To encourage organizations to move from traditional file shares to SharePoint Online, Microsoft keeps making the product easier to use and more efficient than other enterprise file management systems. Security remains a concern, however: SharePoint Online is a cloud service, and keeping a company's confidential files in cloud storage raises security and compliance questions.

In this article we walk through the security and compliance features of SharePoint Online. Some are in place by default; others you configure yourself with a few clicks. Knowing what is already covered, and what you still have to switch on, should make it easier to decide how much to trust the platform with.




1) Encryption of Data in Transit

Data is an irreplaceable asset, and encryption is the last line of defense in a layered data security strategy: if every access control fails, encrypted data is still unreadable without the key. Microsoft uses several encryption methods, protocols, and algorithms across its products and services, both to give data a protected path through the infrastructure and to protect the confidentiality of data stored within it.

Data in transit is encrypted both between you and the data center and between data centers, using 2048-bit RSA keys for the server certificates. There are two transit scenarios:

  • Client communication with the server. Browser and client traffic to SharePoint Online across the internet uses TLS (the successor to SSL). All connections are established with certificates that use 2048-bit keys.
  • Data movement between data centers. The main reason to move data between data centers is geo-replication for disaster recovery; SQL Server transaction logs and blob storage deltas, for instance, travel along this path. Although this traffic already runs over a private network, it is additionally encrypted.

The protocols and technologies involved include:

  • Transport Layer Security/Secure Sockets Layer (TLS/SSL), which negotiates a shared secret using public-key cryptography and then uses symmetric cryptography based on that secret to encrypt communications as they travel over the network.
  • Internet Protocol Security (IPsec), an industry-standard set of protocols that provides authentication, integrity, and confidentiality at the IP packet level as data is transferred across the network.
  • Advanced Encryption Standard (AES)-256, the National Institute of Standards and Technology (NIST) specification for symmetric-key data encryption, adopted by the US government to replace the Data Encryption Standard (DES).
  • RSA public-key cryptography with 2048-bit keys, used for the certificates and key exchange that establish the TLS sessions above.
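Rather than take the figures above on trust, you can check what your tenant endpoint actually negotiates. The following PowerShell is an added example, not code from the original article or from Microsoft: it opens a TLS connection to a tenant hostname (contoso.sharepoint.com is a placeholder; substitute your own) and reports the protocol version, cipher strength and certificate key size. It uses only .NET classes available in Windows PowerShell 5.1 and PowerShell 7, and keeps .NET's default certificate validation rather than overriding it.

```powershell
# Added example: verify the TLS protocol, cipher and certificate key size negotiated
# with a SharePoint Online tenant. "contoso" is a placeholder tenant name.
$TenantHost = "contoso.sharepoint.com"

function Test-SpoTlsEndpoint {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    try {
        # Default certificate validation applies: a bad chain or name mismatch throws here.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }   # 0 = not an RSA certificate (e.g. ECDSA)

        [pscustomobject]@{
            Host           = $HostName
            Protocol       = $ssl.SslProtocol.ToString()   # expect Tls12 or Tls13
            Cipher         = $ssl.CipherAlgorithm.ToString()
            CipherStrength = $ssl.CipherStrength           # e.g. 256 for AES-256
            KeyExchange    = $ssl.KeyExchangeAlgorithm.ToString()
            CertSubject    = $cert.Subject
            CertKeyType    = $cert.PublicKey.Oid.FriendlyName
            CertKeyBits    = $keyBits
            CertExpires    = $cert.NotAfter
        }
    }
    finally {
        $tcp.Close()
    }
}

$result = Test-SpoTlsEndpoint -HostName $TenantHost
$result | Format-List

# Findings worth raising: anything below TLS 1.2, or an RSA key shorter than 2048 bits.
if ($result.Protocol -notin @('Tls12', 'Tls13')) {
    Write-Warning "Negotiated $($result.Protocol), which is weaker than TLS 1.2"
}
if ($result.CertKeyBits -gt 0 -and $result.CertKeyBits -lt 2048) {
    Write-Warning "Server certificate key is only $($result.CertKeyBits) bits"
}
```

The protocol reported is the best the client and server agree on, so an old client with TLS 1.0 enabled will show a different result than a current one; run it from the same client build your users have.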


2) Encryption of Data at Rest

Microsoft uses industry-standard encryption for stored data so that someone who gains access to the underlying disks or storage does not gain access to your content.

Two layers of encryption are applied to data at rest: disk encryption and file encryption.
At the disk level, BitLocker encrypts the volumes. At the file level, every file is encrypted with its own key using the Advanced Encryption Standard (AES) with 256-bit keys, which is Federal Information Processing Standard (FIPS) 140-2 compliant.

Across Microsoft's cloud, the relevant protocols and technologies include:

  • Advanced Encryption Standard (AES)-256, the National Institute of Standards and Technology (NIST) specification for symmetric-key data encryption, adopted by the US government to replace the Data Encryption Standard (DES); RSA 2048-bit public-key cryptography is used alongside it to protect the keys.
  • BitLocker, which uses AES to encrypt entire volumes on Windows server and client machines and can also encrypt Hyper-V virtual machines once a virtual Trusted Platform Module (TPM) is added. BitLocker also encrypts Shielded VMs in Windows Server 2016 so that fabric administrators cannot read the contents of the virtual machine. The Shielded VMs solution includes the Host Guardian Service, which handles virtualization host attestation and the release of encryption keys.
  • Microsoft Azure Storage Service Encryption, which encrypts data at rest in Azure Blob storage. Azure Disk Encryption encrypts the disks of Windows and Linux infrastructure-as-a-service (IaaS) virtual machines using BitLocker on Windows and dm-crypt on Linux, providing volume encryption for both the operating system and the data disks.
  • Transparent Data Encryption (TDE), which encrypts data at rest in an Azure SQL database.
  • Azure Key Vault, which lets you manage and keep control of the encryption keys used by cloud apps and services through a cloud-based hardware security module (HSM).


3) Virus Detection in SharePoint Online

In SharePoint Online, anti-malware protection is automatically provided for files that are uploaded and saved to document libraries. This protection is provided by the Microsoft anti-malware engine. This anti-malware service runs on all SharePoint Online Content Front Ends (CFEs).

Files are scanned for viruses after they are uploaded. If a file is found to be infected, a property is set on it so that users cannot download it from the browser or sync it with the OneDrive sync client.

If a user tries to download an infected file from SharePoint Online in a web browser, they are warned that a virus has been detected. They are also given the option to download the file anyway and attempt to clean it with their own anti-virus software, as shown in the screenshot below:

[Screenshot: virus detection warning in SharePoint Online]

Files larger than 25 MB are not scanned, and a user who accepts the warning above can still pull an infected file onto their machine, so this scan is not a substitute for endpoint protection. Microsoft recommends assessing and implementing anti-malware protection at several layers and applying best practices for securing your enterprise infrastructure.


4) Control Access Based On Network Location

Microsoft has added conditional access capabilities for organizations using SharePoint Online. Restricting access by network location (source IP address range) is one of the main ones, and it is configured in the SharePoint Online admin center with a few clicks.

[Screenshot: "Control access based on network location" setting in the SharePoint admin center]

This policy helps prevent data leakage and can satisfy regulatory requirements that forbid access from untrusted networks. Administrators define the allowed IP address ranges in the SharePoint admin center. Once the policy is enabled, any user who tries to reach SharePoint or OneDrive for Business from outside those ranges, whether from a web browser, a desktop app, or a mobile app on any device, is blocked. Because the check is made on the source address of every request, including your own admin session, make sure the ranges include the address you are administering from before you enable enforcement, or you will lock yourself out.

[Screenshot: "Access Restricted" page shown to a blocked user]

Bear in mind that once a trusted network boundary is defined, apps and services that do not support location-based policies are blocked even when the user is on a trusted network. For example, users can still use Planner to create new plans, but they cannot create the SharePoint modern group document library that stores and serves those plans. A SharePoint administrator or global administrator can also configure this policy through PowerShell.
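The same policy configured from the SharePoint Online Management Shell, as an added example that is not code from the original article. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and you hold a SharePoint administrator role; the tenant name "contoso", the IP ranges, and the use of api.ipify.org to look up your own public address are placeholders and assumptions. The lock-out check before enforcement is the part most worth copying.

```powershell
# Added example: restrict SharePoint Online and OneDrive to trusted IP ranges
# with the SharePoint Online Management Shell. "contoso" is a placeholder.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Trusted ranges in CIDR notation (placeholders: office egress and VPN pool).
$trustedRanges = @('203.0.113.0/24', '198.51.100.64/26')

# Pure-PowerShell IPv4 CIDR membership test, so the script has no module dependency for it.
function Test-IpInCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $net, $bits = $Cidr -split '/'
    # Reverse the network-order bytes so BitConverter yields the usual a.b.c.d integer.
    $ipInt  = [BitConverter]::ToUInt32(([ipaddress]$Ip).GetAddressBytes()[3..0], 0)
    $netInt = [BitConverter]::ToUInt32(([ipaddress]$net).GetAddressBytes()[3..0], 0)
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Safety check: the policy is enforced on the source address of every request,
# including this admin session. Abort if the address we connect from is not covered.
# (api.ipify.org is an assumed third-party lookup; replace with your own source of truth.)
$myIp = (Invoke-RestMethod -Uri 'https://api.ipify.org').Trim()
$covered = $trustedRanges | Where-Object { Test-IpInCidr -Ip $myIp -Cidr $_ }
if (-not $covered) {
    throw "Your current address $myIp is not in the allow list; enabling enforcement would lock you out."
}

# Stage the list with enforcement off, verify it, then switch enforcement on.
Set-SPOTenant -IPAddressAllowList ($trustedRanges -join ',') -IPAddressEnforcement $false
Get-SPOTenant | Select-Object IPAddressAllowList, IPAddressEnforcement

Set-SPOTenant -IPAddressEnforcement $true
Get-SPOTenant | Select-Object IPAddressAllowList, IPAddressEnforcement
```

Keep the allow list in source control alongside the change that introduced each range; when an office moves or a VPN pool is renumbered, a stale entry here is a silent outage for every user behind the new address.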


5) Custom Script Restriction

If you do not want users customizing SharePoint site collections, this setting is the control for it. Letting users customize sites and pages by inserting script gives them flexibility to address different needs in your organization, but it has real security implications: inserted script runs in the browser of every user who views the page, with that user's permissions, so a malicious or careless script can read and exfiltrate anything the viewer can access. Once you allow custom script, you can no longer enforce governance over it, scope the capabilities of the inserted code, block specific parts of it, or block all of the custom code that has already been deployed.

By default, custom script is allowed on sites that admins create. It is not allowed on OneDrive, on sites that users create themselves (such as Office 365 Group sites and modern sites), or on the root site of your organization.

This setting is best managed through PowerShell, which lets you change it for a specific site collection rather than for the whole tenant. The tenant-wide setting in the admin center is shown below:

[Screenshot: "Custom Script" setting in the SharePoint admin center]
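Managing the setting per site collection from PowerShell, as an added example that is not code from the original article. It uses the SharePoint Online Management Shell; "contoso" and the site URLs are placeholders. The inventory step matters because the admin-center toggle only sets the default for sites created afterwards, while existing sites keep whatever value they had.

```powershell
# Added example: find every site collection that still allows custom script,
# disable it everywhere, then re-enable it only where a reviewed need exists.
# "contoso" and the site URLs are placeholders.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# On a site object, DenyAddAndCustomizePages = Disabled means custom script IS allowed.
function Get-SpoCustomScriptReport {
    Get-SPOSite -Limit All | ForEach-Object {
        [pscustomobject]@{
            Url                 = $_.Url
            Template            = $_.Template
            CustomScriptAllowed = ($_.DenyAddAndCustomizePages -eq 'Disabled')
        }
    }
}

$report = Get-SpoCustomScriptReport
"Sites that currently allow custom script:"
$report | Where-Object CustomScriptAllowed | Format-Table -AutoSize

# Harden: deny custom script on every site that still allows it.
foreach ($site in ($report | Where-Object CustomScriptAllowed)) {
    Set-SPOSite -Identity $site.Url -DenyAddAndCustomizePages $true
}

# Exception: re-enable it on the one site with a documented business need (placeholder URL).
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/legacy-intranet -DenyAddAndCustomizePages $false

# Verify the end state.
Get-SpoCustomScriptReport | Where-Object CustomScriptAllowed | Select-Object Url
```

Run the report on a schedule, not just once: any site later created by an admin while the tenant default allows script will show up here.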


6) Manage External Sharing

External sharing is one of SharePoint Online's key features: it lets you collaborate with people outside the organization who have no license. It also increases the risk of information exposure and data loss, because users can unknowingly share files with anonymous users if sharing is not restricted.

For organizations that keep confidential business information in SharePoint Online, we suggest disabling anonymous guest-link sharing for the whole tenant, so that only authenticated users who can sign in to Office 365 can access content that is shared with them.

[Screenshot: external sharing settings in the SharePoint admin center]

With these settings, external users must sign in to Office 365 to access SharePoint Online data, which is only possible if an internal user has sent a sharing invitation to that external user's email address.

Identify the partner companies you will share content with, make a list of their domains, and maintain your own sharing allow list. The additional settings let you limit sharing to users in specific domains (or block specific domains). This is managed from the sharing settings in the SharePoint admin center:

[Screenshot: additional sharing settings, including the domain allow list]

SharePoint Online offers further options for narrowing what external users can do, such as the default link type and per-site sharing levels, which help you tighten the environment further.
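The tenant and per-site sharing settings above as PowerShell, with the weak and hardened states side by side. This is an added example, not code from the original article; it uses the SharePoint Online Management Shell, and "contoso", the partner domains and the site URLs are placeholders.

```powershell
# Added example: record the current sharing posture, apply a hardened tenant
# baseline, and find sites that still allow anonymous links. Placeholders throughout.
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# 1. Record the current tenant-level state before changing anything.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList, RequireAcceptingAccountMatchInvitedAccount

# Weak state this replaces:
#   SharingCapability = ExternalUserAndGuestSharing   (anonymous "Anyone" links allowed)
#   DefaultSharingLinkType = AnonymousAccess          (share dialog defaults to an anonymous link)
#   SharingDomainRestrictionMode = None               (any external domain)

# 2. Hardened tenant baseline.
$tenantSettings = @{
    SharingCapability                          = 'ExternalUserSharingOnly'   # externals must sign in; no anonymous links
    DefaultSharingLinkType                     = 'Internal'                  # share dialog defaults to people in the org
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner-one.example partner-two.example'   # space-separated
    RequireAcceptingAccountMatchInvitedAccount = $true                       # only the invited address can redeem the invite
}
Set-SPOTenant @tenantSettings

# 3. Per-site audit. A site can be tighter than the tenant but not more open, yet a
#    site-level value of ExternalUserAndGuestSharing is still worth finding and fixing.
function Get-SpoAnonymousSharingSites {
    Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
        Select-Object Url, SharingCapability
}
Get-SpoAnonymousSharingSites | Format-Table -AutoSize

# 4. Lock down a sensitive site entirely, regardless of the tenant setting (placeholder URL).
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/hr -SharingCapability Disabled
```

Changing SharingCapability does not revoke links that were already created; existing anonymous links stop working once the tenant no longer permits them, but reviewing who external guests are (Get-SPOExternalUser) is a separate clean-up step.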


7) Access, Permission, and Sharing

There are three kinds of users in SharePoint Online: administrators, power users, and end users.

Administrators are the service or tenant admins who define policies, manage the service, and handle site creation requests. Power users are the people who make the most of the service's features; they are typically managers, leads, and organizers, they are the ones who interact most with the tenant administrators, and they manage sites as site owners or site administrators. End users contribute content and use most of the day-to-day productivity features.

Users should have only the access they need, and SharePoint's permission levels are how you grant it. Permissions can be set at every level of the site collection hierarchy (site, library, folder, item), and a lower level can break inheritance from the level above: a user can be given Edit on a folder while having no permission on the library that contains it, and Full Control on a different library in the same site collection. That flexibility is also why broken inheritance is hard to audit, so use it sparingly. The common permission levels are:

  • Full Control – All available SharePoint permissions. By default this level is assigned to the site's Owners group. It cannot be customized or deleted.
  • Design – Create lists and document libraries, edit pages, and apply themes, borders, and style sheets to the site. No SharePoint group is assigned this level automatically.
  • Edit – Add, edit, and delete lists; view, add, update, and delete list items and documents. By default this level is assigned to the Members group.
  • Contribute – View, add, update, and delete list items and documents, but not create or delete lists.
  • Read – View pages and items in existing lists and document libraries and download documents. By default this level is assigned to the Visitors group.
  • Approve – Edit and approve pages, list items, and documents. By default the Approvers group has this level.
  • Manage Hierarchy – Create sites and edit pages, list items, and documents. By default this level is assigned to the Hierarchy Managers group.
  • Restricted Read – View pages and documents, but not historical versions or user permissions.
  • View Only – View pages, items, and documents. Documents that have a server-side file handler can be viewed in the browser but not downloaded; file types without one (those that cannot be opened in the browser, such as video, .pdf and .png files) can still be downloaded, so View Only is not a reliable way to prevent downloads.

You can create new permission levels and also edit existing permission levels.


[Screenshot: permission levels page for a site]

SharePoint Online also lets you create SharePoint groups, which are associated with permission levels to grant access to users. This makes management easier: add users to a group and they get access to every location the group has been granted. For example, if group A needs folders 1 to 5 and group B needs folders 6 to 10, you add each group to its folders once; whenever a new user later joins one of the groups, they automatically get access to the corresponding folders.

SharePoint Online also lets you add Active Directory (Azure AD) security groups to SharePoint sites, so membership can be managed in the directory rather than in each site.

Sharing and permission settings are straightforward to manage, but to change site-level permissions and other site settings you need at least site owner (Full Control) or administrator rights on the site.
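Auditing and granting site permissions from PowerShell, as an added example that is not code from the original article. It uses the SharePoint Online Management Shell; "contoso", the site URL, the group name and the user are placeholders. It shows the pattern the text recommends: put users in a group that carries one permission level, rather than granting users directly on libraries.

```powershell
# Added example: find which groups on a site hold Full Control, then grant a new
# set of users least-privilege access through a dedicated group. Placeholders throughout.
Connect-SPOService -Url https://contoso-admin.sharepoint.com
$site = 'https://contoso.sharepoint.com/sites/finance'

# Audit: every SharePoint group on the site that carries Full Control, with its members.
# Anything other than the default Owners group deserves a second look.
function Get-SpoFullControlGroups {
    param([Parameter(Mandatory)][string]$SiteUrl)
    Get-SPOSiteGroup -Site $SiteUrl |
        Where-Object { $_.Roles -contains 'Full Control' } |
        ForEach-Object {
            [pscustomobject]@{
                Group   = $_.Title
                Roles   = ($_.Roles -join ', ')
                Members = ($_.Users -join ', ')
            }
        }
}
Get-SpoFullControlGroups -SiteUrl $site | Format-Table -AutoSize

# Least privilege: auditors get a Read-only group of their own instead of a seat in
# Members (Edit), and the users go into the group rather than onto the library.
New-SPOSiteGroup -Site $site -Group 'Finance Auditors' -PermissionLevels 'Read'
Add-SPOUser -Site $site -LoginName 'auditor1@contoso.com' -Group 'Finance Auditors'

# If a group was over-provisioned, swap the level rather than deleting and recreating it.
Set-SPOSiteGroup -Site $site -Identity 'Finance Auditors' -PermissionLevelsToAdd 'Read' -PermissionLevelsToRemove 'Edit'

# Verify.
Get-SPOSiteGroup -Site $site -Group 'Finance Auditors' | Select-Object Title, Roles, Users
```

Get-SPOSiteGroup only sees site-level groups and their roles; it does not reveal libraries, folders or items where inheritance was broken. For that you need to walk the site with the PnP PowerShell module or the REST API, which is exactly why the text advises keeping unique permissions to a minimum.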



Written by Nicolas Bouchard Presales Technical Advisor @ SherWeb

Nicolas is a Business Development Specialist at SherWeb. He has worked his way up through SherWeb, starting in Technical Support (level 2) before switching to Sales. He is now in the Business Development team, and his knowledge of Office 365 is extensive. With his broad expertise in cloud computing and service management, he’s an integral part of the SherWeb team.