Tagged: SharePoint
Safe attachments and links to protect your Office 365 collaboration
In this post I describe how you can configure safe attachments and safe links in Microsoft Office 365 Advanced Threat Protection (ATP) to make your communication and collaboration a more secure. It is for your Office 365 workloads (SharePoint Online, OneDrive for Business, Exchange Online and Microsoft Teams).
Please note, that is is just one of many measures to secure your communication and collaboration in Microsoft Office 365. This is only a single part – well, two capabilities – of a more holistic and required security architecture concept. Moreover, the below description, configuration etc. might change anytime and is just an example, demo piece.
Basics
Let me describe it as follows short and simplified:
What are Safe Links?
Safe Links are (hyper)links/urls which are pre-checked (in a sandbox) before a user opens the link. This “pre-check” is built to check if the website behind the link is ok or might be bad, start to download malware or something else which might harm your system/s.
What are Safe Attachments?
Safe Attachment[s] is a feature which checks attachments and tries to detect if it is malicious.
Requirements
You need a subscription which includes Microsoft [Office] 365 Advanced Threat Protection (ATP).
To configure this your administrative Office 365 account must have the global admin, security admin or Exchange Online Organization Management role assigned.
Configuration overview and walk-through
For both, you can start at https://security.microsoft.com/securitypolicies in the Microsoft 365 Security portal.
The following screenshots depict what I configured, so you can of course configure it another way depending on your needs and requirements.
1 Open https://security.microsoft.com/securitypolicies
2 Policies
3 + 4 Configure each (ATP safe attachments + ATP safe links)
ATP Safe Attachments
1 Enable ATP for SharePoint, OneDrive and Teams
2 Save it, to enable it
3 Protect attachments – create a new safe attachments policy
1 + 2 Give it a name + description
3 Configure handling
4 + 5 Enable redirect of potentially maliciouse attachements to another mail [don’t use a usual mailbox, create a “dumpster mailbox” just for that purpose]
6 Configure condition/s / exception/s
7 Save it
Validate input and check if the policy is enabled and the priority fits in case you create several policies.
ATP Safe Links
1 Configure the default Safe Links organization policy
2 Create Safe Link policies for specific recipients
1 Enable it for all Office 365 Apps, … iOS and Android
2 Configure “reporting” + handling
1 + 2 Give it a name + description
3 Turn it on
4 Enable real-time scanning for URLs including content for download
5 Enable it internally, too
6 Configure “reporting”
7 Enable – disables users to click the original URL from the warning page if it is blocked
1 Configure condition/s / exception/s
Validate input and check if the policy is enabled and the priority fits in case you create several policies.
Finally, test and verify your configuration. Regularly take a look into your security reports to enhance your configurations. Plus, don’t forget from time to time to check out what has changed to keep your security configurations always at a current level.
Conclusion, opinion and summary
Safe Links and Safe Attachments are very helpful features in Microsoft Office 365 to make your communication and collaboration more secure regarding sending/receiving links and attachments. These two features are options to increase your security setup with Office 365. I think it might be a good idea to enable it if you do not yet have something like this in place already.
Although it makes links and attachments safe[r] there are more and more advanced/intelligent threats and approaches available to trick and compromise users and systems. So, admin and user security awareness is also essential although you can get rid of many threats with a holistic security architecture and technical solution or service implementations.
Additional resources
B2B Sync with OneDrive for Business and SharePoint Online
In this post I like to highlight a highly handy feature update “B2B sync” regarding Microsoft OneDrive for Business for “inter-org collaboration”.
B2B sync enables users to sync not only OneDrive for Business and SharePoint Online data of their organization but of other organizations, too! This means that your collaboration experience becomes much better because if you are a guest of an external Team, which is of course hosted in another Office 365 tenant, you’ll be able to sync files from this SharePoint Online, too.
Conclusion, opinion and summary
I like this feature because this enables you to have much more synced data exchange and collaboration with external parties also having Office 365 incl. SharePoint Online and OneDrive for Business. So, you do not need to down-/upload files via browser.
Additional resources
- B2B Sync [Microsoft Roadmap Item ID 33413]
- SharePoint and OneDrive integration with Azure AD B2B (Preview)
- B2B Sync [How-To, requirements, configuration …]
- SharePoint Roadmap Pitstop: July 2019
Speaking at abtis Microsoft Bustour 2019
Soon, I’ll speak at the Microsoft Germany HQ in Munich (09/07/2019). The event and speakers cover different topics all around the digital future, e.g. modern teamwork, interactiv conferencing systems, AI, bots, big data/analytics, hybrid data center. The event is organized by abtis and Microsoft. It’s really extraordinary because attendees and speakers not located in Munich will travel by bus to Microsoft Munich and can take the chance to ask and discuss during the time in transit.
I’ll talk about digitize and automate processes. My session “Prozesse digitalisieren und automatisieren” is about Microsoft Flow, SharePoint Online and Office 365. I’ll focus on Microsoft Flow to automate processes and I show a demo to provide an understanding of what Flow can do for you to easily digitize and automate processes.
Additional Resources
Automatically mount SharePoint Team Site Libraries for OneDrive sync in File Explorer
Microsoft rolls out a new capability which enables administrator to automatically mount / add a specific SharePoint Team Site Library being synced for users (cp. M365 Roadmap).
Configure SharePoint Team Site Libraries Auto-mount
To configure the auto-mount you need to configure a group policy which configures the users OneDrive sync settings. (cp. link “Configure team site libraries to sync automatically”)
Prereqs, requirements and limitations
Please note that there are certain prereqs, requirements and limitations before you can start.
- Windows 10 1709 or later
- Library must have below 5000 files/folders.
- Not for 1000+ devices
- Sync is applied next time the user signs in but it can take some time until the sync starts.
- A user cannot stop the sync.
- You need the OneDrvie GPO Template (OneDrive.adml, ..admx) in your central GPO store (e.g. erik-klefeldt.de\sysvol\domain\Policies\PolicyDefinition) …
- This might be subject to change (June 2019).
Configuration steps overview
- Create a new GPO
- Configure the GPO based on your needs, applied to a OU and add WMI-filtering for a more granular scoping, if needed
- Add the SharePoint Team Site Library ID to the GPO
- Verify that the GPO is applied
- (Verify the reg key [HKCU\Software\Policies\Microsoft\OneDrive\TenantAutoMount]”LibraryName”=”LibraryID”)
- Verify that it syncs on the devices
Conclusion, opinion and summary
Easy to configure, isn’t it? In my opinion it might help you to move and simplify a migration from legacy files shares to SharePoint Online. It enables you as administrator to manage a smooth transition from file shares/services towards SharePoint Online and really adds a convenient way and comfortable user experience because your users do not need to manually add the library to their OneDrive sync and “map” the SharePoint Online Team Site Library on their device.
