SharePoint Online and Security: Overview

12 min read

I spent last year delivering sessions and workshops on Office 365 and Microsoft Azure security. It seems these topics are a constantly moving target, with new services, capabilities and threats being announced and discovered almost weekly.

I wanted to write a bit more in-depth about these interesting and important topics for people who might not normally work that much on securing their data and users. This is part 1 of a longer series on securing SharePoint Online as part of securing Office 365.

Overview on security in SharePoint Online

Once a company decides to trust Microsoft and starts using SharePoint Online as part of acquiring licenses for Office 365, there must be confidence in how the data is stored, secured and accessed.

One of the first resources I share with my customers during any Office 365 deployment or project is the Office 365 Trust Center. This site provides the hard data on why Office 365 is a trusted cloud, and it boils down to:

  • Having secure identities with Microsoft Azure Active Directory (Azure AD for short)
  • Securing apps and data with encryption and limited access to data 
  • Securing the infrastructure, which comprises the devices users use and the servers that run the services, and automatically detecting threats

Much of this, at first, seems like marketing fluff. “Secure? Sure..” is a phrase I’m familiar with having spent countless hours in windowless meeting rooms with companies who are about to move some of their data to Office 365. With GDPR, which to many is just a four-letter acronym about something happening in May, 2018, this is even more relevant today.

Another resource I find useful, as it is quite visual, is this SharePoint Infographic from Microsoft. It showcases the guiding principles within Office 365:

  • Platform security 
  • Secure access & sharing 
  • Awareness & insights 
  • Information governance 
  • Compliance & Trust

These are wide and deep topics that I can only hope to cover in enough detail, as the services are constantly evolving.

Security & Compliance Portal

As an admin for Office 365 you’ve probably gotten used to having multiple browser tabs open for different administrative portals and tools. There’s one more for security, called Security & Compliance, which you can access directly at

Depending on the licenses at your disposal, some menu items might not be visible initially. The purpose of this portal is to gather together all reporting views, activities and messages around security for your tenant.

I often find myself being more active in this view than in the regular Office 365 Admin Portal view. This is also the launchpad for Cloud App Security (formerly Advanced Security Management) and Threat Intelligence (with its upcoming Attack Simulator). We’ll talk about these services a bit later in this series.

Customer Lockbox

Customer Lockbox is a feature that allows tenant admins (typically: you) to approve access to your organization’s data for Microsoft support engineers during troubleshooting. This isn’t something you would normally use on a daily or even weekly basis, as the typical flow for this feature to activate is as follows: 

  1. One of your users has an issue with their mailbox. You spend some time troubleshooting it as the company admin but cannot resolve it. 
  2. You choose to initiate a support request with Microsoft support.
  3. Once the support engineer receives the support ticket, they can request access through the Customer Lockbox feature.
  4. You will receive the request to grant or deny access for the support engineer to access your Exchange Online data. Once approved, access is granted for 4 hours for the support engineer.

Customer Lockbox is one of those features that requires the more expensive Office 365 E5 license, which you can purchase for one, some or all your users. Once the license is active, you can configure Customer Lockbox through Office 365 Admin Portal > Settings > Security & privacy.

As the feature is off by default, there’s a switch to enable it for your tenant. 

You can review pending Customer Lockbox requests under Office 365 Admin Portal > Support > Customer Lockbox Requests. 

SharePoint Online Admin Center and security

Together with Protection Center and Office 365 Admin, you’ll also have some configurable security settings in SharePoint Online Admin Center. You can access this directly through https://{tenant}, when you replace {tenant} with your Office 365 tenant name.

The portal is somewhat worn out after so many years of trustworthy service. You can find core security-related settings under each site collection in the main view, and underneath Settings, Sharing and Access Control items on the left navbar. There really isn’t a consistent overall view for security-related settings for SharePoint Online, as several settings are also scattered within site collection-level settings, individual site settings and elsewhere in Office 365.  

Should you have access to the preview Admin Center enabled in your tenant, a link in the upper-right corner takes you to the modern version.

Direct link is https://{tenant}, which only works if your tenant is enabled for the preview SharePoint Online Admin Center.

Obviously, the new portal in preview is still lacking a lot of the detailed controls you’ll need, so using both portals is perfectly fine for now. 

Security for SharePoint Online is controlled through these two portals, but the majority of the settings are only found (for now) in the classic SharePoint Online Admin Center.

In closing

This was a brief overview on security as it relates to SharePoint Online. In the following articles in this series we’ll have a closer and more hands-on look at securing your users, admins, SharePoint content and data.
