| Service | Microsoft Docs article | Related commit history on GitHub | Change details |
|---|---|---|---|
| SharePoint | Control Access From Unmanaged Devices | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/control-access-from-unmanaged-devices.md | Limiting access allows users to remain productive while addressing the risk of a  > [!NOTE]-> Blocking or limiting access on unmanaged devices relies on Microsoft Entra Conditional Access policies. [Learn about Microsoft Entra ID licensing](https://azure.microsoft.com/pricing/details/active-directory/) For an overview of conditional access in Microsoft Entra ID, see [Conditional access in Microsoft Entra ID](/azure/active-directory/conditional-access/overview). -> For info about recommended SharePoint access policies, see [Policy recommendations for securing SharePoint sites and files](/microsoft-365/enterprise/sharepoint-file-access-policies). -> If you limit access on unmanaged devices, users on managed devices must use one of the [supported OS and browser combinations](/azure/active-directory/conditional-access/technical-reference#client-apps-condition), or they will also have limited access. -> Because Microsoft Entra ID does not offer [Muit-Geo Capabilities](https://www.microsoft.com/en-us/microsoft-365/business/multi-geo-capabilities), blocking or limiting unmanaged devices will impact all Geos within the Microsoft 365 tenant. +> - Blocking or limiting access on unmanaged devices relies on Microsoft Entra Conditional Access policies. [Learn about Microsoft Entra ID licensing](https://azure.microsoft.com/pricing/details/active-directory/) For an overview of conditional access in Microsoft Entra ID, see [Conditional access in Microsoft Entra ID](/azure/active-directory/conditional-access/overview). +> - For info about recommended SharePoint access policies, see [Policy recommendations for securing SharePoint sites and files](/microsoft-365/enterprise/sharepoint-file-access-policies). +> - If you limit access on unmanaged devices, users on managed devices must use one of the [supported OS and browser combinations](/azure/active-directory/conditional-access/technical-reference#client-apps-condition), or they will also have limited access. +> - Because Microsoft Entra ID does not offer [Multi-Geo Capabilities](https://www.microsoft.com/en-us/microsoft-365/business/multi-geo-capabilities), blocking or limiting unmanaged devices will impact all Geos within the Microsoft 365 tenant. ## Control device access across Microsoft 365 Using a policy that affects all Microsoft 365 services can lead to better securi > [!NOTE] > It can take up to 24 hours for the policy to take effect. It won't take effect for users who are already signed in from unmanaged devices. -> [!IMPORTANT] -> If you block or limit access from unmanaged devices, we recommend also blocking access from apps that don't use modern authentication. Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. In <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control** in the new SharePoint admin center</a>, select **Apps that don't use modern authentication**, select **Block access**, and then select **Save**. + > [!IMPORTANT] + > If you block or limit access from unmanaged devices, we recommend also blocking access from apps that don't use modern authentication. Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. In <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control** in the new SharePoint admin center</a>, select **Apps that don't use modern authentication**, select **Block access**, and then select **Save**. ## Limit access Using a policy that affects all Microsoft 365 services can lead to better securi  -If you revert back to **Allow Full Access**, it could take up to 24 hours for the changes to take effect. + If you revert back to **Allow Full Access**, it could take up to 24 hours for the changes to take effect. -> [!IMPORTANT] -> If you block or limit access from unmanaged devices, we recommend also blocking access from apps that don't use modern authentication. Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. In <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control** in the new SharePoint admin center</a>, select **Apps that don't use modern authentication**, select **Block access**, and then select **Save**. + > [!IMPORTANT] + > If you block or limit access from unmanaged devices, we recommend also blocking access from apps that don't use modern authentication. Some third-party apps and versions of Office prior to Office 2013 don't use modern authentication and can't enforce device-based restrictions. This means they allow users to bypass conditional access policies that you configure in Azure. In <a href="https://go.microsoft.com/fwlink/?linkid=2185071" target="_blank">**Access control** in the new SharePoint admin center</a>, select **Apps that don't use modern authentication**, select **Block access**, and then select **Save**. -> [!NOTE] -> If you limit access and edit a site from an unmanaged device, image web parts won't display images that you upload to the site assets library or directly to the web part. To work around this issue, you can use this [SPList API](/previous-versions/office/sharepoint-server/mt796229(v%3Doffice.15)) to exempt the block download policy on the site assets library. This allows the web part to download images from the site assets library. -> -> When Access Control for Unmanaged Devices in SharePoint is set to **Allow limited, web-only access**, SharePoint files cannot be downloaded but they can be previewed. The previews of Office files work in SharePoint but the previews do not work in Microsoft Viva Engage. + > [!NOTE] + > If you limit access and edit a site from an unmanaged device, image web parts won't display images that you upload to the site assets