful for specific users/groups.

    • Pros: Direct view of current permissions for a specific location. No extra tools needed. Good for spot checks by site owners or admins.

    • Cons: Entirely manual, site-by-site. Not feasible for auditing across the entire tenant. Doesn’t scale. Doesn’t show how permissions were granted (direct vs. group) easily in aggregate. Doesn’t provide historical data.

  • Site Usage Reports (Sharing Links):

    • What it does: Found under Site Settings > Site Usage, this includes reports on externally shared files and sharing links (Anyone, Specific People).

    • Pros: Quick overview of sharing activity for a specific site, particularly external sharing links.

    • Cons: Limited scope (focuses on sharing links, not inherited or direct permissions). Site-by-site basis.

  • PowerShell (SharePoint Online Management Shell / PnP PowerShell):

    • What it does: Allows administrators to scriptmatically query and report on permissions across multiple sites, lists, libraries, and even items (though item-level reporting can be slow). PnP PowerShell is often preferred for its richer feature set.

    • Pros: Highly flexible and powerful. Can automate the generation of comprehensive current state permission reports across the tenant. Can export data to CSV for analysis. Can identify broken inheritance, unique permissions, group memberships, etc. Free (part of M365).

    • Cons: Requires scripting knowledge. Can be slow to run across very large environments, especially if checking item-level permissions. Scripts need to be developed and maintained. Requires appropriate administrative privileges.

    • Best for: Periodic, deep audits of the current permission state across the environment. Generating custom reports. Automating permission inventory.

  • Azure AD Access Reviews (Requires Azure AD Premium P2):

    • What it does: Automates the review process where group owners or designated reviewers must attest to whether users still need access via Microsoft 365 Groups or Security Groups that grant access to SharePoint sites (often via the Owners, Members, Visitors groups).

    • Pros: Proactive governance. Engages business users/owners in the review process. Reduces permission creep over time. Creates an audit trail of reviews.

    • Cons: Requires Azure AD P2 license. Primarily focuses on group memberships, not direct permissions or SharePoint groups (though M365 groups are the modern standard). Requires setup and configuration.

    • Best for: Implementing regular, automated reviews of group-based access to ensure continued need.

2. Third-Party Tools:

  • What they do: Numerous vendors offer specialized SharePoint/Microsoft 365 administration, governance, and auditing tools (e.g., ShareGate, AvePoint, Quest, SysKit, CoreView, etc.).

  • Pros: Often provide user-friendly dashboards and pre-built reports for permissions auditing. Can simplify complex reporting tasks compared to PowerShell. May offer advanced features like alerting, automated remediation workflows, comparison reporting (permissions changes over time), and broader M365 governance capabilities. Can often combine state reporting and change auditing.

  • Cons: Cost (licensing fees). Can have their own learning curve. Reliance on a vendor for updates and support. Need to grant the tool potentially high privileges.

  • Best for: Organizations needing comprehensive, user-friendly reporting and management without extensive PowerShell expertise, or those requiring advanced features and workflows not available natively. Often essential for large, complex environments or those with stringent compliance needs.

Recommended Strategy (The “Best Way”):

For most organizations, the most effective approach is a combination:

  1. Configure & Monitor the Purview Audit Log: Ensure auditing is enabled and understand how to search/filter logs. Set up alerts for critical permission changes or sharing events (e.g., creation of “Anyone” links if disallowed, granting owner permissions). This covers ongoing change monitoring.

  2. Perform Regular Audits using PowerShell or a Third-Party Tool: Schedule periodic (e.g., quarterly, semi-annually) comprehensive audits to capture the current state of permissions across all relevant sites. Focus on:

    • Sites with broken inheritance.

    • Direct user permissions (should be minimized).

    • Membership of Owners groups.

    • External sharing status.

    • Usage of SharePoint Groups vs M365/Security Groups.
  3. Implement Azure AD Access Reviews (if licensed): Use this for regular recertification of access granted via M365 and Security groups, especially for sensitive sites.

  4. Establish Clear Governance Policies: Define who can share, what can be shared externally, how permissions should be managed (use groups!), and the responsibilities of Site Owners.

  5. Train Site Owners: Ensure they understand the principle of least privilege and how to manage permissions correctly within their sites using M365 groups primarily.

  6. Use Built-in UI for Spot Checks: Empower admins and site owners to use the standard SharePoint UI for quick checks on individual sites as needed.

By combining proactive monitoring (Purview), periodic deep audits (PowerShell/Third-Party), automated reviews (Access Reviews), and clear governance, you create a robust system for managing and auditing SharePoint permissions effectively.

Shortcuts in OneDrive for Business get the benefits of Copilot for Microsoft 365

image

If you have Copilot for Microsoft 365 you will find you have a number of Copilot abilities surfaced in your OneDrive for Business as shown above, such as Summarize, Compare files, etc.

image

What you may not be aware of, is when you add a Shortcut to OneDrive as shown above, from your SharePoint document libraries or Teams channels,

image

that shortcut then appears in the list of folders in OneDrive as shown above

image

and the contents of this shortcut, in your OneDrive, also now have the ability to be used with Copilot themselves just like any normal file in OneDrive for Business. Thus, if you ‘link’ your SharePoint and Teams documents to your OneDrive for Business you can now use them direct with Copilot for Microsoft 365 to do things such as create FAQs, comparisons, summaries, etc.

CIAOPS Need to Know Microsoft 365 Webinar – October

laptop-eyes-technology-computer_thumb

Join me for the free monthly CIAOPS Need to Know webinar. Along with all the Microsoft Cloud news we’ll be taking a look at SharePoint.

Shortly after registering you should receive an automated email from Microsoft Teams confirming your registration, including all the event details as well as a calendar invite.

You can register for the regular monthly webinar here:

October Webinar Registrations

(If you are having issues with the above link copy and paste – https://bit.ly/n2k2410

The details are:

CIAOPS Need to Know Webinar – October 2024
Friday 1st of November 2024
11.00am – 12.00am Sydney Time

All sessions are recorded and posted to the CIAOPS Academy.

The CIAOPS Need to Know Webinars are free to attend but if you want to receive the recording of the session you need to sign up as a CIAOPS patron which you can do here:

http://www.ciaopspatron.com

or purchase them individually at:

http://www.ciaopsacademy.com/

Also feel free at any stage to email me directly via director@ciaops.com with your webinar topic suggestions.

I’d also appreciate you sharing information about this webinar with anyone you feel may benefit from the session and I look forward to seeing you there.

Change in the share to specific users process in SharePoint Online and OneDrive for Business

Recently, this appeared in the Microsoft 365 message center:

[OneDrive for Business, SharePoint Online] New Tenants as of March 31 will have Azure B2B Integration with SharePoint enabled by Default [MC526130]

Description

Message ID: MC526130

Published date: 11/03/2023

Category: Stay informed

Tags: Admin impact

Relevance: Processing

We’re making some changes to the default configuration for new tenants for Azure B2B integration with SharePoint & OneDrive.

When this will happen:

Starting March 31, 2023, new tenants will have Azure B2B Integration with SharePoint & OneDrive enabled by default.

How this will affect your organization:

This message is for your information and there is no impact to existing tenants or tenants created before March 31, 2023.

What you need to do to prepare:

No change is needed for existing customers. New tenants can opt out of using Azure B2B Integration using the SharePoint Online Management Shell.Please click Additional Information to learn more.

The major impact of this is that going forward, all newly created tenants will have this Azure B2B integration enabled by DEFAULT. That changes the way many have become familiar with when it comes to sharing files with specific users via an email address.

With this Azure B2B integration enabled the process now looks like:

image

The initial sharing process is identical. You select the files to share from the source location. Next, select the external user to share the file with, typically using their email address. Then you share the file as per usual. Nothing different yet.

image

The external user (in this case a Gmail account) gets a normal sharing message like shown above. They click on the link as usual and see:

image

They click Next and see:

image

They then select Send code to obtain an access code via email. Still nothing appears to be different.

image

In the background however, things are quite different. As you can see above, an Azure B2B account is created in the source Azure AD for this external user.

image

After the destination user enters the sharing code they receive in email, the experience changes.

image

Because the sharing process has created a new guest Azure B2B account in the source tenant, all the security of the source Azure AD environment is enforced.

