Best practices for Microsoft SharePoint permissions


1) Encryption of Data in Transit

Data is an irreplaceable asset, and encryption is one of the last lines of defense in a multi-layered data security strategy.
Microsoft uses a range of encryption methods, algorithms and protocols across its products and services, both to give data a protected path as it travels through the infrastructure and to help protect the confidentiality of data stored within it.

Data is encrypted while it is in transit. It moves from the user to the data center, and from one data center to another, and both paths use TLS with 2048-bit RSA keys.
There are two scenarios for data in transit:

First scenario: client communication with the server.
SSL/TLS is used for all SharePoint Online communication across the internet. All TLS connections for SharePoint Online are established with certificates using 2048-bit keys.
Second scenario: data movement between data centers.
The primary reason to move data from one data center to another is geo-replication, which enables disaster recovery.
For example, SQL Server transaction logs and blob storage deltas travel along this path. Although this traffic stays on Microsoft's private network, it is additionally protected with encryption rather than relying on network isolation alone.

2) Encryption of Data at Rest

Microsoft uses strong, industry-standard encryption as a barrier against unauthorized access to your data. When data is at rest in storage, two layers of encryption are used: disk encryption and per-file encryption.
Disk-level encryption: BitLocker encrypts the physical disks, so a drive removed from a data center server cannot be read offline. (BitLocker keys are held by the platform; the encryption is not tied to a user ID and password.)
File-level encryption: every file is encrypted with the Advanced Encryption Standard (AES) using its own 256-bit key, and the implementation is Federal Information Processing Standard (FIPS) 140-2 compliant.

3) Virus Detection in Microsoft SharePoint Online

In SharePoint Online, anti-malware protection is a built-in feature that is applied automatically to files saved or uploaded to document libraries. The protection is provided by the Microsoft anti-malware engine, which runs on all SharePoint Online Content Front Ends (CFEs). Files are scanned for viruses after they are uploaded. If a file is found to be infected, a property is set on it so that users cannot download it from the browser, and the file is not synced by the OneDrive sync client. Because the scan runs after upload, this is a detect-and-block control rather than an upload gate: an infected file can sit in the library for a short time before it is flagged.

4) Control Access Based On Network Location

Microsoft has introduced conditional access capabilities, one of which is restricting access on the basis of network location; it is configured in the SharePoint Online admin center. The policy helps meet regulatory requirements and prevents data loss and leakage from untrusted networks. IT administrators can limit access to specific network ranges from the SharePoint admin panel. When it is properly configured, any user who attempts to access SharePoint Online or OneDrive for Business from outside the allowed ranges is blocked. The check is on the source IP address, so it applies to every client (browser, sync client, mobile app) and to administrators alike: an allow list that omits the address you are administering from locks you out as well.
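The same restriction can be applied from the SharePoint Online Management Shell. The following is an added example, not code from the original article; the tenant name "contoso", the network ranges and the admin egress address are placeholders you must replace with your own.

```powershell
# Added example (not from the original article): restrict SharePoint Online and
# OneDrive for Business to trusted network ranges. "contoso" and all addresses
# below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Record the current state so the change can be reviewed and reverted.
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList

# The address you are administering from MUST be in the list: once enforcement
# is on, an admin connecting from outside it is blocked like everyone else.
$adminEgress = "192.0.2.10"                       # placeholder: your current public IP
$allowList   = "203.0.113.0/24,198.51.100.0/24,$adminEgress/32"

# Set the list first, then turn enforcement on.
Set-SPOTenant -IPAddressAllowList $allowList
Set-SPOTenant -IPAddressEnforcement $true

# Verify.
Get-SPOTenant | Select-Object IPAddressEnforcement, IPAddressAllowList

# Rollback, should users or admins be locked out unexpectedly:
# Set-SPOTenant -IPAddressEnforcement $false
```

Test the policy from a machine outside the listed ranges before announcing it, and keep the rollback line to hand: the enforcement applies to the management shell session itself, so a mistake in the list has to be corrected from an allowed address.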

5) Custom Script based Restriction

If you want to stop your users from customizing SharePoint site collections with script, this feature achieves that.
Depending on the organization's needs, users can be allowed to customize SharePoint sites and pages by inserting script.
However, users who insert script should be aware of its security implications: script on a page runs in every visitor's browser with that visitor's SharePoint permissions, so a malicious or compromised page author can act as any user who opens the page.
When users are allowed to run custom script, you can no longer scope the capabilities of the inserted code, enforce governance over it, block specific parts of it, or block all custom code that has been deployed. By default, script is allowed on sites that admins create. It is not allowed on OneDrive, on sites that users create themselves (such as Office 365 Group or modern sites), or on the root site of your organization.
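Whether custom script is allowed is a per-site-collection setting, so the practical control is to audit which sites allow it and switch it off where it is not needed. The following is an added example, not code from the original article; "contoso" and the site URLs are placeholders.

```powershell
# Added example (not from the original article): find site collections that
# allow custom script and disable it where it is not justified.
# "contoso" and the site URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# DenyAddAndCustomizePages = Disabled means custom script IS allowed on the site.
# -Detailed is needed so the property is populated for every site.
$scriptAllowed = Get-SPOSite -Limit All -Detailed |
    Where-Object { $_.DenyAddAndCustomizePages -eq "Disabled" } |
    Select-Object Url, Template, Owner, DenyAddAndCustomizePages
$scriptAllowed | Format-Table -AutoSize

# Block custom script on a site that does not need it. Script Editor web parts
# and other script-based customizations on that site stop working, so check
# the list above with the site owner before flipping it.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Marketing" -DenyAddAndCustomizePages $true

# Allow it only where there is a real need, e.g. an isolated developer sandbox.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/DevSandbox" -DenyAddAndCustomizePages $false
```

Run the audit part on a schedule: site owners with Full Control cannot change this setting themselves, so a site appearing in the list is always the result of an admin action and worth a ticket.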

6) Manage External Sharing for SharePoint

External sharing is one of the most widely used features, offered for collaborating with unlicensed external users. However, external sharing also increases the risk of information exposure and data loss: users can unknowingly share files with anonymous users through "Anyone" links, and the data is exposed if proper controls are not applied. For large organizations that keep confidential business information in SharePoint Online, we suggest disabling external sharing for the whole tenant/farm.
Where external collaboration is required, at minimum disable anonymous links so that only authenticated users can access the content shared with them, and review the sharing reports regularly.
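Both options, disabling external sharing outright and allowing only authenticated external users, are tenant settings that can be applied from the SharePoint Online Management Shell. The following is an added example, not code from the original article; "contoso" and the site URL are placeholders.

```powershell
# Added example (not from the original article): tenant-wide external sharing
# hardening. "contoso" and the site URL are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Capture current settings so the change can be reviewed and reverted.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, PreventExternalUsersFromResharing

# Option A (the article's recommendation for tenants holding confidential
# data): no external sharing at all.
Set-SPOTenant -SharingCapability Disabled

# Option B: external collaboration is needed, so allow only authenticated
# external users (no "Anyone" links), make new links default to people
# inside the organization, and stop guests from re-sharing what they receive.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -PreventExternalUsersFromResharing $true

# A site can be locked down further than the tenant, but never opened wider.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -SharingCapability Disabled

# Verify the result.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, PreventExternalUsersFromResharing
```

Pick one option; running both as written leaves the tenant on Option B, because the second Set-SPOTenant call overrides the first.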

7) Access, Permission, and Sharing

There are three types of users in Microsoft SharePoint Online: administrators, power users and end users.
Administrators are the service admins or tenant/farm admins who define the policies and manage the service and site creation requests.
Power users are the users who make the most of SharePoint's key features, such as managers, leads and organizers. They are the ones who interact most with the tenant/farm administrators, and they manage SharePoint sites as site owners or site administrators.
End users are the actual contributors in SharePoint: the people who use the document libraries and almost all of the other features day to day for productivity.
The default permission levels are:

• Full Control – Contains all available SharePoint permissions for the site. By default, this permission level is assigned to the site's Owners group. It cannot be edited or deleted. It is a site-level permission and is not the same as the tenant/farm admin role.
• Design – Creates lists and document libraries edit pages and apply themes, borders, and style sheets on the site. There is no SharePoint group that is automatically assigned this permission level.
• Edit – Add, edit, and delete lists; view, add, update, and delete list items and documents. By default, this permission level is assigned to the Members group. Because it allows whole lists and libraries to be deleted, consider giving ordinary members Contribute instead.
• Contribute – View, add, update, and delete list items and documents.
• Read – View pages and items in existing lists and document libraries and download documents.
• Approve – Edit and approve pages, list items, and documents. By default, the Approvers group has this permission level.
• Manage Hierarchy – Create sites and edit pages, list items, and documents. By default, this permission level is assigned to the Hierarchy Managers group.
• Restricted Read – View pages and documents, but not historical versions or user permissions.
• View Only – View pages, items, and documents. Any document that has a server-side file handler can be viewed in the browser but not downloaded. File types that do not have a server-side file handler (cannot be opened in the browser), such as video files, .pdf files, and .png files, can still be downloaded.

You can create new permission levels and also edit existing permission levels.

8) SharePoint Groups and Security Groups

SharePoint Online also lets you create SharePoint groups. Each group is associated with one or more permission levels, and users get their access through the groups they belong to.
To keep management simple, grant access to groups rather than to individual users, so that a single group membership unlocks every location the group has been granted on. For example, if the group "Sales" needs folders 1 to 10 and the group "Production" needs folders 11 to 20, you add each group to its folders once. When a new user becomes a member of either group, that user automatically gets access to the respective folders, and removing the user from the group removes that access again.

SharePoint Online can also use security groups from the directory (Azure Active Directory, including groups synchronized from on-premises Active Directory), which can be added to SharePoint sites and SharePoint groups in the same way.

Managed this way, permission and sharing settings are easy to keep consistent for all users. To manage site-level permissions and other settings in SharePoint, the user must have at least Owner permission on that site or admin rights over it.
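The group-based model from sections 7 and 8 can be set up and reviewed from the SharePoint Online Management Shell. The following is an added example, not code from the original article; "contoso", the site URL, the group names and the accounts are placeholders.

```powershell
# Added example (not from the original article): create SharePoint groups with
# fixed permission levels, add members, and review who holds Full Control.
# "contoso", the site URL, group names and accounts are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
$site = "https://contoso.sharepoint.com/sites/Operations"

# A read-only group and a contributor group. "Contribute" rather than "Edit"
# keeps ordinary users from creating or deleting whole lists and libraries.
New-SPOSiteGroup -Site $site -Group "Ops Readers"      -PermissionLevels "Read"
New-SPOSiteGroup -Site $site -Group "Ops Contributors" -PermissionLevels "Contribute"

# Access is carried by membership, not by per-user grants on folders.
Add-SPOUser -Site $site -Group "Ops Readers"      -LoginName "auditor@contoso.com"
Add-SPOUser -Site $site -Group "Ops Contributors" -LoginName "engineer@contoso.com"

# Review every group on the site with its permission levels and flag the ones
# holding Full Control; that should be the Owners group and little else.
Get-SPOSiteGroup -Site $site |
    Select-Object Title, Roles, @{ n = "FullControl"; e = { $_.Roles -contains "Full Control" } } |
    Format-Table -AutoSize

# List the members of one group to see who actually holds the access.
Get-SPOSiteGroup -Site $site -Group "Ops Contributors" | Select-Object -ExpandProperty Users
```

The review at the end is the part worth repeating periodically: Full Control granted to a broad group, or a directory group whose membership nobody on the site owns, is how a "read-only" site quietly becomes editable by everyone.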
 

Manage e-mails on a kanban board in Outlook


When we talk about business communication, the most preferred electronic medium is still e-mail. High volumes of e-mail are difficult to manage, and there is a real chance of missing important information.

The bizsolutions365.com solution Kanban E-mail Manager is designed to let you work with your e-mails on a kanban board inside Outlook. This Outlook add-in is intended for a single user and, once installed in Outlook, can be used with any e-mail folder. Responsive web design makes the kanban board adapt to all kinds of screens.
Kanban View
Kanban is a work management method that helps you optimize the flow of your work and maximize efficiency. When Kanban E-mail Manager is installed, it adds a 'Kanban View' button to the Outlook ribbon. Select any folder in the mailbox and click the Kanban View button, and all the e-mails in that folder are shown as cards on a kanban board. Click a card to open it. You can then categorize the e-mail and answer or forward it directly from the kanban board.
Drag and drop e-mails
The Kanban E-mail Manager kanban board has phases for the work process, and you can drag and drop e-mails between the phases to keep track of your conversations. Four phases are provided by default, but you can use as many as you prefer.
Categorize e-mails
Kanban E-mail Manager lets you order your e-mails in lanes: horizontal stripes on the kanban board where you can gather types of e-mails, for example, work e-mails and private e-mails. You can use as many lanes as you wish. The Outlook categories are used on the kanban board, and your category colors are visible on the cards.
Filter e-mails
With Kanban E-mail Manager it is easy to filter e-mails by category, sender and/or priority. Kanban E-mail Manager also has a search feature that filters e-mails by the word or phrase you enter in the search field. All of these filters can be combined as you like.
Study e-mail statistics
The information from your kanban board is used in the Kanban E-mail Manager Excel reports. Here you can study your e-mail management from different angles and use all the standard functionality in Excel to visualize it.
Settings
In the Kanban E-mail Manager settings, you can specify from what date e-mails should be displayed on the kanban board. Just set the “from date” to the date you prefer. This can be done separately for each e-mail folder, even if the other settings are common for all folders. Here you can also decide if you want to use checklists and time logging, and you can enter categories, phases and lanes, specify colors and customize your Kanban E-mail Manager in various other ways.
Try Kanban E-mail Manager
You are welcome to download and try our e-mail management software free for 30 days without any obligation. We also provide free support during the trial period. Contact us at sales@bizsolutions365.com and support@bizsolutions365.com.


Microsoft Office 365 Security

Office 365 is popular for its mobility, enterprise and collaboration features. In a cloud-hosted environment, however, security is the main concern, because new threats appear constantly. Your organization therefore needs to use all the tools at its disposal to secure its own and its customers' data.
That is why Office 365 offers built-in capabilities and organizational controls to help customers meet compliance standards. Below is a look at the security and governance features available in the major services.
Office 365 Security
1) Multi-Factor Authentication (MFA Logins)
Multi-factor authentication (MFA) requires more than just a username and password. After users sign in with a username and password, they receive a text message or a phone call (depending on the configuration), and either answer the call or enter the code received by text into the prompt shown on screen.
MFA can be enabled per user. For example, if you only want to require MFA for a particular group, such as senior management or team leads, rather than the entire organization, that can be done in a few clicks.
Trusted IP ranges can be whitelisted so that users on the office network are not prompted for MFA; the second factor is then only required when signing in from an address outside those ranges. This trades security for convenience: anyone who already has a foothold on the office network inherits the exemption, so keep the trusted list short and prefer requiring MFA everywhere for privileged accounts.
Multi-factor authentication is included at no extra cost with all Microsoft Office 365 subscription plans.
2) Password Protection Policy
Every user account that signs in to Microsoft Office 365 must have a unique user principal name (UPN), the login ID attribute associated with the account. The password restrictions for cloud-managed accounts are:
             8 to 16 characters
             Strong passwords only: requires 3 out of 4 of the following:
             Lowercase characters
             Uppercase characters
             Numbers (0 to 9)
             Symbols
These rules apply to accounts whose passwords are managed in the cloud; for accounts synchronized from on-premises Active Directory, the on-premises password policy applies instead.
You can set password expiration according to your organization's policy. This can be configured in the Microsoft Office 365 Admin Center security settings or with PowerShell.
After 10 unsuccessful sign-in attempts (wrong password), the user is locked out for one minute. Further incorrect attempts lock the user out for progressively longer periods.
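The expiration policy, and the accounts that have been exempted from it, can be managed with the MSOnline PowerShell module, which is the module that administered these settings for Office 365 at the time the article describes. The following is an added example, not code from the original article; "contoso.com" and the account names are placeholders.

```powershell
# Added example (not from the original article): set a password expiry policy
# and find the accounts that sit outside it. MSOnline module; "contoso.com"
# and the accounts are placeholders.
Connect-MsolService

# Current policy: ValidityPeriod is days until expiry, NotificationDays is the
# warning window before it.
Get-MsolPasswordPolicy -DomainName "contoso.com"

# 90-day expiry with a 14-day warning for the whole domain.
Set-MsolPasswordPolicy -DomainName "contoso.com" -ValidityPeriod 90 -NotificationDays 14

# Accounts marked PasswordNeverExpires ignore the domain policy. List them so
# each one is either justified (a documented service account) or fixed.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires -eq $true } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp, BlockCredential |
    Sort-Object LastPasswordChangeTimestamp |
    Format-Table -AutoSize

# Put a single account back under the domain policy.
Set-MsolUser -UserPrincipalName "svc-reports@contoso.com" -PasswordNeverExpires $false
```

The exemption list is the finding that matters more than the expiry period: an account whose password never expires and was last changed years ago is exactly the kind of credential that turns up in a breach.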
 3) Office 365 Security Data & Reports
Detailed security reports are available in the Security & Compliance Center. They appear in the Reports dashboard and give a graphical view of what the policies have matched. You can view or download reports such as malware detections, spoof and spam detections, DLP policy matches and many others.
A further category of reports, the Usage and Activity reports, gives you data per service. These can be found in the Office 365 Admin Center.
 4) Content Search Engine
The ability to search across data is extremely important, and Content Search is the quicker way to do it across Microsoft Office 365. Content Search can query data in individual or all SharePoint sites, Skype for Business conversations, Exchange mailboxes and OneDrive for Business.
This matters when you need to locate a specific type of information stored or shared across the organization. For example, if a user has lost an important file that was sent to someone by email or Skype for Business in the past, an administrator can recover it by searching all mailboxes or Skype for Business content for the name of the attachment.
There is no limit on the number of content locations a search can cover, and no limit on the number of searches that can run at the same time. When a content search runs, the number of content locations and an estimated number of results are displayed in the details pane on the Content search page. Because a content search can read every mailbox and site in the tenant, the eDiscovery Manager role that grants it should be assigned sparingly and its use should be audited.
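The lost-attachment scenario above, run from Security & Compliance Center PowerShell (the ExchangeOnlineManagement module). This is an added example, not code from the original article; the search name, attachment name and date window are placeholders.

```powershell
# Added example (not from the original article): locate a lost attachment across
# all mailboxes and sites. The search name, attachment name and dates are placeholders.
Connect-IPPSSession

$searchName = "Find-Q3Budget-Attachment"

# KQL: attachment by name, narrowed to a date window so the estimate stays small.
$query = 'attachmentnames:"Q3-budget.xlsx" AND sent>=2019-01-01 AND sent<=2019-03-31'

# "All" for both locations covers every mailbox and every site collection
# (OneDrive included); use explicit lists for a targeted search.
New-ComplianceSearch -Name $searchName `
                     -ExchangeLocation All `
                     -SharePointLocation All `
                     -ContentMatchQuery $query

Start-ComplianceSearch -Identity $searchName

# Searches run asynchronously; poll until the estimate is ready.
do {
    Start-Sleep -Seconds 15
    $search = Get-ComplianceSearch -Identity $searchName
} while ($search.Status -ne "Completed")

# Hit count, size and per-location breakdown, without exporting any content.
$search | Select-Object Name, Items, Size, SuccessResults

# Only once the estimate looks right, look at the top hits before any export.
New-ComplianceSearchAction -SearchName $searchName -Preview
```

Keep the query as narrow as the request allows and leave the search in place afterwards: the search definition and its actions are themselves audited, which is the record you want if someone later asks why an admin was reading other people's mail.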
 5) Audit Log Search
In large organizations, it is a common and important requirement to track user and administrator actions across the services. Whether it is an administrator going rogue or a regular user deleting an important business document, the result is harmful to the organization. While there are many ways to restrict and control access to Microsoft Office 365, it is still important to have an audit log that holds this information. This is where Audit log search in the Microsoft Office 365 Security & Compliance Center comes in.
Auditing covers almost all major services and actions in Office 365: uploading, editing and deleting documents, lists and pictures in OneDrive, SharePoint and group sites; mailbox permission changes and mailbox activity; and user lifecycle events from creation to deletion. Searches can be run in the Security & Compliance Center, and administrators can perform more granular queries with PowerShell. Audit logging has to be turned on for the tenant before events are recorded, and the log's retention is limited, so export the events you need to keep into a SIEM or an archive of your own.
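A PowerShell query for the "user deleting documents" case, reducing the raw log to a per-user summary. This is an added example, not code from the original article; it uses Exchange Online PowerShell (the ExchangeOnlineManagement module), and the date window and operation list are choices made here, not the page's.

```powershell
# Added example (not from the original article): pull SharePoint/OneDrive file
# deletions and sharing changes from the unified audit log and summarize them
# per user. The 7-day window and the operation list are placeholders.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = "FileDeleted", "FileDeletedFirstStageRecycleBin", "AnonymousLinkCreated", "SharingSet"

# Results are paged. A fixed SessionId with ReturnLargeSet keeps paging until
# the log is exhausted; a full page of 5000 means there may be more.
$sessionId = [guid]::NewGuid().ToString()
$records   = @()
do {
    $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
                -Operations $ops -SessionId $sessionId `
                -SessionCommand ReturnLargeSet -ResultSize 5000
    $records += $page
} while ($page -and $page.Count -eq 5000)

# AuditData is a JSON blob; flatten the fields an investigator actually reads.
$events = $records | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $d.CreationTime
        User      = $d.UserId
        Operation = $d.Operation
        ClientIP  = $d.ClientIP
        Object    = $d.ObjectId
    }
}

# Who did the most of what, and from where. One user bulk-deleting from an IP
# nobody recognizes is the pattern that deserves an alert, not a weekly report.
$events | Group-Object User, Operation, ClientIP |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

The same loop works for any operation name the log uses; swap the list in $ops for mailbox or admin operations to investigate the "administrator going rogue" case the section opens with.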
 6) Application Password
An app password is a secret that lets an app or device which does not support modern authentication sign in to a user's Microsoft Office 365 account while MFA is enforced. If you are using MFA and need such an application to connect to Office 365, an app password has to be created for it.
For example, Microsoft Outlook 2016 or earlier where modern authentication is not enabled, older Skype for Business clients, the Apple Mail app and other third-party clients may need an app password. An app password is not an additional layer of security: it is a long-lived credential that bypasses the second factor for the client that uses it. Treat it as sensitive, create one only for clients that really cannot use modern authentication, and revoke it when that client is retired.
 7) Office 365 Trust Center
Microsoft publishes a site named the Office 365 Trust Center. It covers the security topics that matter to customers, including:
         Physical security: who can enter and leave the data centers, and how the buildings are physically secured.
         Logical security: how the servers are configured, what network security is applied, and what auditing is implemented for logical access.
         Data security: how the data is secured, and whether someone who gains access to the database would be able to read or edit your data.
 8) Role Based User Access Control
Role-Based Access Control (RBAC) is a feature for controlling administrative access over the different services across Microsoft Office 365. It lets separate administrators be responsible for separate services instead of one account holding everything.
A typical example: you hire a SharePoint developer for a short period to customize and design your SharePoint sites. They need admin-level access to the SharePoint admin center, which is granted by the SharePoint Administrator role alone. There is no need to give an outsider control of the complete environment, and the role should be removed the day the engagement ends.
Below is the list of administrator roles available in Microsoft Office 365:
         Global Administrator
         Billing Administrator
         Exchange Administrator
         SharePoint Administrator
         Password Administrator
         Skype for Business Administrator
         Compliance Administrator
         Service Administrator
         User Management Administrator
         Dynamics 365 (online)
         Dynamics 365 service Administrator
         Power BI Administrator
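The contractor scenario above, granting only the SharePoint role and removing it afterwards, with a review of every role's membership in between. This is an added example, not code from the original article; it uses the MSOnline module, where the Global Administrator role is named "Company Administrator", and the account is a placeholder.

```powershell
# Added example (not from the original article): grant a contractor the
# SharePoint admin role only, review all admin role membership, and remove
# the role at the end of the engagement. MSOnline module; the account is a placeholder.
Connect-MsolService

$contractor = "sp-dev@contoso.com"
$roleName   = "SharePoint Service Administrator"   # the scoped role, not Company Administrator

Add-MsolRoleMember -RoleName $roleName -RoleMemberEmailAddress $contractor

# Membership of every admin role. An unexpected Company Administrator
# (Global Administrator in the portal) is the finding to chase first.
Get-MsolRole | ForEach-Object {
    $role = $_
    Get-MsolRoleMember -RoleObjectId $role.ObjectId |
        Select-Object @{ n = "Role"; e = { $role.Name } }, EmailAddress, DisplayName
} | Sort-Object Role, EmailAddress | Format-Table -AutoSize

# Off-boarding: remove the role the day the contract ends.
Remove-MsolRoleMember -RoleName $roleName -RoleMemberType User -RoleMemberEmailAddress $contractor
```

Put the removal line in the off-boarding checklist with the contract end date, and run the membership review on a schedule: role grants accumulate quietly, and a review is the only way to notice a "temporary" admin who is still there a year later.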

9) Alerts & Triggers
In the Security & Compliance Center you can monitor user actions and track new activity on the portal. You can configure alert policies to receive custom alerts when particular activities take place: when a user performs a matching activity, the alert fires according to the conditions the administrator has set.
10) Mobile Management
Intune is Microsoft's mobile device and mobile application management solution, typically available as part of the Enterprise Mobility + Security licensing bundle. Intune lets an administrator manage employees' mobile devices and apps from a single dashboard across iOS, Android and Windows devices. It also lets the administrator centrally manage the deployment of updates and applications to keep workers productive. Key features of Intune:
Protect company information and data by controlling how your workforce accesses and shares it.
Manage the mobile devices your workforce uses to access company data.
Manage the mobile apps your workforce uses.
Ensure devices and apps comply with the company's latest security requirements.
Apply conditional access policies so that the organization's access policies are enforced even when users are not on the office premises.