library or directly to the web part. To work around this issue, you can use this [SPList API](/previous-versions/office/sharepoint-server/mt796229(v%3Doffice.15)) to exempt the block download policy on the site assets library. This allows the web part to download images from the site assets library. + > + > When Access Control for Unmanaged Devices in SharePoint is set to **Allow limited, web-only access**, SharePoint files cannot be downloaded but they can be previewed. The previews of Office files work in SharePoint but the previews do not work in Microsoft Viva Engage. ## Limit access using PowerShell If you revert back to **Allow Full Access**, it could take up to 24 hours for th Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess ``` -> [!NOTE] -> By default, this policy allows users to view and edit files in their web browser. To change this, see [Advanced configurations](control-access-from-unmanaged-devices.md#advanced-configurations). + > [!NOTE] + > By default, this policy allows users to view and edit files in their web browser. To change this, see [Advanced configurations](control-access-from-unmanaged-devices.md#advanced-configurations). ## Block or limit access to a specific SharePoint site or OneDrive The following parameters can be used with `-ConditionalAccessPolicy AllowLimite `-LimitedAccessFileType OtherFiles` Allows users to download files that can't be previewed, such as .zip and .exe. This option offers less security. If this mode is enabled, then for downloading files like .zip or .exe, simply copy the url of the file and paste in browser (example: https://contoso.sharepoint.com/:u:/r/sites/test/Shared%20Documents/test1.zip). -The AllowDownlownloadingNonWebViewableFiles parameter has been discontinued. Please use LimitedAccessFileType instead. +The `AllowDownlownloadingNonWebViewableFiles` parameter has been discontinued. Please use LimitedAccessFileType instead. People outside the organization will be affected when you use conditional access policies to block or limit access from unmanaged devices. If users have shared items with specific people (who must enter a verification code sent to their email address), you can exempt them from this policy by running the following command. |
| SharePoint | Delve Retirement | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/delve-retirement.md | Previously updated : 09/24/2024 Last updated : 11/07/2024 Title: "Guidance for retiring Delve in your organization" The modern search experiences on Microsoft365.com, Office.com, and in SharePoint Both Delve URLs and SharePoint profile URLs will be redirected to the modern search profile pages on Microsoft365.com. For tenants not using Delve today, there will be no change to URLs and their legacy profile experiences in SharePoint. However, they get the extended profile page in modern search and the extended profile cards across Microsoft 365, which will include the properties that are visible in Delve. +Below are all the URLs that will redirect to modern search profile pages on Microsoft365.com. If you are using a third-party solution with crafted Delve URLs or have internal documentation that for some reason is providing URLs not in this list, these will need to be updated. One option is to remove the subdomain and just use the main domain (delve.office.com). Another is to update your solution to support the new profile URLs in modern search. Examples of these URLs can be found at another place on this page. ++`https://delve.office.com`<br/> +`https://gcc.delve.office.com`<br/> +`https://delve-gcc.office.com`<br/> +`https://nam.delve.office.com`<br/> +`https://eur.delve.office.com`<br/> +`https://apc.delve.office.com`<br/> +`https://gbr.dele.office.com`<br/> +`https://can.delve.office.com`<br/> +`https://lam.delveoffice.com`<br/> +`https://sfeur.delve.office.com`<br/> +`https://sfnam.delve.office.com` + ## Where can users edit properties currently editable in Delve? A new edit profile experience, tightly coupled with the profile card, is currently being developed and is targeted for release in November 2024. This will allow users to easily edit their profiles across Microsoft 365. Some properties that are viewable in Delve today aren't editable in Delve, but in the SharePoint edit profile experience. |
| SharePoint | Get Ready Copilot Sharepoint Advanced Management | https://github.com/MicrosoftDocs/OfficeDocs-SharePoint/commits/public/SharePoint/SharePointOnline/get-ready-copilot-sharepoint-advanced-management.md | To minimize accidental content oversharing via Copilot results, it's crucial to Consider educating site admins on the site-level controls they can use to [restrict members from sharing](/powershell/module/sharepoint-online/set-spotenant). One key setting here ensures that Site Owners are the recipients of [access requests](https://support.microsoft.com/office/set-up-and-manage-access-requests-94b26e0b-2822-49d4-929a-8455698654b3). -### Step 2: Clean up unused sites +### Step 2: Ensure all sites have valid owners ++Site owners are the critical role on point for executing governance tasks at scale. Specifically, you need site owners to: ++- Help attest if inactive sites are still needed in next step - **cleaning up unused sites**. +- Perform [Site Access Reviews](/sharepoint/site-access-review#review-everyone-except-external-users-site-access-review-requests-for-site-owners) to confirm whether potentially overshared content is indeed being overshared and take remediation to address oversharing risks in Step 4 ΓÇô control access. ++It's essential to confirm all sites have valid owners before cleaning up unused sites and asking owners to take care of overshared content. SharePoint Advanced Management's [Site Ownership policy](/sharepoint/create-sharepoint-site-ownership-policy) helps identify ownerless sites