Tips for administrators: how to manage Microsoft 365 external sharing

Microsoft 365 allows users to share documents or invite people outside the organization into collaboration groups. These external users are by default named guests in the Microsoft 365 environment.

This ease of external collaboration drives the need for improved access and sharing management in Microsoft 365.

Only 64% of IT teams have a way to control sharing with people outside the company – Microsoft 365 study from 2021.

However, managing external access and the data lifecycle is essential to ensuring data security: detecting external sharing links, making sure they are compliant and correcting them if necessary.

In this context, administrators or security teams have a role to play.

• Advice on setting up the environment and external sharing
• Data governance and access review in Microsoft 365
  
  

Advice on setting up the environment and external sharing

Firstly, it is not recommended to close shares with external parties, as this can lead to the rise of shadow IT solutions.

However, setting up guests and external shares by administrators remains an important and proactive approach to mitigating vulnerabilities, even when a patch is not yet available. This will enable the application of protective barriers to secure the company’s content.

Best practices for setting up the entire tenant

• Limit guest access policy

Instead of disabling guest access to the tenant, Microsoft 365 administrators can restrict them. Via PowerShell, they can prevent a guest from accessing specific groups or block guests from a specific domain.

• Set up a multi-factor authentication for external users

The identities of external guests can be impersonated. Implementing multi-factor authentication allows the user’s identity to be verified on another device and reduces the risk of compromise.

• Set session expiration times

For an enhanced identity policy, in addition to multi-factor authentication, you can enable a session timeout. Guests will need to log in regularly to access their account. This verifies the security of the device and the identity of the accessor.

• Implement DLP policies on privacy tags

Using privacy labels from Microsoft Purview Information Protection and the Azure AD DLP tool, policies can be defined to track and control sensitive data.

IDECSI completes Microsoft’s offer by integrating Purview’s classification labels and by proposing an advanced monitoring platform to supervise and be alerted in case of overexposure or compromise.
Improve access management for your sensitive data with IDECSI

Best practices for setting up sharing links

In Microsoft 365, share management is done through share links, of which there are several: Anonymous (everyone), Whole Company, Specific User.
In this case, where anonymous sharing is still allowed, admin teams can set up additional settings to reduce the risks.

• Set default link type

When a user decides to share a document or folder via OneDrive or SharePoint, the Anonymous link applies by default, when active in the organization.
If the user does not change the default link, he will unintentionally create an anonymous link that can be accessed by anyone without the need for authentication.

Administrators can set the default link to “Whole Company” or “Specific Person”.

• Set an expiration date for “Anonymous” links

Some data stored on SharePoint, Microsoft Teams or OneDrive will be kept.
By imposing an expiration date for Anonymous links, guest access will be automatically reviewed without user intervention. This prevents unexpected accesses over time and unwanted changes.

• Set permissions for Anonymous links

There are several possible permissions for Microsoft share links: edit, read, download.
By default, links are set to “Edit” but admin teams can push a read-only permission by default. Thus, guests will not be able to modify the content of the shared document.

Raising user awareness

The best practice for managing external shares is still user awareness.

Users are now the administrators of their resources. Moreover, the creation of a share starts with them via the creation of a share link, the creation of a teams team or a SharePoint site.
This is why, today, employee awareness of security issues is essential to prevent the risk of data leakage.

Data governance and access review in Microsoft 365

Enabling external shares carries risks (data leakage, no control over shares, illegitimacy of sharing over time). It is recommended that governance rules be put in place to reduce these risks.

Visibility is the core of this governance strategy. Native Microsoft and third-party solutions exist to understand how data is used and to monitor access.

Following the audit of the environment, it is possible to apply an access rights review strategy. Access review over time ensures that the rights granted to users are consistent with an organization’s security policy and the user’s activity.

Watch out the video to discore how to improve data sharing governance for Microsoft Teams

Microsoft Access Reviews

Azure AD Access Reviews is Microsoft’s tool for tracking and managing internal group membership and therefore access. By launching access review campaigns, it is possible to send notifications to Teams or SharePoint group owners to validate members.

Azure AD Access Reviews allows you to involve users in access reviews and ensure regular review of access made to resources.

Following the launch of the campaign, the owners of the Teams / SharePoint groups will receive an email with the group to be checked. The verification will be carried out at member level only and will not affect shared channels.
Permissions or sharing links made outside of a Teams team (on SharePoint for example) will not be part of the recertification campaign.

This tool is only offered in the Azure AD P2 license (included in the Microsoft E5 license).

The IDECSI complement

IDECSI has developed a recertification tool, which completes the Microsoft offer by addressing all Microsoft 365 collaborative tools, regardless of the license level.

To do this, security teams and administrators have a solution to quickly launch audits and quickly see at-risk shares (external, anonymous) and overexposure of data on the tenant.

Administrators can then launch automated and programmable rights review campaigns:

• Duration, periodicity
• Automatic reminders
• Email and notification customization
• Targeting resources and populations

Customized reports are then available on the platform to analyze the results of ongoing campaigns (tracking requests, validations, planning).

The user has a security dashboard to set up governance over his data and a review of the shares from a single portal, named MyDataSecurity.

In the context of a campaign, users will also receive a notification to recertify all permissions and will be able to apply automatic troubleshooting.