Am a keen follower of Microsoft's SharePoint Blog and proud to provide this direct from the Microsoft Tech Community:
Zero Trust is the new security norm. Nowadays, cybersecurity is top of mind in every board room. As organizations realize their individual digital transformation, they will see exponential growth of their digital estate. With that growth comes the responsibility of managing and governing all aspects of people, content, and context — diligently.
We are here to empower every administrator worldwide safeguard and govern their digital content. We continue to innovate in security and management at cloud speed. And today is a big moment of disclosure. Today at Microsoft Ignite 2022, we are excited to announce the following new security and management capabilities across SharePoint, OneDrive, and Teams:
- Advanced access policies for secure collaboration
- Security controls to safeguard content
- Comprehensive compliance
- Migration Enhancement
- Advanced sites lifecycle management
- Organization lifecycle management
Restricted access control (RAC) policy for SharePoint sites – Private Preview
Oversharing of content is a common problem in many organizations. Despite the right intent, users mistakenly share content with a broader audience that often results in unauthorized access to content. Especially as hybrid work and external collaboration becomes business existential themes, oversharing problem expands to a new level.
Look no further, administrators can now restrict access to SharePoint sites such that no matter how widespread the content was shared, or inheritance was broken at the content level the access is instantly confined to a set of users only.
Today we are excited to announce restricted access control (RAC) policy v1 (Private preview). With this advanced policy, you can now restrict a Microsoft 355 Groups-connected site to having the same membership as the parent Microsoft 365 Group despite if the site or content was shared outside of that group membership. In future, we plan to extend this policy to all SharePoint site templates by configuring RAC policy with a security group.
To learn more about this premium feature, check out the article here: RAC Policy for SharePoint Sites.
To participate in the preview, sign-up here: Preview RAC Policy for sites.
Restricted access control (RAC) policy for OneDrive in your organization – General Availability
Much like oversharing SharePoint sites, users overshare their OneDrive content too especially with external users.
Today we are excited to announce that restricted access control (RAC) policy for OneDrives is generally available. With this policy, you can now restrict access to all OneDrives in your organization to a set of users, say all your employees only and no one else. You simply create security groups in Azure Active Directory that contains all your employees, then in SharePoint admin center configure the Limit OneDrive Access to those groups. It is that simple!
To learn more about this feature, check out the article here: Limit OneDrive Access in your organization
Conditional access policies for SharePoint sites, OneDrives, and Teams – General availability
Security posture of content varies based on whether its business criticality. General training content should be easily accessible wherein classified strategy content should be accessible only when certain conditions are met. The conditional access requirements should match the sites’ security posture.
Today we are thrilled to announce the general availability of conditional access policies for SharePoint sites, OneDrives, and Teams. Simply use the SharePoint Online PowerShell to set appropriate access policy for a site, which dictates the conditions required for accessing that site. For example, for your 2025 Strategy site that is expected to have business critical content you can configure the policy to require MFA (multi-factor-authentication) for all users.
The key benefit of this capability is that users need to go through additional credential gates only when they try accessing sites or teams that contain business critical information. If your organization already has sensitivity labels deployed, then you can also associate this policy with the sensitivity labels and simply label the sites or teams appropriately.
To learn more about this feature, check out the product article here: Conditional access policy for sites.
Security controls to safeguard content
User defined permissions (UDP) support for Office files in SharePoint, OneDrive, and Teams – Private Preview
We have been in the journey of MIP (Microsoft Purview Information Protection) Sensitivity Labels for the past three years and have come a long way continually expanding policies that can be associated with labels. For example, you can have a Confidential label associated with admin-defined-permission of only full-time employees. Office files with that label are now accessible only by full-time employees.
We are continuing to innovate in this labels-based policies journey and aim to provide comprehensive coverage for all use cases of sensitive content. Today, we are excited to announce support for user-defined permissions (UDP) for Office files in SharePoint, OneDrive, and Teams, starting private preview soon.
With this capability we bring in first-class experience to Office files that are protected with labels containing user-defined-permissions i.e., ability to view and co-author those files in SharePoint, OneDrive, and Teams. You can already create a label that allows users to define the permissions at the time of labeling a file.
We are taking nominations for private preview, sign-up here: Preview form for UDP support.