and find the appropriate owners when needed. ++- You can run a Site Ownership policy in Simulation mode to identify any sites that don't have a minimum of two owners. +- Set up the policy in simulation mode to identify owners based on your desired criteria. Then upgrade the policy to Active mode to enable notifications to site owner candidates. ++### Step 3: Clean up unused sites Identify inactive sites, then take action to reduce your governance footprint and improve Copilot response quality. Inactive sites often contain outdated content, cluttering CopilotΓÇÖs data source and leading to less accurate responses. Removing these sites helps Copilot focus on current information for better results. Currently, you can identify unused sites by running an inactive site policy and ask site owners to attest if the site is still needed. - With less than five minutes you can set up and run an [Inactive Site policy ](/sharepoint/site-lifecycle-management#create-an-inactive-site-policy) in Simulation mode to identify sites that haven't been accessed for an extended (configurable) period of time.-- Once the report is generated, select the Get AI insights button to [get AI insights](/sharepoint/advanced-management#ai-insights) generated for the report to help you identify issues with the sites and possible actions to address these issues. -- Once ready, set the policy to Active mode to notify the Site Owner to attest whether the site is still needed.+- Once the report is generated, select the Get AI insights button to [get AI insights](/sharepoint/advanced-management#ai-insights) generated for the report to help you identify issues with the sites and possible actions to address these issues. +- After identifying inactive sites, set the policy to Active mode to notify the Site Owner to attest whether the site is still needed. +- If the site owners confirm the sties aren't needed, you need to put the sites either in [read-only mode](/sharepoint/site-lifecycle-management#read-only-mode). These sites will be moved to [Microsoft 365 Archive](/microsoft-365/archive/archive-overview) after a configurable duration (3, 6, 9, or 12 months). -### Step 3: Identify sites with potentially overshared content +> [!TIP] +> Sites moved to Microsoft 365 Archive are no longer accessible by anyone in the organization outside of Microsoft Purview or admin search. This means Copilot won't include content from these sites when responding to user prompts. If you want to keep the site in case you need to retrieve its content later, use Inactive sites - Archive. ++### Step 4: Identify sites with potentially overshared content Without looking at the actual content, how do you quickly identify sites with potentially overshared content? Usually, if you see there's content on a site that is being shared with one of the following options: ΓÇ£**Everyone Except External Users**ΓÇ¥, ΓÇ£**People in your organization**ΓÇ¥ and ΓÇ£**Anyone**ΓÇ¥, there's a bigger chance that the content is overshared. Currently, SAM activity based reports let you quickly identify most actively overshared sites, by running three individual reports: Without looking at the actual content, how do you quickly identify sites with po Sites with these three types of usage are at a greater risk of oversharing compared to those without such usages. Once the report is generated, select the Get AI insights button to [get AI insights](/sharepoint/advanced-management#ai-insights) generated for the report to help you identify issues with the sites and possible actions to address these issues. -### Step 4: Control access to content +### Step 5: Control access to content When you use Microsoft Copilot, the results come from content in Microsoft Graph, based on each individual userΓÇÖs profile and permissions. In Step 3, you have identified sites with potentially overshared content. Next, you want to ensure Copilot only has access to content when appropriate. Currently, you can initiate a Site Access Review for site owners to confirm overshared content and take remediation steps. Meanwhile, you as the SharePoint admin can use the Restricted Access Control Policy to restrict access to a site with overshared content. When you use Microsoft Copilot, the results come from content in Microsoft Graph Until the Site Access Review is complete, you as the SharePoint Admin may want to take action to mitigate oversharing risks. To restrict access to a site with overshared content, the SharePoint Admin can set up a [Restricted Access Control Policy](/sharepoint/restricted-access-control). As a result, all access to the site is restricted to only the group of users specified in the policy. Accordingly, the content from this site is visible in Microsoft 365 Copilot *only for this restricted group of users*. You can restrict access to individual sites or OneDrive. -### Step 5: Take proactive measures on business-critical sites +### Step 6: Take proactive measures on business-critical sites For business-critical sites, you want to take proactive measures to ensure the content is appropriately shared, and access to content is limited to the minimum level. You can lock down your most important sites with the following measures: For business-critical sites, you want to take proactive measures to ensure the c > [!IMPORTANT] > The following policies are currently in preview and will soon be generally available. [*Sign up to participate in the preview by following instructions here*](https://forms.office.com/pages/responsepage.aspx?id=v4j5cvGGr0GRqy180BHbRw8ueKeaH4JIsskRInqtJE5UNjhYVkg5NDRNWkMxRlI0TFVDR0FYSUNGUi4u&route=shorturl). -### Use the Site Ownership policy to ensure all sites have valid owners --Site owners are the critical role on point for executing governance tasks at scale. Specifically, you need site owners to: --- Help attest if inactive sites are still needed in Step 2- cleaning up unused sites. -- Perform [Site Access Reviews](/sharepoint/site-access-review#review-everyone-except-external-users-site-access-review-requests-for-site-owners) to confirm whether potentially overshared content is indeed being overshared and take remediation to address oversharing risks in Step 4 ΓÇô control access. --It's essential to confirm all sites have valid owners before cleaning up unused sites and asking owners to take care of overshared content. SharePoint Advanced Management's Site Ownership policy helps identify ownerless sites and find the appropriate owners when needed. --- Coming up, you can run a Site Ownership policy in Simulation mode to identify any sites that don't have a minimum of two owners.