The essential Office 365 security checklist
10 quick weekly checks to efficiently manage Office 365 security.


From Snowden to WikiLeaks to the NSA, there’s no shortage of buzzwords to remind us about security every day. Not a week goes by where we don’t hear about mass hackings, credit card record thefts or major corporate data breaches caused by human error. Just ask Sony, The Home Depot, JPMorgan Chase... the list goes on.

It’s an understatement to say that security is the first thing that must come to mind when we think about business infrastructure. As many as 85% of all U.S. companies experienced one or more data breaches in 2013.[1]

That’s a LOT of sensitive data. In 2010, the cost of a data breach averaged $7.2 million per incident, and that number doesn’t even include indirect revenue losses. Would you want to deal with a company that’s known for its security breaches? Yeah, me neither. The lost business caused by a lack of trust in an organization can end up costing billions.

Of course, security also comes to mind for companies using SharePoint and Office 365. For most of us, these platforms are the brain, lungs and heart of our organizations. We want our content to be secure and well protected.

But what is Office 365 security? How could you state that your environments are secure (and believe it)? In this guide, we’ve identified the most important Office 365 security actions that you can put in motion to immediately protect and secure your environments.

[1] https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosdatasecurityreportwpna.pdf?la=en

About Benjamin Niaulin

Benjamin Niaulin is an Office Servers and Services MVP, recognized as one of the Top 25 SharePoint influencers in 2014 and 2nd for Office 365 in 2015. Being a Microsoft Certified Trainer since 2008 has allowed him to become proficient in simplifying complex technologies, making him an expert at making SharePoint and Office 365 accessible to everyone. He’s spoken at over 200 conferences around the world.

Follow him on Twitter @bniaulin

Contents

About Benjamin Niaulin
Chapter one: Establish an inventory of what you have
Chapter two: Manage user permissions
Chapter three: Manage object permissions
Chapter four: Broken inheritance
Chapter five: Custom permission levels
Chapter six: Edit vs. contribute permission levels
Chapter seven: Security auditing
Chapter eight: External sharing
Chapter nine: The administrator
Chapter ten: Mobile devices and synced content

Chapter one: Establish an inventory of what you have

If you don’t know where your data is and who has access to it, how can you secure what you have in your environments? If you want to properly enforce your security policies and stay compliant, you’ll need to establish an inventory of what you have. The Microsoft cloud platform is continuously evolving and empowers people in the organization to create objects and content themselves, so it’s crucial for you to monitor Office 365 security. Making an inventory of a file share is easy: all you need to worry about are the folders and files it contains. Office 365, however, encompasses a suite of objects ranging from SharePoint sites to groups, lists and libraries, plus all the content those objects contain. You need to know what you have and where you keep it, as well as collect additional information as needed to make better decisions about your content.

Where are your sites? What is their purpose? What templates do they use? Who has access to them? When’s the last time they were accessed? I could go on for hours; there’s no such thing as too much information when it comes to your organization’s security. However, you need to be able to use that information properly.

There are a few different ways to build your Office 365 security inventory. Trusty PowerShell, in the hands of an admin who’s comfortable with scripting, is always there to help. You can use it to build an inventory of your SharePoint sites and, provided the right cmdlets exist, perform virtually any task related to SharePoint management. However, in Office 365 not every task has a cmdlet: the SharePoint Online Management Shell covers tenant and site collection settings, and anything below that (lists, libraries, items and their permissions) requires CSOM or the community PnP PowerShell module. And not everyone is comfortable writing these scripts.
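As an added example (not code from the original guide), the following SharePoint Online Management Shell script builds the site inventory this chapter describes and writes it to CSV, then pulls one triage view out of it. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that you hold the SharePoint administrator role; "contoso" is a placeholder tenant name and the 180-day staleness threshold is an arbitrary assumption.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example, not code from the guide: tenant-wide site inventory to CSV with the
# SharePoint Online Management Shell. "contoso" is a placeholder tenant name.
param(
    [string]$AdminUrl  = "https://contoso-admin.sharepoint.com",
    [string]$OutFile   = ".\spo-site-inventory.csv",
    [int]   $StaleDays = 180    # assumption: no content change in 180 days counts as stale
)

Connect-SPOService -Url $AdminUrl

# -Limit All returns every site collection; -Detailed populates Owner, StorageUsageCurrent,
# LastContentModifiedDate and friends (they come back empty otherwise). OneDrive sites are
# excluded unless you add -IncludePersonalSite $true.
$sites  = Get-SPOSite -Limit All -Detailed
$cutoff = (Get-Date).AddDays(-$StaleDays)

$inventory = foreach ($s in $sites) {
    [pscustomobject]@{
        Url                 = $s.Url
        Title               = $s.Title
        Template            = $s.Template           # e.g. STS#3 (team site), GROUP#0 (group-connected)
        Owner               = $s.Owner
        StorageUsedMB       = $s.StorageUsageCurrent
        LastContentModified = $s.LastContentModifiedDate
        SharingCapability   = $s.SharingCapability  # Disabled, ExistingExternalUserSharingOnly,
                                                    # ExternalUserSharingOnly, ExternalUserAndGuestSharing
        LockState           = $s.LockState
        IsStale             = $s.LastContentModifiedDate -lt $cutoff
    }
}

$inventory | Sort-Object LastContentModified |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} site collections written to {1}" -f $inventory.Count, $OutFile

# First triage pass from the same data: nobody has touched these in $StaleDays days,
# yet they still allow anonymous sharing links.
$inventory |
    Where-Object { $_.IsStale -and $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Format-Table Url, Owner, LastContentModified -AutoSize
```

Run it weekly and diff the CSV against last week’s copy; new site collections and changes in SharingCapability or Owner are the rows worth a second look.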


ShareGate Desktop can help you build not just an inventory, but the right inventory based on what you’re looking to collect. With criteria-based filtering, you can choose what you want to find and collect the results in an Excel spreadsheet.

Chapter two: Manage user permissions

If I’m given access to information I’m not supposed to have, there’s honestly a good chance I’ll go look at it anyway. Office 365 user permissions can be difficult to understand if we don’t take the time to learn how it all works. When first deployed, SharePoint is actually secure, as no one has access to anything. The fun starts when you grant access to objects.

In 2015, most data breaches were blamed on human error.[2]

As a general best practice, one that goes back to permissions on file shares, you should never grant explicit permissions to an individual user. Even if this works, it can cause a lot of problems with your security in the long run. One of the biggest issues arises when the person to whom access was granted leaves the company or changes roles and someone else needs to take over.

The powerful search engine in SharePoint, as well as the Office Graph with Delve, can also widen the impact of a permissions mistake. With file shares, if a user were accidentally granted access to something they didn’t know existed, it would be relatively difficult for them to find it. Today, search and Delve are security-trimmed, so they only ever show what a user is permitted to see; but that means users automatically get visibility into everything they’ve been granted access to, including the things they were granted by mistake.

[2] http://www.cybersecuritytrend.com/topics/cyber-security/articles/421821-human-error-to-blame-most-breaches.htm

Ideally, users would always be added to SharePoint groups, and permissions would only be applied to the groups themselves. This keeps user permissions well organized and easily manageable in theory, but it also means you need to train every user to never click on the Share button and grant permissions to an individual user. This may be a little difficult.

ShareGate Desktop helps you stay in control while empowering your users to work as efficiently as possible. You can copy permissions and group memberships from one user to another as well as check which permissions a given user has across all your Office 365 SharePoint objects. This way, you can let users click Share and get their work done knowing that when the project is completed or someone changes roles, you’ll have full oversight and control.

Chapter three: Manage object permissions

Permissions can only be assigned to certain types of objects in SharePoint Online: sites, lists and libraries, folders, list items and library documents. Though many of us wish it could be done at the column level or on views, there isn’t the option to do so. Keep in mind that hiding a column from a view is presentation only, not security: anyone with Read access to the item can still retrieve the field through another view, search or the API. One of the difficulties when it comes to managing Office 365 permissions is the sheer number of objects in your environment. As part of your governance plan, you’ll have different objects that need to be secured in different ways and according to different policies in order to maintain compliance. How can we be sure that all HR-tagged documents are secured properly? Unfortunately, it has to be done manually. You can only imagine, as users author and edit different types of content across Office 365, how chaotic and, more to the point, hard to manage this can get.

The criteria-based search in ShareGate Desktop lets you locate objects based on your organization’s security policies and view almost any information about them, including their permissions. Does everything comply with your governance policies? If not, you can even fix the problem straight from the tool.

Chapter four: Broken inheritance

Unlike with file shares, in Office 365, when you decide that a child object should have different permissions than its parent, you need to break the permissions inheritance on it.

Every object with unique permissions becomes its own security scope in the SQL database that stores the content, and every security-trimmed query has to evaluate each scope it touches. SharePoint Online enforces a limit of 50,000 unique security scopes per list or library, and performance degrades well before that; a library where users have shared individual documents for a few years can get there. The result is slower page loads, slower search and a worse user experience.

It also makes it very difficult to figure out who has access to what on a particular object when inheritance has been broken multiple levels above. Users aren’t typically aware of the impact they have when they click Share or change permissions. And they shouldn’t need to be: enforcing permissions should never hinder the usability or performance of a platform.

ShareGate Desktop can show you where permission inheritance is broken in SharePoint and who has access to that particular location. It also gives you the option of inheriting the permissions back from the parent. The tool’s built-in reporting capabilities let you easily locate all objects of a given type whose permissions have been changed.

One way to solve this type of issue is to restrict who can change permissions (and thereby break inheritance). In the past, our governance plan even banned breaking inheritance on anything other than sites. However, this isn’t always easy to maintain and enforce without having to resort to some sort of custom development.

Chapter five: Custom permission levels

Creating new and custom permission levels in SharePoint Online is inevitable. Frankly, I wouldn’t do it any other way. Not every SharePoint is the same, and needs are different from one organization to the next. Permission levels are granted to a user or group for a specific object. For example, you could either give Nathalie Full Control permissions to your site, or limit her access to viewing or editing specific lists and libraries. The few permission levels that are automatically created aren’t always enough. In many cases, I’ve created a new one similar to Full Control without the right to create subsites. Essentially, depending on what you need to accomplish, you can create custom Office 365 permission levels to give the right access to the right people.

Although this can be very useful in making sure too much isn’t granted to users who need only minimal access to an object, it can also be dangerous. For one, who has the rights to create or edit these permission levels? If you edit an existing permission level, do you know how many people or objects will be affected, and how? A single checkbox could be the difference between people being allowed to download a local copy or not.

As a general rule, don’t directly modify existing permission levels in Office 365 sites. Instead, copy them and edit the copy to isolate the original and minimize the impact of the operation on existing, automatically created SharePoint objects. Permission levels are defined at the site collection level, so anyone with Manage Permissions on the root site can change them for every site below it.
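Here is the “Full Control without the right to create subsites” level from this chapter, built the way the paragraph above recommends: as a copy of the built-in level, never an edit of it. This is an added PnP.PowerShell example, not code from the guide. The site URL, level name and group name are placeholders, and removing Manage Permissions alongside Manage Subwebs is my addition, so that holders of the new level cannot widen their own access.

```powershell
#Requires -Modules PnP.PowerShell
# Added example, not code from the guide: clone Full Control into a narrower custom
# permission level instead of editing Full Control itself. Assumes a connection as a
# site collection administrator; URL, level name and group name are placeholders.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/Finance" -Interactive

$name = "Full Control (no subsites)"

# Permission levels live at the site collection root, so this runs once per site collection.
if (-not (Get-PnPRoleDefinition | Where-Object { $_.Name -eq $name })) {
    # -Clone copies Full Control's permission mask; -Exclude removes individual
    # PermissionKind values from the copy. ManageSubwebs = create subsites,
    # ManagePermissions = edit permissions and permission levels (without it, a holder
    # of the new level cannot simply grant the removed bits back to themselves).
    Add-PnPRoleDefinition -RoleName $name -Clone "Full Control" `
        -Exclude ManageSubwebs, ManagePermissions `
        -Description "Full Control without creating subsites or managing permissions"
}

# Diff the copy against the original before granting it, so the change is reviewable
# rather than a matter of remembering which checkboxes were unticked.
$original = Get-PnPRoleDefinition -Identity "Full Control"
$copy     = Get-PnPRoleDefinition -Identity $name
Get-PnPProperty -ClientObject $original -Property BasePermissions | Out-Null
Get-PnPProperty -ClientObject $copy     -Property BasePermissions | Out-Null

$removed = [Enum]::GetValues([Microsoft.SharePoint.Client.PermissionKind]) |
    Where-Object { $original.BasePermissions.Has($_) -and -not $copy.BasePermissions.Has($_) }
"Permissions in 'Full Control' that '$name' does not have:"
$removed | ForEach-Object { "  - $_" }

# Grant the new level to a group, never to an individual user (see chapter two).
Set-PnPGroupPermissions -Identity "Finance Site Owners" -AddRole $name -RemoveRole "Full Control"
```

The printed diff is what you attach to the change record; if it lists anything other than ManageSubwebs and ManagePermissions, the clone did not do what you expected and nobody has been granted it yet.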

With ShareGate Desktop, you can validate access based on permission levels or use them to create reports to run on your environment. Whether it’s to find everyone, a group or a specific user with Full Control, you’ll be able to stay on top and in control of your Office 365.

Chapter six: Edit vs. contribute permission levels

This came as a subtle surprise to me when I dove into it. As mentioned above, permission levels are rights that you grant a user or group to access an object. If you’re used to a previous version of SharePoint or simply migrating from it, this change may come as a surprise to you as well. When you create a site in SharePoint, several groups are automatically created and granted access to the site. One of these groups, Members, was always awarded the Contribute permission level in past versions of SharePoint. This allowed people within the group to add, modify, and delete content within lists and libraries. Since SharePoint 2013 and in Office 365, however, Members groups are granted Edit permissions by default. Edit is a newer permission level that is Contribute plus the Manage Lists permission, which also lets users and groups create, change, and delete lists and libraries themselves, including their columns, views and settings. This huge shift in power can have immense impact on your security, especially if you’re migrating or operating on the assumption that things are the same as they were in the past.

The first step towards mitigating this issue is being aware of its existence. There are a few solutions, or perhaps workarounds, that can help you ensure users have the right permissions on your objects. You can delete the Edit permission level outright. Though not ideal, it definitely solves the issue, but every user and group currently holding Edit loses that access at once, so inventory who has it first. The cleaner way is to make sure that when sites are created, the Members group has its permissions changed from Edit to Contribute.
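The checks from chapters two, three, four and this one can be scripted against a single site. As an added example (not the guide’s own code), the PnP.PowerShell script below reports direct user grants on the site, lists and libraries with broken inheritance, and a Members group still holding Edit, and switches the Members group to Contribute when run with -Fix. The site URL is a placeholder; depending on your PnP.PowerShell version, Connect-PnPOnline may also need a -ClientId.

```powershell
#Requires -Modules PnP.PowerShell
# Added example, not code from the guide: audit one site's permission model with
# PnP.PowerShell. Site URL is a placeholder; newer PnP.PowerShell versions may also
# require -ClientId on Connect-PnPOnline.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/Finance",
    [switch]$Fix     # without -Fix the script only reports
)

Connect-PnPOnline -Url $SiteUrl -Interactive
$web = Get-PnPWeb -Includes RoleAssignments

# 1. Direct user grants at the site level (chapter two). A role assignment whose
#    principal is a User rather than a SharePointGroup or SecurityGroup is what the
#    Share button produces when someone types a colleague's name.
foreach ($ra in $web.RoleAssignments) {
    Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
    if ($ra.Member.PrincipalType -eq 'User') {
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "Direct grant: $($ra.Member.LoginName) holds [$levels] on $($web.Url)"
    }
}

# 2. Lists and libraries that no longer inherit from the site (chapters three and four).
#    Each one is a separate security scope to review. Report only: re-inheriting
#    (Set-PnPList -Identity <list> -ResetRoleInheritance) discards whatever unique
#    permissions the owner set, so that decision belongs to a human.
Get-PnPList -Includes HasUniqueRoleAssignments, Hidden |
    Where-Object { -not $_.Hidden -and $_.HasUniqueRoleAssignments } |
    ForEach-Object { Write-Warning "Broken inheritance: list '$($_.Title)' has unique permissions" }

# 3. The site's associated Members group (chapter six). Since SharePoint 2013 it gets
#    Edit, which is Contribute plus Manage Lists; move it back to Contribute.
$members = Get-PnPGroup -AssociatedMemberGroup
$roles   = Get-PnPGroupPermissions -Identity $members.Title
if ($roles.Name -contains 'Edit') {
    Write-Warning "Group '$($members.Title)' holds Edit on $($web.Url)"
    if ($Fix) {
        Set-PnPGroupPermissions -Identity $members.Title -AddRole 'Contribute' -RemoveRole 'Edit'
        Write-Host "Switched '$($members.Title)' from Edit to Contribute"
    }
}
```

Run it without -Fix first and keep the warnings; the direct grants are the list of people you need to move into groups, and the broken-inheritance list is the one to walk through with the site owner before resetting anything.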


With ShareGate Desktop, you can identify any objects that have been granted Edit permissions and make the switch to Contribute if required. This applies to both groups and actual objects to which permissions have already been granted.

Chapter seven: Security auditing

Who accessed this file in the last few days? Not everyone is aware that Office 365 comes with built-in audit reports that you can run on whichever type of content you wish to audit. Want to know who viewed a file or deleted an item in your document library? Well now you definitely can.

Office 365 security audits are vital in keeping your environment secure. They allow you to detect breaches in progress, confirm what was touched and take action to stop them. A lot of these breaches actually stem from people sharing the data they have access to, whether maliciously or mistakenly.

One thing you should know is that due to its significant performance requirements, the SharePoint audit feature is disabled by default. This means that if you haven’t enabled it and decide to view the reports because of a possible breach or simply to inspect, it will be too late: events that happened before you turned it on were never recorded. Auditing is configured per site collection (Site settings > Site collection audit settings), and for finer control it can be scoped to individual lists and even content types through information management policies.

There aren’t a million ways to get around this; you just need to enable the feature and configure it where needed. But don’t go audit-crazy either: the sheer volume of information generated by the reports can really slow down your users’ experience with the platform.
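The question that opens this chapter, “who accessed this file in the last few days?”, can also be answered from the tenant-wide unified audit log, which Exchange Online PowerShell exposes. This is an added example, not the guide’s code, and it queries the tenant-level log rather than the per-site-collection audit settings described above; like them, it only holds events recorded after ingestion was switched on. The module, the file URL and the seven-day window are assumptions.

```powershell
#Requires -Modules ExchangeOnlineManagement
# Added example, not code from the guide: who viewed, downloaded, changed or deleted one
# file, from the Office 365 unified audit log. File URL and window are placeholders.
param(
    [string]$FileUrl = "https://contoso.sharepoint.com/sites/HR/Shared Documents/Salaries.xlsx",
    [int]   $Days    = 7
)

Connect-ExchangeOnline

# Confirm ingestion is on. If it was off, nothing before this moment was recorded and
# turning it on now only helps the next investigation.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log ingestion is disabled; enabling it (effective going forward only)."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

$end   = Get-Date
$start = $end.AddDays(-$Days)

# One call returns at most 5,000 records; reuse the SessionId to page through the rest.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType SharePointFileOperation `
        -Operations FileAccessed, FileDownloaded, FileModified, FileDeleted `
        -ObjectIds $FileUrl `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $batch
} while ($batch.Count -eq 5000)

# AuditData is a JSON blob; pull out the fields an investigator actually reads.
$records |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $_.CreationDate
            User      = $_.UserIds
            Operation = $_.Operations
            ClientIP  = $d.ClientIP
            UserAgent = $d.UserAgent
            File      = $d.ObjectId
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

A FileDownloaded from an unfamiliar ClientIP, or a burst of FileAccessed events from one account across many files, is the pattern to look for; the same query without -ObjectIds and with -UserIds gives you everything one account touched.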


However, making sure it’s turned on and properly configured for every single site collection can be a tedious, error-prone process. With ShareGate Desktop, you can make sure Office 365 and SharePoint security audits are enabled where you need them to be and manage them in bulk.

Chapter eight: External sharing

Office 365 introduced the concept of external users to allow content sharing with people outside of your organization. It’s a highly useful feature, as working with external users is almost a necessity nowadays. However, it introduces a serious potential security threat if not properly monitored. Where are these Office 365 external users and what do they have access to, especially months after they no longer need that access?

Survey finding: employees use cloud apps to share sensitive corporate data outside the four walls of the organization.[3]

The way it all works can be confusing to users, which opens the door to mistakes. When you share an object with an external user, the email address you type isn’t necessarily the identity the access ends up bound to: at the time of writing, the recipient still had to sign in with an Office 365 work or school account or a Microsoft account (formerly Windows Live ID), and the invitation binds to whichever account they accept it with. Make sure to read and understand the Definitive guide to Office 365 external sharing to understand how it works and the impact it has on your own Office 365’s security.

There are multiple perspectives to consider when managing external sharing in Office 365. Which external users currently have access to your environment? What’s being shared with a given external user? Which externally shared documents haven’t been accessed in X amount of time?
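The first two questions above (which external users exist and what each one can reach), plus the question of which sites still allow anonymous links, map onto a few SharePoint Online Management Shell cmdlets. This is an added example, not the guide’s own code; the tenant name and output path are placeholders, and the -Tighten switch that turns anonymous links into sign-in-required links is my addition.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example, not code from the guide: external users, what they can reach, and
# which sites allow anonymous links. Tenant name and output path are placeholders.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",
    [string]$OutFile  = ".\external-access.csv",
    [switch]$Tighten  # without -Tighten the script only reports
)

Connect-SPOService -Url $AdminUrl

# Get-SPOExternalUser returns at most 50 per call; walk every page.
$external = @()
$pos = 0
do {
    $page = Get-SPOExternalUser -Position $pos -PageSize 50
    $external += $page
    $pos += 50
} while ($page.Count -eq 50)

"{0} external users in the tenant" -f $external.Count
$external | Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy | Format-Table -AutoSize

# Per site: which external accounts actually hold permissions there. External users
# carry '#ext#' in their login name; the Groups column shows how they got access.
$sites  = Get-SPOSite -Limit All
$report = foreach ($s in $sites) {
    $users = Get-SPOUser -Site $s.Url -Limit All -ErrorAction SilentlyContinue |
        Where-Object { $_.LoginName -like '*#ext#*' }
    foreach ($u in $users) {
        [pscustomobject]@{
            Site         = $s.Url
            ExternalUser = $u.LoginName
            Groups       = ($u.Groups -join '; ')
            SiteSharing  = $s.SharingCapability
        }
    }
}
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
"{0} external permission grants written to {1}" -f @($report).Count, $OutFile

# Sites that allow anonymous links: the broadest setting, and the one most often left
# on by accident. ExternalUserSharingOnly still allows external sharing but requires
# the recipient to sign in, so existing anonymous links stop working.
foreach ($s in $sites | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }) {
    Write-Warning "Anonymous links allowed on $($s.Url)"
    if ($Tighten) {
        Set-SPOSite -Identity $s.Url -SharingCapability ExternalUserSharingOnly
    }
}
```

Keep last week’s CSV and diff it: an external user who appears in a new site, or a site whose SharingCapability changed, is a row to explain. The third question in the text, which shared documents have gone unused, is answered from the audit log (chapter seven) rather than from permissions.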

[3] http://www.sailpoint.com/blog/2014/12/2014marketpulsesurvey/

Though there are basic methods at your disposal for managing external sharing in Office 365, they don’t give you a single view of your entire tenant or guidance on what to do with what you find.

ShareGate Desktop gives you that level of control in just a few clicks. Build your own reports using “external user” and “externally shared content” as criteria. You can also run pre-built actions to quickly gain insight on what’s being shared so you can act accordingly.

Chapter nine: The administrator

Top 5 passwords of 2017[4]

1. 123456
2. password
3. 12345678
4. qwerty
5. 12345

[4] http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/

Let’s talk about the administrator for a second: the person who has all the power in your Office 365 environment. That person may very well be you, and you may not want to listen to what I’m about to say. But I’m sure you’ll agree with me on this: the admin’s role can be a dangerous one when it comes to matters of security.

While Office 365 admins don’t necessarily have instant access to all created sites and user-owned OneDrives, they can grant themselves that level of power whenever they want, for example by adding themselves as site collection administrator. Those actions do show up in the Office 365 audit log if it is enabled, but an admin with enough rights can also change the audit settings, so nobody may be looking. How can you tell what a given admin account has access to?

In some security breaches, it was the administrator account’s credentials that enabled hackers to access and steal the information they wanted. Your administrator credentials can be stolen and used to erase any indication that the theft has happened.

The Administrator role is potentially the biggest threat to your Office 365 security.


Have you considered using multi-factor authentication to verify the identity of everyone who tries to access your admin account? Enabling this feature in Office 365 adds an extra layer of security to every sign-in attempt: the account holder must also approve a prompt in an authenticator app or enter a one-time code, and access is only granted if that second factor checks out. Prefer an authenticator app or a hardware key over a code sent by SMS, since phone numbers can be ported or intercepted.

To further reduce security risks, you can also avoid using the admin account altogether. Most companies have a dedicated administrator account that no one uses unless it’s absolutely necessary to accomplish a certain task. Otherwise, they use their regular account on a daily basis. Keep the number of Global Administrators to a minimum and give everyone else the narrowest admin role that covers their job.
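As an added example (not from the guide), the script below lists who holds the Global, SharePoint and Exchange administrator roles and whether each of them has a second factor stronger than a password registered, then counts who is site collection administrator on how many sites. It uses the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell; the role names checked, the classification of SMS and voice as weak, and the tenant name are assumptions.

```powershell
#Requires -Modules Microsoft.Graph.Identity.DirectoryManagement, Microsoft.Graph.Identity.SignIns, Microsoft.Online.SharePoint.PowerShell
# Added example, not code from the guide. Tenant name, role list and the weak/strong
# classification of sign-in methods are assumptions.

Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "UserAuthenticationMethod.Read.All", "User.Read.All"

# Second factors that are not "something you know". SMS/voice still count as MFA but
# are the weakest form (SIM swap, interception), so they are reported separately.
$strong = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)
$weak = @('#microsoft.graph.phoneAuthenticationMethod')

$roleReport = foreach ($roleName in 'Global Administrator', 'SharePoint Administrator', 'Exchange Administrator') {
    # Get-MgDirectoryRole only lists roles that have been activated (have had a member).
    $role = Get-MgDirectoryRole -Filter "displayName eq '$roleName'"
    if (-not $role) { continue }
    foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $upn = $m.AdditionalProperties['userPrincipalName']
        if (-not $upn) { continue }   # groups and service principals have no UPN
        $types = Get-MgUserAuthenticationMethod -UserId $m.Id |
            ForEach-Object { $_.AdditionalProperties['@odata.type'] }
        $factor = if ($types | Where-Object { $_ -in $strong }) { 'strong MFA' }
                  elseif ($types | Where-Object { $_ -in $weak }) { 'SMS/voice only' }
                  else { 'PASSWORD ONLY' }
        [pscustomobject]@{ Role = $roleName; Admin = $upn; SecondFactor = $factor }
    }
}
$roleReport | Sort-Object SecondFactor, Role | Format-Table -AutoSize

# Site collection administrators across the tenant: the SharePoint answer to "what does
# this admin account have access to?". An account that is site admin almost everywhere
# is the credential an attacker most wants.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$siteAdmins = foreach ($s in Get-SPOSite -Limit All) {
    Get-SPOUser -Site $s.Url -Limit All -ErrorAction SilentlyContinue |
        Where-Object { $_.IsSiteAdmin } |
        Select-Object @{ n = 'Site'; e = { $s.Url } }, LoginName
}
$siteAdmins | Group-Object LoginName | Sort-Object Count -Descending |
    Select-Object @{ n = 'Admin'; e = { $_.Name } }, @{ n = 'SitesAdministered'; e = { $_.Count } } |
    Format-Table -AutoSize
```

Any row reading PASSWORD ONLY in the first table is the finding to fix the same day; in the second table, a daily-use account that is site administrator on dozens of sites is the sign that the dedicated-admin-account practice described above is not being followed.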

ShareGate Desktop lets you build and run reports that inspect and validate what’s shared with administrators and how. You can also take action in bulk to remove permissions if needed according to a criteria-based search.

Chapter ten: Mobile devices and synced content

Considering Microsoft’s clear “cloud-first, mobile-first” messaging, we’re inevitably going to see more and more users access their content from mobile devices. This presents a challenge from a security perspective since we don’t always have full control over these devices.

About 12,000 laptops are lost every week at U.S. airports alone, or approximately one every 50 seconds.[5]

Office 365 also introduced the ability to sync offline content with OneDrive for Business, making it even more difficult to enforce security policies. Combine that with the anytime, anywhere access that mobile devices enable, and you have yourself a recipe for sleepless nights worrying about security.

Of course, these features are very important for the organization to be flexible and keep up with the demands of our workforce today. They allow us to stay competitive, and turning them off globally is out of the question.

[5] https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/sophosdatasecurityreportwpna.pdf?la=en

There are simple ways to mitigate the risks, such as training users on how to use OneDrive for Business and how to properly access content from their mobile devices. A mandatory passcode on all mobile devices can go a long way to help prevent breaches. Microsoft Intune will also continue to play a big part in securing company devices.

IRM, or information rights management, is already available for Office 365 and allows you to add an additional layer of security at the document level. For example, it can allow you to prevent users from printing documents or forwarding emails from their mobile devices. Because the protection travels with the file, IRM-protected documents stay protected when synced with OneDrive for Business, making this a great solution for enforcing security policies on content that leaves the server.
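As an added example (not from the guide), the following PnP.PowerShell script lists every document library in a site with its sync and IRM status and, when run with -Apply, blocks offline sync on the libraries whose title matches a pattern, which is the HR case mentioned in this chapter. The site URL and the title pattern are assumptions; ExcludeFromOfflineClient is the list property behind the “Offline Client Availability” setting in Library settings.

```powershell
#Requires -Modules PnP.PowerShell
# Added example, not code from the guide. Site URL and title pattern are assumptions.
param(
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/HR",
    [string]$Pattern = 'HR|Payroll|Salar',   # library titles to treat as sensitive
    [switch]$Apply                           # without -Apply the script only reports
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# BaseTemplate 101 = document library; hidden system lists are skipped.
# ExcludeFromOfflineClient is the property behind Library settings > Advanced settings >
# "Offline Client Availability"; $true means the OneDrive sync client refuses the library.
$libraries = Get-PnPList -Includes ExcludeFromOfflineClient, Hidden, BaseTemplate, IrmEnabled |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

$libraries |
    Select-Object Title, @{ n = 'SyncBlocked'; e = { $_.ExcludeFromOfflineClient } }, IrmEnabled |
    Format-Table -AutoSize

foreach ($lib in $libraries | Where-Object { $_.Title -match $Pattern -and -not $_.ExcludeFromOfflineClient }) {
    Write-Warning "'$($lib.Title)' matches '$Pattern' but can still be synced offline"
    if ($Apply) {
        $lib.ExcludeFromOfflineClient = $true
        $lib.Update()
        Invoke-PnPQuery
        Write-Host "Blocked offline sync on '$($lib.Title)'"
    }
}
```

Blocking sync stops new copies; it does not remove files already sitting on laptops, which is where the IRM protection described above and device management take over.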

ShareGate Desktop can help by showing you which of your Office 365 document libraries have offline syncing enabled and allowing you to manage this setting in bulk. Although offline access in OneDrive for Business can be a very helpful feature, you might want to disable it in certain locations, such as HR libraries containing sensitive employee information.


Here’s a printable checklist of everything we covered.

- Establish an inventory of all your Office 365 content, including sites, groups, lists and libraries
- Verify and manage all user permissions in Office 365; grant access through groups, not to individual users
- Manage object permissions in your environment and ensure they are compliant with governance policies
- Verify and manage broken inheritance
- Create custom permission levels by copying the built-in ones, never by editing them
- When sites are created, ensure that permissions for Members groups are changed from Edit to Contribute
- Enable auditing where needed and run audit reports regularly
- Verify and manage external sharing
- Ensure administrator credentials are only given to trusted individuals and protected by multi-factor authentication
- Review which libraries can be synced offline and block sync for sensitive ones

Every business will eventually move to the cloud and adapt to it. That’s a fact. ShareGate helps with that. Our products help IT professionals worldwide migrate their business to the cloud, increase cloud adoption while reducing sprawl, and control cloud costs.

sharegate.com