New technology, new features, early adopters and sound skepticism and preparations
I like to call myself an “Early Adopter”. I love new technology and new functionality that is launched, and I happily throw myself into it to find good areas of use, see what opportunities are offered, analyze its strengths and identify its weaknesses.
BUT, to be a good “Early Adopter” you also need a “healthy skepticism”. You need to be gifted with a good dose of security thinking, you need to be able to see past the shiny marketing material, and you need to be able to focus on, and understand, what is under the shell.
My belief is that to “afford” to be an “Early Adopter” (and minimize any negative consequences of being a naive one) you need to have good control over the environment and platform in which you test the new technology and functionality. You need to have a well-oiled machine where you are confident that Devices, Identity and Data are configured and secured according to the book. You need to be confident that the applications, services and tools that run on the platform are also configured according to the book. You need to have a basic (at least) level of security when you are going to test the new stuff. You have this necessary basic security in place when you have cleaned up in Microsoft Teams and SharePoint and adjusted the exposure of the data. When you have established good Microsoft 365 Governance you are in control and can ensure that it does not become messy again.
What you need to organize and secure in Microsoft Teams and SharePoint, when implementing Multitenant Organization (MTO) and/or Copilot.
At the time of writing this blog post, there are two relatively new technologies that I consider very relevant when it comes to having this control and basic security: Copilot for Microsoft 365 and Multitenant Organization (MTO). Both require largely the same technical preparations and control. What matters for both is that we want to minimize the risk of users accidentally gaining access to information they should not have access to.
Proper security of, and access to, stored documents is of utmost importance both for MTO and for Copilot. Since most collaboration and document storage takes place in Microsoft Teams and SharePoint, it is in these two applications that we can advantageously start by making sure that things are as they should be. Data should be up to date and relevant; data should be available (only) to those who should have access to it, and it should be inaccessible to those who should not. Thus, the key here is good Microsoft 365 Governance at different levels.
Current state of Microsoft 365 Governance in Many Organizations
In many organizations, the current state of Microsoft 365 governance is far from ideal. Common issues include:
- Lack of Control: Many organizations have hundreds (and sometimes thousands) of Teams, but no clear understanding of their purpose, value, relevance or usage.
- Overwhelmed IT Departments: Small IT teams are expected to manage and control all aspects of Microsoft 365, including frequent updates and changes.
- Poor Communication: Users often receive little to no information about new features and updates.
- Unclear Responsibilities: It is often unclear who is responsible for what within Microsoft 365.
- Self-Sustaining Applications and Services: Microsoft 365 is often left to manage itself without proper oversight.
- Desire for MTO and Copilot: Organizations want to implement MTO (Multitenant Organization) and/or roll out Copilot but struggle with the current chaotic state.
Desired state for Many Organizations
The desired state for many organizations includes:
- Organized Teams and SharePoint: An environment where all SharePoint sites and Teams are relevant, in use, and properly secured. A structured process for creating new Teams and SharePoint sites.
- Optimized Configuration: Services in Microsoft 365 are configured to meet the organization's security and functionality requirements.
- Centralized Governance Plans: Governance plans for all applications and services stored in one place.
- Effective Update Management: The ability to handle updates and changes in Microsoft 365 efficiently. All users are informed of relevant updates and receive the required training.
- Clear Responsibilities: Clear understanding of roles and responsibilities within Microsoft 365.
- Successful MTO and Copilot Implementation: A well-prepared environment for implementing MTO and/or rolling out Copilot in a safe and effective way.
The Platform Basics (Devices, Identities, and Data)
Before setting up MTO, it is essential to address the Platform basics:
- Devices: Ensure that all devices are properly managed and secured.
- Identities: Implement strong identity management practices, including multi-factor authentication and relevant dynamic Entra ID groups.
- Data: Classify and secure data, ensuring it is stored in the right places and properly labeled.
The Applications/Services (Microsoft Teams, SharePoint, and OneDrive)
So, what are the most basic and most important access settings in Microsoft Teams and SharePoint if you want to implement MTO and/or Copilot, and what are these settings? The answer is as follows:
Microsoft Teams
In Microsoft Teams, there are important differences between Private and Public Teams:
Private Teams:
- Membership: Only members who are added by the team owner can join a Private Team. This makes it suitable for e.g. confidential projects or sensitive information.
- Visibility: Private Teams are not visible to everyone in the organization. Only members can see the team and its content.
- Access: Members have access to all content within the team, but non-members cannot view or join the team (or its content) without an invitation from a team owner.
Public Teams:
- Membership: Anyone in the organization can join a Public Team without needing approval from the team owner. This can be useful for topics of general interest or company-wide initiatives.
- Visibility: Public Teams are visible to everyone in the organization. They can be found in the teams gallery and joined by anyone.
- Access: All members of the organization can view and edit the content within a Public Team, and this is where it gets weird. MTO users from another organization/tenant are no longer “guests” but become “members” of the organization. So, they are considered members of the organization and can therefore also read and edit the content of a Public Team in your organization, because they are included in the “Everyone except external users” group (even though they are actually, formally, external users). 🚨
So, what do you need to do when it comes to Microsoft Teams?
- Cleanup: Identify and archive inactive Teams and review and manage guest access.
- Governance: Implement a controlled process for creating new Teams, including approval workflows, naming conventions and Sensitivity Labels.
- Configuration: Ensure the Global settings for Microsoft Teams are configured to support the security and functionality requirements of your organization.
- Avoid Public Teams: Change existing Public Teams to Private. Public Teams containing Everyone-groups pose significant security risks. They allow all users, including “MTO-users”, to access and edit files, which can lead to data breaches and unauthorized access. It is crucial to change public Teams to private to maintain control over who can access sensitive information.
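As an added example (not part of the original post), the following PowerShell script lists the Public Teams in a tenant so they can be reviewed with their owners, and then switches the reviewed ones to Private. It assumes the MicrosoftTeams PowerShell module, a Teams administrator account, and a CSV file name of my own choosing.

```powershell
# Added example (not from the original post): list Public Teams for review and,
# once the owners agree, switch them to Private. Requires the MicrosoftTeams
# PowerShell module and a Teams administrator account.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Every Public team is visible to and joinable by everyone in the organization,
# which after MTO also includes members synchronized from the other tenants.
$publicTeams = @(Get-Team -Visibility Public |
    Select-Object DisplayName, MailNickName, GroupId, Archived)

Write-Host ("{0} Public team(s) found" -f $publicTeams.Count)
$publicTeams | Format-Table DisplayName, MailNickName, Archived -AutoSize

# Export the list so it can be reviewed with the team owners before any change.
# (File name is an assumption; pick one that suits your process.)
$publicTeams | Export-Csv -Path .\PublicTeams.csv -NoTypeInformation

# Step 2, run after review: set $apply to $true to actually change visibility.
# Changing the team's visibility also changes the visibility of its Microsoft 365 group.
$apply = $false
foreach ($team in Import-Csv -Path .\PublicTeams.csv) {
    if ($apply) {
        Set-Team -GroupId $team.GroupId -Visibility Private
        Write-Host "Changed '$($team.DisplayName)' to Private"
    } else {
        Write-Host "Would change '$($team.DisplayName)' to Private (set `$apply = `$true to apply)"
    }
}
```

Remove from the CSV any team that is meant to stay Public before running step 2, so the script only touches teams the owners have agreed to change.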
SharePoint and OneDrive
Who hasn’t heard of (or used) the group “Everyone except external users”? I bet that when you start analyzing your SharePoint sites, you will find several sites that have this group in at least the site’s Visitors group. We have the same challenge here as with public Teams: MTO users are included in “Everyone except external users” and thus have read rights to these SharePoint sites (or, in the worst case, edit rights).
So, what do you need to do when it comes to SharePoint?
- Cleanup: Identify and archive inactive SharePoint sites, review and manage guest access, and set appropriate sharing settings. Ensure that content cannot be shared anonymously with Anyone-links.
- Governance: Limit the creation of new SharePoint sites to designated administrators.
- Configuration: Ensure SharePoint sites are configured to support the security and functionality requirements of your organization.
- Avoid “Public” Sites: Like Public Teams, SharePoint sites containing Everyone-groups can expose sensitive data to unauthorized users. 🚨 It is essential to remove Everyone-groups and replace them with dynamic Entra ID groups containing only people from your organization to ensure only authorized personnel have access.
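As an added example (not part of the original post), this PowerShell script scans every SharePoint site for site groups that contain the “Everyone” or “Everyone except external users” claims and reports each site's sharing setting, which also shows where Anyone links are still possible. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator account, and “contoso” as a placeholder tenant name; the claim fragments it matches on are the login-name forms SharePoint uses for those two groups.

```powershell
# Added example (not from the original post): report SharePoint sites whose site
# groups (Owners/Members/Visitors) contain "Everyone" or "Everyone except external
# users", together with each site's sharing setting. Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator.
# "contoso" is a placeholder for your tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Login-name fragments of the two built-in claims: 'spo-grid-all-users' is
# "Everyone except external users" (the group MTO members fall into) and
# 'c:0(.s|true' is "Everyone".
$everyonePatterns = @('spo-grid-all-users', 'c:0(.s|true')

# Tenant-level sharing: ExternalUserAndGuestSharing means Anyone links are allowed.
$tenant = Get-SPOTenant
Write-Host "Tenant sharing capability: $($tenant.SharingCapability)"

# Set -IncludePersonalSite $true to add OneDrive sites to the scan (slower on large tenants).
$sites = Get-SPOSite -Limit All -IncludePersonalSite $false

$findings = foreach ($site in $sites) {
    $groups = Get-SPOSiteGroup -Site $site.Url -ErrorAction SilentlyContinue
    foreach ($group in $groups) {
        foreach ($login in $group.Users) {
            foreach ($pattern in $everyonePatterns) {
                if ($login -like "*$pattern*") {
                    [pscustomobject]@{
                        Site        = $site.Url
                        SiteGroup   = $group.Title
                        Claim       = $login
                        SiteSharing = $site.SharingCapability
                        AnyoneLinks = ($site.SharingCapability -eq 'ExternalUserAndGuestSharing')
                    }
                }
            }
        }
    }
}

$findings | Format-Table Site, SiteGroup, SiteSharing, AnyoneLinks -AutoSize
$findings | Export-Csv -Path .\EveryoneGroupSites.csv -NoTypeInformation

# Remediation is a per-site decision made with the site owner: remove the claim
# from the site group and add a dynamic Entra ID group with only your own users.
# Example for one finding (placeholder site, group and tenant id):
# Remove-SPOUser -Site 'https://contoso.sharepoint.com/sites/Finance' `
#     -Group 'Finance Visitors' -LoginName 'c:0-.f|rolemanager|spo-grid-all-users/<tenant-id>'
```

Because the scan walks site groups only, a site that grants “Everyone except external users” directly on a library or folder will not appear here; those broken-inheritance permissions need a separate review.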
So, what do you need to do when it comes to OneDrive?
- Cleanup: Limit/Disable synchronization, especially for unmanaged devices and personal OneDrive accounts. Ensure that content cannot be shared anonymously with Anyone-links. Also run an analysis to ensure that there are no old folders left that are shared with everyone and contain sensitive content.
- Governance: Implement policies for file and folder sharing, including expiration dates for guest access.
- Configuration: Ensure OneDrive is configured to support the security and functionality requirements for your organization.
And by the way, we must not forget public M365 Groups.
For example, if your organization uses Viva Engage and has several public Communities that are open to all users, the group “Everyone except external users” is included in the SharePoint sites that are connected to these Communities. This means that MTO-users also have full access to the files that have been uploaded to these communities’ SharePoint sites.
Here too, you should assess these Communities and possibly limit their openness, or go into their SharePoint sites and adjust their access rights.
Summary
Did you get the impression that there is a lot to think about and fix? 😟
None of what I have mentioned is actually anything new. Neither MTO nor Copilot create any “security problems”. If you thought so, you were wrong. You are probably already using Search in Microsoft 365 today. Those who have too extensive access rights today can already find this information just by using search. If your tenant has been configured according to the book from the beginning, there is not much new to think about, but if it has not been, it is time to start cleaning, analyzing, configuring and securing. When this is done, you can be both “Early Adopters” and “Pioneers” and feel safe both when you test and implement new groundbreaking functionality that helps you collaborate even more effectively.
What I have described in this blog post is just the basics. I will dive deeper into security and compliance in Microsoft Teams and SharePoint in several future posts, so stay tuned.
Finally, I would like to share some useful links that can help you along the way.
Useful links from Microsoft Learn on how to secure Microsoft Teams:
- Security guide for Microsoft Teams overview
- Set up secure file sharing and collaboration with Microsoft Teams
- Implement security for Microsoft Teams
Useful links from Microsoft Learn on how to secure SharePoint:
- Cloud data security measures in SharePoint & OneDrive
- Recommended SharePoint access policies
- Managing SharePoint Online Security: A Team Effort