Back
SharePoint

Enhanced conditional access controls, encryption controls and site classification in SharePoint and OneDrive

Share on Facebook Share on Twitter Share on Linkedin Share via OneNote Share via Email Print

Microsoft understands that enterprise security is critical. Trust is not a product—it’s a value that must be earned. Our approach to SharePoint and OneDrive security, privacy and compliance is simple: It’s your data. You own it. You control it. We’re just caretakers. We give you controls to manage the data, paired with our own controls for securing and running our services. Policy governs every stage of a file’s journey, from conception to deletion.

Our investments are focused on five core pillars.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 1

  • Platform security—Protect information at rest and in transit with layered encryption, Microsoft datacenter procedures and customer controls for access and key management.
  • Secure access and sharing—Ensure sensitive data remains secure with managed access and sharing settings.
  • Awareness and insights—Track account and file activity with full transparency using reports and alerts.
  • Information governance—Govern your data retention, discovery and deletion policies.
  • Compliance and trust—Leverage Microsoft’s continuous compliance, ongoing certification and transparent operations.

Security, privacy and compliance are a core pillar of SharePoint’s vision for collaboration in Office 365.

Today at Ignite, we’re announcing the next wave of innovations that give you more control over your company’s valuable information and intellectual property:

  • Conditional access policies that govern access to files based on endpoint location (available today).
  • Granular conditional access policies based on the managed state of a device (available by end of year).
  • New Office 365 datacenter locations in Germany and Canada, extending our industry leadership in the number of distinct global regions to meet your compliance needs (available today in Canada and by end of year in Germany).
  • Customer-controlled SharePoint and OneDrive encryption keys (available by end of year).
  • Site classification that guides users to understand the value and sensitivity of information and can be extended to apply classification-specific security configuration (available by end of year).
  • Unified auditing across site collections in Office 365 and on-premises SharePoint Server 2016 with Feature Pack 1 (available in November 2016).

Below is an overview of these innovative experiences and capabilities, with links to additional resources.

Conditional access policies for location

Access controls have traditionally been scoped to users or groups. Today, a user’s work is no longer limited to one computer on a desk, and information risks exposure as users connect mobile devices to unsecure networks or use personal, unmanaged devices.

Conditional access in SharePoint and OneDrive goes beyond user permissions: it is based on a combination of factors, such as the identity of a user or group, the network that the user is connected to, the device and application they are using, and the type of data they are trying to access. The access granted to the user adapts to this broader set of conditions.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 2

Control user access based on location.

With new location-based conditional access policies in SharePoint Online, you can limit access to specific corporate networks or locations. For example, if you restrict access to only your corporate network, users will not be able to access organizational data when they leave the office. This policy helps you prevent access to organization’s data from rogue or insecure networks.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 3

Blocking access from unknown locations.

Conditional access based on device state

We recognize that users are increasingly mobile and use multiple devices, including personal devices, to access organizational data. It is important to enable users to be productive on any device while maintaining the security of data across all devices. That is why we are announcing new device access policies that allow you to decide the level of access you want to offer different types of devices based on the management state of each device.

Microsoft’s Enterprise Mobility Suite allows you to customize the definition of a managed device to fit the needs of your organization. You can either grant full access, prevent all access or allow restricted access from unmanaged devices.

The new restricted access policy allows a user to view a file in their browser but does not allow them to download, print or sync. This allows users to be productive on personal, unmanaged devices, but at the same time, prevent accidental leakage of data to devices that are not managed by the organization.

When you set any of these policies, you also default to blocking access from legacy apps that can’t enforce device-based restrictions.

Customer-controlled encryption keys

One of the core principles of security in SharePoint Online is that your data is yours. We are only the custodians of your data. It is always stored and served using multiple Microsoft encryption controls to assure information privacy and integrity.

In addition, we are announcing today the upcoming availability of customer-controlled encryption keys, sometimes referred to as “bring your own key.” Customer-controlled encryption keys provide an additional layer of security and privacy above that which is already supplied by Microsoft. You can use customer-managed “master keys” to encrypt/decrypt the individual encryption keys used to encrypt each file. You can also decide to change or revoke access to these keys to guarantee that Microsoft has no way to access encrypted files.

Identify sensitive information, guide users and apply security configuration with site classification

Using the new site classification feature, you can apply a custom label to a SharePoint site and its associated Office 365 group. The label identifies the sensitivity of the information for the site and group. The site classification appears in the header of the site and group pages and serves as a reminder to users that your organization has guidance regarding the use and sharing of information on the site.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 4

The site classification is a property that can be accessed programmatically, so you can script reporting or the application of additional security policies. Site classification will enter First Release in October. You will be able to select a classification when provisioning a site and group from SharePoint home, and you will see the site classification in the header of site and group pages.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 5

In the future, we will give you the ability to link Office 365 information policies directly to site classification, without the need for script or code.

Unified auditing

SharePoint unified auditing combines data from the cloud and on-premises for complete audit reporting in one unified console in the Office 365 Security and Compliance Center. Unified auditing will be enabled for on-premises customers as part of SharePoint Server 2016 Feature Pack 1 in November 2016. After Feature Pack 1 is enabled, customers will have the option to join the public preview using the hybrid configuration wizard in SharePoint Online administration.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 6

Once enabled, auditing data from on-premises is available in the Security and Compliance Center, as shown below.

Enhanced conditional access controls encryption controls and site classification in SharePoint and OneDrive 7

These innovations build on our recent investments in Office 365 security and compliance. Read these recent posts for more information:

Today’s announcements represent the continued investments we are making in security, privacy and compliance. We stand by these values. To learn more about how we deliver powerful security controls as the foundation for simple user experiences, please read our white paper.

Please share your thoughts and ideas through the Microsoft Technical Community and SharePoint’s UserVoice. And for the latest information on Office 365 security and compliance, visit the Office 365 Trust Center.

—Chris McNulty, senior product manager for the SharePoint and OneDrive teams

Top
7 comments
  1. Hello –

    Do these new features require additional licenses or will they be included with a basic E3 / Business Premium license?
    Thanks-
    PH

    • Many of the features are available in E3, while there are some features that require additional licensing. Your account team can map your requirements into specific licensing requirements. Thanks.

  2. Are there any specifics around the release date of bring your own key functionality for SharePoint Online?

    • We are targeting end of year to open this preview. Thanks.

  3. For the conditional access policies for location, is this all or nothing, or can it be applied based on users or groups, and can it be applied differently to different libraries?

    • HI. Conditional access by location is a tenant-wide setting. Hope this information is helpful.

  4. When will the restrict by ip functionality be rolled out for everyone? Our provider says it is not available to us yet and could not give a time from on when this might happen.

Comments are closed.