Boston Office 365 User Group Presentation. Includes a technical overview of the administration, security and compliance features of OneDrive for Business and Office 365. Real world examples and sample scripts included.
4. What you will get out of this session
• Secondary Administrator
• Storage Quota
• Pre-Provision OneDrive
• OneDrive Retention
• DLP Policies
• Sync Client
• Modern Experience
• External Sharing
• End User Activity Reports
• Content Search
• eDiscovery
Prepare for launch | Protect after launch
Data Migration | Governance Plan
5. What you will NOT get out of this session
Prepare for launch | Protect after launch
Data Migration | Governance Plan
7. Add a Secondary Administrator
Global Admin view | End user view
8. Add a Secondary Administrator
Automatically add a secondary administrator during the creation process of the OneDrive site (MySite)
SharePoint Admin Center > User Profiles > Setup MySites
9. For existing OneDrive sites, you must:
• Sign in to Office 365 as a Global Administrator
• Connect to the tenant using Connect-SPOService
• Create a list of all OneDrive for Business sites using GetOD4BSites.ps1
• Assign a user as a site collection administrator across all OneDrive sites using OD4BAssignSCA.ps1
10. Tips
• Assign permissions to no more than 2,500 OneDrive for Business sites per day
• Keep a record of the OneDrive sites and administrators
• Communicate to users that an administrative account has been assigned as a site collection administrator to OneDrive for Business sites in your organization
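One way to carry out the steps on slides 9 and 10 in a single resumable run, as an added example (it is not the GetOD4BSites.ps1 or OD4BAssignSCA.ps1 script referenced in this deck). The tenant URL, the admin account and the ledger path are placeholder assumptions; run it once per day until nothing is pending.

```powershell
# Added example: assign a secondary site collection admin to existing OneDrive sites,
# capped at 2,500 sites per run, with a CSV ledger as the record of who was added where.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl       = 'https://contoso-admin.sharepoint.com'   # placeholder tenant
$SecondaryAdmin = 'od-compliance@contoso.com'              # placeholder admin account
$LedgerPath     = '.\OneDriveSecondaryAdmins.csv'          # placeholder ledger file
$DailyLimit     = 2500                                     # per-day ceiling from the Tips slide

Connect-SPOService -Url $AdminUrl

# Sites already assigned on earlier runs are skipped, so the script can resume tomorrow.
$done = @{}
if (Test-Path $LedgerPath) {
    Import-Csv $LedgerPath | Where-Object Status -eq 'Assigned' |
        ForEach-Object { $done[$_.SiteUrl] = $true }
}

# Enumerate OneDrive (personal) site collections only.
$sites   = Get-SPOSite -IncludePersonalSite $true -Limit All `
               -Filter "Url -like '-my.sharepoint.com/personal/'"
$pending = @($sites | Where-Object { -not $done.ContainsKey($_.Url) })
$todo    = @($pending | Select-Object -First $DailyLimit)

foreach ($site in $todo) {
    $status = 'Assigned'; $detail = ''
    try {
        Set-SPOUser -Site $site.Url -LoginName $SecondaryAdmin `
            -IsSiteCollectionAdmin $true -ErrorAction Stop | Out-Null
    } catch {
        $status = 'Failed'; $detail = $_.Exception.Message   # retried on the next run
    }
    [pscustomobject]@{
        TimestampUtc = (Get-Date).ToUniversalTime().ToString('s')
        SiteUrl      = $site.Url
        Owner        = $site.Owner
        AdminAdded   = $SecondaryAdmin
        Status       = $status
        Detail       = $detail
    } | Export-Csv -Path $LedgerPath -Append -NoTypeInformation
}

'{0} processed this run, {1} still pending' -f $todo.Count, ($pending.Count - $todo.Count)
```

The Owner column of the ledger doubles as the distribution list for the user communication the last tip asks for.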
11. OneDrive for Business Storage
Unlimited storage included in all Enterprise plans
1TB limit by default, can be increased to 5TB
Ask Microsoft for more than 5TB
12. Set Storage Quota
• Sign in to Office 365 as a Global Administrator
• Connect to the tenant using Connect-SPOService
• To set a global quota for new OneDrive sites
  • Set-SPOTenant -OneDriveStorageQuota <quota>
• To reset an existing OneDrive site to new quota
  • Set-SPOSite -Identity <siteURL> -StorageQuotaReset
• To set the storage quota for a specific OneDrive site
  • Set-SPOSite -Identity <siteURL> -StorageQuota <quota>
13. Pre-Provision OneDrive
Why pre-provision?
• Migrate data from file server or other repository
• Migrate data from OnPrem MySite to OneDrive for Business
• Part of your on-boarding process
14. Pre-Provision OneDrive
• Configure Secondary Admin and Storage Quota
• Set up the SharePoint Online Management Shell
• Sign in to Office 365 as a Global Administrator
• Connect to the tenant using Connect-SPOService
• Run the Request-SPOPersonalSite cmdlet, or create a CSV file to provision up to 200 OneDrive libraries at once
• Your request will be queued through a timer job
Be sure to assign a license to the Global Administrator account that will be running this PowerShell cmdlet.
15. OneDrive Retention
• Account gets deleted in Office 365 Admin Center or removed through Azure AD sync
• OneDrive site is marked for deletion through the MySite Cleanup Timer Job
• The Manager in AD gets notified via email and obtains ownership of the OneDrive site
• 30 Days later the OneDrive data is deleted
16. MySite Cleanup Job
• Add a secondary owner in case the manager field is not populated in AD
• Increase the retention period for the MySite Cleanup Timer Job to up to 10 years!
• Set-SPOTenant -OrphanedPersonalSitesRetentionPeriod <number of days>
17. Data Loss Prevention Policies (DLP)
• Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, and OneDrive for Business
• Prevent the accidental sharing of sensitive information
• Get notified or view DLP reports showing content that matches your organization’s DLP policies
18. Data Loss Prevention Policies
• Security and Compliance > Threat Management > DLP
• Protect all OneDrive sites, or just a few
• Create your conditions
19. Data Loss Prevention Policies
• Choose a sensitive information type, or create your own
• Create an action when conditions are met
20. Data Loss Prevention Policies
21. Next Generation Sync Client
Original Sync Client (groove.exe)
• Windows 7, 8, 8.1, 10
• OneDrive for Business, SharePoint, Groups
• 20,000 item limit
• 2 GB file size limit
• No Selective Sync
• Supports co-authoring from local docs
• Included in Office ProPlus 2013
• MFA App Passwords
Next Gen Sync Client (onedrive.exe)
• Windows 7, 8, 8.1, 10, Mac OS X 10.9
• OneDrive for Business, OneDrive Consumer, SharePoint, Groups (Preview)
• No item limit
• 10 GB file size limit
• Supports Selective Sync
• Supports real-time co-authoring in Office 2016
• Included in Office ProPlus 2016
• MFA with Modern Authentication
• Control bandwidth consumption
22. Next Generation Sync Client
Previous sync client | New sync client
23. Next Generation Sync Client
Already have the old groove sync client installed?
• The next gen sync client will automatically take over syncing
• Groove.exe will stop syncing OneDrive sites
• OneDrive.exe starts syncing the same OneDrive site without re-downloading the content
• Groove.exe stops running and removes itself from automatic startup, unless it’s syncing other content like SharePoint site libraries or OnPrem OneDrive for Business
24. Next Generation Sync Client
• System Center Configuration Manager (SCCM) or Group Policy can be used to deploy the sync client
• Deploy OneDrive.exe to your users
• Launch OneDrive.exe to allow users to set up the sync client
• Set update cadence (Optional)
Download the sample SCCM package. Just update the OneDrive.exe path and the application owner.
25. Next Generation Sync Client
Key Administration Settings via Group Policy
• Set the default location for the OneDrive folder
• Prevent users from changing the location of their OneDrive folder
• Prevent users from synchronizing their personal OneDrive accounts
• Set maximum upload bandwidth percentage that OneDrive.exe uses
Download the OneDrive Deployment Package to get the adml and admx group policy files
26. Next Generation Sync Client
Set-SPOTenantSyncClientRestriction
• Block sync to non-domain joined machines
• Control the list of allowed domains
• Block Mac sync since they do not support domain join
• Block specific file extensions from syncing
• Prevent users from synchronizing their personal OneDrive accounts
• Block the old sync client
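An added example (not from the original deck) that applies four of the restrictions listed above with Set-SPOTenantSyncClientRestriction and then reports exactly which tenant settings changed. The tenant URL and the blocked extensions are placeholder assumptions, and reading the domain GUIDs assumes the RSAT ActiveDirectory module on a domain-joined admin workstation.

```powershell
# Added example: restrict OneDrive sync to domain-joined PCs, block Mac sync,
# block chosen file types, block the old Groove client, then diff the settings.
Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module ActiveDirectory                      # only used to read domain GUIDs

Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder tenant

# The allow list is made of AD domain object GUIDs, one per domain in the forest.
$domainGuids = (Get-ADForest).Domains | ForEach-Object {
    (Get-ADDomain -Identity $_).ObjectGUID.ToString()
}

$before = Get-SPOTenantSyncClientRestriction

# Each group of parameters is its own parameter set, so they are separate calls.
Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($domainGuids -join ';') -BlockMacSync:$true
Set-SPOTenantSyncClientRestriction -ExcludedFileExtensions 'pst;exe'   # placeholder list, no dots
Set-SPOTenantSyncClientRestriction -GrooveBlockOption 'HardOptIn'      # blocks the old sync client

$after = Get-SPOTenantSyncClientRestriction

# Generic before/after report: print every property whose value changed.
$changes = foreach ($p in $after.PSObject.Properties) {
    $old = @($before.($p.Name)) -join ';'
    $new = @($p.Value) -join ';'
    if ($old -ne $new) {
        [pscustomobject]@{ Setting = $p.Name; Before = $old; After = $new }
    }
}
$changes | Format-Table -AutoSize

if (-not $changes) {
    Write-Warning 'No setting changed: the tenant was already configured this way, or the change has not propagated yet.'
}
```

Blocking sync for machines outside the listed domains also affects any Windows PC that is not joined to one of them, so pilot the GUID list before enabling it tenant-wide.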
27. Classic vs. Modern OneDrive
28. External Sharing
Tenant level options | Site collection options
Site collection sharing cannot be less restrictive than the tenant setting
29. External Sharing
All or nothing OneDrive sharing
Enable for all, block for some
• Set-SPOSite -Identity https://<yourtenant>-my.sharepoint.com -SharingCapability Disabled
30. External Sharing
You can set up a list of approved domains or blocked domains, but not both
These settings apply to both SharePoint Online and OneDrive for Business!
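An added example (not from the original deck) of the "enable for all, block for some" pattern from the external sharing slides: it sets a domain allow list, disables sharing on individual OneDrive sites, and then audits the effective setting per site, where the more restrictive of tenant and site wins. The tenant URL, the two site URLs and the partner domains are constructed placeholders.

```powershell
# Added example: block external sharing for selected OneDrive sites and audit the result.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'      # placeholder tenant

# Constructed sample: OneDrive sites that must not share externally.
$blocked = @(
    'https://contoso-my.sharepoint.com/personal/finance1_contoso_com',
    'https://contoso-my.sharepoint.com/personal/hr1_contoso_com'
)

# Sharing levels ordered from most to least restrictive.
$rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1
           ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }

# Tenant level: an allow list OR a block list, never both (applies to SharePoint too).
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner.example supplier.example'

foreach ($url in $blocked) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

$tenantLevel = "$((Get-SPOTenant).SharingCapability)"

$report = Get-SPOSite -IncludePersonalSite $true -Limit All `
              -Filter "Url -like '-my.sharepoint.com/personal/'" |
    ForEach-Object {
        $siteLevel = "$($_.SharingCapability)"
        # A site can never be less restrictive than the tenant, so take the lower rank.
        $effective = if ($rank[$siteLevel] -lt $rank[$tenantLevel]) { $siteLevel } else { $tenantLevel }
        [pscustomobject]@{
            Url           = $_.Url.TrimEnd('/')
            Owner         = $_.Owner
            SiteSetting   = $siteLevel
            Effective     = $effective
            MustBeBlocked = $blocked -contains $_.Url.TrimEnd('/')
        }
    }

# Summary by effective level, then any site that should be blocked but is not.
$report | Group-Object Effective | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.MustBeBlocked -and $_.Effective -ne 'Disabled' } | Format-Table Url, Effective
```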
31.
32. End User Activity Reports
Who has viewed that document?
Who is sharing files with external parties?
Who deleted those files?
Who created an anonymous link to this file?
Who is using the sync client to download files?
Who deleted the compliance administrator from their OneDrive?
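An added example (not from the original deck) that maps each question above to a unified audit log operation and collects the matching OneDrive events into one report. It assumes audit logging is already turned on for the tenant and that the ExchangeOnlineManagement module is installed; the seven-day window, the output path and the bulk-download threshold are arbitrary assumptions.

```powershell
# Added example: answer the slide's questions from the Office 365 unified audit log.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$questions = [ordered]@{
    'Who viewed the document'             = 'FileAccessed'
    'Who shared with external parties'    = 'SharingInvitationCreated'
    'Who deleted files'                   = 'FileDeleted'
    'Who created an anonymous link'       = 'AnonymousLinkCreated'
    'Who downloaded via the sync client'  = 'FileSyncDownloadedFull'
    'Who removed a site collection admin' = 'SiteCollectionAdminRemoved'
}

$end   = Get-Date
$start = $end.AddDays(-7)          # assumption: look back one week
$bulkThreshold = 500               # assumption: sync downloads per user that merit review

$events = foreach ($q in $questions.GetEnumerator()) {
    # One call returns at most 5,000 records; shorten the window if you hit that ceiling.
    Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $q.Value -ResultSize 5000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            # Keep OneDrive for Business events only (personal sites live on the -my host).
            if ($d.ObjectId -like '*-my.sharepoint.com/*') {
                [pscustomobject]@{
                    Question  = $q.Key
                    TimeUtc   = $d.CreationTime
                    User      = $d.UserId
                    Operation = $d.Operation
                    Object    = $d.ObjectId
                    ClientIP  = $d.ClientIP
                }
            }
        }
}

$events | Sort-Object TimeUtc | Export-Csv -Path '.\OneDriveActivity.csv' -NoTypeInformation

# Users whose sync client pulled down an unusually large number of files.
$events | Where-Object Operation -eq 'FileSyncDownloadedFull' |
    Group-Object User | Where-Object Count -ge $bulkThreshold |
    Sort-Object Count -Descending | Select-Object Name, Count
```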
33. End User Activity Reports
43. Resources
Downloads
OneDrive Deployment Package
sample SCCM package
GetOD4BSites.ps1
OD4BAssignSCA.ps1
References
Add a Secondary Administrator
Assign eDiscovery Permissions to OneDrive
OneDrive for Business Storage
Set OneDrive Storage Quota
Pre-Provision OneDrive Sites
Overview of OneDrive Retention and Deletion
OneDrive Retention PowerShell cmdlet
Data Loss Prevention Policies
Next Generation Sync Client Overview
Determine Version of Sync Client
Transition to the Next Gen Sync Client
Deploying the Next Gen Sync Client
Administrative Settings for the Next Gen Sync Client
Block Sync From Non-Domain Joined Machines
Overview of External Sharing
End User Activity Reports
Advanced Alerts in Office 365
Run a Compliance Search
eDiscovery Case Management
Advanced eDiscovery
Stay Up to Date with the Sync Client Release Notes
How many using OneDrive today?
How many have moved customers to OneDrive?
How certain are you that the data is secure and not being shared with the wrong people? 80, 90, 100
Do you know how to access employee data when they quit? How long will you retain it?
If you are hit with a lawsuit, do you know how to review employees' personal documents?
Are people logging from home and downloading everything in bulk?
These are all questions my customers have asked me and that I’m planning to share with you today!
Also explain the provisioning process – predecessor etc.
Demo where to find this
Explain provisioning process
Explain why you might want to pre-provision
Must wait for the crawl
Demo
Explain syncing
If you see:
A white icon with this hover text: "OneDrive - Personal"
And you're using:
Windows 10, 8, 7, or Vista
You're using the new OneDrive sync client.
If you see:
A white icon with hover text like this: "Files are up to date"
And you're using:
Windows 8.1 or RT 8.1
You're using the previous OneDrive personal sync client.
If you see:
A blue icon with this hover text: "OneDrive - <your company>"
And you're syncing:
OneDrive for Business in an Office 365 business subscription
You're using the new OneDrive sync client.
If you see:
A blue icon with this hover text: "OneDrive for Business"
And you're syncing:
An on-premises instance of OneDrive for Business in SharePoint Server
OR SharePoint site libraries
You're using the previous OneDrive for Business sync client.
Allow sharing with people inside the directory – turns off user sharing – very restrictive
MySite host will impact all OneDrives
Have to be enabled first.. Talk about alerts - demo
Demo
Alert