ASD's Blueprint for Secure Cloud

Sharing and Access Controls

This section describes the design decisions associated with SharePoint Sharing and Access Controls for system(s) built using ASD's Blueprint for Secure Cloud.

Estimated reading time: 4 minutes

Sharing and Access controls provide granular control over external sharing and access to SharePoint Online. Sharing and Access control is essential for securing SharePoint Online document and information sharing. Access to SharePoint Sites can be controlled through a variety of means to ensure that the data of the sites is protected. This includes the configuration of:

  • Only allowing access from specific IP address locations
  • Only allowing access from apps that use modern authentication
  • Blocking access from devices which are not managed by the organisation through Microsoft Intune.
  • Sites can be further secured through the implementation of Idle session timeouts. Idle session timeouts essentially act to log a user out of SharePoint after a period of inactivity.

Access Controls provides an administrative tool to restrict access contents in SharePoint.

Configuration

ConfigurationValueDescription
Unmanaged Devices
Unmanaged DevicesAllow limited, web only accessProvide restricted access to devices that are not Microsoft Intune compliant.
Idle session time-out
Sign out inactive users automaticallyOnControls idle time on users logged onto a device.
Sign out users after:1 hourEnsure users are logged out after an idle time.
Give users this much notice:5 minutesEnsure users are notified before they are signed out.
Network Location
Allow access only from a specific IP address rangeOffDefine a trusted network boundary by specifying one or more authorized IP address ranges.
Apps that do not use modern Authentication
Apps that do not use modern AuthenticationBlock accessSome third-party apps and previous versions of Office cannot enforce device-based restrictions. Use this setting to block all access from these apps.

Cloud native deployments

The below are the settings specific to a cloud native deployment of SharePoint Online.

ConfigurationValueDescription
External Sharing
SharePointNew and existing guestsGuest access is available in accordance with Collaboration
More external sharing settingsLimit external sharing by domain: Checked
Add domains that are allowed: Checked
Guests must sign in using the same account to which the sharing invitations are sent.
OneDriveOnly people in the organisationNo external sharing allowed.
File and folder links
Choose the type of link that is created by default when users get linksSpecific peopleInternal link which can only be sent to people in the organisation.
Other settings
Show owners the names of people who viewed their files in OneDriveCheckedThis is to ensure owners are aware of external users who have access to the document.
Let site owners choose to display the names of people who viewed files or pages in SharePointCheckedPermits display of activity on SharePoint sites to foster collaboration.
Use shorter links when sharing files and foldersCheckedEnsure URL are short and concise.
Default link permissionEditUsers will have edit permissions by default to increase usability. If view permissions are required, this is also available.

Hybrid deployments

The below are the settings specific to hybrid deployments of SharePoint Online.

ConfigurationValueDescription
External Sharing
SharePointOnly people in the organisationNo external sharing allowed.
OneDriveOnly people in the organisationNo external sharing allowed.
File and folder links
Choose the type of link that is created by default when users get linksOnly people in the organisationInternal link which can only be sent to people in the organisation.
Other settings
Show owners the names of people who viewed their files in OneDriveCheckedThis is to ensure owners are aware of external users who have access to the document.
Let site owners choose to display the names of people who viewed files or pages in SharePointCheckedPermits display of activity on SharePoint sites to foster collaboration.
Use shorter links when sharing files and foldersCheckedEnsure URL are short and concise.
Default link permissionEditUsers will have edit permissions by default to increase usability. If view permissions are required, this is also available.

Security & Governance

  • None identified

Design

  • None identified

Configuration

  • None identified

References

  • None identified

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country icon

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra