Since you're dealing with a business split, it's essential to manage access to data that should not be visible to the other company during a stabilization period.
Here's a structured approach to achieve data-masking:
- Identify Sensitive Data
  - Audit Content: Conduct an audit of the data across SharePoint Online, Teams, and OneDrive to identify content containing sensitive information that should be masked or hidden from the other company.
  - Categorize Data: Separate data into categories such as confidential, business-critical, and general. Focus on masking sensitive data while leaving general content accessible.
- Apply Conditional Access Policies
  - Conditional Access in Azure AD: Implement conditional access policies that restrict access to specific content based on user identity, device, location, or other attributes. This can limit who can access sensitive data.
  - Custom Access Rules: Create rules that deny access to certain resources based on attributes such as group membership or IP address ranges.
- Restrict Access with SharePoint Permissions
  - Modify SharePoint Permissions: Adjust SharePoint permissions to restrict access to sensitive sites or libraries. Remove users from the other company from site collections, libraries, or folders containing sensitive information.
  - SharePoint Hub Sites: If using hub sites, ensure that users from the other company do not inherit permissions to access sensitive content.
- Use Sensitivity Labels
  - Microsoft Information Protection (MIP): Apply sensitivity labels to documents that require masking or restricted access. These labels can enforce encryption, restrict sharing, and limit who can view the content.
  - Custom Sensitivity Labels: Create custom labels for specific business units or data types, then apply these labels to sensitive content to ensure it's protected even if moved or shared.
- Apply Data Loss Prevention (DLP) Policies
  - DLP Policies in SharePoint and OneDrive: Implement DLP policies to identify and restrict access to content that matches certain patterns or keywords. This can help prevent sensitive data from being accessed or shared inappropriately.
  - DLP Alerts and Notifications: Configure DLP to send alerts when sensitive data is accessed or shared. This can help monitor and respond to unauthorized access.
- Implement Restricted Sharing
  - Sharing Settings in OneDrive and SharePoint: Restrict sharing settings to limit external sharing or sharing with specific users. Ensure that sensitive data is not shared with individuals from the other company.
  - Block External Sharing: Temporarily block external sharing for sensitive sites or libraries during the stabilization period.
- Use Microsoft Teams Permissions and Policies
  - Teams Channel Permissions: Modify permissions in Microsoft Teams to ensure users from the other company do not have access to sensitive channels or teams.
  - Teams Meeting Policies: Adjust meeting policies to restrict who can join meetings or access meeting content.
- Create Separate Workspaces for Each Company
  - Separate Sites for ABC and XYZ: Create distinct SharePoint sites, Teams channels, and OneDrive folders for each company. This helps ensure that data from one company is not accessible by the other.
  - Migration Planning: Plan data migration carefully to ensure that sensitive data is moved to the correct company's workspace.
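As an added example (not part of the answer above), here is how the "Restrict Access with SharePoint Permissions" and "Block External Sharing" steps can be applied to a list of audited sites with the SharePoint Online Management Shell, first in report-only mode so the removals can be reviewed before they are enforced. The admin URL, the site list, and the assumption that the other company's users can be recognised by their UPN domain (in a shared tenant a group membership check may be the better key) are placeholders to adjust.

```powershell
# Added example; not the original answer's code. Requires the SharePoint Online
# Management Shell module (Microsoft.Online.SharePoint.PowerShell).
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl       = "https://contoso-admin.sharepoint.com"   # assumption: ABC's tenant admin URL
$OtherDomain    = "xyz.example"                            # assumption: XYZ's user domain
$ReportOnly     = $true                                    # set to $false to enforce
$SensitiveSites = @(                                       # assumption: sites flagged by the audit
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Legal"
)

# Matches both a member login (user@xyz.example) and the guest-account form
# SharePoint uses for external users (user_xyz.example#ext#@tenant).
$Pattern = "(@|_)" + [regex]::Escape($OtherDomain) + "(#ext#|$)"

Connect-SPOService -Url $AdminUrl

$report = foreach ($url in $SensitiveSites) {
    # Step "Block External Sharing": turn external sharing off for the site
    # for the stabilization period (tenant-level settings still apply).
    if (-not $ReportOnly) {
        Set-SPOSite -Identity $url -SharingCapability Disabled
    }

    # Step "Modify SharePoint Permissions": find principals on the site that
    # belong to the other company and, when enforcing, remove them.
    $foreign = Get-SPOUser -Site $url -Limit All |
        Where-Object { $_.LoginName -match $Pattern }

    foreach ($u in $foreign) {
        if (-not $ReportOnly) {
            Remove-SPOUser -Site $url -LoginName $u.LoginName
        }
        [pscustomobject]@{
            Site      = $url
            LoginName = $u.LoginName
            Groups    = ($u.Groups -join ';')
            Action    = if ($ReportOnly) { 'would remove' } else { 'removed' }
        }
    }
}

# Keep the output as evidence of what was changed during the split.
$report | Export-Csv -Path ".\split-access-report.csv" -NoTypeInformation
$report | Format-Table -AutoSize
```

Run it once with `$ReportOnly = $true`, review the CSV with the business owners of each site, then rerun with `$ReportOnly = $false`; users removed from a site this way lose only their direct and group-based site permissions, so sharing links and sensitivity labels still need the separate steps listed above.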