Policy Templates for SaaS Configuration Audit
Skyhigh CASB provides a list of preconfigured Configuration Audit Policy Templates for SharePoint that allows you to find any possible misconfigurations in your Microsoft 365 settings.
Find these templates on the Policy > Policy Templates page.
For instructions on how to find Policy templates that are new or updated due to changed recommendations, see Find New and Updated Policy Templates.
To view the available pre-configured Policy Templates for Security Configuration Audit for SaaS:
- Go to Policy > Policy Templates.
- Click the Table view icon.
- Then filter for:
- Policy Type > Security Configuration
- Service Applicable To > SharePoint (or other Microsoft 365 service).
Policy Templates for SaaS Configuration Audit
The table lists the policy templates provided for Security Configuration Audit for SharePoint (or other Microsoft 365 services).
To check the policy templates that have been deprecated, see Policy Templates for SaaS Security Configuration Audit - DEPRECATED.
| Policy Name | Policy Description |
|---|---|
| Disable users from creating sites | This property controls whether users can create new sites for themselves. |
| Disable auto add or remove users when they request to join or leave a group | Disable auto add or remove users when they request to join or leave a group. |
| Disable guest users from using OneDrive | Disable administrator managed guest users from using OneDrive. |
| Sharing in SharePoint and OneDrive should be restricted at the site level to specific domains | This is useful when administrators want to limit sharing to specific business partners. Administrators can limit sharing invitations to email domains by adding them to the allow list. Or they can add them to the deny list of email domains that users are prohibited from sending invitations to. |
Set the default link type to Internal when users get links for sharing at the Site level |
As a global or SharePoint admin, you can set the default type of link to restrict the level of sharing while still allows users to select other types of links as needed. This setting can be configured at the organization level and at the site level. |
| Set default link permission to view-only when users get links for sharing at the site level | Set the default permission of the link to view-only, while still allowing users to enable edit. This setting can be configured both globally for SharePoint Online and at the Site Collection level. The global settings act as a default for the site collections. |
| Set default link permission to view-only when users get links for sharing | Set the default permission of the link to view-only, while still allowing users to enable edit. This setting can be configured both globally for SharePoint Online and at the Site Collection level. The global settings act as a default for the site collections. |
| The option to edit, copy, and paste files outside the browser for documents should be disabled at the tenant level | Does not allow users to edit SharePoint or OneDrive files in the browser or copy and paste file contents out of the browser windows. |
| Set default link type to Internal when users get links for sharing at the Organization level | Set the default type of link to something more restrictive, while still allowing users to select other types of links as needed. This setting can be configured both globally for SharePoint Online and at the Site Collection level. The global settings act as a default for the site collections. |
| Sharing in SharePoint and OneDrive should be restricted at the tenant level to specific domains | This is useful when administrators want to limit sharing to specific business partners. Administrators can limit sharing invitations to email domains by adding them to the allow list. Or they can add them to the deny list of email domains that users are prohibited from sending invitations to. Organization-wide settings affect all SharePoint Online site collections, including the OneDrive for Business site collection. |
| Control access to SharePoint Online and OneDrive data based on a network location | Define a trusted network boundary by specifying one or more authorized IP address ranges. Any user who attempts to access SharePoint and OneDrive from outside this network boundary (using a web browser, desktop app, or mobile app on any device) will be blocked. |
| Disable company-wide link sharing | Disable company-wide link sharing. |
| Apply conditional access policies to guest users | When the feature is enabled, all guest users are subject to conditional access policies. By default, guest users accessing SharePoint Online files with a passcode are exempt from conditional access policies. |
| Disable external services in SharePoint Online | Disable external services in SharePoint Online. External services are defined as services that are not in Office 365 data centers. |
| Disable permissive browser file handling override | The Strict setting adds headers that force the browser to download certain types of files. The forced download improves security by disallowing automatically executing web content. When the setting is set to Permissive, no headers are added, and certain types of files can be executed in the browser instead of downloaded. |
| Disable ShowAllUsersClaim to restrict users from broadly accepted from broadly sharing within the organization and to users with previously accepted sharing invitations | When ShowAllUsersClaim is disabled, users cannot see All Users listed in the people picker, so they cannot share anything with the entire organization at once. All Users include users who have previously accepted sharing invitations. |
| Disable ShowEveryoneClaim to restrict users from broadly sharing within the organization and to external users | Disable ShowEveryoneClaim to restrict users from broadly sharing within the organization and to external users. |
| Disable ShowEveryone ExceptExternal UsersClaim to restrict users from broadly sharing within the organization | When ShowEveryoneExceptExternalUsersClaim is disabled, users cannot see All Users in the drop-down menu, and cannot share with everyone at once. |
| Enable persistent cookie for the Explorer view | To use the Explorer view to manage files and folders in a library, the client must use a persistent cookie. If you set this property, a user who uses the Explorer view to connect to a machine that’s private is prompted, and will then download the appropriate cookie. This cookie expires after 30 minutes and cannot be cleared by closing the browser or signing out of SharePoint Online. To clear this cookie, the user must log out of their Windows session. |
| Block or limit access to specific SharePoint site collections or OneDrive accounts | Blocking access provides security but comes at the cost of usability and productivity. Limiting access allows users to remain productive while addressing the risk of accidental data loss on unmanaged devices. When you limit access, users on managed devices have full access. The site collection-level setting must be at least as restrictive as the organization-wide setting. |
| Limit access to SharePoint and OneDrive content at the Organization level | Limiting access allows users to remain productive while addressing the risk of accidental data loss on unmanaged devices. When you limit access, users on managed devices have full access. Users on unmanaged devices have browser-only access with no ability to download, print, or sync files. They also cant access content through apps, including Microsoft Office desktop apps. |
| Do not allow users to request to join or leave a group | Do not allow users to request to join or leave a group. |
| Only allow group members to view group membership. | Only allow group members to view group membership. |
| Enable mobile push notifications for users to get changes to their OneDrive for Business content | Enable mobile push notifications for users to get changes to their OneDrive for Business content. |
| Enforce only OneDrive for Business owners to sharing | This lets administrators set a policy on resharing behavior in OneDrive for Business so only the owner can share. |
| Enable antivirus and a local firewall for connecting devices | Configure mobile device management policies to require PCs to have antivirus and a firewall enabled. Otherwise, users would be allowed to connect from devices that are vulnerable to basic internet attacks, leading to potential breaches of accounts and data. |
| Wipe mobile devices on multiple sign-in failures to prevent brute force compromise | Devices without this protection are vulnerable to being accessed physically by attackers who can then steal account credentials, and data, or install malware on the device. |
| Create a compliance policy for Android | Devices that are not compliant are vulnerable to being accessed physically by attackers who can steal sensitive corporate data. |
| Create a compliance policy for Android Enterprise (Android for Work) | Devices that are not compliant are vulnerable to being accessed physically by attackers who can steal sensitive corporate data. |
| Create a compliance policy for iOS | Devices that are not compliant are vulnerable to being accessed physically by attackers who can steal sensitive corporate data. |
| Create a compliance policy for Windows | Devices that are not compliant are vulnerable to being accessed physically by attackers who can steal sensitive corporate data. |
| Enable multifactor authentication for all users in administrative roles | Multifactor authentication provides additional assurance that the individual attempting to gain access is who they claim to be. With multifactor authentication, an attacker would need to compromise at least two different authentication mechanisms, increasing the difficulty of compromise and reducing the risk. |
| Enable multifactor authentication for all users in all roles | Enable multifactor authentication for all users in the Microsoft 365 tenant. Upon logging into Microsoft 365 services each day, users are prompted to authenticate with a second factor. The second factor is most commonly a text message to a registered mobile phone number where the user enters an authorization code or a mobile application like Microsoft Authenticator. |
| Disable default provisioning of the Shared with Everyone Folder in OneDrive | Disable default provisioning of 'Shared with Everyone Folder' in OneDrive for Business. |
| View only restriction for Anyone links | Restrict 'Anyone' links so that users can only provide view permission for files or folders. If you are using file requests, set the link permissions for View and Edit for files, and View, Edit, and Upload for folders. |
| Ensure that mobile devices require a complex alphanumeric password to prevent brute force attacks | Not having a complex password makes devices vulnerable to being accessed physically by attackers who can then steal account credentials, and data, or install malware on the device. |
| Enable password protection for Active Directory in hybrid environments | Azure Active Directory protects an organization by prohibiting the use of weak or leaked passwords. In addition, organizations can create custom-banned password lists to prevent their users from using easily guessed passwords that are specific to their industry. Deploying this feature to Active Directory strengthens the passwords that are used in the environment. |
| Designated between two and four global admins | Designate more than one global administrator so admins can be monitored and to provide redundancy if an admin leaves an organization. Also, if there is only one global tenant administrator, he or she can perform a malicious activity without being discovered by another admin. Designated no more than four global admins for any tenant. If there are more global tenant administrators, the more likely it is that one of their accounts may be successfully breached by an external attacker. |
| Require a password for mobile devices | Require your users to use a password to unlock their mobile devices. Devices without password protection are vulnerable to being accessed physically by attackers who can then steal account credentials, and data, or install malware on the device. |
| Prohibit password reuse for mobile devices | Do not allow users to reuse the same password on their mobile devices. Devices without this protection are vulnerable to being accessed by attackers who can then steal account credentials, and data, or install malware on the device. Making users select unique and unused passwords every time a password changes on mobile devices lessens the likelihood that the password can be guessed by an attacker. |
| Ensure that mobile devices restrict simple passwords to prevent brute force attacks | Not having a complex password makes devices vulnerable to being accessed physically by attackers who can then steal account credentials, and data, or install malware on the device. |
| Make sure that mobile devices are set to never expire passwords | Make sure that users' mobile device passwords never expire. If a user creates a strong password, defined as long, complex, and without any pragmatic words present, it should remain just as strong in 60 days. It is Microsoft's official security position to not expire passwords periodically without a specific reason. |
| Ensure that mobile devices require a complex password with minimum password length to prevent brute force attacks | Not having a complex password makes devices vulnerable to being accessed physically by attackers who can then steal account credentials, and data, or install malware on the device. |
| Do not allow users to connect from devices that are jailbroken or rooted | Jailbroken devices have basic protections disabled to run software that is often malicious and could very easily lead to an account or data breach. |
| Enable mobile device encryption to prevent unauthorized access to mobile data | Require your users to use encryption on their mobile devices. Unencrypted devices can be stolen and their data extracted by an attacker very easily. |
| Enable settings to lock devices after a period of inactivity to prevent unauthorized access | Require your users to configure their mobile devices to lock on inactivity. Attackers can steal unlocked devices and access data and account information. |
| Block OneDrive for Business sync from unmanaged devices | Unmanaged devices pose a risk because their security cannot be verified. Allowing users to sync data to these devices takes that data out of the control of the organization. This increases the risk of the data either being intentionally or accidentally leaked. |
| BCC external sharing invitations | Audit the content shared by internal users with external users in external sharing invitations in order to control and identify leaks of critically important content from the organization. |
| Require modern authentication for SharePoint applications | Modern authentication in Microsoft 365 enables authentication features like multifactor authentication (MFA) using smart cards, certificate-based authentication (CBA), and third-party SAML identity providers. |
Policy Templates for SaaS Configuration Audit - DEPRECATED
The following Policy Template for SaaS Configuration Audit is deprecated in Skyhigh Security Service Edge 6.3.2.
| Policy Name | Policy Description |
|---|---|
| Permission to add and customize pages should be denied to all sites | Permission to add and customize pages should be denied to all sites |