Recommended protections for this level include identity and device access policies and protection against malware. Additionally, you can apply conditional access policies and data loss protections as needed.
Steps to follow
As a first step, we recommend that you configure basic identity and device-access policies. See Policy recommendations for securing Teams chats, groups, and files for details. We also recommend turning on basic Defender for Office 365 features to guard against malware in documents, attachments, and links. We recommend turning on each of the options in the following table.
|Safe Attachments for SPO, OneDrive and Teams|Safe Attachments; Defender for Office 365 – SharePoint, OneDrive, and Microsoft Teams|
|Safe Documents|Safe Documents in Microsoft Defender for Office 365|
|Safe Links for Teams|Office 365 Safe Links in Teams; Safe Links|
Teams guest sharing
In each of the tiers, you have the option of sharing with people outside your organization. For the sensitive and highly sensitive tiers, you will have the option to turn guest sharing off at the team level by using sensitivity labels. However, the organization-level guest sharing setting must be turned on for guest sharing to work at all in Teams.
To set Teams guest access settings
- Log in to the Microsoft 365 admin center at https://admin.microsoft.com.
- In the left navigation, click Show all.
- Under Admin centers, click Teams.
- In the Teams admin center, in the left navigation, expand Org-wide settings > Guest access.
- Ensure that Allow guest access in Teams is set to On.
- Make any desired changes to the additional guest settings, and then click Save.
Site and file sharing
To reduce the risk of accidentally sharing files or folders with people outside your organization, we recommend changing the default sharing link for SharePoint to Only people in your organization. (If users need to share externally, and you have enabled guest sharing, they can still change the link type when they share.)
To change the default sharing link
- Open the SharePoint admin center, and under Policies, select Sharing.
- Under File and folder links, select Only people in your organization.
- Select Save.
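The two org-wide settings above (Teams guest access and the default SharePoint sharing link) can also be checked for drift from PowerShell. The following is an added example, not part of the original article: it compares the output of Get-CsTeamsClientConfiguration (MicrosoftTeams module) and Get-SPOTenant (SharePoint Online Management Shell) against this baseline. The function name Test-TeamsBaseline and the sample objects are constructed for illustration.

```powershell
# Added example: audit the two org-wide settings from this article for drift.
# Test-TeamsBaseline is a hypothetical helper name, not a Microsoft cmdlet.
function Test-TeamsBaseline {
    param(
        [Parameter(Mandatory)] $TeamsClientConfig,  # from Get-CsTeamsClientConfiguration -Identity Global
        [Parameter(Mandatory)] $SpoTenant           # from Get-SPOTenant
    )
    $checks = @(
        @{ Setting  = 'Teams: Allow guest access in Teams'
           Expected = 'True'
           Actual   = [string]$TeamsClientConfig.AllowGuestUser
           Fix      = 'Set-CsTeamsClientConfiguration -Identity Global -AllowGuestUser $true' },
        @{ Setting  = 'SharePoint: default file and folder link'
           Expected = 'Internal'   # "Only people in your organization"
           Actual   = [string]$SpoTenant.DefaultSharingLinkType
           Fix      = 'Set-SPOTenant -DefaultSharingLinkType Internal' }
    )
    foreach ($c in $checks) {
        $ok = $c.Actual -eq $c.Expected
        [pscustomobject]@{
            Setting     = $c.Setting
            Expected    = $c.Expected
            Actual      = $c.Actual
            Compliant   = $ok
            # Only surface the remediation command when the setting has drifted.
            Remediation = if ($ok) { '' } else { $c.Fix }
        }
    }
}

# Constructed sample input so the function can be exercised offline:
# guest access is on, but the default link type has drifted to anonymous links.
$sampleTeams = [pscustomobject]@{ Identity = 'Global'; AllowGuestUser = $true }
$sampleSpo   = [pscustomobject]@{ DefaultSharingLinkType = 'AnonymousAccess' }
Test-TeamsBaseline -TeamsClientConfig $sampleTeams -SpoTenant $sampleSpo | Format-List

# Against a live tenant (requires admin sign-in; replace <tenant> with your own):
#   Connect-MicrosoftTeams
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   Test-TeamsBaseline -TeamsClientConfig (Get-CsTeamsClientConfiguration -Identity Global) `
#                      -SpoTenant (Get-SPOTenant)
```

Users can still pick another link type when they share, so this check covers only the tenant default, not individual links.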
Site sharing settings
By default, members of a SharePoint site can invite others to the site. When a site is part of a team, team members are included as site members. However, people added directly to the site don’t have access to the rest of the team. For this reason, we recommend managing permissions exclusively through the team.
To help with permissions management, we recommend configuring the associated site to only allow owners to share the site by itself. This simplifies permissions management and helps prevent access by people without a team owner’s knowledge. Do this for each team that requires baseline protection.
To update the site sharing settings
- In the tool bar for the team, click Files.
- Click Open in SharePoint.
- In the tool bar of the SharePoint site, click the settings icon, and then click Site permissions.
- In the Site permissions pane, under Site sharing, click Change how members can share.
- Under Sharing permissions, choose Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site, and then click Save.