Major Security Hole in O365 / OneDrive
We have discovered what represents a Major Security Hole in O365 / OneDrive, where the domain group "Everyone except external users” is being granted Read permissions for new objects and child objects, a default process that can not be altered.
The Steps to produce the scenario are as follows:
- From a user's OneDrive Go to Site Settings
- Under Site Administration, click on Site Libraries & Lists
- Create a new Object (Library, List, App or Sub-site)
Permissions set for newly created objects (and their items) are:
a. Owner of the site has Full or “Owner” rights
b. Everyone except external users is set to “Read”
This represents a federal regulatory concern (HIPAA) that is accompanied by stiff fines. We need a means to change this behavior at the Tenant level that does not destroy core functionality.
From a governance standpoint, this can not hinge upon the practice the users. We are a large organization and all OneDrive users posess this capability, as all OneDrive users are their own site collection administrators.
In summary, we are requesting a platform Design Change which:
A.) Changes this default so the only permissions applied at the time of object creation are the full rights to the Owner. That Owner can then choose to further extend those permissions, as needed.
-- OR --
B.) Blocks the pathway in OneDrive to create a Library, List, App or Sub-site, in the first place, since none of these are even exposed within the OneDrive view, anyway.