What’s new in Security and Compliance in SharePoint, OneDrive, and Teams – Ignite 2021 Announcements
This post was originally published on the Microsoft SharePoint Blog.
The security and compliance landscape continues to evolve as more organizations look to digitally transform while their digital estate continues to exponentially grow. Safeguarding people and the tools/devices they use to stay connected, get work done, and thrive in today’s hybrid environment is critical. Microsoft runs on trust. We continue to innovate and offer you a comprehensive approach to cybersecurity, privacy, compliance, and management.
Today at Microsoft Ignite 2021 we are thrilled to announce the following new security, compliance, and administration/management capabilities in SharePoint, OneDrive, and Teams.
Here is what’s new in:
- Secure internal and external collaboration
- Secure access with contextual and continuous policy evaluations
- Comprehensive compliance
- Administration experience and management scenarios
Control default sharing link types with sensitivity labels – General Availability
In the Spring Ignite’21 announcement, we announced Microsoft Information Protection (MIP) labels-based external sharing policies. We are now extending that support to simplify the default sharing experience for internal and external collaboration. Today, we are excited to announce the general availability of sensitivity labels-based default sharing link types for SharePoint sites.
For example, if a team or site is labelled Confidential, you could configure the default sharing link type to be “Specific People” and ensure users select specific people to collaborate with instead of a broader audience. On the other hand, if a team or site is labelled General, you could configure the default sharing link type to be “Anyone link” and allow open collaboration in that team or site.
To learn more about this feature, check out the product article here.
Auto labeling enhancements for Office documents in SharePoint and OneDrive - General Availability
A year ago, we announced the auto labeling capability that empowers administrators to create rules to detect sensitive files in their corpus and then automatically label them, targeting specific SharePoint Sites or OneDrive accounts. For example, if a file contains 10 credit card numbers, then label it as Confidential.
We are taking the auto labeling capability a step further: today we are thrilled to announce auto labeling enhancements that enable administrators to create auto labeling policies targeting all OneDrive accounts and SharePoint sites within their organization. This includes files that are created or uploaded through Teams. This is a big step forward in terms of scale, ease of use for administrators, and, most importantly, completeness, i.e., detecting your sensitive documents no matter where they reside in Microsoft 365.
We have also improved the simulation experience such that it is predictable and intuitive. For example, you will be able to create an auto labeling policy and get a simulation result in a few hours with sample files that match the policy, instead of waiting for a complete list of files that meet the policy criteria.
To learn more about these enhancements, check out our product article here.
SharePoint Syntex support for Sensitivity Labels – General Availability
SharePoint Syntex uses advanced AI and machine teaching to amplify human expertise, automate content processing, and transform content into knowledge. Now, it also can detect sensitive content and automatically label the content to protect it from unauthorized access by applying labels-based policies such as encryption.
Today, we are excited to announce that SharePoint Syntex support for Sensitivity Labels is Generally Available. When you create a Syntex model, you can now pick the appropriate sensitivity label that your organization has published to you to auto label the documents and protect them with the appropriate security policies.
For example, as Tax Forms content is automatically processed and extracted by Syntex, the documents identified as Tax Forms are labeled Confidential. The encryption policy associated with the Confidential label then protects those Tax Forms documents.
For more details on this feature, learn more here.
Data access governance in SharePoint and OneDrive - Public Preview
Using sensitivity labels, you can classify all your digital assets in SharePoint, OneDrive, and Teams. However, you may wonder how to ensure the right labels and security policies are set for the sites that matter the most in your organization. As external collaboration becomes the norm in your organization, you may also wonder how to avoid oversharing or accidental sharing of sensitive sites. Look no further: admins can now use the data access governance insights dashboard in the SharePoint admin center to monitor external sharing activity and label/policy settings for the sites that matter the most.
At last year’s Ignite, we introduced this roadmap feature. Today, we are happy to announce that the data access governance feature is in public preview. These insights allow you to: a) discover your top sites, i.e., the sites with the greatest number of sensitive documents or with the most content shared using anyone links or company shareable links, b) validate that they have appropriate sensitivity labels and access policies for your security posture, and c) tailor the labels and policies as needed.
Interested in learning more? Check out the product article here.
Co-authoring and autosave on Office documents encrypted with MIP (Microsoft Information Protection) – General Availability
In the Spring Ignite’21 announcement, we shared with you that co-authoring and autosave on Microsoft Information Protection (MIP) labelled and encrypted documents was available in Preview. In Sep'21 we announced that co-authoring and autosave on Office documents encrypted with MIP is Generally Available for Windows and Mac. See the feature’s blog post here for details.
Just like with regular Office documents, two or more users can co-author an encrypted Office document, be it a Word, Excel, or PowerPoint document, hosted in SharePoint or OneDrive and enjoy modern productivity while the security posture of the document remains intact.
To learn more about this capability, check out the product article here.
Secure sensitive sites with Labels-based Granular Conditional Access Policies (GCAP) – Public Preview
Zero trust is the security norm these days, and gone are the days when users were expected to VPN (Virtual Private Network) in to access corporate data. Also, the number of sensitive sites is growing in organizations as they digitally transform their business. Tailored, least-privileged access to sensitive sites is crucial to avoid leakage.
To help you secure sensitive sites, today we are announcing Microsoft Information Protection (MIP) labels-based granular conditional access policies (GCAP) for SharePoint and OneDrive Sites in Public Preview. Administrators can now create sensitivity labels that can be associated with the granular conditional access policies in Microsoft 365 Compliance Center. You can then associate these labels with sites that have or intend to have sensitive content.
For example, let us assume that in Azure Active Directory your directory administrator has created two policies: ‘Single factor authentication’, which requires single-factor authentication such as password authentication, and ‘MFA authentication with IP’, which requires multi-factor authentication (MFA) such as OTP (one-time passcode) verification plus an IP network location policy. You can then associate these granular conditional access policies with MIP sensitivity labels in the Microsoft 365 Compliance center: the ‘General’ label requires the ‘Password authentication’ policy, whereas the ‘Confidential’ label requires the ‘MFA authentication with IP’ policy. For sensitive sites, users just need to apply the ’Confidential’ label and the appropriate security policies are automatically enforced.
Users remain productive without interruption; only when they access sensitive sites that require additional security policies are they prompted on demand for additional verification.
To learn more about this feature, check out the product article here.
Continuous Access Evaluation (CAE) in SharePoint and OneDrive – General Availability
One of the core principles of Zero Trust is to verify explicitly, i.e., always authenticate and authorize based on all available data points such as user identity state, IP address and location, device health, and so on. With conditional access policy support we advanced the authorization scenarios in SharePoint, OneDrive, and Teams such that, for example, a sensitive site is accessible only from a managed device.
We are taking our authorization journey one step further with continuous evaluation of the conditions under which users access the content. For example, if you disable a user’s account in the directory for whatever business reason, then the user’s access to content in Microsoft 365 is revoked in near real time instead of waiting on session expiration. This is made possible with Continuous Access Evaluation (CAE).
Today, we are thrilled to announce General Availability of Continuous Access Evaluation (CAE) support in SharePoint and OneDrive. Security-centric events such as a user account being disabled in the directory, a user’s password being changed, a user’s session being revoked, or MFA (multi-factor authentication) being enabled for a user account are all honored in near real time in SharePoint and OneDrive. The IP address conditional access policy is also continuously evaluated.
For example, let us assume you have configured an IP address network policy in Azure Active Directory so that users are allowed access only from within your corporate IPs. A user is authenticated and is accessing a SharePoint site from within the corporate office. When the user travels to a coffee shop and tries to continue accessing the site, they are denied access in real time. This is Continuous Access Evaluation (CAE) in action in SharePoint and OneDrive.
We will continue to add more events, such as changes in user account risk, in the near future; stay tuned.
To learn more, check out the product article here.
Information Barriers Enhancements – Modes, Insight cards, and more - General Availability at the end of CY21
Insider trading continues to be top of mind for highly regulated industries. For example, in the financial vertical, FINRA-like compliance regimes require organizations to show that controls are in place to prevent and control insider trading. Microsoft 365 Information Barriers is the solution for this business compliance need. It is designed to help you segment your users according to your business compliance needs and restrict collaboration and communication between the segmented users in SharePoint, OneDrive, and Teams.
We continue to innovate in the information barriers journey, and today we are thrilled to announce the general availability of three Information Barriers enhancements.
First, we are simplifying information barriers policy adoption with the concept of Information Barriers Modes. You simply set the Information Barriers Mode for a given site or team and the appropriate restrictions apply automatically; there is no need to manage segment associations for a site or team unless you need to. There are four modes: Open, Implicit, Owner Moderated, and Explicit. To learn more about these modes, check out our product documentation here.
Second, we are introducing information barriers insight cards in the SharePoint Admin Center. As the picture below shows, you get a compiled view of what percentage of SharePoint sites and OneDrive accounts in your organization are information barriers enabled, and with which segments.
Third, one of the most frequent pieces of feedback we heard from you was to offer the ability to enforce Microsoft 365 Group or Team membership when allowing access to the corresponding SharePoint site. We are happy to share that with the introduction of Implicit mode we are now bringing that capability to SharePoint sites. For example, if you have an Investment Banker Team and its associated SharePoint site is set to information barriers mode Implicit, then only the users who belong to that Team or Microsoft 365 Group are allowed to access the associated SharePoint site.
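As an added example (not from the original post or Microsoft's documentation), the Implicit-mode scenario above expressed in the SharePoint Online Management Shell, plus a quick audit of group-connected sites that are still Open. It assumes that Set-SPOSite and Get-SPOSite expose an -InformationBarriersMode parameter and matching property in your module version; the tenant and site URLs are placeholders.

```powershell
# Added example, not part of the original post. Assumed cmdlet surface:
# Set-SPOSite/Get-SPOSite with -InformationBarriersMode (verify against your module).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder admin URL

# Restrict the Investment Bankers team site to members of its Team / Microsoft 365 Group.
$site = "https://contoso.sharepoint.com/sites/InvestmentBankers"  # placeholder site URL
Set-SPOSite -Identity $site -InformationBarriersMode Implicit

# Confirm the mode took effect on that site.
Get-SPOSite -Identity $site | Select-Object Url, InformationBarriersMode

# Audit: group-connected (Teams) sites whose mode is still Open and therefore
# do not enforce group membership for site access.
Get-SPOSite -Limit All -GroupIdDefined $true |
    Where-Object { $_.InformationBarriersMode -eq "Open" } |
    Select-Object Url, Title, InformationBarriersMode |
    Sort-Object Url
```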
To learn about these enhancements in detail, check out our product article here.
Channel Sites Management in SharePoint Admin Center – General Availability at the end of CY21
We continue to innovate and simplify the administration experience for SharePoint and OneDrive. We recently released many insight cards on the SharePoint Admin Center home page. Today, we are thrilled to announce the general availability of channel sites management in the SharePoint Admin Center, with rollout starting at the end of CY21.
As the usage of Teams becomes ubiquitous, the number of team-connected and channel-connected sites in SharePoint grows in organizations. We heard your feedback asking for a simple way to discover and manage these sites. With this new experience you have a collective view of all sites that are associated with a Team and its channels, as the picture below shows. You can also easily view the settings and policies that are configured for the Team and the channel sites.
To learn more about this experience, we will be updating our product article here towards the end of CY21.
SharePoint Tenant Rename – Public Preview
One of the top asks for SharePoint management was the ability to rename the SharePoint domain, i.e., the tenant’s URL, for example from contoso.sharepoint.com to fabrikam.sharepoint.com. Today, we are excited to announce that SharePoint support for Tenant Rename is here, in public preview. If your tenant has fewer than 1K SharePoint sites and OneDrives in total, you can take advantage of this capability.
We are looking to expand support to tenants that have more than 1K total SharePoint sites and OneDrives in the near future; we will keep you posted.
There are many reasons you might need to rename your tenant’s SharePoint URL: your company’s brand name has changed, your organization went through a merger or divestiture, etc. Using SharePoint Online PowerShell, you can now trigger the URL rename for your tenant.
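As an added example (not from the original post or Microsoft's documentation), the rename procedure above in SharePoint Online PowerShell: count sites and OneDrives against the 1K preview limit, dry-run the rename with -WhatIf, and show how to schedule and track it. It assumes the Start-SPOTenantRename and Get-SPOTenantRenameStatus cmdlets with the -DomainName and -ScheduledDateTime parameters; tenant names are placeholders.

```powershell
# Added example, not part of the original post. Assumed cmdlets: Connect-SPOService,
# Get-SPOSite, Start-SPOTenantRename, Get-SPOTenantRenameStatus (verify in your module).
$AdminUrl     = "https://contoso-admin.sharepoint.com"   # placeholder admin center URL
$NewDomain    = "fabrikam"                               # new <name>.sharepoint.com prefix
$ScheduledFor = (Get-Date).AddDays(2)                    # future date/time for the rename

Connect-SPOService -Url $AdminUrl

# The preview supports tenants with fewer than 1K SharePoint sites and OneDrives in
# total, so count both (IncludePersonalSite pulls the OneDrive sites too).
$sites     = @(Get-SPOSite -Limit All -IncludePersonalSite $true)
$oneDrives = @($sites | Where-Object { $_.Url -like "*-my.sharepoint.com/personal/*" })
$total     = $sites.Count
Write-Host ("SharePoint sites: {0}  OneDrives: {1}  Total: {2}" -f `
    ($total - $oneDrives.Count), $oneDrives.Count, $total)

if ($total -ge 1000) {
    Write-Warning "Tenant has 1K or more sites/OneDrives; rename is not supported for this size yet."
    return
}

# Dry run: -WhatIf reports what would be scheduled without changing the tenant.
Start-SPOTenantRename -DomainName $NewDomain -ScheduledDateTime $ScheduledFor -WhatIf

# Once the dry run looks right, schedule for real and track progress:
# Start-SPOTenantRename -DomainName $NewDomain -ScheduledDateTime $ScheduledFor
# Get-SPOTenantRenameStatus
```

A tenant URL change invalidates saved links and bookmarks, so run the dry run and communicate the scheduled date before committing.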
Interested in using this preview capability? Check out the product documentation here.
For licensing information for all these features, check out the respective feature’s product documentation.
There are many Teams innovations announced at Ignite’21; for the full list, check out the Innovations coming to Microsoft Teams blog.
For the full list of new SharePoint, OneDrive, and Teams capabilities announced at Ignite’21, check out Jeff Teper’s blog post, Rich, secure content and collaboration for hybrid work Ignite 2021 announcements.
We have a beautiful security and compliance cookbook for SharePoint, OneDrive, and Microsoft 365 administrators; you can download the SharePoint and OneDrive Security Cookbook for FREE.
Finally, check out our recent video on “SharePoint runs on Trust”:
To learn more about the above features in detail, check out the product documentation articles below:
- Labels-based default sharing link types
- Co-authoring and autosave in encrypted Office documents
- Auto labeling enhancements for Office documents in SharePoint and OneDrive
- Data Access Governance Insights in SharePoint and OneDrive
- Labels-based Granular Conditional Access Policies (GCAP) for SharePoint Sites
- Continuous Access Evaluation (CAE) support in SharePoint and OneDrive
- Microsoft 365 Information Barriers Enhancements
- Use information barriers with SharePoint
- Use information barriers with OneDrive
- What’s new in SharePoint Admin Center
- SharePoint Tenant Rename
Interested in participating in the private previews of our upcoming new features? Check out available features and sign up here: https://aka.ms/ODSPSecurityPreviews
If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.
As you navigate this challenging time, we have additional resources to help. For more information about how we are responding together to COVID-19, visit our Remote Work site. We’re here to help in any way we can.
Sesha Mani – Principal Group Product Manager (GPM)
Microsoft 365, SharePoint & OneDrive
John Gruszczyk – Product Marketing Manager (PMM)
Microsoft 365, Teams