SharePoint Online Security Best Practices

Efficient collaboration and secure data sharing form the backbone of enterprise success, and SharePoint is a common tool for both. Whilst some opt to host SharePoint within their boundary walls, most have migrated to the online version to utilize Microsoft’s cloud capabilities. In doing so, Microsoft takes the majority of responsibilities off the customer’s hands and helps secure their instance by handling backend maintenance, updates and patches.

Microsoft doesn’t, however, handle all configuration, and the responsibility for securing the data hosted within SharePoint still lies with the customer. In this post, we discuss best practices for finding the balance between security and usability.

User Access and Permissions

The starting point for any solution is to design how your users interact with the service and which permissions you grant to which roles. SharePoint Online is more accessible than the traditional on-prem solution (sitting behind a boundary). Because of this, it’s preferable to tailor access so that you don’t fall back to enabling “Everyone”.

Some organizations look to enable “Everyone” access by default; however, there is an unseen risk to this. If the access controls are misconfigured or weak, you may allow an attacker to gain access to internal data. Limiting access to specific users reduces the attack surface. By enabling all, you are allowing all “Entra ID identities”, which include service accounts. In most orgs, service accounts fall short of controls such as MFA because multiple users share them. This leaves them exposed to attackers.

Find these settings under `Site Permissions` in Site Settings, and be sure to validate the granted access. There’s more to review than site access, however.

Administrator Roles

Based on the principle of least privilege, we recommend granting default admin access only to those who need it. This reduces the attack surface.

Continuous Review

Access reviews should be in place so that unexpected access isn’t granted by accident. Your SharePoint admins should regularly review permissions at the group layer to ensure everything is in order.

Securing User Access

Whilst we limit “who” accesses SharePoint, this isn’t enough. Implement user or device state controls to validate their credentials and their current risk. Implement this using Entra ID’s Conditional Access policies.

Enabling MFA is recommended; however, review some further considerations. These include:

  • Location
  • Device platform
  • Device compliance
  • User risk (requires an Entra ID P2 license)

Device Access Policies

Many organizations have moved to Intune-managed devices, either directly or migrated from SCCM. For those who have full control of their workstations, access policies may be worth enabling. SharePoint Online offers customers the ability to prevent or limit how unmanaged devices interact with the data.

The diagram below shows how using these in parallel with conditional access can provide strong data security.

Find these settings in the SharePoint admin center under `Access control`.


External Sharing

Because SharePoint is a collaboration tool, there is an expectation that users will share their files with others. Whilst this may reduce the need to share multiple copies of the same file, it does bring risk. It wouldn’t make sense for SecOps or Governance to sign off on whether each file can be shared, so they should instead focus their efforts on defining high-level policy. In this circumstance, that policy is “who” users can share data with.

Microsoft offers a few options:

Unfortunately, there is no “best practice” that fits all, as business requirements differ. For some organizations, external sharing within SharePoint may be a requirement, so for them existing guests may be their secure option. Aim to move closer to the bottom whilst still allowing collaboration. Remember, being too strict may force your users to use other ways to share data. Working out the business requirements and baselining risk highlights your best solution.

Read more: https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview 

Find these settings in the SharePoint admin center under `Policies` > `Sharing`.
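
The same settings can be read from PowerShell. The following read-only audit is an added example, not part of the original post; it covers both the unmanaged-device setting under `Access control` and the sharing level discussed above. The admin URL is a placeholder and the "existing guests" baseline is an assumed policy, so substitute your own.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and SharePoint admin rights. Nothing here changes tenant configuration.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant
$Baseline = 'ExistingExternalUserSharingOnly'        # assumed policy: existing guests only

# SharingCapability values, ordered from most restrictive to most permissive
$Rank = @{
    Disabled                        = 0   # only people in your organization
    ExistingExternalUserSharingOnly = 1   # existing guests
    ExternalUserSharingOnly         = 2   # new and existing guests
    ExternalUserAndGuestSharing     = 3   # anyone (anonymous links)
}

Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant
[pscustomobject]@{
    TenantSharing         = $tenant.SharingCapability
    # AllowFullAccess | AllowLimitedAccess | BlockAccess
    UnmanagedDeviceAccess = $tenant.ConditionalAccessPolicy
}

if ($Rank["$($tenant.SharingCapability)"] -gt $Rank[$Baseline]) {
    Write-Warning "Tenant sharing ($($tenant.SharingCapability)) is more permissive than the baseline ($Baseline)."
}
if ("$($tenant.ConditionalAccessPolicy)" -eq 'AllowFullAccess') {
    Write-Warning 'Unmanaged devices have full access; no restriction is set under Access control.'
}

# A site's effective sharing is capped by the tenant setting,
# but individual sites can still sit above the baseline.
Get-SPOSite -Limit All |
    Where-Object { $Rank["$($_.SharingCapability)"] -gt $Rank[$Baseline] } |
    Sort-Object { $Rank["$($_.SharingCapability)"] } -Descending |
    Select-Object Url, SharingCapability, Owner
```

The site list that comes back is the review queue: each entry either needs a documented business reason or should be brought down to the baseline.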

Data Loss Prevention Policies

Whilst sharing policies may restrict where the data goes, they don’t fully secure the data. For those wanting more, data loss prevention (DLP) policies under Microsoft Purview help. DLP policies not only enforce your data governance policies but also alert on suspicious activities (under certain criteria). This gives better visibility into how users are sharing and interacting with sensitive data.

Whilst Purview DLP policies aren’t limited to SharePoint, it should be a main focus. Design how your organisation wants to run DLP before enabling it. DLP is hard to get right, so below are a few helpful references.

Microsoft offers guidance here: https://learn.microsoft.com/en-us/purview/dlp-policy-design 

Once you have your DLP design, start to enable and test out “policies”.

To create policies follow: https://learn.microsoft.com/en-us/purview/dlp-create-deploy-policy

For the full read, visit: https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp

Data Encryption (Transit and at Rest)

Encryption always needs to be reviewed when dealing with data security. With O365 (which includes SharePoint Online), Microsoft enables encryption by default to help secure customer data.

Whilst this may be easy to brush over given it’s “always on”, it should be noted in your high-level documentation. In summary, Microsoft handles encryption in transit and at rest by using the following:

  • In Transit: between the customer and the (Microsoft) data center, and between (Microsoft) servers and (Microsoft) data centers
  • At Rest: BitLocker (all data on disk) and per-file encryption

Audit Log and Reporting

For many, auditing and reporting is standard practice; however, it’s still important to review what you are logging from SharePoint Online and how you are using this data. Ingesting everything into your SIEM may be the first step, but how will this be used to alert on non-compliant or malicious activity?

To note, Microsoft has changed the way SharePoint Online auditing is enabled, so it’s important to review the change. A good article to read: https://support.microsoft.com/en-us/office/configure-audit-data-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2

To turn on auditing, navigate to: https://compliance.microsoft.com/auditlogsearch and see if it’s enabled. If it’s not, you should see the blue banner:

Once enabled, return to the same portal and filter activity by SharePoint Online. Here you can review the “types” of logs that are being recorded.
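
To turn those logs into something reviewable, the sketch below (an added example, not from the original post) confirms that audit ingestion is on and then pulls recent SharePoint sharing events from the unified audit log. The seven-day window, the two operations chosen and the output file name are assumptions to adjust.

```powershell
# Added example. Requires the ExchangeOnlineManagement module and
# permission to search the audit log.
Connect-ExchangeOnline

# Confirm ingestion is enabled before trusting an empty result.
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning 'Unified audit logging is not enabled for this tenant.'
    return
}

$Days = 7   # assumed review window
$records = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations AnonymousLinkCreated, SharingInvitationCreated `
    -ResultSize 5000   # maximum per call; page with -SessionId for larger sets

# AuditData is a JSON string; flatten the fields a reviewer needs.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        Site      = $d.SiteUrl
        Item      = $d.ObjectId
        ClientIP  = $d.ClientIP
    }
}

# Per-user totals show who shares externally most often.
$events | Group-Object User, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Keep the detail for follow-up or SIEM comparison (file name is an assumption).
$events | Sort-Object Time | Export-Csv -NoTypeInformation -Path .\spo-sharing-events.csv
```

If your sharing policy disallows anonymous links, any `AnonymousLinkCreated` record in the output is a policy exception worth alerting on.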

Other Considerations

While these are the most common configuration items to consider, the list doesn’t stop there. Review a few more areas, such as:

Review of Retention Policies

A critical but often overlooked aspect of data security involves the duration of data retention. Implementing proper retention policies mitigates risks associated with data leaks or breaches. Locate these settings in SharePoint Online under the ‘Information Governance’ section of the Security & Compliance Center. Regularly review and adjust these policies to ensure that you do not retain data longer than necessary, thereby reducing potential vulnerabilities.

Implementation of Sensitivity Labels

Sensitivity labels play a pivotal role in data classification and protection within SharePoint Online. These labels categorize data based on its sensitivity and automatically apply corresponding access controls. Organizations using sensitivity labels effectively prevent the inadvertent sharing of sensitive information. Set up these labels in the Microsoft 365 compliance center, specifically under the ‘Information Protection’ section.

Integration of Information Rights Management (IRM)

Lastly, integrating Information Rights Management (IRM) significantly enhances document security. IRM controls the actions that users may perform on documents downloaded from SharePoint libraries. It enforces restrictions on printing, copying, or modifying documents, providing an additional layer of protection. Configure this feature in the library settings of each SharePoint site.

SharePoint Online is a critical solution for Microsoft, and they continuously work on improvements. To stay updated, visit the Microsoft SharePoint Tech Community Blog: https://techcommunity.microsoft.com/t5/microsoft-sharepoint-blog/bg-p/SPBlog.

Thanks for following SharePoint Online Security Best Practices. We hope we have added some points to follow for the security of your SharePoint.


Ashley Moran

I am a seasoned Security Engineer with several years of experience, primarily in the healthcare industry.
