SkyDrive Pro Security and Governance on Office 365

I was asked the other day whether a global Office 365 administrator could access a former employee’s SkyDrive Pro following their departure from the company. After doing some investigating, I confirmed this access is not provided by default. Fortunately, the access can be obtained fairly easily. For those of you looking under the SkyDrive Pro settings on the SharePoint administration navigation, it’s no wonder this question has popped up. You won’t find what you need there! If you aren’t familiar with the details, SkyDrive Pro is actually just a document library that resides within the user’s personal site collection in SharePoint, known as “My Site”. In order to configure security, we actually need to look at user profiles.

In order to gain access to the site, you can follow this article, which works great for a one-off request of transferring permissions: http://blogs.technet.com/b/educloud/archive/2013/05/15/administrator-access-to-skydrive-pro.aspx

However, this does present a challenge if you need to deal with a number of employees at the same time. The above process is manual and requires several steps per user account. In looking through the My Sites settings, it’s clear that the focus is really on governance and planning ahead of time, rather than dealing with administration after the fact. When planning governance and security for My Sites/SkyDrive Pro, the following My Site settings should be reviewed and considered. You can view them by going to Admin > SharePoint > User Profiles > Setup My Sites:


Initial Configuration Options

*Grant any account/group Read Permission Level on all My Sites

*Enable access delegation – This is assigned so that once the site is marked for deletion the site content can be reviewed.

**The deletion of a profile/AD account will trigger the transfer of ownership
**By default the user’s manager is transferred access to the site
**You can also specify a default account to be set as a secondary owner in case there is not a manager listed

*Check a box to make all My Sites Public

Options after the My Site has been created

*Manually add personal My Site administrators to the site through User Profiles > Manage Personal Site (see link above)

*Run eDiscovery searches for audit

*I suspect you could bulk update site permissions using PowerShell… I hope to confirm this after some additional research [Update: @DanielGlenn looked into this and does not see a way to manage profiles through PowerShell. Darn!!]

Options after the User Profile is Deleted

***You cannot manually add rights to the site at this point because there is no accessible profile under the user profiles***

**The user’s manager as specified in AD will be assigned rights and emailed a notification

**A default secondary owner may be assigned rights, as specified in 1b

It may seem easy to not worry about these settings until ‘later’, but they are critical to ensuring an easy transition as employees come and go from a company.

 
