Protecting Student Personal Data

School districts can implement access limitations and other protections for student personal data using Microsoft's School Data Sync in Office 365 and Azure Active Directory. With SDS, you can import your list of students from your SIS or MIS, and automatically mark them as minors so that Microsoft and third-party applications can treat them as such. You can even configure Azure Active Directory to prevent students from using third-party applications.

Option A: Simplified solution with School Data Sync

IT admins for Office 365 for Education can use the simplified solution to apply protections to all students synced by SDS by following the steps below:

Step A1: Student Personal Data Protection

Open School Data Sync and go to Settings -> Student Personal Data Protection

Open School Data Sync and go to Settings -> Student Personal Data Protection.

If you want to mark students as minors, select Mark all students as minors. This setting sets the legal age group classification property on all students synced by SDS to MinorWithParentalConsent, i.e., a minor that the parent/legal guardian has authorized you to use with online services from Microsoft. For more information on the legal age group classification property, see here.

If you want to prevent students from using third-party applications, select Block students from using third-party apps. This setting creates a security group of All Students, and an Azure Active Directory Conditional Access Policy that prevents All Students from using any apps not created by Microsoft.

You may customize this policy to allow students to use specific third-party applications in the Azure Active Directory Portal Conditional Access Policy Editor.

Option B: Apply protections for a subset of your students

The instructions above apply to every student synced with SDS. If you prefer to apply these protections to a subset of your students, use PowerShell and Azure Active Directory:

Step B1: Create a list of the students you want to mark as minors

You may use any method to create this list. For your convenience, Microsoft has provided a script for SDS age gating for students by license that will create a list of all users with an Office 365 Education for Students license.

Step B2: Mark these students as minors

You may mark these students as minors so that Microsoft and third-party applications can treat them as such. Use the SDS age gating with parental consent to mark the list of students you generated in Step 4 as minors.

Step B3: Create a list of the students you want to prevent from signing in to third party apps

You may use any method to create this list, including the script listed in step B1.

Step B4: Create a security group of these students

You may use any method to create this group, including using the list of students provided by the script in Step B1.

Step B5: Create a Conditional Access Policy to block students from using third party apps

Go the Azure Active Directory Portal Conditional Access Policy Editor and create a conditional access policy and do the following:

  • For Assignments->Users and Groups, select the security group you created in Step B4.

    For Assignments->Users and Groups, select the security group you created in Step B4.

  • For Assignments->Cloud Apps, include “All cloud apps” and exclude “Microsoft applications”

    For Assignments->Cloud Apps, include “All cloud apps” and exclude “Microsoft applications”.

    For Assignments->Cloud Apps, include “All cloud apps” and exclude “Microsoft applications”-part 2.

  • For Access Controls->Conditions, select “Block Access”

  • Click Enable Policy

  • Click Save

  • You may customize this conditional access policy to allow the group of students to also use specific third-party applications. To do so, go to Assignments->Cloud Apps->Exclude, select the third party applications you want to allow, then save the policy.