Protected PDFs support in SharePoint, OneDrive, and Teams – Private Preview
We are bringing the security controls that power Office files to protected PDF files. Specifically, your users can open and/or search for content in protected PDF files while you can now govern them with your DLP (data loss prevention) and eDiscovery policies!
We are excited to announce protected PDFs support in SharePoint, OneDrive, and Teams, starting private preview soon. With this capability, when you upload labelled and encrypted PDF files to SharePoint, OneDrive, and Teams you can now view their sensitivity labels in the Document Library’s sensitivity column. Also, you can simply search for content in these protected PDF files.
Security and compliance admins, on the other hand, can now govern these protected PDFs with their established DLP or eDiscovery policies, which already secure their Office files.
We are taking nominations for private preview, sign-up here: Preview form for Protected PDFs support.
Default sensitivity label for SharePoint Document Libraries – Public Preview
We have rich sensitivity labels experience for Office files and SharePoint sites, Teams, and Microsoft 365 groups. We are now bringing the labeling concept to the SharePoint document libraries.
Today, we are thrilled to announce default sensitivity label for SharePoint Document Libraries comes to public preview. With this new capability you can now protect your Office documents from the day they are created or uploaded to SharePoint document libraries.
Simply set the appropriate sensitivity label for your document libraries using the Library Settings in the information panel. From that point onwards all documents, newly created or modified, in that library will be automatically labelled. Most importantly they are secured from the get-go with policies that are associated with that label.
Learn more about this capability here: Default label for SharePoint Document Libraries. Try out the preview and let us know your feedback.
Programmatic way to assign sensitivity label to a file in SharePoint, OneDrive, and Teams – Private Preview
Further expanding your ability to classify and label files specifically for developers, today we are delighted to introduce the capability to programmatically assign and extract MIP (Microsoft Purview Information Protection) sensitivity label for Office files.
As part of this capability, we have elevated the labelling experience with a programmatic endpoint in the Microsoft Graph Beta that allows the labelling of files by users and applications. This premium capability allows you to label at scale and is currently under private preview, and we are eager for your feedback!
To learn more about this API, check out this article: Assign Label to files in SharePoint, OneDrive, and Teams.
To participate in the private preview, nominate in this form: Preview form for SharePoint Label API.
Anti-malware scan on file download – General availability
We continue to improve the security posture of files in SharePoint and OneDrive. In addition to our asynchronous antimalware scanning, we have added another layer of protection to perform anti-malware scanning when a file is being downloaded. This ensures the spread of malware is minimized.
Today we are excited to share with you that scan on file download is generally available. All files regardless of file types will be scanned for malware infection during browser or Teams download, if the file is not already scanned.
To learn more, check out this article: Anti-malware scan on file download
Forensic malware identification and extraction – General availability
Forensic analysis plays a key role in understanding how malware enters the system and what kinds of malware the enterprise has been exposed to. One of the challenges faced by analysts is how to retrieve malware infected files without needing to gain access to all files in the source site.
Today we are thrilled to announce the general availability of malware identification and extraction capability. With this capability, using simple SharePoint PowerShell cmdlet administrators can find out what type of malware is present in a file that was marked as infected and extract that file from the site to perform further analysis. All this is possible without needing to elevate their access to the SharePoint or OneDrive site where the content is present.
To learn more, check out this article: Malware identification and extraction
Information Barriers (IB) 2.0: IB modes and multi-segment support – General availability
The compliance landscape is evolving, and we continue to enhance the compliance controls in SharePoint, OneDrive, and Teams to meet those needs. With Microsoft 365 Multi-Geo capabilities you can address data residency compliance needs, while Microsoft 365 Information Barriers helps you to achieve the collaboration and communication isolations among your internal users to meet mandatory regulatory needs like FINRA compliance.
Today we are thrilled to announce information barriers 2.0 that brings IB modes and multi-segment support capabilities, coming to general availability at the end of this calendar year CY22.
With information barriers (IB) modes capability, you can tailor the needs of your users while maintaining the corporate information barriers policies. There are five IB modes, namely: Open, Owner-moderated, Implicit, Explicit, and Mixed. For example, if you want to allow over the wall collaboration but with site/team owners’ discretion then set the IB mode of site/team as Owner-moderated. This allows site/team owners to bring in incompatible segment users to the site/team when needed.
Multi-segment support allows you to associate a user with multiple information barriers (IB) segments so that you can achieve the business need of allowing a user to participate in multiple regulatory projects.
To learn more about IB 2.0, check out here: Microsoft 365 Information Barriers 2.0.
Migration manager was made generally available in 2019 and evolved to a new level over the years. It now enables you to migrate content from file shares, Google Drive, Box, Dropbox, and Egnyte. At Ignite, we are delighted to announce three features to further simplify your migrations in the Google Drive scenario. They are: Bulk download reports, Migration filters, and Estimated time to migrate.
These features will be enabled to other scenarios in the early next calendar year. Stay tuned to the what’s new page for the recently released and upcoming features.
Bulk-download detailed reports
For cloud migrations, you will be able to download detailed reports for the selected tasks in the scans and migrations tab with a single click. That way you don’t have to go through each item one by one to download reports. Plus, we are introducing a recent actions panel where you can access your previously requested reports.
Once you scan your environment, you are ready to migrate. And you often want to filter what files and folders you want to migrate. Soon, you can filter the files and folders containing invalid characters, with an option to replace them with a valid character, exclude by file extensions, and folder names, and filter by creation and modification date. That way, you curate the content you want to migrate onto M365.
Estimated time to migrate
Now that you initiated your migration, you would like to understand how long it would take to finish. Based on your scans, file sizes, and other factors, you will get an estimated time of completion at the project and the task level.
SharePoint Migration Tool (SPMT) improvements
SPMT continues to be a tool of choice when it comes to migrating from On-prem Server sources including 2010, 2013, and 2016. Now you can streamline scan and migration jobs within one tool. Secondly, the page navigation flow is revamped to make it intuitive for you to manage your migration jobs and create migration-by scenarios.
Stay tuned to what’s new page for the released and upcoming features.
Advanced sites lifecycle management
SharePoint data access governance (DAG) insights V1 – General Availability
As the sprawl of Teams and SharePoint sites happen in your organization, the digital estate of your organization is growing exponentially. It is important to know the top sites that require close attention.
A site’s lifecycle starts at creation time and evolves to the active state when users add content and collaborate in the site. During this active state you may wonder how to detect/avoid oversharing or accidental sharing. The help is here, admins can now use data access governance insights dashboard in SharePoint admin center to address these needs.
At last year’s Ignite we announced the public preview of the data access governance insights feature. Today, we are happy to announce that V1 of data access governance (DAG) insights feature is generally available. DAG insights empower you to discover top-100 and top-10,000 sites that matter the most among millions of sites you may have and monitor/validate/tailor sharing and access policies for those sites.
In future, we also look to the end-to-end capability like Site Access Review. This allows an admin to request site owners of the top-most sites to review and attest the access pattern seen is expected.
Interested in learning more? Check out the product article here: SharePoint Data access governance (DAG) insights.
Sites lifecycle policies – Inactive sites – Preview later this calendar year CY22
From the active state a site may enter to the inactive state perhaps after a few years. With the sprawl of sites, how would you discover the sites that moved to the inactive state and then take some actions on them.
Today we are excited to announce the SharePoint inactive sites policy, coming to private preview later this calendar year CY22. With this capability admins can now create a tailored inactive site policy targeting specific SharePoint sites, perhaps Teams created sites or sites labelled as Public or sites with information segment of Research, and trigger alerts to respective site owners. Site owners of these inactive sites can then decide to either keep or delete or take other actions on these sites.
Stay tuned for more updates later this calendar year. Interested to participate in the private preview, add your nomination here: Preview form for Inactive Site Policy.
Site history and recent admin actions – Preview later this calendar year CY22
As SharePoint admins often you are tasked to troubleshoot inaccessible team sites. Also, to know the lifecycle state of a site and to manage its lifecycle it is imperative to know all the activities carried out by site owners. The new Site History capability in SharePoint admin center aims to address these needs.
Similarly, having a panoramic view of all the recent changes you made in SharePoint admin center will come in handy when some of your changes are accidental and disrupts your users. The new recent admin actions panel shows the latest changes you made to site properties such as site name, site URL, sharing settings, storage limit etc., It allows you to export 30 days’ worth of changes.
