Afraid of data breach? Locking everything may not be the answer.

With “cloud first, mobile first” strategies and news of data breaches becoming routine, company owners are increasingly uneasy when they realise that what we call their “digital company assets” could be made available to external users in a single click. I am often asked this question by my clients: “can I lock it down so that nobody can share externally?”. So I thought it was worth a bit of a braindump from my experience.

The answer is not necessarily the simplistic one of locking everything down and opting for an ivory-tower policy!

Turning off all external sharing for users may be a short answer to a problem of trust. But they will need to share with external partners and customers, so (trust me ;-) ) they will find other ways to share, and then it will be even more disastrous if that data is duplicated outside the business’s environment and gets into the wrong hands.
What happens when a child is forbidden to play with fire without being taught the reasons? He will burn himself with something else!
Some four years ago I recall speaking at a SharePoint conference where we were already telling customers that within the decade what we call “end-users” would no longer be just users but “data agents”. With the strengthening of personal data protection in Europe this year, every business owner without exception should now be aware that handling that data comes with a defined legal role: data processor or data controller.

Trust vs. training.

Users can make mistakes, they are human! But (unless they are being deliberately mischievous) they cannot be blamed if they have not been trained on how to use the tools that are available for doing their work.
You mean sit in a training room?!

Training can take several forms

Training nowadays is not just the classic day-long session listening to a trainer explain a tool, 70% of which does not apply to the user’s work. It can be classroom training but can also take different forms:
  • workshop activity to define what the user’s tasks are and can be with the tool
  • brainstorming on what a tool is for and what not
  • group demonstration
  • one on one remote screen sharing by the “IT Guy”
  • and my favourite: have a “power user” (the champion who has used the tool a lot in the business) organise breakfast or lunchtime sessions showing how they use the features and warning about the pitfalls.
All these activities need to be suggested, if not coordinated, within the deployment plan of the tool, otherwise they may not happen at all.

What to do for sharing the right way?

  • Let your users share, but restrict what can be shared
  • Publish clear rules for sharing and for reporting when it goes wrong (i.e. as part of the organisation’s data governance)
  • Train staff on how to share and what to share
  • Define the governance in detail, apply it, but also have the authority to act when it is not respected
  • Examples of automated rules include:
    • enforce an expiration time on all sharing links
    • allow sharing only to certain domains
    • allow access only from certain IP address ranges
    • allow sharing on only some sites and not others
  • And finally, review reports on sharing regularly!
Office 365 has some great features to configure and monitor sharing, for instance activity alerts when permissions have been loosened, but I am more in favour of using a third-party tool such as ShareGate. At Paperblade, we talk to business owners about how to make the most of current technologies at the lowest cost and in the most secure, reliable and responsible manner. Governance and sharing policies are an integral part of that.
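The four automated rules above and the “review reports regularly” point, expressed in the SharePoint Online Management Shell. This is an added example, not code from the original post or from ShareGate; the tenant name mydomain, the partner domains partner.example and customer.example, the /sites/Finance site and the egress range 203.0.113.0/24 are placeholders. The weak configuration is shown commented out next to the hardened one.

```powershell
# Added example (not from the original post). Placeholders: tenant "mydomain",
# partner domains partner.example / customer.example, site /sites/Finance,
# office egress range 203.0.113.0/24.
Connect-SPOService -Url https://mydomain-admin.sharepoint.com

# Weak tenant defaults: "Anyone" links, no expiry, any recipient domain.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -RequireAnonymousLinksExpireInDays 0 -SharingDomainRestrictionMode None

# Hardened tenant defaults (splatted so each rule can carry its own comment).
$tenantSettings = @{
    SharingCapability                 = 'ExternalUserSharingOnly'  # external recipients must sign in; no "Anyone" links
    DefaultSharingLinkType            = 'Internal'                 # new links default to people inside the org
    DefaultLinkPermission             = 'View'                     # ...and to read-only
    RequireAnonymousLinksExpireInDays = 30                         # rule 1: expiry, should anonymous links ever be re-enabled
    SharingDomainRestrictionMode      = 'AllowList'                # rule 2: only the domains below
    SharingAllowedDomainList          = 'partner.example customer.example'   # space-separated list
}
Set-SPOTenant @tenantSettings

# Rule 3: only accept requests from known network ranges. Put your own egress
# range in the list first, or you lock the admins out along with everyone else.
Set-SPOTenant -IPAddressEnforcement $true -IPAddressAllowList '203.0.113.0/24'

# Rule 4: per-site override. A site can only be more restrictive than the
# tenant setting, never less, so tightening the tenant first is not optional.
Set-SPOSite -Identity https://mydomain.sharepoint.com/sites/Finance -SharingCapability Disabled

# Review: sites where external sharing is still enabled...
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability, Owner

# ...and the external accounts that currently hold access.
Get-SPOExternalUser -PageSize 50 | Select-Object Email, AcceptedAs, WhenCreated

# Sharing events from the unified audit log (requires Connect-ExchangeOnline from
# the ExchangeOnlineManagement module; this is the same log the activity alerts use).
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations
```

The order matters: loosen nothing at site level before the tenant defaults are in place, and run the two review queries on a schedule rather than once, because sharing drifts as sites get created.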

What do you think?

My views are not set in stone and I do not believe there is only one correct way, so please comment below or speak to me to bounce an idea around or start a debate.

Left navigation intranet is so last year!


I have always been a defender of using the “OOB” (out-of-the-box) tools of a product before adding custom code to it. However, let’s be honest: for years SharePoint was not great when you only used out-of-the-box features. I even gave a talk in the past on how to win back the love of users.

In the SharePoint world, “Team site” was the default layout for any SharePoint intranet for years, and still is. Left navigation is super boring, especially with more than 15 links and two metres of scrolling down the page! So most companies ended up customising their site so much that each new version of SharePoint meant doing it all again.

But the latest SharePoint modern sites and pages are sleek, minimalist, clean and... well, not clunky any more! SharePoint owners are now super excited to use them as their intranet pages.

There is just one problem:

nobody has told us how to use one as the “top level page” of an intranet: the first page users see when they open the SharePoint homepage, https://mydomain.sharepoint.com.

Thanks to this blog article by Jimmy Hang and its comments, I have summarised how to do so. I can confirm that I have repeated the steps in three different tenants, so no, Microsoft has not removed the ability to use these “workarounds”.

  1. Delete the top site collection

    The top site collection already exists (as a boring team site): go to the SharePoint admin centre and delete it (if it is empty ;-).

  2. Recreate top site collection without selecting a template

    Do not select any template, use the option “Custom / select template later”


  3. Create a modern communication site anywhere

    Create a new site from the new SharePoint Admin Center or from the “SharePoint” site list, if this option is not disabled for your tenant.


  4. Enable custom scripts on the communication site

    Preferably from PowerShell, which takes effect almost immediately (the tenant-wide “allow custom script on self-service sites” switch in the admin centre can take up to 24 hours to propagate):

    Connect-SPOService -Url https://mydomain-admin.sharepoint.com -Credential me@mydomain.onmicrosoft.com
    # $false = allow custom script on this one site (savetmpl.aspx refuses to run without it)
    Set-SPOSite -Identity https://mydomain.sharepoint.com/sites/CommunicationTemplateOnly -DenyAddAndCustomizePages $false
  5. Save this communication site as a template

    Adding /_layouts/15/savetmpl.aspx after the site URL

  6. Open top site collection

    When prompted for a template, upload the template file to Solutions and activate it.

  7. Create the site using that template

  8. job done!

But remember, if Microsoft changes even one small parameter in the root site or in the template, this may break, so don’t do it in a live environment. And once the template has been saved, set DenyAddAndCustomizePages back to $true on the template site: while custom script is allowed there, anyone who can edit a page on that site can embed arbitrary script that runs in other visitors’ browser sessions.
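The PowerShell side of steps 3 to 5 of the procedure above, with the custom-script setting reverted afterwards. This is an added example, not part of the original post; it assumes the same placeholder tenant and site URL as the post (mydomain and /sites/CommunicationTemplateOnly) and an admin account me@mydomain.onmicrosoft.com. Steps 1, 2, 6 and 7 remain manual in the admin centre and in the root site’s Solutions gallery.

```powershell
# Added example (not from the original post). Placeholders: tenant "mydomain",
# admin me@mydomain.onmicrosoft.com, template site /sites/CommunicationTemplateOnly.
$tenant   = 'mydomain'
$admin    = "me@$tenant.onmicrosoft.com"
$template = "https://$tenant.sharepoint.com/sites/CommunicationTemplateOnly"

Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# Step 3: create the communication site. SITEPAGEPUBLISHING#0 is the
# communication-site template id accepted by New-SPOSite.
New-SPOSite -Url $template -Owner $admin -StorageQuota 1024 `
    -Template 'SITEPAGEPUBLISHING#0' -Title 'Communication template'

# Step 4: savetmpl.aspx only works while custom script is allowed on the site.
# The per-site setting applies almost immediately; the tenant-wide switch in the
# admin centre can take up to 24 hours.
Set-SPOSite -Identity $template -DenyAddAndCustomizePages $false
(Get-SPOSite -Identity $template).DenyAddAndCustomizePages   # shows "Disabled" once applied

# Step 5 is done in the browser: save the site as a template and download the .wsp.
Start-Process "$template/_layouts/15/savetmpl.aspx"

# After the .wsp is downloaded: block custom script again. While it is allowed,
# any user who can edit a page on this site can run arbitrary script in the
# browser session of everyone who visits it.
Set-SPOSite -Identity $template -DenyAddAndCustomizePages $true
(Get-SPOSite -Identity $template).DenyAddAndCustomizePages   # back to "Enabled"
```

Leave the template site itself in place only for as long as you need to regenerate the .wsp; it has no other purpose. Microsoft has since added Invoke-SPOSiteSwap, which swaps a communication site into the root URL without the template workaround, so check whether that is available in your tenant before following these steps.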

Using Nintex Connection Manager with SharePoint Administrator privileges


A couple of months ago Nintex released the Connection Manager for SharePoint Online, which finally gives a much-awaited supported way of using elevated permissions in a Nintex Workflow. Previously we always used a workaround in which the super user’s credentials had to be passed to the workflow unencrypted (example here).

It all looked fine in principle but my action kept returning an “unauthorised” error after I converted it to that new connection manager.

The action that was failing was “Create Site Collection”, simply because the new connection I had created had rights at list/library level, site level and site collection level, whereas in my case I needed the permission to apply at tenant level (above all site collections, just like a SharePoint Administrator).

The Nintex connection manager documentation definitely mentioned using it for the Create Site Collection action, but clearly it was not working.

Since I knew that Microsoft would not let a third-party tool like Nintex have its settings page in their Central Admin, I sensed that it would be tricky to create the new connection manager at tenant level, so where would that be done?

After a couple of interactions with Nintex support and an escalation to the product developers, we found out that to tell the connection to apply its permission at tenant level you have to specify the SharePoint Admin Center site as the SharePoint site URL, so just adding -admin to the URL is enough. Since a Nintex connection can live in any site or site collection, a tenant-wide connection can be set up anywhere too.


eg.: https://targetdomain-admin.sharepoint.com

The documentation is now reflecting this https://help.nintex.com/en-US/O365/o365/O365WorkFlow/WorkflowActions-INT/Office365CreateSiteCollection.htm

Thanks, Nintex, for this clarification.

Microsoft and LinkedIn published free Office 365 training


Microsoft and LinkedIn have created new training courses about various Office apps and services. The courses are available for free in the Office Training Center, and cover topics like how to use Outlook 2016 and Excel 2016.


Source: New Office training courses from LinkedIn Learning – Office Blogs