SharePoint Online and Teams site content migration

Kumar Nesamoodu 5 Reputation points
2024-04-22T17:18:55.47+00:00

Hi,

Just imagine a company called ABC splits into two companies, ABC & XYZ.

There is a requirement to migrate SharePoint Online, Teams site and OneDrive data to their company.

We received a request from the business on "data-masking".

There are files that contain sensitive data that are accessible by individuals from both ABC Company and XYZ company today in OneDrive, Teams, or SharePoint. After Day 1, they are 2 separate companies and there are 2 separate Microsoft tenants. However, some of this ABC related content will still be in XYZ and vice versa for accounts where we "copy" the data vs. move. Since our intent is not to delete or clean up any content immediately (we should have a “stabilization” period), how would we “mask”/ hide/ or disable findability to this particular data?

Any inputs or suggestions?


2 answers

  1. Shawn Collins 505 Reputation points
    2024-04-23T02:02:18.2966667+00:00

    Since you're dealing with a business split, it's essential to manage access to data that should not be visible to the other company during a stabilization period.

    Here's a structured approach to achieve data-masking:

    1. Identify Sensitive Data

    Audit Content: Conduct an audit of the data across SharePoint Online, Teams, and OneDrive to identify content containing sensitive information that should be masked or hidden from the other company.

    Categorize Data: Separate data into categories such as confidential, business-critical, and general. Focus on masking sensitive data while leaving general content accessible.

    2. Apply Conditional Access Policies

    Conditional Access in Azure AD: Implement conditional access policies that restrict access to specific content based on user identity, device, location, or other attributes. This can limit who can access sensitive data.

    Custom Access Rules: Create rules that deny access to certain resources based on attributes such as group membership or IP address ranges.

    3. Restrict Access with SharePoint Permissions

    Modify SharePoint Permissions: Adjust SharePoint permissions to restrict access to sensitive sites or libraries. Remove users from the other company from site collections, libraries, or folders containing sensitive information.

    SharePoint Hub Sites: If using hub sites, ensure that users from the other company do not inherit permissions to access sensitive content.

    4. Use Sensitivity Labels

    Microsoft Information Protection (MIP): Apply sensitivity labels to documents that require masking or restricted access. These labels can enforce encryption, restrict sharing, and limit who can view the content.

    Custom Sensitivity Labels: Create custom labels for specific business units or data types, then apply these labels to sensitive content to ensure it's protected even if moved or shared.

    5. Apply Data Loss Prevention (DLP) Policies

    DLP Policies in SharePoint and OneDrive: Implement DLP policies to identify and restrict access to content that matches certain patterns or keywords. This can help prevent sensitive data from being accessed or shared inappropriately.

    DLP Alerts and Notifications: Configure DLP to send alerts when sensitive data is accessed or shared. This can help monitor and respond to unauthorized access.

    6. Implement Restricted Sharing

    Sharing Settings in OneDrive and SharePoint: Restrict sharing settings to limit external sharing or sharing with specific users. Ensure that sensitive data is not shared with individuals from the other company.

    Block External Sharing: Temporarily block external sharing for sensitive sites or libraries during the stabilization period.

    7. Use Microsoft Teams Permissions and Policies

    Teams Channel Permissions: Modify permissions in Microsoft Teams to ensure users from the other company do not have access to sensitive channels or teams.

    Teams Meeting Policies: Adjust meeting policies to restrict who can join meetings or access meeting content.

    8. Create Separate Workspaces for Each Company

    Separate Sites for ABC and XYZ: Create distinct SharePoint sites, Teams channels, and OneDrive folders for each company. This helps ensure that data from one company is not accessible by the other.

    Migration Planning: Plan data migration carefully to ensure that sensitive data is moved to the correct company's workspace.

    1 person found this answer helpful.
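
One way to carry out the permission and sharing steps from the answer above with the SharePoint Online Management Shell, as an added example that is not part of the original thread. SharePoint search results are security-trimmed, so removing the other company's accounts from a site also removes its content from their search results. The admin URL, the site URLs, the `xyz.example` domain and the premise that XYZ accounts can be recognized by their sign-in domain are assumptions.

```powershell
# Added example, not from the thread. Placeholders: admin URL, site URLs, domain.
# Assumption: XYZ accounts are recognizable by their sign-in domain.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl    = 'https://abc-admin.sharepoint.com'   # placeholder tenant admin URL
$OtherDomain = 'xyz.example'                        # placeholder XYZ sign-in domain
$Sites       = @(                                   # constructed list of sensitive sites
    'https://abc.sharepoint.com/sites/finance'
    'https://abc.sharepoint.com/sites/hr'
)
$Apply = $false   # $false: report only; $true: remove access and block external sharing

Connect-SPOService -Url $AdminUrl

$report = foreach ($site in $Sites) {
    # Members sign in as user@domain; guests appear as user_domain#ext#@tenant.
    $otherUsers = Get-SPOUser -Site $site -Limit All | Where-Object {
        $_.LoginName -like "*@$OtherDomain" -or
        $_.LoginName -like "*_$OtherDomain#ext#*"
    }

    foreach ($user in $otherUsers) {
        $action = 'Reported'
        if ($user.IsSiteAdmin) {
            # Site collection admins need an ownership decision first; never auto-remove.
            $action = 'ManualReview'
        }
        elseif ($Apply) {
            Remove-SPOUser -Site $site -LoginName $user.LoginName
            $action = 'Removed'
        }
        [pscustomobject]@{
            Site = $site; LoginName = $user.LoginName
            Groups = ($user.Groups -join ';'); Action = $action
        }
    }

    if ($Apply) {
        # Block external sharing on the site for the stabilization period.
        Set-SPOSite -Identity $site -SharingCapability Disabled
    }
}

# Keep the report as the record of who had access and what was changed.
$report | Export-Csv -Path .\other-company-access.csv -NoTypeInformation
```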

  2. AllenXu-MSFT 16,091 Reputation points Microsoft Vendor
    2024-04-23T02:18:50.5966667+00:00

    Hi @Kumar Nesamoodu,

    To "mask" or hide sensitive data in SharePoint Online, Teams, or OneDrive, you can use sensitivity labels to classify and protect the data. Sensitivity labels can be applied to files and emails to control access and usage of the data based on its sensitivity level. You can create a sensitivity label that hides the content of the file or email from users who don't have permissions to view it. This can be done by configuring the label to apply encryption or visual markings that hide the content. Additionally, you can configure the label to disable search indexing for the content, making it harder to find.

    During the migration process, you can apply sensitivity labels to the files and emails that contain sensitive data to ensure that they are protected in the new tenants. You can use the Microsoft 365 compliance center to create and manage sensitivity labels and policies.

    It's important to note that applying sensitivity labels to files and emails does not delete or remove the content. It only controls access and usage of the content based on its sensitivity level.
