Quick Settings for Balancing User Empowerment and IT Oversight in Microsoft Office 365
By: Allen Pangilinan, Director of Innovative Solutions at IndyConn
I was recently setting up a new Microsoft 365 environment and I thought it would be great to share several setting changes that I always apply in my setup process. While Microsoft 365 is a great tool to increase productivity and collaboration, I personally find that the default settings are too minimal.
Assessing these settings and applying these changes helps secure data, identify the areas where an organization may or may not want to give control to end users, and drive discussion around what its requirements and policies are (or help identify gaps where new policies need to be created).
While the content here is primarily targeted at setting up a new tenant, it may be helpful to check your settings to see what is being allowed and whether it falls in line with your organization's policies.
Manage who can create Microsoft 365 Groups
By default, all users can create Microsoft 365 Groups. Microsoft 365 Groups are an integral part of Microsoft 365, with tie-ins to many of its services, including Outlook, SharePoint, and Teams. While allowing users to create Groups removes the need for IT involvement in provisioning certain resources, it does raise concerns around governance and long-term support.
The link below outlines the steps and PowerShell commands to manage Microsoft 365 Group creation.
Microsoft Documentation: Manage Who can create Microsoft 365 Groups: https://docs.microsoft.com/en-us/microsoft-365/solutions/manage-creation-of-groups?view=o365-worldwide
Guests and Microsoft 365 Groups
End users may have the ability to add external users as guests to a group. A guest invited to a Microsoft 365 Group would be able to access files posted in the group's document library.
Microsoft 365 Admin Center > Settings > Org Settings > Security & Privacy > Sharing
SharePoint Site Creation
Similar to Microsoft 365 Group creation, any user by default can create a SharePoint site. To prevent users from being able to create SharePoint sites, the following setting can be disabled. This would only allow Administrators the ability to create new sites.
SharePoint Admin > Settings > Site Creation
At the global level, SharePoint can be configured to control how SharePoint sites can be shared. Until requirements and policies can be established for when/how sites and documents can be shared externally, my recommendation is to prevent external sharing.
Microsoft 365 Admin Center > Settings > Org Settings > Services > SharePoint
SharePoint Sharing Links and Permissions
When a user shares files and folders from SharePoint and OneDrive, they are given an option for how the item should be shared: whether anyone with the link can access it, or whether it is shared only with specific people. They can also choose whether the link provides view-only or edit access.
By setting the defaults to Specific People and View, end users are forced to make a conscious decision to grant everyone access and edit privileges.
SharePoint Admin > Policies > Sharing
Similar to sharing folders and documents in SharePoint, OneDrive has settings for selecting the default options. By selecting the option to share links to Specific people, the user must make the conscious decision on who they want to grant access to or to change the option to allow anyone with the link to access the file.
OneDrive Admin Center > Sharing
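The SharePoint and OneDrive sharing defaults recommended above can also be checked from PowerShell. The script below is an added example, not part of the original article: it compares the values returned by Get-SPOTenant (SharePoint Online Management Shell) against the article's recommendations. The function name Test-SharingBaseline, the sample object, and the admin URL are assumptions made for illustration.

```powershell
# Added example: compares SharePoint Online tenant sharing settings with the
# defaults recommended in this article. Property names are those returned by
# Get-SPOTenant; Test-SharingBaseline is a hypothetical helper name.

# Baseline taken from the article: no external sharing, links default to
# "Specific people" (Direct) with view-only permission.
$Baseline = [ordered]@{
    SharingCapability      = 'Disabled'
    DefaultSharingLinkType = 'Direct'
    DefaultLinkPermission  = 'View'
}

function Test-SharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Expected
    )
    foreach ($name in $Expected.Keys) {
        # Cast to string so enum values from a live tenant compare cleanly.
        $actual = [string]$Tenant.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Expected[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Expected[$name])
        }
    }
}

# Constructed sample standing in for a permissive tenant, so the script runs offline.
$tenant = [pscustomobject]@{
    SharingCapability      = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType = 'AnonymousAccess'
    DefaultLinkPermission  = 'Edit'
}

# Against a live tenant (the admin URL is a placeholder):
#   Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
#   $tenant = Get-SPOTenant
$report = Test-SharingBaseline -Tenant $tenant -Expected $Baseline
$report | Format-Table -AutoSize

# Surface any drift from the baseline as a warning.
$drift = @($report | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) sharing setting(s) differ from the baseline."
}
```

Running it on a schedule and reviewing the warnings gives IT a simple way to notice when a sharing default has been loosened after initial setup.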