Conditional Access Policies with SharePoint Online and OneDrive for Business
The days of the corporate boundary beginning at the firewall are over, today’s corporate boundary is the end user. Connectivity is ubiquitous and with an endless number of devices available, people have an increasing number of options for staying connected at anytime, anywhere.
The freedom to work fluidly, independent of location has become an expectation as has the freedom to access email and documents from anywhere on any device—and that experience is expected to be seamless. However, data loss is non-negotiable, and overexposure to information can have lasting legal and compliance implications. IT needs to make sure that corporate data is secure while enabling users to stay productive in today’s mobile-first world, where the threat landscape is increasingly complex and sophisticated.
SharePoint Online and OneDrive for Business are uniquely positioned to respond to today’s evolving security challenges. As a first step to providing administrators security and control in a mobile and connected world are conditional access policies. Conditional access provides the control and protection businesses need to keep their corporate data secure, while giving their people an experience that allows them to do their best work from any device. Conditional access policies with SharePoint and OneDrive allow administrators define policies that provide contextual controls at the user, location, device, and app levels.
In January we made available to First Release Tenants location-based policies which allow administrators to limit access to content from defined networks. These policies ensure content can only be access when someone is connected to the defined network, denying access outside of that boundary – whether the content is access via a browser, application, or mobile app.
Configuring Location-Based Policies
To configure location-based policies:
Navigate to the SharePoint Admin Center in Office 365 and select device access from the list of available options (see illustration).
On the Restrict access based on device or network location page navigate to Control access based on network location and specify a range of allowed IP addresses (see illustration).
In scenarios where an administrator has also configured Azure Active Directory Premium (AADP) to restrict location access by IP network range, this policy is prioritized, followed by the SharePoint policy; however, the specified ranges should not be in conflict of one another. To learn more about conditional access in Azure Active Directory see https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access.
Conditional access policies are just one of a broad array of features and capabilities designed to make certain that sensitive information remains that way, and to ensure that the right people have access to the right information at the right time. To learn more about how Office 365 safeguards your data while increasing employee productivity see https://www.microsoft.com/en-us/trustcenter/cloudservices/office365.
Q: Is location-based policy limited to SharePoint Online and OneDrive for Business?
A: Location-based policy, as configured through the SharePoint Admin Center are limited to SharePoint Online, OneDrive for Business, and Groups.
Q: Is location-based policy available to E3?
A: Yes. Location-based policy is available to E3 Tenants?
Q: Does location-based policy require Azure Active Directory Premium?
A: No, location-based policy does not require Azure Active Directory Premium.
Microsoft Flow: Creating Team Flows
By the Microsoft Product and Advisory Team
Create a team flow by specifying one or more other people in your organization as owners, who can perform these actions:
- View the flow’s history (that is, each run).
- Manage the properties of the flow (for example, start or stop the flow, add owners or update credentials for a connection).
- Edit the definition of the flow (for example, add or remove an action or condition).
- Add and remove other owners (but not the flow’s creator).
- Delete the flow.
If you are the creator or an owner of a flow, you will find it listed on the Team flows tab of the Microsoft Flow portal. Team flows are also tagged with Team Flow, so you can easily find them among your other flows on the My flows tab of the Microsoft Flow portal:
Owners can use services in a flow but not modify the credentials for a connection that another owner created.
To create a team flow or add/remove an owner from a team flow, you must have a paid Microsoft Flow plan and be the creator or an owner of a flow.
Follow these steps to create a team flow or to add more one or more owners to a team flow.
- Sign in to the Microsoft Flow portal, and then select My Flows.
- Select the people icon for the flow that you want to modify:
- Enter the name, the email address, or the phone number of the person or group that you want to add as an owner:
- In the list that appears, select the user whom you want to make an owner:
The user or group that you specified becomes an owner of the flow:
Congratulations — your team flow has been created!
If you remove an owner whose credentials are being used to access one or more services in the flow, you may need to update the credentials for those services so that the flow continues to run properly.
- Select the people icon for the flow that you want to modify:
- Select the Delete icon for the owner that you want to remove:
- In the confirmation dialog box, select Remove this owner:
- Congratulations — the user or group that you just removed is no longer listed as an owner of the flow:
Connections used in a flow fall into two categories:
- Embedded — These connections are used in the flow.
- Other — These connections have been defined for a specific flow but aren’t used in it.
If a connection is no longer being used in a flow, that connection will appear in the list of Other connections, where it remains until an owner includes it in the flow again.
The list of connections appears under the list of owners in a flow’s properties:
All organizations, regardless of size and industry, have data that they consider sensitive. Data Loss Prevention (DLP) is an important capability for protecting this information from getting into the wrong hands. We are always looking to enhance the DLP solution in Office 365 to help meet this organizational need. Today, we are pleased to announce a single management experience for DLP policy creation and reporting across Exchange Online, SharePoint Online and OneDrive for Business. In addition, we are introducing enhancements to the DLP data delivered via the Management Activity API.
Unified policy creation
To date, IT admins have managed DLP for Exchange Online via the Exchange admin center (EAC), while managing DLP for SharePoint Online and OneDrive for Business from the Office 365 Security and Compliance Center. Now admins can create a single DLP policy in the Office 365 Security and Compliance Center that covers Exchange Online, SharePoint Online and OneDrive for Business. The unified DLP platform allows organizations to manage multiple workloads from a single management experience, reducing the time required to set up and maintain security and compliance within your organization.
Apply a single policy to protect across Exchange Online, SharePoint Online and OneDrive for Business.
These changes do not impact any existing policies created via the EAC, and you will still be able to create new email DLP policies in the EAC. However, we recommend you check out the new DLP management experience in the Office 365 Security and Compliance Center, as this is where you’ll see new capabilities show up in the future.
Along with unified policy creation, we also now provide a single location to view reports for your DLP policies across Exchange Online, SharePoint Online and OneDrive for Business. This makes it easier to understand the business impact of your DLP polices and uncover actions that violate policies across multiple workloads.
Report that shows DLP policies matches from Exchange Online, SharePoint Online and OneDrive for Business.
DLP events in the Activity Management API
Lastly, based on customer feedback, we are providing additional details for DLP events published via the Activity Management API. The Activity Management API enables organizations to connect DLP event data from Office 365 with third-party tools, such as a security information and event management (SIEM) system. Now event details provided via the Activity Management API will contain the same data as the alerts generated in Office 365 to notify IT admins when a DLP event occurs. This data requires separate permissions in Azure AD called, “Read DLP policy events including detected sensitive data,” which an admin can grant.