Today we are thrilled to announce Site History and Recent Admin Actions preview, coming at the end of this calendar year CY22. Site History capability shows all changes made to site properties by all site owners and admins. This historical view can help you to investigate and resolve helpdesk tickets in a matter of hours instead of days. Recent admin actions capability shows the actions taken by you as the SharePoint admin for that given session.
Stay tuned for more updates later this calendar year CY22. Interested to participate in the private preview, add your nomination here: Preview form for Site History and Recent Admin Actions.
Organization lifecycle management
SharePoint Tenant Rename – General Availability
Organizations evolve throughout their life span, rebranding or expanding through acquisitions or reaching the global market by adding satellite locations. Specific to rebranding, you may want to rebrand your organization’s name, say from Contoso to Fabrikam, or you might have started off with a test name for your tenancy like ContosoQA.sharepoint.com and you wanted to rename to your tenancy’s name.
At last year’s Ignite we announced the public preview of SharePoint Tenant Rename capability. Today, we are excited to announce the general availability of SharePoint Tenant Rename, for tenants with less than 10K sites. This allows you to rename your tenant’s SharePoint URL let’s say from contoso.sharepoint.com to fabrikam.sharepoint.com. In future, we are looking to expand this support to large tenants that have more than 10K sites.
To learn more about this capability, check out here: SharePoint Tenant Rename.
OneDrive Cross-tenant User Data Migration – General Availability
Mergers, Acquisitions, and Divestitures (M&A) scenarios are a critical part of an organization’s lifecycle. In fact, many organizations expand their business through M&A.
Imagine Contoso Energy acquires Fabrikam’s Wind Energy unit in Asia to expand their global footprint in the energy industry. Both Contoso Energy and Fabrikam have a presence in Microsoft 365. As part of this M&A transaction, there is a need to move Fabrikam’s Wind Energy unit employees’ OneDrives and Mailboxes to Contoso Energy’s tenancy. We are addressing this need now.
Today we are thrilled to announce the general availability of OneDrive cross-tenant user data migration. With this capability you can now move users’ OneDrives across two tenants using a simple set of SharePoint PowerShell cmdlets. You can also move users’ mailboxes across tenants.
One another notable capability is, upon OneDrive move although the URL of the OneDrive has changed the sharing links to old URLs will continue to work! This is made possible by the cross-tenant redirect capability that ensures any hit to old URLs is redirected to new URL.
To learn more about this capability, check out here: Cross-tenant user data migration for OneDrives.
For licensing information for these new capabilities, check out the respective feature’s product article documentation.
Interested in participating in the private previews of our upcoming new features? Check out available features and sign up here: Preview Form for Ignite 2022 Private Previews.
There are many Teams innovations announced at Ignite’22, for full list check out Teams Announcement blog.
For full list of new SharePoint, OneDrive, Teams capabilities announced at Ignite’22, check out this blog.
We have a beautiful security and compliance cookbook for SharePoint, OneDrive, and Microsoft 365 administrators, you can download SharePoint and OneDrive Security Cookbook for FREE.
To learn more about the above features in detail, check out the product documentation articles below:
- Restricted access control (RAC) policy for SharePoint Sites
- Limit OneDrive Access at Tenant level
- Conditional policy for sites and teams
- Default label for SharePoint Document Libraries
- Microsoft 365 Information Barriers – Overview
- Microsoft 365 Multi-Geo
- Microsoft 365 Information Barriers 2.0 Enhancements
- Migration manager
- SharePoint Data access governance (DAG) insights
- What’s new in SharePoint Admin Center
- SharePoint Tenant Rename
- Cross-tenant user data migration for OneDrives
- SharePoint and OneDrive Security Cookbook
- Labels-based default sharing link types
- Co-authoring and autosave in encrypted Office documents
- Auto labeling enhancements for Office documents in SharePoint and OneDrive
- Continuous Access Evaluation (CAE) support in SharePoint and OneDrive
Interested in participating in the private previews of our upcoming new features? Check out available features and sign up here: Preview Form for Ignite 2022 Private Previews.
If you are new to Microsoft 365, learn how to try or buy a Microsoft 365 subscription.
Hybrid work is here to stay. We have additional resources that highlight hybrid best practices and how we are responding together to COVID-19, visit our Remote Work site. We’re here to help in any way we can.
Thank you! Sesha Mani, Principal group product manager – OneDrive and SharePoint
The above is kindly provided by the Microsoft Tech Community!