Policy recommendations for securing SharePoint Sites and files

This article describes how to implement the recommended identity and device access policies to protect SharePoint Online and OneDrive for Business. This guidance builds on the Common identity and device access policies.

These recommendations are based on three different tiers of security and protection for SharePoint files that can be applied based on the granularity of your needs: baseline, sensitive, and highly regulated. You can learn more about these security tiers, and the recommended client operating systems referenced by these recommendations, in the overview.

In addition to implementing this guidance, be sure to configure SharePoint sites with the right amount of protection, including ensuring permissions for sensitive and highly regulated content are appropriate. For more information on creating sites for baseline, sensitive, and highly regulated protection, see Secure SharePoint Online sites and files.

Updating common policies to include SharePoint and OneDrive for Business

The following diagram illustrates the set of recommended policies for protecting files in SharePoint Online and OneDrive for Business. It indicates which policies will be updated or newly created to add protection for SharePoint Online and OneDrive for Business.

Summary of policies for SharePoint Online and OneDrive

If you included SharePoint Online when you created the common policies, you only need to create the new policies. When configuring conditional access rules, SharePoint Online includes OneDrive for Business.

The new policies implement device protection for sensitive and highly regulated content by applying specific access requirements to SharePoint sites that you specify.

The following table lists the policies you either need to review and update or create new for SharePoint Online. The common policies link to the associated configuration instructions in the Common identity and device access policies article (links coming soon).

Protection level: Baseline
  • Require MFA when sign-in risk is medium or high: include SharePoint Online in the assignments of cloud apps.
  • Block clients that don't support modern authentication: include SharePoint Online in the assignments of cloud apps.
  • Define app protection policies: be sure all recommended apps are included in the list of apps. Be sure to update the policy for each platform (iOS, Android, Windows).
  • Require compliant PCs: include SharePoint Online in the list of cloud apps.
  • Use app enforced restrictions in SharePoint Online: add this new policy. This tells Azure AD to use the settings specified in SharePoint Online. This rule applies to all users but only affects access to sites included in SharePoint Online access policies.

Protection level: Sensitive
  • Require MFA when sign-in risk is low, medium or high: include SharePoint Online in the assignments of cloud apps.
  • Require compliant PCs and mobile devices: include SharePoint Online in the list of cloud apps.
  • SharePoint Online access control policy: allow browser-only access to specific SharePoint sites from unmanaged devices. This prevents edit and download of files. Use PowerShell to specify sites.

Protection level: Highly regulated
  • Always require MFA: include SharePoint Online in the assignments of cloud apps.
  • SharePoint Online access control policy: block access to specific SharePoint sites from unmanaged devices. Use PowerShell to specify sites.

Use app enforced restrictions in SharePoint Online

If you implement access controls in SharePoint Online, you must create this conditional access policy in Azure AD to tell Azure AD to enforce the policies you configure in SharePoint Online. This rule applies to all users, but only affects access to the sites you specify using PowerShell when you create the access controls in SharePoint Online.

To configure this policy see "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.

SharePoint Online access control policies

Microsoft recommends you protect content in SharePoint sites with sensitive and highly regulated content with device access controls. You do this by creating a policy that specifies the level of protection and the sites to apply the protection to.

  • Sensitive sites — Allow browser-only access. This prevents users from editing and downloading files.
  • Highly regulated sites — Block access from unmanaged devices.

See "Block or limit access to specific SharePoint site collections or OneDrive accounts" in this article: Control access from unmanaged devices.
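The two site-scoped access controls described above, applied with the SharePoint Online Management Shell. This is an added example, not code from the original article; the tenant admin URL and the site URLs are placeholders, and the account running it is assumed to hold the SharePoint Administrator role.

```powershell
# Added example (not from the original article). Placeholders: the admin URL
# and site URLs below must be replaced with your own tenant's values.
$adminUrl = "https://contoso-admin.sharepoint.com"   # placeholder tenant

# Sensitive tier: browser-only access from unmanaged devices (no edit/download).
$sensitiveSites = @(
    "https://contoso.sharepoint.com/sites/finance-planning"   # placeholder
)
# Highly regulated tier: no access at all from unmanaged devices.
$regulatedSites = @(
    "https://contoso.sharepoint.com/sites/board-records"      # placeholder
)

Connect-SPOService -Url $adminUrl

foreach ($url in $sensitiveSites) {
    # AllowLimitedAccess gives unmanaged devices a view-only web experience;
    # files cannot be downloaded, printed or synced.
    Set-SPOSite -Identity $url -ConditionalAccessPolicy AllowLimitedAccess
}

foreach ($url in $regulatedSites) {
    # BlockAccess denies unmanaged devices entirely.
    Set-SPOSite -Identity $url -ConditionalAccessPolicy BlockAccess
}

# Verification step: read back the policy on every site just changed so the
# result can be compared with the plan before the change window closes.
foreach ($url in ($sensitiveSites + $regulatedSites)) {
    Get-SPOSite -Identity $url | Select-Object Url, ConditionalAccessPolicy
}
```

These site settings only take effect once the Azure AD conditional access policy "Use app enforced restrictions in SharePoint Online" from the previous section exists; without it, SharePoint Online has nothing telling Azure AD to enforce them.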

Next steps

Secure SharePoint Online sites and files