Policy recommendations for securing SharePoint sites and files
This article describes how to implement the recommended Zero Trust identity and device access policies to protect SharePoint and OneDrive. This guidance builds on the common identity and device access policies.
These recommendations are based on three different tiers of security and protection that can be applied based on the granularity of your needs: starting point, enterprise, and specialized security. You apply these policies based on the granularity of your needs. For more information, see recommended security policies and configurations introduction.
Also, you need to configure SharePoint sites with the right amount of protection, including appropriate permissions for enterprise and specialized security content.
Updating common policies to include SharePoint and OneDrive
To protect files in SharePoint and OneDrive, the following diagram illustrates which policies to update from the common identity and device access policies.
If you included SharePoint in the scope of the policies when you set them up, you only need to create the new policies. In Conditional Access policies, SharePoint includes OneDrive.
The new policies implement device protection for enterprise and specialized security content by applying specific access requirements to the specified SharePoint sites.
The following table lists the policies that you need to update or create for SharePoint. Each policy links to the associated configuration instructions in Common identity and device access policies.
| Protection level | Policies | More information |
|---|---|---|
| Starting point | Require MFA when sign-in risk is medium or high | Include SharePoint in the assignment of cloud apps. |
| Block clients that don't support modern authentication | Include SharePoint in the assignment of cloud apps. | |
| Apply APP data protection policies | Be sure all recommended apps are included in the list of apps. Be sure to update the policy for each platform (iOS/iPadOS, Android, and Windows). | |
| Use app enforced restrictions in SharePoint | Add this new policy. This setting tells Microsoft Entra ID to use the settings specified in SharePoint. This policy applies to all users, but only affects access to sites included in SharePoint access policies. | |
| Enterprise | Require MFA when sign-in risk is low, medium, or high | Include SharePoint in the assignments of cloud apps. |
| Require compliant PCs and mobile devices | Include SharePoint in the list of cloud apps. | |
| SharePoint access control policy: Allow browser-only access to specific SharePoint sites from unmanaged devices. | This policy prevents editing and downloading of files. Use PowerShell to specify sites. | |
| Specialized security | Always require MFA | Include SharePoint in the assignment of cloud apps. |
| SharePoint access control policy: Block access to specific SharePoint sites from unmanaged devices. | Use PowerShell to specify sites. |
Use app-enforced restrictions in SharePoint
If you implement access controls in SharePoint, Conditional Access policies are created in Microsoft Entra ID that enforce the policies you configure in SharePoint. By default, this policy applies to all users, but only affects access to the sites you specify using PowerShell when you create the access controls in SharePoint. The policy can also be scoped for specific users, groups, or sites.
To configure this policy, see Block or limit access to a specific SharePoint site or OneDrive.
SharePoint access control policies
We recommend that you use device access controls to protect content in SharePoint sites that contain enterprise and specialized security. Create a policy that specifies the level of protection and the sites that receive the protection:
- Enterprise sites: Allow browser-only access. This setting prevents users from downloading, printing, or syncing files.
- Specialized security sites: Block access from unmanaged devices.
For more information, see Block or limit access to a specific SharePoint site or OneDrive.
How these policies work together
It's important to understand that SharePoint site permissions are typically based on business need for access to sites. Site owners manage these permissions, which can be highly dynamic. Using SharePoint device access policies ensures protection to these sites, regardless of whether users are assigned to a Microsoft Entra group associated with starting point, enterprise, or specialized security protection.
The following illustration provides an example of how SharePoint device access policies protect access to sites for a user.
James has starting point Conditional Access policies assigned, but he can get access to SharePoint sites with enterprise or specialized security protection:
- James is a member of a site with enterprise or specialized security protection. When he accesses the site using his PC, access is granted.
- James is a member of a site with enterprise protection. When he accesses the site using his unmanaged phone, he receives browser-only access due to the site's device access policy.
- James is a member of a site with specialized security protection. When he accesses the site using his unmanaged phone, access is blocked due to the site's device access policy. He can only access the site using his managed PC.
Next step
Configure Conditional Access policies for: