News for Microsoft 365 Administrators - First Half of 2020

Sensitive by default - preventing external sharing of unindexed files

Applying DLP rules in SharePoint Online works by indexing the file and then scanning its content for match with any DLP rules. This process can take some time, even a few hours. Before it happens, the file can be freely shared externally - this is not ideal as that is exactly what DLP rules should prevent. Therefore, Microsoft comes with a solution to block external sharing of all files that are not yet indexed and scanned - you can turn on this functionality via the cmdlet Set-SPOTenant –MarkNewFilesSensitiveByDefault BlockExternalSharing. We recommended setting this if you use DLP rules to prevent external sharing in the tenant and want to make surr that the rules cannot be circumvented.

Default sharing link type for users with existing access

Another new functionality sounds almost trivial and is actually incredible that it took so long to be implemented. Until now, Microsoft 365 administrators had the option to set default sharing link types in SharePoint OneDrive to:

• Anyone with the link (=anonymous access)
• People in your organization with the link
• Specific people

Unfortunately, the link type that I personally find most logical, that is a link for users with existing access (without adding new ones or listing them specifically) could not have been set as the default.

In addition, after the last change in the file sharing UI (which happened in 2019), sharing in SharePoint Online and OneDrive works in such a way that the pop-up the dialog no longer asks what type of link you want to create, but creates a default link and it can be changed afterwards. This means that when a user misclicks, opens the sharing dialog accidentally and then closes it later, the default sharing link stays created. If you have set the external anonymous link as the default sharing link type, you can easily share files that you didn't intend to (my personal experience).

Just as problematic are cloud attachments in Outlook. I case of attaching a file from SharePpoint the default sharing link type is automatically created - e.g. I send a link to a file to pavel.otych@gurot.com who already has access to the file. However, if the default sharing link type is set to all internal users then such a link is created and sent. This can be problematic because forwarding the link to other internal users is a matter of a few clicks.

Microsoft now comes with the option to set the default sharing link type to users with existing access. This is great news because it solves the problems mentioned above. Currently we do not have the option to set this in the UI but only through PowerShell and only to a specific SharePoint pages. You can find more information here.

If the current options of default sharing link types bother you, we recommend setting this, otherwise you can wait for the feature to be globally available in the SharePoint admin center and applicable to all sites, which is promised to happen soon.

Support for Sensitivity Labels in SharePoint online and desktop office applications

For some time we have the option to turn on native support for Sensitivity Labels in SharePoint Online, which enables indexing of encrypted files, ability to apply DLP rules, co-authoring, etc. Turning on this preview feature is a question of one PowerShell command, but it brings quite a lot of complications and limitations, so I recommend reading the details on this page first.

Also, there is an additional preview feature, namely the support of applying Sensitive Labels to Office 365 groups, SharePoint sites and Teams channels. Information about this preview can be found here, but I would recommend not looking into it too much as of yet - the current functionality is quite limited and it looks like it will take some time to be fine-tuned - for example, currently SharePoint pages do not yet automatically apply Sensitivity Labels on files stored in document libraries.

Current and functional is native support for Sensitivity Labels in desktop Office applications. Since the autumn of 2019 it has been available in the Monthly Channel of the Office suite and now it is getting into the Semi-Annual Channel. It is a feature that many businesses are waiting for as it will help them to get rid of Azure Information Protection labeling client. Native support in Office suite also allows administrators to turn off access to content via macros (until this time it was necessary for the AIP add-in to work properly).

Unfortunately, with native support in Office suite also come some limitations, and unfortunately quite important ones - like automatic content-based labeling or disabling removal of labels. Therefore, we recommend firstly to read the current comparison of native support and AIP client functionalities. If you leave the AIP client installed, the Office applications will use its add-in; if the AIP client is not available, native support will be used in the Office applications.

Turn off specific "What's New" notifications in desktop Office applications

Since February 2020, administrators have the ability to turn off notifications about new features that are displayed to users in desktop applications. Unfortunately, it is not possible to set the default value of all new notifications to not show automatically - it is necessary to wait for the list of new features for each monthly release and to turn off individual announcements. Although it is a matter of a few clicks, perhaps Microsoft will fine-tune it, so we do not have to click every month.

Collections on the My Apps portal

For a long time, administrators have the ability to add app links to the Office 365 App Launcher or the Azure My Apps portal. Settings are managed in two places, either when registering the application in Azure or in Office 365 in the organization settings. Each of these options is displayed to the user in a different way in the O365 Launcher - one group of apps is pinned at the top with a special heading, the other group is located at the bottom. This is a bit chaotic to say the least.

Microsoft comes with unified management of assigned applications and the new Azure Launcher at https://myapplications.microsoft.com. Administrators can now group applications into collections and then assign these to user groups. Functionality requires Azure AD Premium P1 license and is currently available in preview version.

Request access to applications

Since autumn 2019, there is another interesting feature in preview that allows Azure AD users to ask their administrator to allow a third-party web service to access their business data (provided the approval is not set to be automatic). Typically, these are situations when a user wants to log in to a web application through an Azure AD account.

Approval workflow is quite sophisticated, it is possible to set types of notifications for administrators or expiration of user requests. We therefore recommend to take a closer look at this functionality.

Security Defaults replace Azure AD baseline policies

A major change that hopefully all administrators have noticed is the abolition of baseline policies in Azure AD and the replacement with a single switch called Security Defaults. This setting includes everything that was previously separate in each baselines, basically MFA and blocking legacy authentication protocols.

Generally it is a tool suitable for individuals, smaller companies or those who do not need to set up sophisticated solutions. The problem is that if you are using Conditional Access in Azure, then you cannot turn on Security Defaults. This disadvantage, in my opinion, applies to almost everyone who wants to have some fun with Azure AD or whose business needs require him to customize the settings.

Support for Windows Information Protection in the new Edge

The new Chromium-based Edge currently only supports Windows Information Protection to a limited extent. This will finally change from version 82, which is currently in Dev Channel and will be fully released by the end of April 2020. By that time, there should be full support of WIP, including copying content, drag & drop of files, etc.

New Office app for iOS/Android

In early 2020, Microsoft released a new Office app for iOS and Android devices. It is a relatively simple application that unifies other applications in the Office package, allows you to combine and scan documents, etc. Of course, the application supports MAM policies, so you need to add the Office application to the list of managed applications if you use MAM.

Conclusion

Today, we have summarized some of the changes in Microsoft 365 that are taking place during the first half of 2020. There is also quite a few innovations coming in the second half of 2020 - especially blocking basic authentication, ATP support for other operating systems, and new possibilities of cloud printing management. Maybe we will look into those next time.