Friday, December 8, 2017

Better security defaults for Office 365 Groups and document collaboration

image

After working with Office 365 Groups for a while now and helping customers tailor their Office 365 Groups, I have developed a mantra I call Better Defaults. This involves exchanging default settings for more sensible ones – at least in my opinion.

One of the strengths of a SharePoint site is the ability to set very granular permissions. This security strength is also a pain for end-users. Over the years teaching classes and helping customers, getting to grips with AD groups, SharePoint Security groups, permission levels, and all the places you can set them is one of the top three hardest topics. When you tack the simple owner/member permission structure of an Office 365 Group on top of a SharePoint site, it does not help the confusion.

In this post I’ll offer two tips for better defaults regarding content access, one for public groups and one for private groups.

Public Office 365 Groups

By default an Office 365 Group Owner is a site owner, while the members are, well they are site members. This means they have contribute permissions and can author new documents and pages. However, if you take a look at the permission settings in the site, you see that Everyone except external users also have contribute access. So from a document collaboration point of view it doesn’t matter if you are an explicit member or not. As long as you are a company employee, you can throw your stuff around this public group :)

image

My preferred better default for a public group is to make the everyone group visitors instead of members. The group is public, members can author content, and everyone else can view the content. If someone outside of the group members need to co-author, they should either be added as members or you can give them edit rights by sharing the items/folder in question.

Tip: Make Everyone except external users visitors in the site

image

Private Office 365 Groups

When you create a private Office 365 Group only explicit owners and members have access to the group site. This makes perfect sense as the reasoning behind a private group is usually to keep it closed and only accessible to the members. Most likely you have sensitive content which you don’t want shared outside of the group.

And this brings us over to the second tip of sensible defaults. In a private group, the default setting allows any member to share a document outside of the members of the group. However only a few clicks away a SharePoint site has a setting for how to handle access requests.

Home –> cog wheel –> Site permissions –> Advanced permissions settings

(/_layouts/15/setrqacc.aspx at the end of your URL to access it directly)

image

If you look at the default settings you see members of the site can share the site or individual files, or add other users in your company as site members. This means that any member can give out access without the group owners knowing. It’s still traceable, but probably goes against the reasoning why the group was private in the first place.

What you want to do is uncheck the two top boxes. If a member now tries to share a file, the owner (or e-mail specified) will receive an e-mail specifying that a member wanted to share a file with someone.

The owner then has the option to accept or decline the sharing request.

image

If you want to block sharing all together, uncheck the third checkbox as well. Note that not all sharing UI’s give an indication that sharing is not allowed.

Tip: Disable the ability for members to share items from the site. Or at least have the owner approve such requests.

Summary

You might not agree with the default settings in an Office 365 Group site, and want to change them according to your own business rules. This is indeed possible if you take control over how Office 365 Groups are created. In order to take control you probably need to enlist your favorite Office 365 partner to help you do the right thing.

Do you have any other better default tips?