-- Set up the policy in simulation mode to identify owners based on your desired criteria. Then upgrade the policy to Active mode to enable notifications to site owner candidates.--### Use the Inactive Sites ΓÇô Read only and Inactive Sites ΓÇô Archive policies to clean up unused sites --In Step 2 of this article, we discussed identifying inactive sites. After identifying inactive sites, you'll ask site owners to attest if the sites are still needed. If the site owners confirm the sties aren't needed, you need to put the sites either in read-only mode, or move the sites to Microsoft 365 Archive. Coming soon, you are able to do these at scale, by using the Inactive Sites ΓÇô Read only and Inactive Sites ΓÇô Archive capabilities to: --- Make the site read-only--- Move the site to Microsoft 365 Archive--> [!TIP] -> Sites moved to Microsoft 365 Archive are no longer accessible by anyone in the organization outside of Microsoft Purview or admin search. This means Copilot won't include content from these sites when responding to user prompts. If you want to keep the site in case you need to retrieve its content later, use Inactive sites - Archive. --- Move the site to [Microsoft 365 Archive](/microsoft-365/archive/archive-overview) -- ### Use the Oversharing Baseline Report for Sites, OneDrives, and Files policy to identify oversharing risks -In Step 3, we discussed how to run three usage reports to identify potentially overshared content. Coming soon, you'll be able to Run a single report to learn where content overexposure risk exists in all sites on your tenant, regardless of site activities. +In Step 4, we discussed how to run three usage reports to identify potentially overshared content. Coming soon, you'll be able to Run a single report to learn where content overexposure risk exists in all sites on your tenant, regardless of site activities. - You'll be able to start with running an ΓÇ£Oversharing Baseline Report for Sites, OneDrives and FilesΓÇ¥ report from the Data Access Governance (DAG) PowerShell commands in SharePoint Online PowerShell module. This report scans all sites in your tenant, and lists sites that share content with more than a specified number of users (you specify the number). In Step 3, we discussed how to run three usage reports to identify potentially o ### Use the Restricted Content Discoverability policy to further control accidental content discoverability -In Step 4ΓÇöcontrol access to content, it's advised to begin with the Site Access Review policy to verify if the potentially overshared content identified in Step 3 is truly overshared. Following this, apply the Restricted Access Control policy to limit access to designated user groups. Soon, a new policy, the Restricted Content Discoverability policy, will be available to further control accidental content discoverability. +In Step 5 ΓÇö **control access to content**, it's advised to begin with the Site Access Review policy to verify if the potentially overshared content identified in Step 3 is truly overshared. Following this, apply the Restricted Access Control policy to limit access to designated user groups. Soon, a new policy, the Restricted Content Discoverability policy, will be available to further control accidental content discoverability. -In addition, in Step 5, to further protect content on your business-critical sites, you can use Restricted Content Discoverability to leave permissions in place, but prevent the content from being available to Microsoft 365 Copilot and Organization-wide search experiences. +In addition, in Step 6, to further protect content on your business-critical sites, you can use Restricted Content Discoverability to leave permissions in place, but prevent the content from being available to Microsoft 365 Copilot and Organization-wide search experiences. The Restricted Content Discoverability policy leaves site access unchanged but prevents the siteΓÇÖs content from being surfaced in Microsoft 365 Copilot or organization-wide Search. The SharePoint Admin can set Restricted Content Discoverability on that site. ### Use AI Powered Semantic matching to find similar sites -You discovered a site containing crucial business data that lacks proper protection. Are there more sites like this one that might have similar vulnerabilities? Soon, AI Powered Semantic matching helps you locate these sites using the site you discovered as the example. The AI powered semantic matching tool reads through all the sites you have, including content, files, metadata, and give you a list of similar sites based on your example site. -+You discovered a site containing crucial business data that lacks proper protection. Are there more sites like this one that might have similar vulnerabilities? Soon, AI Powered Semantic matching helps you locate these sites using the site you discovered as the example. The AI powered semantic matching tool reads through all the sites you have, including content, files, metadata, and give you a list of similar sites based on your example site. |