Rolling Out OneDrive for Business
Hey everyone, I wanted to link you to our Podcast on The Cloud Whisperers about how to admin OneDrive for Business. We cover a lot of topics but focus on five things that you, as an Admin for OneDrive in your organization need to be aware of.
When we were on-premises for MySites and OneDrive for Business we used to really care about the quotas for personal drives because all of that storage was in our SQL servers, but with OneDrive for Business in O365, if you have an E license every employee gets 5 TB of space, though the default quota is going to be smaller. The default used to be 1 TB, but was changed to 2 TB. If you really need more storage, you can increase it even past 5 TB, but you will pay for the extra storage. It's important to note that EVERY employee gets that storage and it doesn't count against your tenant limits.
Why is this important?
Well, one reason this can be an issue is that just giving people almost unlimited storage (I've personally never seen a user exceed 1 TB, but I have heard about many who do) opens you up to eDiscovery headaches and can also impact your search results. If you have an O365 tenant, eDiscovery will find items in OneDrive as well as in email and SharePoint, and you may be required to produce that for a court. As a colleague once mentioned, you don't tend to find exculpatory things in an eDiscovery, so what you are finding tends to be bad. If you have every employee storing every document they ever created, your potential exposure goes up.
The other problem is that all of the documents will also turn up in search and that can clutter up results for the end user. My recommendation to deal with both of these issues is to create a retention policy for OneDrive that deletes files that reach a certain age, but to allow users to tag some files to keep them for a longer period (even forever).
The second thing you need to consider is what type of sharing you will allow in OneDrive for Business, and SharePoint Online for that matter. There are three basic levels of sharing that you can consider:
- Internal Sharing – At this level, users can share documents with other members of your organization, but cannot share with external users. This can be useful as a starting point to allow users to learn how to share while keeping all data inside of your organization.
- External Sharing – At this level, users can share with external users, but each external user will have to authenticate to the tenant using either an O365 account, an Azure AD account, or a Windows Live account. They are managed by their email address and can be given read or edit access to files and folders. This is a great level for most organizations because it allows users to take advantage of sharing a link to a file as opposed to emailing a copy of the file.
- Shareable Links – These are links that grant read or edit access to the file to anyone who has the URL. They used to be called Anonymous Links and they still allow anonymous access to the file, but Shareable Links sounds less ominous. These are also extremely useful if you want to share a file widely, like on your website, or with someone who doesn't have a Windows Live account. It is STRONGLY recommended that you set up automatic expirations on Shareable Links so that after 30 or 90 days, or whatever period you desire, the link is automatically invalidated. This prevents users from forgetting to revoke the link at a future date.
Couple of notes to remember
First off, your OneDrive settings cannot be more permissive than your SharePoint sharing settings. If you prevent Shareable Links in SPO, then you cannot have them in OD4B. The second is that these sharing settings (for SPO and OD4B) are default settings, but you can make individual site collections (and an OD4B is a site collection) have different settings. So, you could allow Marketing to create Shareable Links, but no one else.
Thirdly, if you do want to have unique settings for sharing, this is done via PowerShell, and you cannot make any site collection have less restrictive permissions than the tenant default. So, in our Marketing example, you would need to set the tenant to allow Shareable Links and then set each site collection that you don't want to allow them on to a more restrictive setting via PowerShell (for OD4B) or the SharePoint Admin console. This can be a lot of work.
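Here is the Marketing example carried through with the SharePoint Online Management Shell. This is an added example, not code from the original post; the tenant name "contoso", the Marketing site URL and the 30-day expiry are placeholder assumptions.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell module is installed and "contoso" is a placeholder tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# The tenant default must be the MOST permissive setting any site will need,
# so allow Shareable (anonymous) Links at the tenant level, but make them
# expire automatically and keep them view-only.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View

# Marketing keeps the tenant default (Shareable Links allowed).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/marketing" `
            -SharingCapability ExternalUserAndGuestSharing

# Every OneDrive (a personal site collection) gets the more restrictive
# "authenticated external users only" setting. Site settings may only be
# MORE restrictive than the tenant default, never less.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
                         -Filter "Url -like '-my.sharepoint.com/personal/'"
foreach ($od in $oneDrives) {
    Set-SPOSite -Identity $od.Url -SharingCapability ExternalUserSharingOnly
}

# Verification: any OneDrive still at the tenant level is a gap to review.
Get-SPOSite -IncludePersonalSite $true -Limit All `
            -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability
```

New OneDrives created later will inherit the tenant default, so the loop needs to be rerun (or scheduled) for the restriction to stay complete.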
One of the more powerful features of OneDrive for Business is its ability to let users sync files to their local computer. This enables users to work with their files via Windows Explorer as opposed to having to work with them via the web interface. Allowing your users to sync their files is the single biggest driver of success for a deployment of OD4B. As an Admin you can disable syncing, but this will almost certainly doom your OD4B rollout to not being a success (see my Driving Technology Episode for why this is so). So, what can you control?
- Use the OneDrive Admin Center to restrict syncing to only machines that are joined to the domain. This lets users sync to their work computer but not to any other computer, which lets you ensure that the sync PC has BitLocker, Defender, etc.
- Block certain file extensions from being synced. This can enable you to block things like PST files from being synced, but it won't block them from being uploaded/downloaded via the web interface.
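The same two sync controls can be set from the SharePoint Online Management Shell instead of the OneDrive Admin Center. This is an added example, not from the original post; the tenant name and the domain GUID are placeholders (the GUID is looked up from Active Directory in the first lines).

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell and the ActiveDirectory RSAT module are installed, and
# that "contoso" is a placeholder tenant.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# The sync restriction is keyed on the AD domain's GUID, not its name.
# Look it up on a domain-joined admin workstation rather than typing it in.
$domainGuid = (Get-ADDomain).ObjectGUID.Guid

# Only domain-joined PCs may sync (so BitLocker/Defender baselines apply),
# and PST files are never synced. Note this does NOT stop PSTs being
# uploaded or downloaded through the web interface.
Set-SPOTenantSyncClientRestriction -Enable `
    -DomainGuids $domainGuid `
    -ExcludedFileExtensions "pst"

# Verification: read the restriction back and confirm both settings took.
$restriction = Get-SPOTenantSyncClientRestriction
if (-not $restriction.TenantRestrictionEnabled) {
    Write-Warning "Sync restriction is NOT enabled"
}
if ($restriction.ExcludedFileExtensions -notcontains "pst") {
    Write-Warning "PST files are NOT excluded from sync"
}
$restriction | Select-Object TenantRestrictionEnabled, AllowedDomainList, ExcludedFileExtensions
```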
I always recommend that whenever you look at putting anything in the Cloud, you also look at how you have set up DLP and other features that control how data may leave your organization. DLP and Azure Information Protection can also notify users when they are about to share information that you may not want to leave the organization.
OneDrive for Business Cleanup
When an employee leaves your organization and you remove their license, their OneDrive location is going to be deleted, by default, 30 days after the license is removed. If the user has a person listed as their Manager, then, by default, that individual will be granted access to their old OD4B location for those 30 days so that they can curate and save anything that needs to be saved.
In the OneDrive Admin Center, you can increase the number of days before the OD4B site is deleted. I don't know the maximum, but I set it to 1,000,000 days and it took it…so…I'm not sure there is a maximum.
There are some other things to consider. If you don't have Managers set up in Active Directory, then no one will be allowed into the old site. It's also important to note that the manager isn't notified that they have access to the departed employee's site. This should be part of your off-boarding process so that managers know to look at these sites.
Emergency Admin Access
What happens when a user has managed to mess up their OD4B, or you just need to get access? There are three ways to get Admin access.
- PowerShell – you can use PowerShell to connect to their OD4B site collection and then add an account as a secondary site collection admin.
- SharePoint Admin Console – click on the User Profiles section, and then click on Setup My Sites. This will allow you to make a couple of settings for all of your users:
  - My Site Cleanup – Here you can make sure that the Enable access delegation box is checked. This will make sure that the Manager gets access to the site. The other option is that you can assign a specific account that will get access when a site is scheduled to be deleted.
  - Secondary Site Collection Admin – You can also assign a default secondary site collection admin. You can assign a generic IT account here. Don't assign an active user account, because you don't want to always see this data. NOTE: this will only apply to new OneDrives created after you make this change. If you want to do this retroactively…you need to use PowerShell.
- Office 365 Admin Center – In the Admin center you can pull up a specific user and then click on the OneDrive Settings section of their user pane. Here you can perform the following actions:
  - Access their files – If you click this link you can immediately grant yourself access to their files to fix something. Remember to remove that access when you are done.
  - Modify Sharing Settings for that user – remember that you cannot make it more permissive than the Tenant level defaults.
  - Log out all current sessions – If you think, or know, that a user's credentials have been compromised, this will terminate all sessions.
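The PowerShell route for both the one-off emergency access and the retroactive secondary site collection admin, as an added example that is not part of the original post. The tenant name, the user's OneDrive URL and the "it-odadmin" account are placeholders.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell is installed; "contoso", the personal site URL and the
# it-odadmin account are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Use a generic IT account, never an active user's account.
$adminAccount = "it-odadmin@contoso.com"

# 1. One-off emergency access to a single user's OD4B, then remove it again
#    once the fix is done so the standing access does not linger.
$site = "https://contoso-my.sharepoint.com/personal/jane_doe_contoso_com"
Set-SPOUser -Site $site -LoginName $adminAccount -IsSiteCollectionAdmin $true
# ... perform the fix ...
Set-SPOUser -Site $site -LoginName $adminAccount -IsSiteCollectionAdmin $false

# 2. Retroactive default: the Admin Center setting only covers OneDrives
#    created after the change, so apply it to every existing one.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
                         -Filter "Url -like '-my.sharepoint.com/personal/'"
foreach ($od in $oneDrives) {
    Set-SPOUser -Site $od.Url -LoginName $adminAccount -IsSiteCollectionAdmin $true
}

# 3. Audit: list who holds site collection admin on each OneDrive, so any
#    emergency access that was never removed (step 1) shows up here.
foreach ($od in $oneDrives) {
    Get-SPOUser -Site $od.Url -Limit All |
        Where-Object { $_.IsSiteAdmin } |
        Select-Object @{ n = 'Site'; e = { $od.Url } }, LoginName
}
```

Running the audit section on a schedule is the simplest way to catch admins who were granted access "to fix something" and never removed.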
Hopefully this will help you plan your successful OneDrive for Business implementation.