
SysAdmin MAGAZINE

Worth Sharing: SharePoint Online Administration Hacks

Contents SysAdmin Magazine June 2020

SysAdmin Magazine, issue 61, June ‘20

Contents

03 SharePoint Online administration, step by step
10 Managing SharePoint Online using PowerShell
14 Easy and secure file sharing for business
17 How to ensure secure guest access in Office 365
21 How-to: Get a SharePoint Online permissions report
22 Tool of the month: Free Netwrix Auditor for SharePoint

SysAdmin Magazine is a free source of knowledge for IT Pros who are eager to keep a tight grip on network security and do the job faster.

The Sysadmin Magazine team
sysadmin.magazine@netwrix.com
SharePoint Online Administration, Step by Step

Jonathan Hassell
Exchange Expert, IT Consultant

The SharePoint Online service is a cloud-based platform designed to facilitate collaboration. Your users can share documents, calendars, lists, pictures, discussion boards and more with users inside your network and, in some cases, with people outside your network, such as partners or vendors. With this platform, even small companies are able to have their own corporate intranet, without spending their budget on infrastructure or staff. In addition, SharePoint Online provides web services for developers to access SharePoint data.

This article will help you learn the critical details you need to effectively administer your SharePoint Online environment.

Understanding the Default SharePoint Online Structure

The basic unit of SharePoint content is the site collection — a group of sites with similar characteristics that can be managed as a whole. By default, your Office 365 subscription includes two site collections:

▪ A default team site collection, https://yourtenantname.sharepoint.com, which is a basic SharePoint site designed for collaboration. You can create additional sites in this site collection for individual teams, projects, meetings and so on. Team sites provide a place for your teams to organize and collaborate on content, data, reports and news. Creating a site in SharePoint Online is very similar to the process in on-premises SharePoint; the main difference is that for SharePoint Online, you won’t be able to select a web application.

▪ A default public website collection, https://yourtenantname-public.sharepoint.com, which was originally designed to host the public-facing website for your company. This functionality is being deprecated, so I recommend ignoring this site collection.

You can also create your own site collections. Many organizations choose to use site collection templates because they make the process faster and easier than developing everything from scratch.

In addition to those two tenant-wide site collections, you also get individual “MySite” sites for each user in your tenant who has a SharePoint Online license. MySite is essentially a front end to the OneDrive for Business service; it’s where each user’s one terabyte of storage space is found. This storage space can be synchronized to desktops and laptops so that a person’s documents are always on whatever device they are using. We will talk more about OneDrive for Business later in this guide.

Administering SharePoint Online

To get started with SharePoint Online administration, access the Office 365 SharePoint admin center by heading to https://yourtenantname-admin.sharepoint.com. The administration user experience is designed to be simple but effective. Log in, and then you will see a screen like this:
Figure 1. The SharePoint administration center

Types of SharePoint Online Site Content

SharePoint Online has a defined list of content types that you can create on a site. They include:

▪ Page. A page is exactly what it sounds like — a page that is edited in the browser using the editor functionality in SharePoint. Pages primarily contain text, but you can embed images, links, lists and web parts (little bits of code) in them.

▪ Document library. A document library is a set of Word and other files. You can create folders to structure the documents logically within the library. To modify a file, a user must check it out and back in; this ensures that only one person edits a file at any given time and enables you to keep previous versions so you can see the revision history of a given document.

▪ Other kinds of libraries. There are form libraries that store XML forms which your business can use to route information through Microsoft InfoPath; picture libraries that store image files; and wiki page libraries, which basically create a quick way to edit text and have it remain on the web as well as link that text to other pages — a poor man’s shareable text editor, you might say.
▪ Site. Sites are basically collections of content, so you can create sites underneath your main SharePoint site to collect related materials that deserve their own focus. Meetings, blogs, documents and teams might have their own sites within a larger site.

▪ List. Lists are collections of like items, such as links, announcements, contacts or tasks. More complex lists include a calendar, an editable datasheet, a discussion board, an issue tracking list, a list of project tasks with a Gantt-like chart, a survey, or an imported spreadsheet.

In addition to enabling you to administer SharePoint Online, the Admin Center enables you to manage Office 365 groups as well.

Best Practices for Structuring SharePoint Online

When you are first starting with Office 365, it’s important to give some thought to how you will structure your SharePoint sites. To simplify site collection administration, most SharePoint experts recommend creating site collections based on the types of permissions that users and creators will need. For example, you might want to have separate site collections for sales and marketing, customer support, research and development, and operations. Within each of those site collections, site collection administrators might give users permission to create subsites at will, so that teams can manage their own sites and IT isn’t a bottleneck.

Understanding Groups and Permissions

Some of the most common administrative tasks are granting, modifying and removing permissions from Office 365 users. The easiest way to understand SharePoint permissions is to compare them to standard NTFS permissions like you have in Windows — groups of SharePoint users can have read and write (and some other SharePoint-specific) permissions granted to them.

You can see what permissions are available to grant on the ribbon of each SharePoint site, on the Permissions tab:

Figure 2. Viewing permissions and groups for the default SharePoint team site in a tenant
On this page, you can create a new group; grant, edit or revoke permissions for the default groups (Team Site Members, Team Site Owners and Team Site Visitors); and check permissions on a specific user or object.

If you click Permission Levels in the Manage section of the ribbon, you can see all of the permission levels available, as well as create or delete permission levels:

Figure 3. Viewing and managing permission levels

If you want to create new groups of users so that you can assign them SharePoint permissions more granularly, the easiest option is to use the regular Office 365 admin center. Since the entire service is based on Azure Active Directory, the groups you create in one application are available for use in other applications, just as you would expect if you created security groups in your on-premises Active Directory. Here is the process for creating a new group:

1. Go to the administrative portal at https://admin.microsoft.com/AdminPortal/Home#/homepage.

2. In the menu at the left, hover over the icon with multiple people. From the pop-out menu, click Groups.

3. Click + Add a Group.

4. Fill out the form to create a new mail-enabled security group. At this time, do not create an Office 365 group — that is a different type of group that is irrelevant to our purposes right now. A mail-enabled security group is a group of users that can be assigned permissions in various sites and services but that can also be addressed through a single alias like an Exchange distribution group can.
Figure 4. Creating a new group

Enabling Versioning

One of the neat features of SharePoint Online is the service’s built-in support for versioning of documents. When versioning is enabled, SharePoint will create a new version of a file each time it is saved. This makes it easy to create an audit trail, see recent activity, review who made which changes and back out unwanted revisions. Most businesses that work on sets of docs for long periods of time will find versioning helpful.

You enable versioning on document libraries. On a team site, for example, click Documents, click the site settings wheel at the top right of the window (within the black bar) and then click Library Settings. On the resulting page, under General Settings, click Versioning settings. You’ll see this page:
Figure 5. Versioning settings for a document library

Make sure one of the versioning options — either “Create major versions” or “Create major and minor (draft) versions” — is enabled and click Save. Then, when your users are creating, modifying and saving documents to that library, they’ll be able to see and use different versions in the history of the documents.

I recommend against enabling minor versions because every small change will generate a new version of the file. While SharePoint is relatively efficient at storing files, you can quickly find your storage allotment eaten up with files that add little value to the versioning history. Unless you have a specific need, stay with the “Create major versions” option.

SharePoint automatically tracks the different versions. Users can access them from the web but not directly from Microsoft Word, so instruct your users to head to the team site document library when they need to see older versions. To see and edit different versions, click … next to a file in a document library, and from the pop-up menu, select Version history. You’ll see a screen like this one:

Figure 6. Accessing an older version of a file in a SharePoint Online document library
Using Recycle Bin

When you delete items (including OneDrive for Business files) from a SharePoint site, they’re sent to the site’s Recycle Bin, and you can restore them from there if you need to. When you remove items from a site’s Recycle Bin, they’re sent to the site collection’s Recycle Bin. A SharePoint site collection administrator can view items in the site collection’s Recycle Bin and restore them to their original locations. If an item is deleted from the site collection’s Recycle Bin, or its retention time elapses, it is permanently deleted.

To remove site collections, you need to have the right permissions. If the feature is not available, you don’t have permission to perform the operation. When you delete a site, you also delete any subsites, content and information associated with the site. The site collection administrator can restore it from the site collection’s Recycle Bin.

Configuring Sharing

One of the biggest draws of SharePoint Online is the ability to share content with people outside your organization. With such a configuration, SharePoint Online gets extranet-like functionality with a couple of clicks. For example, you can share a document, a document library or even a whole site with users external to your organization without worrying (at least from the end user’s perspective) about federation, identity management, mapping credentials and all that jazz. External users typically only need to view and contribute information (i.e., read, add and update); they do not need the rights to make structural changes to the SharePoint site or create new elements like subsites. Note that you must have a global or SharePoint administrator role in Office 365 to configure external sharing.

But some companies, especially those with more stringent or sensitive regulatory and compliance requirements, want to completely disable the ability for external users to access or even receive invitations to the content stored in their tenant. Luckily, one command in PowerShell turns this ability on and off. To completely disable external sharing, use this command:

Set-SPOSite -Identity https://yoursite.sharepoint.com/sites/thesiteyouwant -SharingCapability Disabled

To enable both external user and guest (i.e., unauthenticated) access, use this command:

Set-SPOSite -Identity https://yoursite.sharepoint.com/sites/thesiteyouwant -SharingCapability ExternalUserAndGuestSharing

To enable only authenticated external users (no guests) to have content shared with them, use this command:

Set-SPOSite -Identity https://yoursite.sharepoint.com/sites/thesiteyouwant -SharingCapability ExternalUserSharingOnly
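As an added example that is not part of the article, the script below extends the site-level Set-SPOSite commands above into a tenant-wide check: it reports every site collection whose sharing level is more permissive than a chosen baseline and can reset it, with -WhatIf for a dry run. It assumes an existing Connect-SPOService session; the function names and the permissiveness ranking are my own and not part of the SharePoint Online Management Shell.

```powershell
# Added example, not from the article. Assumes Connect-SPOService has already
# been run against https://yourtenant-admin.sharepoint.com.
# $SharingRank, Get-SPOSharingDrift and Repair-SPOSharingDrift are names made
# up for this example; the cmdlets they call are the standard SPO ones.

# Ordering of the SharingCapability values from least to most permissive
# (the ranking itself is an assumption made for this check).
$SharingRank = @{
    'Disabled'                        = 0   # no external sharing at all
    'ExistingExternalUserSharingOnly' = 1   # only guests already in the directory
    'ExternalUserSharingOnly'         = 2   # authenticated external users only
    'ExternalUserAndGuestSharing'     = 3   # also anonymous "Anyone" links
}

function Get-SPOSharingDrift {
    # Reports site collections whose SharingCapability is more permissive than
    # $Baseline, together with how many external users were already invited there.
    [CmdletBinding()]
    param(
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$Baseline = 'ExternalUserSharingOnly',

        # Site URLs allowed to exceed the baseline (for example an approved partner extranet)
        [string[]]$Exempt = @()
    )

    # Tenant-wide setting for context: a site can never be more open than this.
    $tenant = Get-SPOTenant
    Write-Verbose ("Tenant SharingCapability={0}; anonymous links expire after {1} day(s)" -f
        $tenant.SharingCapability, $tenant.RequireAnonymousLinksExpireInDays)

    # -Limit All: without it Get-SPOSite returns only the first 200 site collections.
    Get-SPOSite -Limit All | ForEach-Object {
        $site  = $_
        $level = [string]$site.SharingCapability

        if ($SharingRank[$level] -gt $SharingRank[$Baseline] -and $Exempt -notcontains $site.Url) {
            # Only out-of-policy sites get the slower external-user lookup.
            $external = @(Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50)

            [pscustomobject]@{
                Url               = $site.Url
                SharingCapability = $level
                Baseline          = $Baseline
                ExternalUsers     = $external.Count
                InvitedBy         = ($external | ForEach-Object { $_.InvitedBy } | Sort-Object -Unique) -join ';'
            }
        }
    }
}

function Repair-SPOSharingDrift {
    # Resets every drifting site to $Baseline. Run with -WhatIf first and review
    # the list; nothing is modified until you run it again without -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string]$Baseline = 'ExternalUserSharingOnly',
        [string[]]$Exempt = @()
    )

    Get-SPOSharingDrift -Baseline $Baseline -Exempt $Exempt | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Url, "Set-SPOSite -SharingCapability $Baseline")) {
            Set-SPOSite -Identity $_.Url -SharingCapability $Baseline
        }
    }
}

# Usage:
#   Get-SPOSharingDrift -Baseline Disabled -Verbose | Format-Table -AutoSize
#   Get-SPOSharingDrift | Export-Csv .\sharing-drift.csv -NoTypeInformation
#   Repair-SPOSharingDrift -Exempt 'https://yourtenant.sharepoint.com/sites/partners' -WhatIf
```

Exporting the drift report to CSV on a schedule gives you a record of when a site was opened up and by whom, which is the evidence you will want if an external invitation is later questioned.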
Managing SharePoint Online using PowerShell

Jeff Melnick
Director, Global Solutions Engineering

Most Office 365 applications can be managed using PowerShell. PowerShell commands (cmdlets) can be combined to create scripts that perform complex administrative tasks. Managing SharePoint Online using PowerShell makes it easy to add, modify and remove user accounts and their permissions, as well as configure SharePoint site settings, such as sharing and access settings. To automate repetitive tasks in SharePoint, administrators can use the SharePoint Online Management Shell.

In this article, we will review how to install and connect the SharePoint Online Management Shell to SharePoint Online. You’ll also find the most useful PowerShell commands for SharePoint Online.

How to Install the SharePoint Online Management Shell

Before you can use the SharePoint Online Management Shell, you need to download it from the Microsoft website and install it. The SharePoint Online Management Shell is a Windows PowerShell module that lets you run command-line operations and efficiently perform batch operations.

Before getting started, check whether the SharePoint Online Management Shell is already installed by running the following command in administrative mode in PowerShell:

Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

If your operating system is using PowerShell 5 or newer, you can install the SharePoint Online Management Shell by running the following command in administrative mode:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell

If you’re running Windows 8.1 or Windows 10 on your management workstation, that’s all you need. But if you’re still running Windows 7, you must also download and install the Windows Management Framework version 3.0 or later.

How to Connect to SharePoint Online using PowerShell

Before you connect, make sure you have:

▪ An account with global administrator permissions
▪ The URL of your SharePoint Online Admin center

To connect to SharePoint Online, run the SharePoint Online Management Shell and open a session to the admin site in your tenant using the following command:

Connect-SPOService -Url https://yourtenant-admin.sharepoint.com

You’ll be prompted for your tenant administrator credentials, and then your session will be loaded, like this example:
Figure: Loading a new SharePoint Online Management Shell session

Connecting Using an Account that Has MFA Enabled

If your account is subject to multifactor authentication (MFA), you will need to remove the -Credential parameter and its value from the Connect-SPOService cmdlet, as shown below, and then enter your credentials on the web login page.

$orgname = "enterprise"
Connect-SPOService -Url https://$orgname-admin.sharepoint.com

Microsoft explains how to troubleshoot issues with connecting using MFA in the article “Cannot force Modern Authentication when using Connect-SPOService cmdlet in SharePoint Online Management Shell.”

Connecting with a Username and Password

To connect using a user name and password, run the following PowerShell script:

$admin = "Admin@enterprise.onmicrosoft.com"
$orgname = "enterprise"
$userCred = Get-Credential -UserName $admin -Message "Type the password."
Connect-SPOService -Url https://$orgname-admin.sharepoint.com -Credential $userCred

The Most Useful PowerShell Commands for SharePoint Online

Windows PowerShell includes more than one hundred cmdlets for performing day-to-day administrative tasks. With a solid knowledge of PowerShell scripting, you will spend less time on administrative functions, without having to purchase and implement third-party tools.
Here are some of the most useful SharePoint cmdlets:

1. To get a list of all available SharePoint Online cmdlets, run the Get-Command cmdlet:

Get-Command -Module "Microsoft.Online.SharePoint.PowerShell"

2. To list the settings for a particular tenant, including quota status and sharing capabilities, use the following command after connecting to your SharePoint Online:

Get-SPOTenant

3. To create a new SharePoint Online site collection using PowerShell, use the New-SPOSite command, specifying a web address for the SharePoint site, the user who will own the site and the storage quota in gigabytes:

New-SPOSite -Url https://yourtenant.sharepoint.com/Sites/newsitename -Owner you@yourtenant.com -StorageQuota 100 -Title "New Site"

4. The Test-SPOSite cmdlet runs all the site collection health checks on the specified site collection.

Test-SPOSite https://enterprise.sharepoint.com/sites/hr

5. To see what groups are available on a site, use this command:

Get-SPOSiteGroup https://yourtenant.sharepoint.com/sites/yoursitename

6. You can add a user to a site, but when you do, you need to add the user to one of the existing site groups at the same time:

Add-SPOUser https://yourtenant.sharepoint.com/sites/yoursitename -LoginName you@yourtenant.com -Group Visitors

7. You will likely want to periodically review the current state of sharing on your tenant. The following script will spit out sharing status along with who has received invitations outside your organization for each site in your tenant:

# -Limit All: without it Get-SPOSite returns only the first 200 site collections
$SitesToAudit = Get-SPOSite -Limit All | Where-Object {$_.SharingCapability -ne "Disabled"}
ForEach ($Site in $SitesToAudit) {
    Write-Host $Site.Url " has " $Site.SharingCapability " configured"
    Get-SPOExternalUser -SiteUrl $Site.Url | Select DisplayName, Email, InvitedBy, WhenCreated | Format-Table -AutoSize
}

Going Beyond Basic SharePoint Management Tasks

PowerShell can help you manage SharePoint more efficiently, but remember that it’s also critical to be aware of every change that happens in your environment. If there’s an inappropriate change to the farm configuration or if mission-critical content is deleted, you need to know about it. With Netwrix Auditor for SharePoint, you can track changes to SharePoint documents and lists, configuration, permissions, and more.

▪ Monitoring changes — Netwrix Auditor provides detailed information about every change across your SharePoint environment: which user made each change, when and where it happened, and exactly what was changed, with the before and after values. By tracking all changes in SharePoint, you can spot modifications to farm configuration settings, groups, permissions and user content that could result in a data breach or bring down your SharePoint services.
▪ Monitoring data access events — If you don’t regularly audit who accesses which documents and lists in your SharePoint Online, someone might read a file that they are not supposed to see and you won’t know about the violation. Netwrix Auditor helps to regularly review data access events, such as access to sites or libraries containing sensitive data, so you can reduce the risk of missing improper activity.

▪ Monitoring permissions — SharePoint’s complex system of access permissions makes it a challenge to ensure that your critical documents are secure. Netwrix Auditor enables you to quickly find out exactly how permissions were granted and identify broken inheritance across your SharePoint Online. You’ll be able to clearly see the effective user permissions for all objects in your site collections, how those permissions were granted and whether inheritance is broken.
Easy and Secure File Sharing for Business

Adam Stetson
Systems Engineer, Security Expert

File sharing — the transfer of digital items from one device to another — is a standard business practice in almost every industry. Think of how many files get uploaded to Google Drive or your company’s Slack channel every day. While businesses benefit from the ease of contemporary file sharing, it comes at a price. This article explores the benefits and risks of uncontrolled sharing and then reviews the top solutions for reducing those risks.

Benefits and Risks of Uncontrolled File Sharing

Today, employees can upload even extremely large files to cloud servers, and their colleagues across the world can view the content, make edits or add comments, and pass them back without ever having to download them.

Sharing files through the cloud offers significant cost savings, since companies no longer need to purchase and maintain their own servers to host the data. It also offers flexibility: Team members can share files wherever they are to collaborate easily with both internal and external personnel, without ever having to worry about whether a file is too big for email.

Unfortunately, file sharing also involves multiple security risks, including the following:

▪ Data leakage — Most sharing platforms let users send files to people outside of the company network. That can be great for collaboration, but it can also be a security nightmare. It’s too easy for an employee to send a document with intellectual property or regulated sensitive data to the wrong person, whether by accident or design. It’s also easy for users of many platforms to set their own share permissions. You can advise your people to restrict access, but you might not be able to lock down their settings.

▪ Account breaches — With many file-sharing platforms and collaboration tools, users set their own passwords. If a user chooses a weak password or reuses passwords from other sites, a malicious actor could easily break into that user’s account to share or download proprietary content.

▪ Lack of accountability — When employees share files, in some cases it may be challenging for system administrators to track who is sending which files to which third parties. That lack of accountability could land the company in trouble if sensitive data is compromised.

▪ Infected files — Not all data-sharing and collaboration platforms have the same level of encryption, and many let users accept files from third parties. If your teams are receiving and downloading files, your system could be at risk.

▪ Shadow IT — When a company doesn’t have an official secure file sharing system that is approved and managed by the IT team, employees will find their own solutions. That’s how a company ends up with shadow IT — software and hardware that operates outside of the awareness of the IT department. When teams use shadow IT file sharing solutions, the entire corporate data system is at risk.
Methods for Sharing Data

There are different ways to share data:

▪ File transfer protocol (FTP) — FTP transfers computer files over the network, usually from a computer to a server.

▪ Peer-to-peer networks — Files can be shared directly between machines connected through the same peer-to-peer technology.

▪ Removable storage media — Removable media, such as USB drives, are used to transfer files between different machines.

▪ Online file sharing services — Online platforms like Box and Dropbox enable users to easily share files online without having to install any specific software to connect the devices.

The following section explores the advantages and disadvantages of the top online file sharing services.

Top Online File Sharing Platforms for Business

BOX

One of the most well-established file-sharing companies, Box serves 97,000 organizations, including 68% of the Fortune 500. Its primary focus is on meeting the needs of larger enterprises. Available security and permissions options are advanced, making it appropriate for companies and firms with valuable intellectual property.

Pros

▪ Security is compliant with HIPAA, FINRA and other regulatory systems.
▪ Encryption keys enable you to track who is accessing which files.
▪ Enterprise-level controls enable sharing and collaboration.
▪ Dedicated “confidential” setting can be used for internal-only communications.
▪ Granular permission settings are included.

Cons

▪ Limited document preview can result in employees opening unknown documents.
▪ Only limited tracking and content management are included at lower price points.

DROPBOX

Dropbox is designed for more casual use than Box. It has fewer advanced features, and users can more easily share and select permissions, so IT departments have less control over file security. Dropbox is most appropriate for smaller companies with a less robust tech support system.

Pros

▪ Users can share files with recipients who don’t use Dropbox.
▪ File and version recovery is user-friendly.
▪ Professional users can password-protect files and disable downloads.

Cons

▪ Centralized permission and sharing controls are limited.
▪ Advanced security features are limited.

GOOGLE DRIVE

Google Drive powers Google Docs, one of the first and most popular cloud-based document collaboration tools. Available to the public in its standard form, it offers more functionality to businesses in two ways:

▪ One option is Drive for G Suite, which has advanced information rights management functions and default admin sharing controls. The Business and Enterprise editions include audit logs for usage analysis.
▪ Businesses also have the option of subscribing to Drive Enterprise as a standalone service. It includes advanced administrative access management and a robust security center to keep intellectual property safe.

Pros

▪ It is easy to use and familiar.
▪ Files can be shared with any email address.
▪ Users can limit sharing, downloading and copying of files.
▪ Robust administrative controls are provided for file sharing.
▪ Advanced data tracking and retrieval are possible with Google Vault.

Cons

▪ Collaboration requires a Google account.
▪ Advanced security features are limited.

ONEDRIVE FOR BUSINESS

OneDrive is Microsoft’s version of Google Drive. It’s designed primarily to enable sharing of Office 365 files, which makes it useful for teams who use that software, but it’s less welcoming for non-Windows teams. On the plus side, it offers in-depth permissions settings and security so that IT teams can control the movement of data.

Pros

▪ Granular permission settings are provided.
▪ Encryption for mobile devices is an option.
▪ Administrators can monitor activity.
▪ Advanced security features are included for business users.

Cons

▪ Integrations are limited for teams who don’t use Office 365.

MICROSOFT TEAMS

If OneDrive is Microsoft’s answer to Google Drive, Teams is its answer to Slack. It’s a fully-featured collaboration tool designed for Office 365 users and has support at the enterprise level — as long as your company uses Microsoft products.

Pros

▪ It offers more functions than a single-purpose file sharing platform.
▪ It includes file editing capabilities.
▪ It supports multiple identity models and multifactor user authentication.

Cons

▪ An Office 365 license is required.
▪ Sharing with external users can be challenging to control.

SHAREPOINT ONLINE

Unlike Microsoft Teams, companies can purchase and use SharePoint Online as a standalone solution. It satisfies complex security and collaboration needs with functions like advanced guest access controls and confidentiality labels for documents. SharePoint also allows administrators to manage sharing settings at the administrative level.

Pros

▪ Access controls are available for administrators.
▪ External sharing can be controlled.
▪ Extensive content governance functionality is provided.

Cons

▪ It is pricier than comparable options.
▪ Employees will require training to use the platform effectively.
How to Ensure Secure Guest Access in Office 365

Jeff Melnick
IT Security Expert, Blogger

With its flagship productivity suite Microsoft 365 (formerly known as Office 365), Microsoft aims to break down the traditional business silos that inhibit content sharing and collaboration. The interwoven capabilities of SharePoint Online and OneDrive for Business allow users to collaborate with a wide range of colleagues from both inside and outside their organization.

Despite its benefits, file sharing poses several risks. What if your files are inadvertently or deliberately shared with the wrong users? What if users mishandle sensitive information? How can you stay in control of your guest users?

To mitigate security concerns around sharing, it’s important to understand how to configure the two mechanisms of sharing in Microsoft 365:

▪ Guest access: Sharing content with guest members in Microsoft 365 groups or Microsoft Teams

▪ External sharing: Sharing links to specific SharePoint and OneDrive assets with external parties

This article explains how to manage guest users and external access in Microsoft 365 to ensure business continuity without compromising the security of your critical data.

Guest Access in Microsoft 365

On the back end, Microsoft 365 groups are objects in Azure Active Directory (Azure AD). Each group object in Azure AD contains unique identifying information such as:

▪ Information about the group owner
▪ URLs for associated resources
▪ Group membership list, including any guest accounts

How to Enable or Restrict the Guest Access Feature

By default, the guest access feature is enabled for a Microsoft 365 tenant, which means a Microsoft 365 group owner can invite anyone who has a business or consumer email account to become a guest member of the group.

As a Microsoft 365 administrator, you can set the level of external access for the tenant by going to the Microsoft 365 Groups page in the Microsoft 365 admin center. Under Services and Add-ins, you can control whether to turn off guest access entirely and whether group owners are allowed to invite guest users.

You can also use PowerShell to limit the policy on guest access. For example, you can:

▪ Prevent guest users from accessing a specific group.
▪ Block external guests from a specific domain.

How to Add a Guest User to a Group

Any group member can nominate an Office 365 group external user for guest access, but only the group owner can grant guest access. The process of adding a guest user to a group proceeds as follows:

1. The group owner or a group member uses the Groups >
Add Members command to nominate the external user for membership by entering the user's email address.

2. The group owner reviews the access permissions the guest would receive by joining and approves the nomination.

3. The guest receives a welcome email and can begin participating in group activities.

What Level of Access Does a Guest User Have?

▪ Don't have direct access to any of the group's sites, such as a team site in SharePoint

▪ Can participate in group activities through conversations and group calendar invitations sent to their email inbox

▪ Can access shared files included in email messages, such as attachments or links, provided the administrator has

managed at two levels:

▪ Across the entire Microsoft 365 tenant, through either the SharePoint Admin Center, the Microsoft 365 admin center or Azure AD

▪ At the site level

How to Manage Tenant-Wide Sharing Using the SharePoint Admin Center

To configure external sharing settings for the entire tenant, go to the Sharing page of the SharePoint admin center. The External sharing section on this page contains options that let you control the tenant-wide sharing level in SharePoint:

▪ Only people in your organization: Turn off external sharing and limit sharing to internal users only. This is the default setting for communication sites and classic sites in SharePoint. As a security best practice, it's recommended that you turn off tenant-wide external sharing by se-

dentials before they can access shared assets.

▪ New and existing guests: Grant site owners and users full control permission to share sites with external users. Site users can also share files and folders to collaborate with external users.

▪ Anyone: Allow anyone with the resource link to access the resource and forward the link to others. This option is selected by default, but it's recommended that you change the external sharing setting to Only people in your organization. Beware of leaving the Anyone option selected, as it opens the door to uncontrolled sharing with anonymous, unauthenticated users and may put sensitive data at risk.

If you elect to allow sharing with Anyone, you can improve document management and security by configuring these recommended advanced settings:

▪ Configure Anyone links to expire after a certain period of time.
enabled the requisite file-sharing permissions
lecting this option. ▪ Restrict guest links to allow only view access to files & folders.

▪ Existing guests: Permit sharing with external users who ▪ Restrict default links to be accessible to Only people in
your organization.
External Sharing in Microsoft 365: have already been added to your Azure AD Existing guests
may have joined your Azure AD by accepting a share in-
SharePoint Online vitation in the past or by being added as guest users by
▪ Enable the ATP safe attachments feature.

an administrator in the Azure portal. This option requires ▪ Restrict external sharing with users from blocked domains.
The external sharing capabilities of SharePoint Online can be
guests to authenticate into Microsoft 365 with valid cre-

18
Contents SysAdmin Magazine June 2020
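The first PowerShell use case listed above, preventing guests from being added to one specific Microsoft 365 group, is shown here as an added example; it is not code from the article. It uses the AzureAD module's Group.Unified.Guest settings template, which is the mechanism Microsoft documents for per-group guest settings. The group name "Finance Close" is an assumption for illustration, and the account running it needs rights to manage group settings (Global Administrator or Groups Administrator).

```powershell
# Added example: block guest invitations on one Microsoft 365 group via the
# Azure AD "Group.Unified.Guest" settings template. Requires the AzureAD module
# (Install-Module AzureAD). The group name below is an assumption.
Connect-AzureAD

function Set-GroupGuestPolicy {
    param(
        [Parameter(Mandatory)] [string] $GroupDisplayName,
        [bool] $AllowToAddGuests = $false
    )
    # Resolve the group and refuse to continue on zero or several matches,
    # so the setting is never attached to the wrong object.
    $groups = @(Get-AzureADGroup -Filter "DisplayName eq '$GroupDisplayName'")
    if ($groups.Count -ne 1) {
        throw "Expected exactly one group named '$GroupDisplayName', found $($groups.Count)."
    }
    $group = $groups[0]

    # Per-group guest settings live in a directory setting object built from this template.
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

    # Update the setting if the group already has one; otherwise create it.
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    if ($existing) {
        $existing['AllowToAddGuests'] = $AllowToAddGuests
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
            -Id $existing.Id -DirectorySetting $existing
    } else {
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $AllowToAddGuests
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
            -DirectorySetting $setting
    }

    # Read the value back and count guests that are already members: blocking new
    # invitations does not remove existing guests, so those still need a review.
    $verify = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    $guestMembers = @(Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true |
        Where-Object { $_.UserType -eq 'Guest' })
    [pscustomobject]@{
        Group            = $group.DisplayName
        AllowToAddGuests = $verify['AllowToAddGuests']
        ExistingGuests   = $guestMembers.Count
        GuestLogins      = ($guestMembers | ForEach-Object { $_.UserPrincipalName }) -join ','
    }
}

Set-GroupGuestPolicy -GroupDisplayName 'Finance Close' -AllowToAddGuests $false
```

The ExistingGuests column is the part worth checking after the change: the group setting only stops new guests from being added, so any guest who was already a member keeps their membership until an owner removes them.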
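The tenant-wide SharePoint sharing settings and the "Anyone link" hardening list above map directly onto parameters of Set-SPOTenant in the SharePoint Online Management Shell. The script below is an added example, not code from the article; the tenant name "contoso" and the blocked domains are assumptions for illustration. Safe Attachments is not a SharePoint setting and is left out; it is turned on in the Office 365 ATP Safe Attachments policy.

```powershell
# Added example: apply the tenant-wide sharing settings described above with
# Set-SPOTenant (Install-Module Microsoft.Online.SharePoint.PowerShell) and
# then re-read them as an auditor would. Tenant name and domains are assumptions.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Recommended baseline: "Only people in your organization". Uncomment to apply.
# Set-SPOTenant -SharingCapability Disabled

# If Anyone links must stay on, constrain them. Splatting keeps each setting commented.
$anyoneHardening = @{
    SharingCapability                          = 'ExternalUserAndGuestSharing' # "Anyone"
    RequireAnonymousLinksExpireInDays          = 7            # Anyone links expire after 7 days
    FileAnonymousLinkType                      = 'View'       # anonymous links to files: view only
    FolderAnonymousLinkType                    = 'View'       # anonymous links to folders: view only
    DefaultSharingLinkType                     = 'Internal'   # default link = people in your organization
    DefaultLinkPermission                      = 'View'       # default link permission = view
    SharingDomainRestrictionMode               = 'BlockList'  # deny invitations to listed domains
    SharingBlockedDomainList                   = 'mailinator.com gmail.com' # space-separated
    RequireAcceptingAccountMatchInvitedAccount = $true        # invitation usable only by invited address
}
Set-SPOTenant @anyoneHardening

function Get-TenantSharingRisks {
    # Returns one row per check; Risky = $true means the setting is still permissive.
    $t = Get-SPOTenant
    $checks = [ordered]@{
        'Anyone links enabled'      = ($t.SharingCapability -eq 'ExternalUserAndGuestSharing')
        'Anyone links never expire' = ($t.RequireAnonymousLinksExpireInDays -le 0)
        'Anyone links allow edit'   = ($t.FileAnonymousLinkType -eq 'Edit' -or
                                       $t.FolderAnonymousLinkType -eq 'Edit')
        'Default link is Anyone'    = ($t.DefaultSharingLinkType -eq 'AnonymousAccess')
        'Default permission is Edit'= ($t.DefaultLinkPermission -eq 'Edit')
        'No domain restriction'     = ($t.SharingDomainRestrictionMode -eq 'None')
        'Invitations transferable'  = (-not $t.RequireAcceptingAccountMatchInvitedAccount)
    }
    foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Risky = $c.Value }
    }
}

Get-TenantSharingRisks | Format-Table -AutoSize
```

Run Get-TenantSharingRisks on its own before touching anything to capture the starting state; the same function run afterwards is the evidence that the change took effect, since Set-SPOTenant does not echo what it changed.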

Using the Microsoft 365 Admin Center

You can also configure tenant-level sharing for SharePoint by going to the Microsoft 365 admin center and selecting Settings > Services & add-ins > Sites. This page lets you configure the same external sharing options as the SharePoint admin center.

Using Azure AD

For the highest level of control over external access to SharePoint, configure sharing settings in Azure AD. You can approach the Azure AD sharing configuration in either of two ways:
▪ Have SharePoint use its own external sharing list, independent from Azure B2B, and configure the organizational relationships settings in Azure AD. Log in to the Azure portal and select Azure Active Directory > Overview > Organizational relationships. Go to the Settings page and define the SharePoint Online external sharing settings you want to use for your organization.
▪ Have SharePoint use the external sharing settings defined in Azure B2B and configure B2B collaboration in Azure AD.

TIP: The sharing settings configured in Azure AD override the sharing settings configured in the Microsoft 365 admin center or SharePoint admin center. For example, if you allow external sharing via the Microsoft 365 admin center but disable external sharing through Azure AD, the Azure AD setting takes precedence and external sharing will be turned off for your organization.

How to Manage Site-Level Access in SharePoint Online by External Users

In addition to configuring tenant-wide sharing policies, you can further restrict external sharing for a specific SharePoint site. To do this, you must have global admin or SharePoint admin privileges. Site owners cannot change the external sharing setting for their sites.

How to Change the External Sharing Setting for a Site

1. In the SharePoint admin center, go to Sites > Active sites.
2. Select the checkbox next to the site name.
3. Click the 'i' icon at the top right corner of the page.
4. Select the desired sharing level from the list of sharing options. These are the same four sharing options that are available for tenant-wide configuration.

Tip: The external sharing setting for a specific site has to be the same as or more restrictive than the tenant-level setting. For example, if tenant-wide sharing is limited to Existing guests, the sharing setting for a specific site can be changed to Only people in your organization, but it cannot be changed to a more permissive option such as Anyone.

In another typical use case, a global or SharePoint admin needs to stop external users from a particular domain from accessing a specific site. For example, users from the Client A domain should not be able to access a site specifically designed for collaborative sharing with Client B.

How to Restrict Access to a Site Based on the User Domain

1. In the SharePoint admin center, go to Sites > Active sites.
2. Select the checkbox next to the site name.
3. Go to the Policies tab.
4. Under External sharing, click Edit.
5. Under Advanced settings for external sharing, select the checkbox next to Limit external sharing by domain.
6. Click Add domains.
7. Select Allow only specific domains.
8. Enter the fully qualified domain name (FQDN) of each domain you want to add to the allow list. Only users from the listed domains will be eligible for invitations to the site.

How to Manage Tenant-Wide Sharing for OneDrive

Tenant-wide sharing settings apply to all the OneDrive instances of users in your Microsoft 365 tenant. There are two portals through which you can configure these sharing settings for OneDrive:
▪ The Sharing page in the SharePoint admin center (Microsoft recommends using this page to configure your OneDrive sharing settings)
▪ The Sharing page in the OneDrive admin center

How to Configure OneDrive Sharing through the SharePoint Admin Center

Follow the instructions and guidelines described earlier in "How to Manage Tenant-Wide Sharing Using the SharePoint Admin Center." OneDrive provides the same four sharing options as SharePoint.

TIP: The sharing level for OneDrive must be the same as or more restrictive than the sharing level for SharePoint. For example, if tenant-wide sharing in SharePoint is set to Existing guests, you can only configure OneDrive to use the same setting or the more restrictive Only people in your organization setting.

How to Configure OneDrive Sharing through the OneDrive Admin Center

1. Log in to the OneDrive admin center.
2. Navigate to the Sharing page.

Here, you can set the level of external sharing for OneDrive and configure more fine-grained sharing controls such as:
▪ The type of link generated by default when a user shares a file
▪ The expiration period for links
▪ Whether to allow editing and uploading privileges for links that share OneDrive files or folders externally
▪ Specific domains whose users are allowed or blocked from receiving sharing invitations
▪ Whether external users must use the same account to receive and accept sharing invitations
▪ Whether external users can share content they don't own
▪ Whether content owners can audit the list of users who have viewed their content

How to Manage External Sharing for an Individual OneDrive

To customize the sharing level for a specific user's OneDrive, use the Microsoft 365 admin center:
1. Log in to the Microsoft 365 admin center with global admin or SharePoint admin privileges.
2. Go to Users > Active users.
3. Select the user whose OneDrive sharing level you want to change.
4. Go to the OneDrive tab.
5. Select Manage sharing under the Sharing section.
6. Configure the external sharing level and save your changes.

TIP: The external sharing level for an individual OneDrive must be the same as or more restrictive than the sharing level configured at the tenant level.

How to Mitigate the Risk of Unauthorized External Sharing of Critical Data

Classifying your data will help you understand where your critical data resides, including whether a particular SharePoint Online site or site collection, or a OneDrive for Business folder shared with external users, contains sensitive data. This insight will enable you to set up external sharing according to the sensitivity and value of the data stored there.

To ensure comprehensive and accurate data discovery and classification, choose an advanced solution like Netwrix Data Classification. Its automated and highly accurate data tagging enables you to choose appropriate sharing settings and also enables users to easily find the data they need. The tagging will also improve the effectiveness of the data loss prevention (DLP), information rights management, records management and other data governance solutions your organization is already using or planning to implement. You can also set up workflows that will automatically move overexposed data from SharePoint Online and OneDrive for Business repositories to a designated quarantine area.
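The site-level and per-OneDrive procedures above (changing a site's sharing level, limiting a site to one partner domain, and restricting an individual user's OneDrive) can all be scripted with Set-SPOSite, because a OneDrive is itself a site collection under the tenant's "-my" host. The script below is an added example, not code from the article: it encodes the rule from the three tips that a site or OneDrive may only be as permissive as the tenant, and refuses a change that would break it. The tenant name "contoso", the site URLs, the user and "clientb.com" are assumptions for illustration.

```powershell
# Added example: site-level and per-OneDrive external sharing with Set-SPOSite,
# with the "no more permissive than the tenant" rule enforced before each change.
# Tenant, site URLs, user and partner domain are assumptions.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# The four sharing levels, ranked from most to least restrictive.
$rank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

function Set-SiteSharingLevel {
    param(
        [Parameter(Mandatory)] [string] $SiteUrl,
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string] $Level
    )
    $tenantLevel = (Get-SPOTenant).SharingCapability.ToString()
    # Check the rule ourselves rather than relying on the service's handling of an invalid request.
    if ($rank[$Level] -gt $rank[$tenantLevel]) {
        throw "Refusing to set $SiteUrl to '$Level': the tenant is limited to '$tenantLevel'."
    }
    Set-SPOSite -Identity $SiteUrl -SharingCapability $Level
    # Return the effective value so callers can confirm the change.
    (Get-SPOSite -Identity $SiteUrl).SharingCapability.ToString()
}

# Site-level: the Client B collaboration site may invite new guests, but only from clientb.com.
$clientB = 'https://contoso.sharepoint.com/sites/ClientB-Project'
Set-SiteSharingLevel -SiteUrl $clientB -Level 'ExternalUserSharingOnly'
Set-SPOSite -Identity $clientB -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList 'clientb.com'

# Per-user OneDrive: the OneDrive of j.smith@contoso.com (dots and "@" become underscores in the URL)
# is locked to internal sharing only.
$oneDrive = 'https://contoso-my.sharepoint.com/personal/j_smith_contoso_com'
Set-SiteSharingLevel -SiteUrl $oneDrive -Level 'Disabled'

function Get-LooseSites {
    # Every site and OneDrive whose level is looser than Existing guests, with any domain restriction.
    Get-SPOSite -Limit All -IncludePersonalSite $true |
        Where-Object { $rank[$_.SharingCapability.ToString()] -gt 1 } |
        Select-Object Url, SharingCapability, SharingDomainRestrictionMode, SharingAllowedDomainList
}

Get-LooseSites | Format-Table -AutoSize
```

Get-LooseSites is the periodic check: a site that legitimately allows new guests should also show a domain allow list in its row; one with Anyone or New and existing guests and SharingDomainRestrictionMode of None is the combination worth following up with the site owner.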

How-to for IT Pro

HOW TO GET A SHAREPOINT ONLINE PERMISSIONS REPORT

1. Download and install the SharePoint Online Client Components SDK.

2. Open the PowerShell ISE and run the following script:

# SPO-specific cmdlets require the SharePoint Online Management Shell module
Install-Module -Name Microsoft.Online.SharePoint.PowerShell

$ServiceURL = "https://enterprise-admin.sharepoint.com"   # tenant admin URL
$URL        = "https://enterprise.sharepoint.com"         # site to report on
$Path       = "C:\Temp\GroupsReport.csv"                  # output file

$Cred = Get-Credential

# Connect to SharePoint Online
Connect-SPOService -Url $ServiceURL -Credential $Cred

# Generate the report: one row per SharePoint group on the site,
# with the group's permission levels and its members
$GroupsData = @()
$SiteGroups = Get-SPOSiteGroup -Site $URL
ForEach ($Group in $SiteGroups) {
    $GroupsData += New-Object PSObject -Property @{
        'Group Name'  = $Group.Title
        'Permissions' = $Group.Roles -join ","
        'Users'       = $Group.Users -join ","
    }
}

# Export the data to CSV
$GroupsData | Export-Csv $Path -NoTypeInformation

3. Review the easy-to-understand report:

Users | Group Name | Permissions
b.jackson@enterprise.onmicrosoft.com, j.brown@enterprise.onmicrosoft.com, j.carter@enterprise.onmicrosoft.com, spo-grid-all-users/762525ca-eb79-412c-8c1d-ecc76c75b80a | Team Site Members | Edit
SHAREPOINT\system | Team Site Owners | Full Control, Limited Access
ale@enterprise.onmicrosoft.com, a.gold@enterprise.onmicrosoft.com | Team Site Visitors |
i.scur@enterprise.onmicrosoft.com, c.decker@enterprise.onmicrosoft.com | Team_OC | Contribute, Read
j.smith@enterprise.onmicrosoft.com, review_team@enterprise.onmicrosoft.com | Team_Review | Limited Access
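The report above lists members, but a reviewer of external access still has to spot guest identities by eye. The script below is an added example, not part of the how-to: it extends the same Get-SPOSiteGroup report so that each row names the external members and flags groups that give them write access, and it pulls the site's own external-user list (who they are, how they signed in, who invited them). It assumes an existing Connect-SPOService session; the tenant name "enterprise" matches the how-to, while the output path is an assumption.

```powershell
# Added example: the group report with external identities called out, plus the site's
# external-user list. Assumes an existing Connect-SPOService session.
$URL  = "https://enterprise.sharepoint.com"
$Path = "C:\Temp\GroupsReport-External.csv"   # assumed output path

# Guest logins in SharePoint Online contain "#ext#" (Azure AD B2B guests) or start with
# "urn:spo:guest#" (users who redeemed a sharing link with a verification code).
function Test-ExternalLogin {
    param([string] $Login)
    return ($Login -match '#ext#' -or $Login -like 'urn:spo:guest#*')
}

# Permission levels that allow changing content rather than only reading it.
function Test-WriteRole {
    param([string[]] $Roles)
    return [bool]($Roles -match '^(Edit|Contribute|Full Control|Design)$')
}

$report = foreach ($Group in Get-SPOSiteGroup -Site $URL) {
    $guests = @($Group.Users | Where-Object { Test-ExternalLogin $_ })
    [pscustomobject]@{
        'Group Name'            = $Group.Title
        'Permissions'           = $Group.Roles -join ','
        'Users'                 = $Group.Users -join ','
        'External Users'        = $guests -join ','
        'External Write Access' = ($guests.Count -gt 0 -and (Test-WriteRole $Group.Roles))
    }
}

# The site's record of external users. Get-SPOExternalUser returns at most 50 entries
# per call, so page through with -Position until a short page comes back.
$external = @()
$position = 0
do {
    $page = @(Get-SPOExternalUser -SiteUrl $URL -Position $position -PageSize 50)
    $external += $page
    $position += $page.Count
} while ($page.Count -eq 50)

$report | Export-Csv $Path -NoTypeInformation
$report | Where-Object { $_.'External Users' } |
    Format-Table 'Group Name', 'Permissions', 'External Users', 'External Write Access' -AutoSize
$external | Select-Object Email, AcceptedAs, InvitedBy, WhenCreated | Format-Table -AutoSize
```

A guest that appears in the external-user list but in no group usually holds access through a direct sharing link on an item rather than through group membership; those grants are not visible in a group report and need the item-level permissions or the sharing-link report to track down.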

FREE COMMUNITY EDITION

Netwrix Auditor for SharePoint

Free SharePoint monitoring to stay aware of changes and data access events in your SharePoint Online and on-premises SharePoint environment.

Sample Activity Summary (Added: 1, Removed: 1, Modified: 1):

Action | Object type | What | Item | Where | When | Workstation
Added | File | http://sp.enterprise.com/sites/Management/2018/Release Plan.docx | http://sp.enterprise.com/sites | http://sp.enterprise.com:4755 | 4/17/2018 3:02:44 AM | 81.89.03.122
Removed | Folder | http://sp.enterprise.com/sites/Management/Contact Info | http://sp.enterprise.com/sites | http://sp.enterprise.com:4755 | 4/17/2018 3:04:56 AM | 81.89.03.122
Modified | Site Collection | http://sp.enterprise.com/sites/Management/ | http://sp.enterprise.com/sites | http://sp.enterprise.com:4755 | 4/17/2018 3:05:14 AM | 81.89.03.122
Details for the Modified row: Site Collection Administrators: Added: "j.rogers@enterprise.com"

This message was sent by Netwrix Auditor from au-srv-fin.enterprise.com.

[On-Demand Webinar]

Managing SharePoint Online and Exchange Online with PowerShell

Managing SharePoint Online and Exchange Online can be a painful task. Luckily, you can accomplish many tasks with PowerShell. Learning a few basic commands and scripts will make your life so much easier.

In this webinar, renowned SharePoint expert Liam Cleary will walk you through how to use PowerShell to:
• Connect to Office 365
• Perform basic management tasks like user and mailbox administration
• Modify permissions and retrieve log data when auditing permissions

Presenters: Jeff Melnick, Solutions Engineer; Liam Cleary, Office Apps and Services MVP
About Netwrix

Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTERS: 300 Spectrum Center Drive, Suite 200, Irvine, CA 92618
PHONES: 1-949-407-5125; Toll-free (USA): 888-638-9749

565 Metro Place S, Suite 400, Dublin, OH 43017; 1-201-490-8840

5 New Street Square, London EC4A 3TW; +44 (0) 203 588 3023

OTHER LOCATIONS: Spain: +34 911 982608; Italy: +39 02 947 53539; Netherlands: +31 858 887 804; Sweden: +46 8 525 03487; Switzerland: +41 43 508 3472; France: +33 9 75 18 11 19; Germany: +49 711 899 89 187; Hong Kong: +852 5808 1306

SOCIAL: netwrix.com/social