OneDrive for Business is a really awesome way to store your documents, but it has always been the wild wild west when it comes to administering it. My compliance department doesn’t like it when people can share documents out easily and we have no control to pull that back if required. We also have policies around devices; although those are being lifted to an extent, but not fully, we still want security. The last thing a company wants is its clients’ personal data or proprietary data leaked out to the public domain, and up until recently it was extremely hard to control that.
Microsoft has released the Office 365 OneDrive for Business Admin Center, which allows administrators and compliance officers to secure corporate data that’s stored in OneDrive. The Admin Center can be found by going directly to https://admin.onedrive.com or via the admin centers drop down in the Admin Center Portal.
Inside the OneDrive Admin Center, you have a myriad of options that you can use to secure your OneDrive offering. These options range from sharing options to what types of devices can sync and access items stored in OneDrive. In this blog, I am going to take you through some of the settings I am going to use and explain why I might use them.
Before we begin, let’s remember that OneDrive is an extension of SharePoint and follows its functionality. OneDrive, like SharePoint, makes it very easy to share documents out via links. I am going to use DLP and Compliance policies to block certain types of data from being shared. I am OK with allowing data to be shared out via links, but I do want the users to have to sign in. To do this, the person we want to share the data with will be invited to create a Microsoft account with whatever email address they are using, if they don’t already have one. When I do this, the anonymous links radio button will grey out, because I don’t want anonymous links sent out; I want to be able to audit what is being accessed. I may also want to block certain domains from being allowed to access links or be sent them. I definitely don’t want external users to be able to share items that were shared with them.
Basically, what I’ve done is make my document sharing much more comprehensive, easily traceable and auditable than sharing via email would have been.
The Sync section deals with the sync tool and allows me some control over where people can sync from. Here we have 3 options. The most useful 2 would be “Allow syncing only on PC’s joined to specific domains” and “Block syncing of specific file types”.
You might want to disable the Sync button on the OneDrive website too. Keep in mind that the specific domains setting refers to your internal domain. You can find some PS cmdlets to get those GUIDs here
Storage allows you a few things, 1 of which I find useful. Firstly, it allows you to control how much storage is available. By default every user gets 1 TB, and I am not sure why you’d want to give them less. Possibly you would if you want to make the maximum they can have more predictable for backup purposes (yes, you want to back up your data; it’s yours, who else is going to take responsibility for it?). The second option seems very valuable to me. It’s the ability to retain files in OneDrive after a user account is marked for deletion. The default is set to 30 days; you might want to extend that to ensure you get a final backup of their data.
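The sharing, sync and storage choices described above can also be applied and read back from PowerShell. This is an added example, not part of the original post; it assumes the SharePoint Online Management Shell and the ActiveDirectory module are installed, and the tenant URL, blocked domain, file types and retention value are placeholders or constructed values.

```powershell
# Added example: values marked "placeholder" or "constructed" are assumptions.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ActiveDirectory

$AdminUrl       = 'https://contoso-admin.sharepoint.com'  # placeholder tenant admin URL
$BlockedDomains = 'blocked.example'                       # constructed; space-separated list
$BlockedTypes   = 'pst;exe'                               # constructed; semicolon-separated
$RetentionDays  = 90                                      # constructed; the default is 30

Connect-SPOService -Url $AdminUrl

# Sharing: links require sign-in (no anonymous links), external users cannot
# re-share what was shared with them, and the listed domains are blocked.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -OneDriveSharingCapability ExternalUserSharingOnly `
              -PreventExternalUsersFromResharing $true `
              -SharingDomainRestrictionMode BlockList `
              -SharingBlockedDomainList $BlockedDomains

# Sync: collect the GUID of every domain in the on-premises forest, then allow
# the sync client only on PCs joined to one of those domains.
$guids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).ObjectGUID.ToString() }
if (-not $guids) {
    # An empty allow list would stop every PC from syncing, so stop here.
    throw 'No domain GUIDs found; refusing to enable the sync restriction.'
}
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($guids -join ';')

# Sync: block specific file types from being uploaded by the sync client.
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions $BlockedTypes

# Storage: keep a deleted user's OneDrive longer so a final backup can be taken.
Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod $RetentionDays

# Read the settings back so the change can be checked and recorded.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    PreventExternalUsersFromResharing, SharingDomainRestrictionMode,
    SharingBlockedDomainList, OrphanedPersonalSitesRetentionPeriod
Get-SPOTenantSyncClientRestriction
```

Run it from a domain-joined machine so the forest lookup works, and keep the read-back output as a baseline to compare against later changes.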
Device access is all about controlling the devices that access Office 365. The real power in this section comes if you are using Intune to manage your devices. If not, you really only have two options to manage, and both options are not extremely useful. “Allow Access only from specific IP address locations” only works if you have absolute control over this, but many companies prefer users save data on home wireless networks etc.
This is where things get interesting and you have many options. Here you can set up Retention and data loss prevention policies, use eDiscovery (identify, hold, search) and Audit what’s happening in OneDrive. This section is where you get the most control over what the content is in people’s OneDrive. Like I said before, before this it was a little bit wild wild west, and that creates risk for companies.
And for the Admins and Managers that want to know everything, you have the ability to notify Administrators when users invite external users to shared files, as well as when invitations are accepted. You can also run some of these same settings with Alerts in compliance, where you can set alerts when external users access files so you can report on that as well.
As is always the case in Office 365 as a product nears full production (right now the admin center is in preview), you will start to see some additional features to round out the offering, such as reports.