SharePoint Online Security: Best Practices for 2022

Last week I got off the call with a customer who is using SharePoint Online to manage documents for their investment portfolio worth 10 billion dollars.

Is their SharePoint secure?

You bet.

This customer has been with us for over 4 years, and I can remember how nervous they were when we first started talking about SharePoint online.

If you're considering going to the cloud after using SharePoint on-prem for a while and worried about how safe it is, you're not alone.

How secure is SharePoint?

… someone asked me at the Microsoft Ignite conference a few years ago after my session.

The answer to this question is 3-part:

  1. How strong is your Office 365 setup? How much have you left open? Have you followed the best practices?

    You can leave SharePoint pretty wide open, and combined with unintended user errors, you can get exposed to information leaks.

  2. How well trained are your users? When your employees are not trained well on how to use SharePoint Online, they go for shortcuts. It's human nature.
    Rather than learning from bad experiences, it pays to inoculate your organization against breaches with targeted and relevant training.

  3. Are you evolving and re-evaluating your setup? Are you doing breach tests? How are you verifying that employees follow Security best practices?

    You might have heard the story of how KPMG inadvertently deleted the MS Teams chat history of 145,000 users. How much of that chat history contained information users relied on? It's supposed to be persisted chat, right?



SharePoint Security Best practice listed here

In this post, I'll share some of the most common best practices on how to make your SharePoint Online secure, including:

  1. How to manage permissions in SharePoint

    1. On a site level

    2. Using a hub site to set permissions automatically

    3. The particular case of a SharePoint Team site

    4. On a library level

  2. How to set permissions to copy from a SharePoint hub site

  3. How to make SharePoint documents private

  4. Using SharePoint security groups when managing permissions

  5. How to restrict access to a SharePoint folder

But first, here a frequent question…


Can you password protect a SharePoint site?

Now, most of you reading this post know that SharePoint is not a wide-open system, so what does this common user question really ask?

About a year ago, I picked up a phone call from an alarmed new employee concerned that their SharePoint site was not password protected. They had just received their work laptop by mail. This employee opened the browser from home, and his team site was wide open without asking for a password. He immediately thought it was accessible to everyone.

When employees open SharePoint Online on their home computer (not joined to your company domain), they will be asked to enter their username and password in the most basic setup. Once an employee logs in, their browser will remember the login and not ask for the password again.

Many organizations have single sign-on enabled for all employees on their work laptops, as in this employee's case. This means that when you log into your work computer, you are immediately authenticated, and it will seem that the site was wide open, even though it's not. Here is a bit more about how SharePoint Security is handled from a technical side.

Regardless of the administrator's set up, as the site owner, you need to set up permissions on your team site so only authorized users can access your site.

This brings us to the next question …


How do I manage permissions in SharePoint?

SharePoint allows you to manage Security and permissions on 3 different levels. And we'll take a look at when and how to do that in each case. These levels are:

  1. SharePoint site

  2. SharePoint list or a library

  3. The item in the list, such as a document

Unless you set otherwise, all employees who have access to the SharePoint site will automatically inherit this access on document libraries (#2) and items in the library (#3).

Before I show you how to set up unique access to the library and folder, let's first see how you can restrict access on who gets to see the site (#1 on our list).



Managing permissions on a SharePoint site (Communications Site)

A SharePoint site is usually the landing site for one of the major areas of the intranet. For example, an HR site or a Company & News site are both sites.

Here we have an [Employee Center] SharePoint site in the top navigation.

Figure: SharePoint site security

Everyone will need to access this site in [Read Only] mode, but a few users will need to add new content, like the HR team members.

Here is how to set up permissions on the SharePoint site:

  1. Go to the site you'd like to manage access for, in our case [Employee Center]

  2. Click [*] -> Site permissions

  3. Click the [Share site] button and search for users you'd like to add. In my case, I only added one user.

NOTE: By default, the user will have [Read Only] access, but you can change that to [Full Control] or [Edit]

 

Here is the complete sequence of what we have done:

Figure: Setting permissions on the site

Special case for managing permissions on a Team site

Almost all of the customers I talk to use Team sites, Project sites, and Task Force sites as collaboration sites where a small group of people access documents that are available only to them.

For example, one of my customers, 2 years ago, had their Change Management team working on change management communication, which affected a number of employees and their jobs. The crafting of the communication took 3 months and involved collaboration from Legal, Change Management, and the Executive Team.

Since the SharePoint search picks up any document you upload, employees could inadvertently access sensitive communication like this just by typing the right keyword into the search.

The solution: restrict access to sensitive team sites.

Here is how you restrict access on the Team site:

  1. Navigate to that Team site as an owner

  2. Click the [members] link as shown in the picture below in step 1

  3. Click the [Add members] button and find who you'd like to have on your site

  4. You can change their membership level from [Member], which is the default, to [Owner], someone like yourself.

NOTE: To add [Read Only] user, click the gear icon [*] -> [Site permissions] -> [Advanced permissions settings] -> find the “Visitors” group and add employees into this group.

 

Here is the full sequence of how to assign permissions on the Team site:

Using SharePoint hub site to set permissions on your SharePoint sites automatically

Not every site will need unique permissions like the Team site. In fact, the HR site and other company landing sites will need to be accessible by everyone.

One organization we work with a lot has about 90 sites publicly available to everyone, and all those sites make up the intranet.

By the way, if you have a large amount of sites on your intranet, here is a related post on how to organize them easier:


All of those sites are also part of the main Hub Site, which is also an intranet home page. The Hub Site in SharePoint Online acts as a parent.

In this organization, all of the sites that belong to the same hub site (the intranet) will need to be accessible by all users (Read-Only).

Here is how to set up your site to inherit access from the hub site:

  1. Navigate to the site that should inherit access from the hub. In my case, it's the [HR] site.

  2. Click [*] -> Site permissions

  3. Select the [Hub] tab

  4. Flip the [Sync hub permissions to this site] toggle to [On]

Here is the snapshot of how to set up your site to inherit access from the hub site:

 

Managing permissions on a SharePoint list or a library

If you look back at our HR site from the earlier example, you'll see that the HR page has a spot for [Online Courses].

You wouldn't want just about anyone to be able to make changes to the HR landing page; someone might inadvertently break something on the page. Yet you might want to give some users more granular access to update only one part of the page, like [Online Courses] in our example. This could be a Training Admin or Payroll Admin who can post new courses, while everyone else can only read them.

Since our list of courses is a SharePoint list, we will set it up so that only specific users can post anything into that list.

Here is how to set up permission on the SharePoint list or a document library:

  1. While on the site where you know you have the list, click [*] -> [Site contents]

  2. Find the list you know holds the data you want to restrict, in our case [Online Courses], click on the ellipsis (…) and select [Settings]

  3. On the next page, click the [Permissions for this list]

  4. Now we need this list to stop inheriting permissions from the site, so in the ribbon, click [Stop inheriting permissions]

  5. You can now click the [Grant permissions] button to add unique users and give them the [Edit] rights, as shown in the sequence below.

 
Figure: Setting permissions on a SharePoint list or library

Speaking of all of those online courses, what if there are so many of them, and you'd like to target them easily to only people who need to see them?

Keep reading. That's what we dive into next!

How do I make a SharePoint document private?

Last week, I spoke to a customer who had over 1,500 different forms in their form directory. The issue was that not all forms applied to everyone. For example, hourly employees didn't need to see [Submit an expense] form, and salaried employees didn't need to see the [Timesheet] and so on.

Figure: Setting permissions on the employee form

Even in our example with [Online Courses], you might see the same pattern. People need to access what they need, sometimes due to Security, other times because there is too much content that's not relevant to them.

Let's see how we can arrange that.

Setting up unique permissions on a document or a form

One easy way to target your content is to enable permissions on the document or list item to be seen only by employees who need to see it. An existing [group member] can add new users but not modify access for existing members and readers.

Here is how to set up permission on a SharePoint list item or a document:

  1. Find a list where you have all of the items or documents you're displaying to users

  2. Select a document or a list item you need to give unique permissions to and click [Manage access]

  3. Select the group and the access you'd like to give it to, as shown in the sequence below.

 

NOTE: Instead of giving access to multiple specific individuals, use Groups to make it easier for you to add everyone and clearer for IT to see who has access to what. Continue to the next section, which describes how to set that up.

 

Using SharePoint security groups when managing permissions

Adding users to groups one by one is no fun. It's much better to create a group, add users to this group, and then delegate permissions to the site or library through that group.

When you create a Team site, a group is created for it automatically. This means that I can give access to another site to everyone who is a member of the Team site.

As you can see, when sharing a site, groups show up in search results just like users do:

Figure: Sharing a SharePoint site with a SharePoint Group

But what if you need to create a group that doesn't have or need a Team site?

For example, one of my customers wanted to create a group for [News Authors] where members were a few employees from HR, Communications, Business Divisions, and IT.

To create a security group, follow these steps:

  1. Ensure that you are an Office 365 admin and go to the Admin center of your Office 365 tenant

  2. Click [Active groups] and [Add a group] button

  3. In a set of options, select [Security] as a type of group

NOTE: This is a simple group that won't have an email address or anything else assigned to it. Basically, it's a folder with users.

  4. Enter the name of the group, in my case [Intranet News Authors], and click [Finish]

Here is the summary of how to create Office 365 security group:

Figure: Creating an Office 365 Security Group

Next, here is how to add users to this Office 365 security group:

  1. Find the group in a list of [Active groups], and click on its name

  2. In the popup window, click the [Add group owners] button

  3. Click [+ Add owners] and find users you'd like to own this group

  4. Next, click the [Members] tab and repeat step #3 this time adding users who will be group members

And here is how to add users to the Office 365 security group in pictures:

Figure: Adding users to an Office 365 Security Group
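The same group creation and membership steps, scripted so they can be repeated for every new group and reviewed later by IT. This is an added example, not code from the original post; it uses the Microsoft Graph PowerShell SDK (Install-Module Microsoft.Graph). The group description, the owner and member addresses, and the mail nickname are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): create a plain Microsoft 365
# security group and populate its owners and members via Microsoft Graph.
# Group.ReadWrite.All covers creating the group and managing owners/members;
# User.Read.All lets us resolve user principal names to object ids.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$groupName = "Intranet News Authors"                                   # name used in the post
$owners    = @("hr.lead@contoso.com")                                  # assumed owner UPNs
$members   = @("comms.writer@contoso.com", "it.writer@contoso.com")    # assumed member UPNs

# Reuse the group if it already exists so the script is safe to run twice.
$group = Get-MgGroup -Filter "displayName eq '$groupName'"

if (-not $group) {
    # MailEnabled:$false plus SecurityEnabled:$true is the "[Security]" type
    # from the admin center: no mailbox, no Teams, just a container of users.
    $group = New-MgGroup -DisplayName $groupName `
                         -Description "Employees allowed to publish intranet news (assumed)" `
                         -MailEnabled:$false `
                         -MailNickname "intranetnewsauthors" `
                         -SecurityEnabled:$true
}

# Owners: Graph expects a reference to the user object, not just an id.
foreach ($upn in $owners) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupOwnerByRef -GroupId $group.Id `
        -BodyParameter @{ "@odata.id" = "https://graph.microsoft.com/v1.0/users/$($user.Id)" }
}

# Members: the [Members] tab of the admin-center popup, step #4 above.
foreach ($upn in $members) {
    $user = Get-MgUser -UserId $upn
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $user.Id
}

# Verify the result: this is the list IT will check when asked "who can post news?"
Get-MgGroupMember -GroupId $group.Id |
    ForEach-Object { Get-MgUser -UserId $_.Id | Select-Object DisplayName, UserPrincipalName }
```

Because the group is looked up by display name before it is created, running the script a second time only adds missing people; it does not create a duplicate group with the same name, which is a common source of confusion when two groups called "Intranet News Authors" both end up with site access.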
 

Now you can use this group to restrict access on the site, library, or items, in the same way we already looked at earlier in this post.

When you have a new employee you'd like to share the same level of access as all of the other members of the group, you simply add them to the list of group members. This new employee will inherit the same rights wherever the group already has access.

Now then, let's take a look at how you can restrict access to the folder to a newly created SharePoint group.

How do I restrict access to a SharePoint folder?

There are times when you need to limit access not just on the individual file but a folder with files. The most common need for this is when team members need to have [Read Only] access on all folders but [Write] access to their specific folder.

For example, below, let's give technical architects [Write] permission on the "Technical Architecture" folder.

Here is how to restrict access to the SharePoint folder:

  1. Pick a library and the folder you want to limit access to. In my case, it's the "Technical Architecture" folder that will only be available to [Edit] for specific people.

  2. Click on the (i) button on the right-hand side of your SharePoint library, as shown below in point #2

  3. In the flyout, click the [Manage access] link

  4. Under [Direct access], click the [+] button and find a group or users you'd like to give explicit access. In my case, I'm giving explicit [Edit] access to the [Technical Architects] group.

  5. Click the [Grant access] button

Here is the full sequence of this in a visual form:

Figure: Restricting access to a SharePoint folder
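The list, item and folder procedures in the sections above all come down to the same two operations: stop inheriting, then grant a role to a group. Here they are scripted together with PnP PowerShell (Install-Module PnP.PowerShell), followed by a report of every list on the site that no longer inherits permissions, which is the "re-evaluating your setup" part from the start of the post. This is an added example, not code from the original post; the site URL and the list, item, folder and group names are assumptions.

```powershell
# Added example (not from the original post). Scripts the three GUI procedures:
# unique permissions on a list, on one list item, and on a folder, then reports
# where on the site inheritance has been broken. All names are assumptions.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/hr" -Interactive

# --- 1) List level: only [Training Admins] may post to [Online Courses] ---
$listName = "Online Courses"

# Same as [Stop inheriting permissions]: the list gets its own copy of the
# site's role assignments, which we then adjust.
Set-PnPList -Identity $listName -BreakRoleInheritance -CopyRoleAssignments

# Grant Edit to the admins, then take Edit away from the site's default Members
# group so the copied site rights do not leave the list writable by everyone.
Set-PnPListPermission -Identity $listName -Group "Training Admins" -AddRole "Edit"
$siteMembers = Get-PnPGroup -AssociatedMemberGroup
Set-PnPListPermission -Identity $listName -Group $siteMembers -RemoveRole "Edit"

# --- 2) Item level: one form visible to [Salaried Employees] only ---
$caml = "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/>" +
        "<Value Type='Text'>Submit an expense.pdf</Value></Eq></Where></Query></View>"
$form = Get-PnPListItem -List "Forms" -Query $caml

# -ClearExisting drops every inherited assignment, including the site owners,
# so re-grant the owners group or only site collection admins can manage it.
Set-PnPListItemPermission -List "Forms" -Identity $form `
    -Group "Salaried Employees" -AddRole "Read" -ClearExisting
$siteOwners = Get-PnPGroup -AssociatedOwnerGroup
Set-PnPListItemPermission -List "Forms" -Identity $form -Group $siteOwners -AddRole "Full Control"

# --- 3) Folder level: architects edit their folder, everyone else keeps Read ---
# Adding a unique assignment breaks the folder's inheritance while keeping the
# library's existing grants, which is what [Manage access] -> [+] does.
Set-PnPFolderPermission -List "Shared Documents" `
    -Identity "Shared Documents/Technical Architecture" `
    -Group "Technical Architects" -AddRole "Edit"

# --- 4) Re-evaluate: which lists have unique permissions, and for whom? ---
function Get-UniqueListPermissionReport {
    $lists = Get-PnPList -Includes HasUniqueRoleAssignments, RoleAssignments, Hidden |
             Where-Object { $_.HasUniqueRoleAssignments -and -not $_.Hidden }
    foreach ($list in $lists) {
        foreach ($ra in $list.RoleAssignments) {
            # Load the principal and its role bindings for this assignment.
            Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
            [pscustomobject]@{
                List      = $list.Title
                Principal = $ra.Member.Title
                Roles     = ($ra.RoleDefinitionBindings | ForEach-Object Name) -join ", "
            }
        }
    }
}

Get-UniqueListPermissionReport | Sort-Object List, Principal | Format-Table -AutoSize
```

Unique permissions are invisible to the people browsing the site and accumulate quietly as owners click [Stop inheriting permissions] over the years, so the report at the end is the piece worth scheduling: run it per site on a regular basis and question every list whose principals are individual users rather than groups.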

More best practices

Have a best practice question? Tell me more.

This is not an exhaustive list of all SharePoint security best practices, but these are the ones I hear most often from customers worldwide. I bet a few of these questions pop up from your employees every other day. Share this post with them.

If there is anything you'd like clarified, tell me more in the comments. I'd be happy to hear from you.

Did you know we have this post on 19 SharePoint Best Practices for End Users?

Check it out for more best practice goodness:

The information here is yours to keep forever...

If someone in your network might be stuck with their HR site or intranet project, share this with them.
I find that when I learn something, that feels nice, but when I share it with others and they find it helpful, that feels amazing!

Best practices, in-a-box

Working with clients worldwide, we've accumulated a lot of best practices like these. Many of these are baked into our process and Origami pre-built intranet solution.

If reading this post, you feel like you need a more tailored approach to your existing SharePoint site or a brand new one – get in touch, tell us more about what's going on, and help us understand what your goal is.

Our advisor will help you assess all the pros and cons and offer a solution, whether it's something you can do on your own or something we can help you here at Origami.

 
SharePoint Intranet Design Expert

Yaroslav Pentsarskyy is a Digital Workplace Advisor at Origami. Yaroslav has been awarded as Microsoft Most Valuable Professional for 8 years in a row and has authored and published 4 intranet books.
Yaroslav is also a frequent presenter at industry conferences and events, such as the Microsoft SharePoint Conference and Microsoft Ignite.