In this example, the tenant has Security defaults enabled, which is also now on by default in new M365 environments.

image

This will force the destination user who wants access to the document to enrol in MFA for M365 as shown above.

image

Only after they complete that process are they able to view the document as seen above.

image

Depending on how the source environment where the originating sharing is coming from is configured, the external user may also need to Accept the permission consent like shown above.

The key change now is that Azure B2B integration with SharePoint & OneDrive. is now ON by default.

The other unfortunate thing is that I don’t believe there is option where you can control this in the M365 administration portal. You must use PowerShell.

image

To view whether Azure B2B integration is on, you’ll need to connect to SharePoint Online with PowerShell. You can use my free script to do so here:

https://github.com/directorcia/Office365/blob/master/o365-connect-spo.ps1

Once you have successfully done that, as shown above, run the command:

Get-SPOTenant | Select *B2B*

image

If the result of this is True as shown above, then Azure B2B integration is enabled.

In summary then, if you have a new tenant in Microsoft 365 it will have Azure B2B integration with SharePoint and ODFB ENABLED and Security defaults ENABLED. That means when you share a file with a specific email address, that user will be required to complete MFA enrolment.

If you have a tenant that also includes Conditional Access, which would be operating in place of Security defaults, then the external user that the document is shared will be subject to your Conditional Access policies like any other user!  This means, for example, if you have a Conditional Access policy that does location blocking (by IP address typically), and the external user is outside the allowed configured locations, their access to that document will be blocked.

For example, if you have a Conditional Access policy that only allows compliant devices, the email received by the external looks like:

image

and clicking on the document link results in:

image

given that the device the external user is on is not compliant as it is not part of the source Azure AD.

The official Microsoft documentation on this is here:

SharePoint and OneDrive integration with Azure AD B2B

and importantly, if you want to disable the Azure AD B2B integration you must return to PowerShell and run the command:

Set-SPOTenant -EnableAzureADB2BIntegration $false

When the Azure B2B Integration feature is enabled is makes a big change to the way that specific sharing is done. Having that now enabled by default on tenants is going to be a surprise to those who are not aware of this. Hopefully though, given you have read this far, you’ll be prepared for and can make an informed decision as to whether you want the additional security for external user sharing to be subject to your Azure AD policies. You’ll also know how to turn it off if you don’t want it.

Microsoft 365 collaboration framework training

pexels-pixabay-416405

On February 14th 2023 I’ll be running a collaboration framework training course for Microsoft 365 environments. Training will held remotely via Microsoft Teams. The session will be two (2) hours and run from 9am Sydney time.

The sessions will be recorded and other materials from the sessions (checklists, etc) will be available to attendees afterwards.

The aim of this training is to help you better prepare for the move to the Microsoft 365 collaboration environment utilising services such as Teams, SharePoint, OneDrive for Business, and so on. You’ll be shown a tested framework that you can use when designing a modern collaboration environment to ensure a business gets the most from their investment in Microsoft 365. You’ll also learn tips and tricks on how to implement this successfully inside a modern organisation, whether large or small. If you want to get the most from your Microsoft 365 collaboration environment, this course is for you. The price for this event will be:

Gold Enterprise Patron = Free

Gold Patron = Free

Silver Patron = Free

Bronze Patron = $33 inc GST

Non Patron = $99 inc GST

You can learn more about the CIAOPS Patron community at www.ciaopspatron.com.

I hope that you’ll join me in February for this event as I believe it help you improve how to get the most from the Microsoft 365 to improve day to day operations.

You can register you interest in attending this course here – http://bit.ly/ciaopsroi after which I’ll be in contact with you to arrange payment and get you enrolled.

As always, if you have any questions about this training please email me on – director@ciaops.com.

I hope to see you there.