OneDrive for Business: Administration, Security and Compliance Boston Office 365 User Group – December 2016


Oliver Bartholdson
Senior SharePoint Consultant
Microsoft PTSP

Twitter: @obartholdson LinkedIn: linkedin.com/in/obartholdson


What you will get out of this session

Secondary Administrator

Storage Quota

Pre-Provision OneDrive

OneDrive Retention

DLP Policies

Sync Client

Modern Experience

External Sharing

End User Activity Reports

Content Search

eDiscovery

Prepare for launch

Protect after launch

Data Migration

Governance Plan


What you will NOT get out of this session

Prepare for launch

Protect after launch

Data Migration

Governance Plan

Secondary Administrator

Storage Quota

Pre-Provision OneDrive

OneDrive Retention

DLP Policies

Sync Client

Modern Experience

External Sharing

End User Activity Reports

Content Search

eDiscovery


OneDrive for Business Overview

All my files in one place
• Unlimited Storage
• Anywhere Access
• Sync client

Get work done. Together.
• Office client integration
• Co-authoring
• Easy sharing
• Search & Discovery

A trusted enterprise-grade service
• Security
• Management
• Admin Control


Add a Secondary Administrator

Global Admin view

End user view


Add a Secondary Administrator

Automatically add a secondary administrator during the creation process of the OneDrive site (MySite):

SharePoint Admin Center > User Profiles > Setup MySites


Add a Secondary Administrator

For existing OneDrive sites, you must:
• Sign in to Office 365 as a Global Administrator
• Connect to the tenant using Connect-SPOService
• Create a list of all OneDrive for Business sites using GetOD4BSites.ps1
• Assign a user as a site collection administrator across all OneDrive sites using OD4BAssignSCA.ps1


Add a Secondary Administrator

Tips
• Assign permissions to no more than 2,500 OneDrive for Business sites per day
• Keep a record of the OneDrive sites and administrators
• Communicate to users that an administrative account has been assigned as a site collection administrator to OneDrive for Business sites in your organization
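
An added example (not the OD4BAssignSCA.ps1 script the slides link to, and not the presenter's code) of assigning a secondary administrator to existing OneDrive sites while honouring the 2,500-per-day tip and keeping a record of what was assigned. It assumes Connect-SPOService has already been run and that the site list is a text file with one OneDrive URL per line; the function name, file names and admin account are hypothetical.

```powershell
# Added example. Assumes an existing Connect-SPOService session.
function Add-OneDriveSecondaryAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $UrlFile,       # one OneDrive site URL per line (assumed format)
        [Parameter(Mandatory)] [string] $AdminLogin,    # placeholder, e.g. od-admin@contoso.com
        [string] $RecordFile = '.\OneDriveAdmins.csv',  # running record of assignments
        [int]    $DailyLimit = 2500                     # cap taken from the Tips slide
    )

    # Sites already recorded as assigned are skipped, so the function can be re-run each day.
    $done = @{}
    if (Test-Path $RecordFile) {
        Import-Csv $RecordFile | Where-Object Status -eq 'Assigned' |
            ForEach-Object { $done[$_.SiteUrl] = $true }
    }

    $pending = Get-Content $UrlFile |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $done.ContainsKey($_) } |
        Select-Object -Unique -First $DailyLimit

    foreach ($url in $pending) {
        $status = 'Skipped'
        if ($PSCmdlet.ShouldProcess($url, "Add $AdminLogin as site collection administrator")) {
            try {
                Set-SPOUser -Site $url -LoginName $AdminLogin `
                    -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
                $status = 'Assigned'
            } catch {
                # Keep going; the failure is written to the record for follow-up.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            SiteUrl   = $url
            Admin     = $AdminLogin
            Status    = $status
            Timestamp = (Get-Date).ToString('s')
        } | Export-Csv $RecordFile -Append -NoTypeInformation
    }
}

# Dry run first, then repeat without -WhatIf:
# Add-OneDriveSecondaryAdmin -UrlFile .\OneDriveSites.txt -AdminLogin od-admin@contoso.com -WhatIf
```

The record file doubles as the list to share when communicating the change to users.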


OneDrive for Business Storage
• Unlimited storage included in all Enterprise plans
• 1TB limit by default, can be increased to 5TB
• Ask Microsoft for more than 5TB


Set Storage Quota
• Sign in to Office 365 as a Global Administrator
• Connect to the tenant using Connect-SPOService
• To set a global quota for new OneDrive sites
  • Set-SPOTenant -OneDriveStorageQuota <quota>
• To reset an existing OneDrive site to new quota
  • Set-SPOSite -Identity <siteURL> -StorageQuotaReset
• To set the storage quota for a specific OneDrive site
  • Set-SPOSite -Identity <siteURL> -StorageQuota <quota>


Pre-Provision OneDrive

Why pre-provision?
• Migrate data from file server or other repository
• Migrate data from OnPrem MySite to OneDrive for Business
• Part of your on-boarding process


Pre-Provision OneDrive
• Configure Secondary Admin and Storage Quota
• Set up the SharePoint Online Management Shell
• Sign in to Office 365 as a Global Administrator
• Connect to the tenant using Connect-SPOService
• Run the Request-SPOPersonalSite cmdlet, or create a CSV file to provision up to 200 OneDrive libraries at once
• Your request will be queued through a timer job

Be sure to assign a license to the Global Administrator account that will be running this PowerShell cmdlet.
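
An added example (not from the slides) of the CSV route described above: it reads users from a file and queues them with Request-SPOPersonalSite in batches of at most 200. It assumes Connect-SPOService has been run with a licensed Global Administrator; the function name and the CSV with a UserPrincipalName column are hypothetical.

```powershell
# Added example. Assumes an existing Connect-SPOService session.
function Request-OneDriveInBatches {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CsvPath,   # CSV with a UserPrincipalName column (assumed layout)
        [int] $BatchSize = 200                      # limit per request, from the slide
    )
    if ($BatchSize -lt 1 -or $BatchSize -gt 200) {
        throw 'BatchSize must be between 1 and 200.'
    }

    # Normalise the input: trim, drop rows that are not address-shaped, de-duplicate.
    $emails = @(Import-Csv $CsvPath |
        ForEach-Object { "$($_.UserPrincipalName)".Trim() } |
        Where-Object { $_ -match '^[^@\s]+@[^@\s]+$' } |
        Sort-Object -Unique)

    $queued = 0
    for ($i = 0; $i -lt $emails.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $emails.Count) - 1
        $batch = @($emails[$i..$last])
        if ($PSCmdlet.ShouldProcess("$($batch.Count) users starting at $($batch[0])",
                                    'Request-SPOPersonalSite')) {
            # -NoWait returns immediately; the sites are created later by the timer job.
            Request-SPOPersonalSite -UserEmails $batch -NoWait
            $queued += $batch.Count
        }
    }
    "Queued $queued of $($emails.Count) users"
}

# Request-OneDriveInBatches -CsvPath .\Users.csv -WhatIf
```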


OneDrive Retention
• Account gets deleted in Office 365 Admin Center or removed through Azure AD sync
• OneDrive site is marked for deletion through the MySite Cleanup Timer Job
• The Manager in AD gets notified via email and obtains ownership of the OneDrive site
• 30 Days later the OneDrive data is deleted


MySite Cleanup Job
• Add a secondary owner in case the manager field is not populated in AD
• Increase the retention period for the MySite Cleanup Timer Job to up to 10 years!
  • Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod <number of days>


Data Loss Prevention Policies (DLP)
• Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business
• Prevent the accidental sharing of sensitive information
• Get notified or view DLP reports showing content that matches your organization’s DLP policies


Data Loss Prevention Policies
• Security and Compliance > Threat Management > DLP
• Protect all OneDrive sites, or just a few
• Create your conditions


Data Loss Prevention Policies
• Choose a sensitive information type, or create your own
• Create an action when conditions are met


Next Generation Sync Client

Original Sync Client (groove.exe)
• Windows 7, 8, 8.1, 10
• OneDrive for Business, SharePoint, Groups
• 20,000 item limit
• 2GB file size limit
• No Selective Sync
• Supports co-authoring from local docs
• Included in Office ProPlus 2013
• MFA App Passwords

Next Gen Sync Client (onedrive.exe)
• Windows 7, 8, 8.1, 10, Mac OS X 10.9
• OneDrive for Business, OneDrive Consumer, SharePoint, Groups (Preview)
• No item limit
• 10 GB file size limit
• Supports Selective Sync
• Supports real-time co-authoring in Office 2016
• Included in Office ProPlus 2016
• MFA with Modern Authentication
• Control bandwidth consumption


Next Generation Sync Client

Previous Sync Client

New sync client


Next Generation Sync Client

Already have the old groove sync client installed?
• The next gen sync client will automatically take over syncing
• Groove.exe will stop syncing OneDrive sites
• OneDrive.exe starts syncing the same OneDrive site without re-downloading the content
• Groove.exe stops running and removes itself from automatic startup, unless it’s syncing other content like SharePoint site libraries or OnPrem OneDrive for Business


Next Generation Sync Client
• System Center Configuration Manager (SCCM) or Group Policy can be used to deploy the sync client
• Deploy OneDrive.exe to your users
• Launch OneDrive.exe to allow users to set up the sync client
• Set update cadence (Optional)

Download the sample SCCM package. Just update the OneDrive.exe path and the application owner.


Next Generation Sync Client

Key Administration Settings via Group Policy
• Set the default location for the OneDrive folder
• Prevent users from changing the location of their OneDrive folder
• Prevent users from synchronizing their personal OneDrive accounts
• Set maximum upload bandwidth percentage that OneDrive.exe uses

Download the OneDrive Deployment Package to get the adml and admx group policy files


Next Generation Sync Client

Set-SPOTenantSyncClientRestriction
• Block sync to non-domain joined machines
• Control the list of allowed domains
• Block Mac sync since they do not support domain join
• Block specific file extensions from syncing
• Prevent users from synchronizing their personal OneDrive accounts
• Block the old sync client
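
An added example (not from the slides) showing how the restrictions listed above map onto Set-SPOTenantSyncClientRestriction parameters. It assumes an admin workstation with the ActiveDirectory module and the SharePoint Online Management Shell; the tenant URL and the extension list are placeholders.

```powershell
# Added example. Tenant URL and extension list are placeholders.
Import-Module ActiveDirectory
Connect-SPOService -Url 'https://<yourtenant>-admin.sharepoint.com'

# The allow list is made of the objectGUID of each AD domain in the forest.
$guids = (Get-ADForest).Domains |
    ForEach-Object { (Get-ADDomain -Identity $_).ObjectGUID.ToString() }
if (-not $guids) { throw 'No domain GUIDs found; refusing to enable the restriction.' }

# Block sync from machines not joined to those domains, and block Mac sync.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($guids -join '; ') -BlockMacSync:$true

# Block specific file extensions from syncing (semicolon-separated, no dots).
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions 'pst;exe'

# Block the old sync client (groove.exe). Valid values: OptOut, HardOptIn, SoftOptIn.
Set-SPOTenantSyncClientRestriction -GrooveBlockOption 'HardOptIn'

# Review the resulting tenant settings and keep the output with the change record.
Get-SPOTenantSyncClientRestriction | Format-List
```

Each restriction is set in its own call because the extension list and the Groove option belong to separate parameter sets of the cmdlet.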


Classic vs. Modern OneDrive


External Sharing

Tenant level options

Site collection options

Site collection sharing cannot be less restrictive than the tenant setting


External Sharing

All or nothing OneDrive sharing

Enable for all, block for some
• Set-SPOSite -Identity https://<yourtenant>-my.sharepoint.com -SharingCapability Disabled


External Sharing

You can set up a list of approved domains or blocked domains, but not both.

These settings apply to both SharePoint Online and OneDrive for Business!


Protect after launch


End User Activity Reports
• Who has viewed that document?
• Who is sharing files with external parties?
• Who deleted those files?
• Who created an anonymous link to this file?
• Who is using the sync client to download files?
• Who deleted the compliance administrator from their OneDrive?
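
An added example (not from the slides) that answers the questions above from the Office 365 audit log with Search-UnifiedAuditLog, restricted to OneDrive sites. It assumes an Exchange Online PowerShell session with audit logging turned on; the mapping of each question to an audit operation, the function name and the site filter are this example's own choices.

```powershell
# Added example. Assumes an Exchange Online PowerShell session.
# Assumed mapping from each question on the slide to an audit log operation.
$questions = [ordered]@{
    'Viewed a document'               = 'FileAccessed'
    'Shared with external parties'    = 'SharingInvitationCreated'
    'Deleted files'                   = 'FileDeleted'
    'Created an anonymous link'       = 'AnonymousLinkCreated'
    'Synced files to a device'        = 'FileSyncDownloadedFull'
    'Removed a site collection admin' = 'SiteCollectionAdminRemoved'
}

function Get-OneDriveActivity {
    param(
        [datetime] $Start      = (Get-Date).AddDays(-7),
        [datetime] $End        = (Get-Date),
        [string]   $SiteFilter = '-my.sharepoint.com/personal/'   # OneDrive site URL pattern
    )
    foreach ($q in $questions.GetEnumerator()) {
        # ResultSize 5000 is the per-call maximum; narrow the date range if it is reached.
        Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
                -Operations $q.Value -ResultSize 5000 |
            ForEach-Object { $_.AuditData | ConvertFrom-Json } |
            Where-Object { "$($_.SiteUrl)$($_.ObjectId)" -like "*$SiteFilter*" } |
            Select-Object @{ n = 'Question'; e = { $q.Key } },
                          CreationTime, UserId, Operation, ObjectId, ClientIP
    }
}

# Get-OneDriveActivity | Sort-Object CreationTime |
#     Export-Csv .\OneDriveActivity.csv -NoTypeInformation
```

Running it on a schedule and alerting on SiteCollectionAdminRemoved events covers the last question, which otherwise goes unnoticed until the secondary administrator is needed.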


Advanced Alerts


Content Search


eDiscovery Case Management


Preservation Hold Library

Document Library

Preservation Hold Library


eDiscovery Case Management

Preserve Identify Search Analyze Review

Identifying Relevant Data


Advanced eDiscovery


Questions


Resources

Downloads
• OneDrive Deployment Package
• sample SCCM package
• GetOD4BSites.ps1
• OD4BAssignSCA.ps1

References
• Add a Secondary Administrator
• Assign eDiscovery Permissions to OneDrive
• OneDrive for Business Storage
• Set OneDrive Storage Quota
• Pre-Provision OneDrive Sites
• Overview of OneDrive Retention and Deletion
• OneDrive Retention PowerShell cmdlet
• Data Loss Prevention Policies
• Next Generation Sync Client Overview
• Determine Version of Sync Client
• Transition to the Next Gen Sync Client
• Deploying the Next Gen Sync Client
• Administrative Settings for the Next Gen Sync Client
• Block Sync From Non-Domain Joined Machines
• Overview of External Sharing
• End User Activity Reports
• Advanced Alerts in Office 365
• Run a Compliance Search
• eDiscovery Case Management
• Advanced eDiscovery
• Stay Up to Date with the Sync Client Release Notes


Thank you!

Don’t forget to follow me:

Twitter: @obartholdson LinkedIn: linkedin.com/in/obartholdson