July 19, 2024
Vasil Michev
Vasil is a nine-time Microsoft MVP and expert with over a decade of experience in Microsoft cloud, lifecycle management, migration, adoption, and automation.

58% of sensitive data is stored in Microsoft Teams, OneDrive, and SharePoint. For IT and security teams, secure file sharing and tight external access policies are a top priority.

SharePoint and OneDrive Tenant Sharing Settings

Tenant settings in SharePoint and OneDrive form the basis for data sharing within an organization. They determine who can access which data and for how long. Configuring these tenant settings in line with company guidelines ensures controlled and secure data sharing. However, it’s not enough to just set them up and forget about them. Regular monitoring ensures these settings don’t change over time, either accidentally or maliciously.

Note: Every time a new team is created in Microsoft Teams, Microsoft 365 automatically sets up a new site collection to facilitate document collaboration. So, while this article doesn’t explicitly focus on Microsoft Teams and Teams governance, many of the configurations and settings for SharePoint directly influence Teams and impact the broader Microsoft 365 environment.

M365 tenant settings are customizable.

While tenant settings provide a framework, they might not address the specific needs of certain groups and departments within the organization. That’s why Microsoft allows for tenant settings to be overridden at the site level. Individual sites or collections can have customized sharing settings, tailored to their specific needs.

Here are some examples:

  • HR department
    Given the confidential nature of human resources data, the HR site might require stricter sharing settings. For example, external sharing could be fully disabled, and file links might be set to expire sooner. 
  • Board meetings
    For sites used for Board meetings, where confidential strategic discussions take place, sharing might be restricted to board members only. External sharing options could be turned off, and company-wide sharing links might also be disabled. This prevents widespread sharing across the organization, ensuring access is limited to the intended recipients.
  • Special projects
    For a site dedicated to a time-sensitive project involving external collaborators, sharing settings might allow for external sharing. However, the links should expire once the project is completed. Additionally, the “restrict downloading” feature could be activated. This keeps document versioning consistent and controlled. Plus, it prevents files from being shared with unauthorized users. 
“Effectively managing external sharing in Microsoft 365 is a key challenge for many organizations. This challenge cuts across multiple teams, as collaboration, governance and security perspectives must all be considered when designing an external-sharing approach to meet organizational requirements.” - M. Goss, C. Jackson, Guidance Framework for Managing External Sharing in Microsoft 365, Gartner, 2023

M365 tenant settings require monitoring and remediation. 

Customizable SharePoint site settings make SharePoint and OneDrive cornerstones for collaboration. However, organizations must balance the ease of sharing with data security protocols.

These unique SharePoint site settings pose certain challenges like ensuring consistent application of security policies across all sites, managing permissions effectively to prevent unauthorized access, balancing user convenience with compliance requirements, and handling the complexity of site customization and governance without compromising data integrity and security.

Organizations need a system to continuously monitor these settings. This system should be able to detect anomalies or deviations from the standard. If any irregularities are found, immediate remediation actions should be implemented to correct them.


External sharing options in SharePoint and OneDrive

SharePoint Online offers a range of sharing capabilities, allowing organizations to collaborate with people inside and outside their company. Your sharing practices should always align with your security policies.

To help you choose the right sharing type based on the sensitivity of the content and the desired audience, here’s a breakdown of the external sharing options:

Anyone (also called Anonymous Sharing) Links

This option enables sharing with users who don’t have a Microsoft account. Users receive a link granting access without needing to sign in. It’s ideal for sharing a document or folder with a broad audience without concern over who accesses it, similar to “public” sharing.

This is the least secure option: no authentication is required, so anyone who obtains the link can access the content.

New and existing external users sharing (also called Authenticated External Sharing)

This option allows sharing with users who possess a Microsoft account (e.g., Office 365, Outlook.com, Hotmail, or Xbox). This allows for sharing content with specific individuals outside your organization and ensuring only they can access it. This option is more secure than Anonymous Sharing since it requires users to authenticate with a Microsoft account.

External sharing options in SharePoint and OneDrive graphic

Existing external users

This option allows sharing only with external users who have been previously invited to collaborate on your SharePoint Online sites. Use this option for sharing content with external users who have already been granted access to your SharePoint content.

Like new and existing external users sharing, this type of sharing requires the recipient to sign in with an account. However, it’s the most secure type of external sharing, since it gives you control over exactly which existing guests can access the content.

Direct - Only people in your organization

This option allows content only to be shared with users within your organization. It’s the most secure option since it completely blocks external sharing.


Tenant-wide sharing policies in SharePoint and OneDrive

Microsoft 365 provides a tenant setting option to apply your SharePoint and OneDrive sharing policy across all your sites. Below are step-by-step guides for:

How to Configure the SharePoint Sharing Policy

  1. Navigate to the SharePoint Admin Center: https://YOURTENANT-admin.sharepoint.com
  2. From the menu, select “Policies,” and then “Sharing.”
  3. In the “External sharing” section (1), define the level of sharing you wish to permit for SharePoint and OneDrive.
How to Configure the SharePoint Sharing Policy Graphic

How to set the default sharing values in SharePoint and OneDrive

  1. In the SharePoint Admin Center, scroll down to “File and folder links.” Under “Choose the type of link that’s selected by default when users share files and folders in SharePoint and OneDrive” (2) you can define the default method that best suits your organization.
  2. Under “Choose the permission that’s selected by default for sharing links” (3) you can choose the default method that aligns best with your organization’s needs.
  3. Bear in mind that users will still have the option to select a different setting from the allowed methods you’ve previously established.
How to set the default sharing values in SharePoint and OneDrive Graphic
Note: The sharing policy settings established at the tenant level can be overridden at the site collection level, allowing for more granular control. However, you cannot configure the site-level sharing settings to be less restrictive than the tenant-wide ones.

How to Change Sharing Settings at the Site Collection Level

  1. Log into the SharePoint Admin Center.
  2. Navigate to Active sites by clicking on “Sites” and then selecting “Active Sites.”
  3. Choose the desired site collection from the list displayed.
  4. Click on the “Sharing” option available in the toolbar.
  5. Select the policy level you want.
How to Change Sharing Settings at the Site Collection Level Graphic
  6. To modify the default method and the default link permission, open “Advanced settings for external sharing.” Then, choose the value that best suits your site.
Advanced Settings Screen

How to Configure Sharing Settings with PowerShell

Below is a PowerShell script that you can use to configure the sharing settings:

# Set the sharing capability you would like to assign, for example:
$SharingCapability = "ExistingExternalUserSharingOnly"

# Assign the site collection stored in your $url variable the sharing capability you set above:
$url = "https://YOURTENANT.sharepoint.com/sites/SITENAME"
Set-SPOSite -Identity $url -SharingCapability $SharingCapability

Below are all the settings that can be assigned to the SharingCapability attribute:

Configuration: How to set sharing policies
SPOSite Module Attribute: SharingCapability

PowerShell Value                   Corresponding Graphical User Interface (GUI)
ExistingExternalUserSharingOnly    Existing guests only
Disabled                           Only people in your organization
ExternalUserSharingOnly            New and existing guests
ExternalUserAndGuestSharing        Anyone

How to View Sharing Settings at the Site Collection Level with PowerShell

With various sites configured with different settings, it’s crucial to establish a method to keep all these tenant configurations under control.

Unfortunately, the admin portal doesn’t offer a feature to list SharePoint sites that do not allow any kind of sharing.

Below is a PowerShell script that you can use to gather information about your site collection settings:

$url = Read-Host "Please insert the URL of the site collection you would like to check"
Get-SPOSite -Identity $url | Select-Object Url, SharingCapability

SharePoint Shared Link Expiration for Secure External Sharing

The SharePoint shared link expiration days setting can help balance collaboration and security in SharePoint. By default, this setting is off. Since this feature makes it easy to manage data access, it’s recommended that you enable it.

Here are a few reasons to use this feature:

  1. To ensure access to data is temporary. When data is shared externally, there’s always a risk of it falling into the wrong hands. By setting an expiration date, you ensure that access to the data is temporary. Even if the external party forgets to delete the data or misplaces it, the data will become inaccessible after the set period.
  2. To stay compliant with security and privacy regulations. Many industries face strict regulations surrounding data retention and sharing. For example, organizations abiding by the General Data Protection Regulation (GDPR) must follow its stringent rules about managing data. Implementing an expiration date for external data access ensures that organizations remain compliant with GDPR by limiting external access to data within a specified timeframe.
  3. To reduce your data footprint. The more data circulates, the larger your data footprint. This not only increases the risk of data breaches but also complicates data management. Setting expiration dates ensures that outdated, unnecessary shared data doesn’t persist indefinitely.
  4. To free up IT resources. Imagine having to manually track and revoke access for every piece of data shared externally. It’s a time-consuming task that’s prone to human error. An automatic expiration policy takes care of this, freeing IT teams to focus on more pressing issues.
  5. To prevent users finding (and using) outdated information and data. Data evolves. What’s relevant today might be outdated in six months. By setting an expiration date, you prevent external parties from relying on stale data. This is particularly important for dynamic data sets that undergo frequent updates.
  6. To show your commitment to stakeholders. Knowing that you’re taking proactive steps to secure data reinforces trust among stakeholders. Implementing and communicating expiration policies sends a clear message about your commitment to data security and the protection of shared information.

How the SharePoint expiration days setting works

SharePoint’s expiration date policy is flexible. You can set different expiration dates for various types of data or external parties. This level of granularity gives businesses more control over their data-sharing practices.

Here’s a quick overview of how the sharing expiration days setting works:

The settings for guest access expiration in SharePoint Online are designed to prevent external collaborators from having indefinite access to your SharePoint and OneDrive platforms. When the set expiration date arrives, the external collaborator’s access is automatically revoked. If necessary, you can either prolong their access duration or send them another invitation.

When you set an expiration date for shared content in SharePoint, the shared link becomes inactive after the specified number of days. This means that once the link expires, users can no longer access the content through that link.

Before the link expires, SharePoint sends a notification to the person who shared the content, allowing them to extend the expiration date if needed.

The expiration setting primarily applies to “Anyone” links (also known as anonymous access links). However, administrators can also enforce expiration for “New and existing guests sharing links.”

How to Use SharePoint’s expiration days setting

Like the sharing policy setting, Microsoft 365 provides a tenant setting that allows you to configure sharing expiration days for SharePoint and OneDrive.

To set up the expiration for external users in SharePoint Online and OneDrive for Business, follow the steps below:

  1. Navigate to the SharePoint Admin Center using the link: https://YOURTENANT-admin.sharepoint.com
  2. From the menu, choose “Policies” and then select the "Sharing" option.
  3. Within the Sharing section, click on “More external sharing settings.” Enable the “Guest access to a site or OneDrive will expire automatically after this many days” option. Then, set the desired duration, for example, 60 days. Please note, this feature is disabled by default.
How to Use SharePoint’s expiration days setting screenshot

Please note that after adjusting these settings, it might take up to 24 hours for the changes to be visible. These changes will impact both SharePoint Online and OneDrive. Additionally, the setting will only affect guest users invited after this feature has been activated.

According to Microsoft’s official guidelines:  

“The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.”

Note: If you’ve enabled the “Anyone,” “New and existing guest,” or “Existing guests only” sharing option, the expiration of the sharing link is determined by the “Expiration of guest access” configuration. This is visible under the “Advanced setting for external sharing” section on the same settings page. It’s important to remember that this setting applies to both SharePoint Online and OneDrive for Business.

How to Change Sharing Settings at the Site Collection Level

  1. Log into the SharePoint Admin Center.
  2. Once inside, click on “Sites” and then select “Active Sites.”
  3. From the list displayed, pick the site collection you wish to modify.
  4. With the site collection highlighted, click on the “Sharing” option available in the toolbar.
  5. Navigate to the “Advanced settings for external sharing” section and click on the arrow to expand it. Here, you’ll find the option to adjust the guest user expiration settings under the “Expiration of guest access” label.
Note: You cannot configure site-level link expiration settings to be less restrictive than your tenant-wide settings.
How to Change Sharing Settings at the Site Collection Level screenshot

How to Modify Site Collection Configurations with PowerShell

Use this PowerShell code to modify the site collection configuration according to your requirements:

$expirationDays = Read-Host "Insert a value between 30 and 730"
Set-SPOSite -Identity $url -ExternalUserExpirationInDays $expirationDays

Sharing date screenshot

How to View and Modify Expiration links for site collections with PowerShell

Below is the PowerShell code that allows you to modify the site collection configuration according to your requirements:

$AnonymousLinkExpirationInDays = Read-Host "Please insert a value between 1 and 730"
Set-SPOSite -Identity $url -AnonymousLinkExpirationInDays $AnonymousLinkExpirationInDays

Unfortunately, Microsoft does not provide a direct report to view the settings applied across various sites. However, you can execute the following PowerShell script to gather the necessary information:

Get-SPOSite -Identity $url | Select-Object Url, SharingCapability, ExternalUserExpirationInDays, AnonymousLinkExpirationInDays
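The one-site query above does not scale to the continuous monitoring the article calls for, so here is an added example (not code from the original article) that runs the same check over every site collection and reports the ones that are less restrictive than a baseline. It assumes the SharePoint Online Management Shell with an existing Connect-SPOService session, the Get-SPOTenant properties ExternalUserExpirationRequired, ExternalUserExpireInDays and RequireAnonymousLinksExpireInDays as the tenant fallbacks, and that a site value of 0 means the tenant setting applies; the baseline numbers are constructed for the example.

```powershell
# Added example (not from the original article): audit every site collection against
# a sharing baseline and list the sites that are less restrictive than it.
# Assumes the SharePoint Online Management Shell is installed and Connect-SPOService
# has already been run against https://YOURTENANT-admin.sharepoint.com.
# The baseline values below are constructed for the example; adjust them to your policy.

# SharingCapability ordered from most restrictive (0) to least restrictive (3).
$SharingRank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests only
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

$Baseline = @{
    MaxSharingCapability       = 'ExternalUserSharingOnly'   # no "Anyone" links
    MaxGuestExpirationDays     = 60                          # guest access expiry
    MaxAnonymousLinkExpiryDays = 30                          # only relevant where Anyone is allowed
}

# Assumption: a site value of 0 means "not set at the site level", so the tenant setting
# applies. Resolve the tenant defaults once and compare each site on its effective value.
$Tenant = Get-SPOTenant
$TenantGuestExpiry = if ($Tenant.ExternalUserExpirationRequired) { $Tenant.ExternalUserExpireInDays } else { 0 }
$TenantAnonExpiry  = $Tenant.RequireAnonymousLinksExpireInDays

function Get-SiteSharingDeviation {
    param([Parameter(Mandatory)][string] $Url)

    # Get-SPOSite -Limit All returns summary objects; querying by -Identity returns
    # the full property set (the same reason the per-site loops in this article do it).
    $site = Get-SPOSite -Identity $Url
    $issues = @()

    $cap = [string]$site.SharingCapability
    if ($SharingRank[$cap] -gt $SharingRank[$Baseline.MaxSharingCapability]) {
        $issues += "SharingCapability=$cap is less restrictive than $($Baseline.MaxSharingCapability)"
    }

    $guestExpiry = if ($site.ExternalUserExpirationInDays -gt 0) { $site.ExternalUserExpirationInDays } else { $TenantGuestExpiry }
    if ($guestExpiry -le 0 -or $guestExpiry -gt $Baseline.MaxGuestExpirationDays) {
        $issues += "effective guest expiration=$guestExpiry days (0 = never)"
    }

    if ($cap -eq 'ExternalUserAndGuestSharing') {
        $anonExpiry = if ($site.AnonymousLinkExpirationInDays -gt 0) { $site.AnonymousLinkExpirationInDays } else { $TenantAnonExpiry }
        if ($anonExpiry -le 0 -or $anonExpiry -gt $Baseline.MaxAnonymousLinkExpiryDays) {
            $issues += "effective Anyone-link expiration=$anonExpiry days"
        }
    }

    [pscustomobject]@{
        Url                           = $site.Url
        SharingCapability             = $cap
        ExternalUserExpirationInDays  = $site.ExternalUserExpirationInDays
        AnonymousLinkExpirationInDays = $site.AnonymousLinkExpirationInDays
        Compliant                     = ($issues.Count -eq 0)
        Deviations                    = ($issues -join '; ')
    }
}

# Run the check over every site collection, show the deviations, and keep a CSV
# so the next review can diff against it.
$report = Get-SPOSite -Limit All | ForEach-Object { Get-SiteSharingDeviation -Url $_.Url }
$report | Where-Object { -not $_.Compliant } | Format-Table Url, SharingCapability, Deviations -AutoSize
$report | Export-Csv -Path .\sharing-audit.csv -NoTypeInformation
```

Schedule the script and compare successive CSVs to catch a site whose settings drift after it was first configured.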

SharePoint and OneDrive File Download Restrictions

Preventing the download of SharePoint files is of paramount importance for the following reasons:

  1. Enhanced data security: SharePoint files might contain sensitive or proprietary data. Preventing downloads ensures this information remains in a secure, controlled environment, minimizing the risk of unauthorized distribution.
  2. Content consistency: Downloads can result in multiple, potentially conflicting versions of a document. By keeping the file centralized in SharePoint, users always have access to the most recent, approved version.
  3. Document interaction tracking: SharePoint allows for the tracking of file access and interactions. When files are downloaded, this valuable oversight is lost. Keeping files in SharePoint ensures all user interactions with a document are traceable.
  4. Reduced data duplication: Limiting downloads reduces the number of file copies in circulation, decreasing data redundancy and the risk of referencing outdated or conflicting information.
  5. Enhanced collaboration: SharePoint’s built-in tools facilitate real-time collaboration. Users who download files may miss collaborative edits or discussions within the platform, diminishing its collaborative potential.
  6. Effective access management: If a user’s access needs to be revoked (for example, due to role changes or employment termination), it’s easier to manage if they haven’t downloaded the files. Once a file is saved locally, the organization’s control over it decreases.

Microsoft 365 provides several options to prevent users from downloading files. In the following section, we’ll explore the two primary solutions offered by SharePoint, without the need for other solutions such as IRM, DLP, or Conditional Access Policies.

Note: To use the “Restrict Downloading” and “Restrict Downloading - Advanced Settings” values, you must have the SharePoint advanced management P1/P2 licenses available in your Microsoft 365 tenant. Without these licenses, you won't be able to set the BlockDownloadPolicy or the additional settings that fine-tune it. For more information, refer to Microsoft’s documentation.

File download permissions can be managed by the user during the link creation or can be forced by the administrator. Let’s explore both methods.

Block Downloads During the Link Creation Process 

In OneDrive or SharePoint, when you share content with others, you have the option to grant them viewing rights without the ability to download. The “Block download” feature can be applied to view-only shared links. This includes Office documents as well as various other file formats like PDFs, images, and audio files, except for .txt and video files.

By enabling the “Block download” option, individuals who access your shared content won’t see options to download, copy, or print the file. Their access is restricted to online viewing, and they cannot launch the files using desktop or mobile applications.

How to Block Downloads during Link Creation

Follow the steps below to enable the “Block download” feature:

  1. Find the file you want to share in OneDrive or SharePoint and select it.
  2. Click on “Share” at the top of the page.
  3. Click on the gear icon located in the upper right corner of the window.
  4. Choose the permission you want to apply.
  5. Under the “More settings” section, select “Can view,” and then turn on “Block download.”
  6. Click the “Apply” button.
  7. Add your message and send the invite.

Recipients will receive a message indicating that they can view, but not download, the file.

How to Block Downloads during Link Creation screenshot

Prevent Downloads at the Site Collection Level

Please note, that to apply the Block Download policy and its related settings, you must have a “SharePoint advanced management” license. For more details, refer to the Microsoft documentation.

Prevent Downloads at the Site Collection Level screenshot

In this scenario, the download block will automatically apply to all shared content.

How to Prevent File Downloads at the Site Collection Level with PowerShell

Unfortunately, Microsoft does not provide the option to manage this setting via the web interface. To configure it, you must use the following PowerShell command:

Set-SPOSite -Identity <SiteURL> -BlockDownloadPolicy $true

For example:

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/research -BlockDownloadPolicy $true 

Configuration: Restrict downloading
SPOSite Module Attribute: BlockDownloadPolicy

PowerShell Value    Corresponding Graphical User Interface (GUI)
TRUE/FALSE          Not available

You can fine-tune this cmdlet using the following parameters:

ExcludeBlockDownloadPolicySiteOwners $true

The policy exception above applies to site owners, allowing them to fully download any content from the site.

ExcludedBlockDownloadGroupIds <comma separated group ids>

The exception above applies to users who belong to the specified groups, allowing them to fully download any content from the site.

ExcludeBlockDownloadSharePointGroups <comma separated group ids>

The above policy exception applies to users within the specified SharePoint groups, allowing them to fully download any content from the site.

ReadOnlyForBlockDownloadPolicy $true  

This parameter above marks the site as read-only, in addition to preventing downloads.

# Example: let site owners download, and make the site read-only for everyone else
$ExcludeBlockDownloadPolicySiteOwners = $true
$ReadOnlyForBlockDownloadPolicy = $true
Set-SPOSite -Identity $url -ExcludeBlockDownloadPolicySiteOwners $ExcludeBlockDownloadPolicySiteOwners -ReadOnlyForBlockDownloadPolicy $ReadOnlyForBlockDownloadPolicy

Configuration: Restrict Downloading - Advanced Settings (*)

SPOSite Module Attribute                 PowerShell Value    Corresponding Graphical User Interface (GUI)
BlockDownloadPolicy                      TRUE/FALSE          N/A
ExcludeBlockDownloadPolicySiteOwners     TRUE/FALSE          N/A
ExcludedBlockDownloadGroupIds            Group Ids           N/A
ExcludeBlockDownloadSharePointGroups     Group Ids           N/A
ReadOnlyForBlockDownloadPolicy           TRUE/FALSE          N/A

How to View Download Restrictions on Site Collections with PowerShell

Unfortunately, Microsoft does not provide a report that shows which site collections have download restrictions applied.

You can use PowerShell to get this information, but keep in mind it only works for a specific site.

Here's a PowerShell script to get information for a specific site:

Get-SPOSite -Identity $url | Select-Object Url, BlockDownloadPolicy

Note: If no identity is provided, the default value “Unknown” is returned—even when using the “Filter” and “Limit” parameters.

And, to gather information across all site collections, use this PowerShell script:

$sites = Get-SPOSite -Limit All
foreach ($site in $sites) {
    # Query each site by identity; the summary objects from -Limit All report "Unknown"
    Get-SPOSite -Identity $site.Url | Select-Object Url, BlockDownloadPolicy
}

Company-Wide Sharing Links for Secure Sharing

As previously discussed, the “Only people in your organization” sharing policy is the most restrictive permission that can be applied by the admin portal at a tenant or site level. However, you might need to further restrict this policy for specific sites to prevent users from inadvertently sharing a document with a large audience.

Microsoft 365 offers an additional option to fine-tune your sharing policy with the “DisableCompanyWideSharingLinks” setting, which accepts the following values: Unknown, Disable, Enable.

With this setting, you can remove the “Only people in your organization” sharing button from the user’s sharing interface. As a result, users won’t be able to create a link to share with anyone in your organization.

This configuration can be particularly useful for sites with sensitive labels or those requiring more control, such as the board site.

How to Disable company-wide sharing links with PowerShell

Please note, Microsoft does not provide a way to adjust this setting via the admin center. The only method to do this is through PowerShell.

Use the following command to disable company-wide sharing links:

$url = Read-Host "Type the url of the site collection you would like to manage"
Set-SPOSite -Identity $url -DisableCompanyWideSharingLinks Disabled

After that, the default sharing method becomes “Specific people.”

Unlike other sharing settings, it is not possible to manage it at the tenant level, so you need to manage it site by site.
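The HR, board and special-project scenarios described at the start of the article combine several of the site-level settings covered so far (SharingCapability, ExternalUserExpirationInDays, BlockDownloadPolicy and DisableCompanyWideSharingLinks). The following added example (not code from the original article) applies them as named profiles in one pass, with a dry run first; it assumes an existing Connect-SPOService session, placeholder site URLs, and the SharePoint advanced management license for BlockDownloadPolicy.

```powershell
# Added example (not from the original article): apply the HR, board and special-project
# sharing profiles from the start of the article to named site collections in one pass.
# Assumes Connect-SPOService is already connected; the site URLs are placeholders and
# BlockDownloadPolicy needs the SharePoint advanced management license mentioned above.

$Profiles = @{
    # HR: no external sharing at all.
    HR = @{
        SharingCapability = 'Disabled'
    }
    # Board: no external sharing, and no company-wide ("Only people in your organization")
    # links, so a document cannot be shared with the whole organization by accident.
    Board = @{
        SharingCapability              = 'Disabled'
        DisableCompanyWideSharingLinks = 'Disabled'
    }
    # Special project: external collaborators allowed (no Anyone links), guest access
    # expires, and downloads are blocked so versioning stays inside SharePoint.
    SpecialProject = @{
        SharingCapability            = 'ExternalUserSharingOnly'
        ExternalUserExpirationInDays = 30
        BlockDownloadPolicy          = $true
    }
}

# Constructed assignments: which site gets which profile.
$Assignments = @(
    @{ Url = 'https://YOURTENANT.sharepoint.com/sites/hr';       Profile = 'HR' }
    @{ Url = 'https://YOURTENANT.sharepoint.com/sites/board';    Profile = 'Board' }
    @{ Url = 'https://YOURTENANT.sharepoint.com/sites/projectx'; Profile = 'SpecialProject' }
)

function Set-SiteSharingProfile {
    param(
        [Parameter(Mandatory)][string] $Url,
        [Parameter(Mandatory)][string] $ProfileName,
        [switch] $DryRun   # print the intended call instead of changing anything
    )
    $settings = $Profiles[$ProfileName]
    if (-not $settings) { throw "Unknown profile '$ProfileName' for $Url" }

    # Splat the profile onto Set-SPOSite; Identity is added per site.
    $params = @{ Identity = $Url } + $settings
    $rendered = ($params.GetEnumerator() | ForEach-Object { "-$($_.Key) $($_.Value)" }) -join ' '
    if ($DryRun) { Write-Host "Would run: Set-SPOSite $rendered"; return }

    try {
        Set-SPOSite @params -ErrorAction Stop
    } catch {
        # Typical causes: the tenant policy is stricter than the profile (site settings
        # cannot be less restrictive than tenant-wide ones) or a missing license.
        Write-Warning "Failed on $Url ($ProfileName): $($_.Exception.Message)"
        return
    }

    # Read the site back so the run leaves evidence of the resulting state.
    Get-SPOSite -Identity $Url |
        Select-Object Url, SharingCapability, ExternalUserExpirationInDays,
                      DisableCompanyWideSharingLinks, BlockDownloadPolicy
}

# Preview first, then apply.
foreach ($a in $Assignments) { Set-SiteSharingProfile -Url $a.Url -ProfileName $a.Profile -DryRun }
foreach ($a in $Assignments) { Set-SiteSharingProfile -Url $a.Url -ProfileName $a.Profile }
```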

Restricting sharing to site owners only 

Please note that this setting only applies to Guest/Anonymous sharing. Also, if you enable this setting, members can still share with other internal users.

To configure this option, follow the steps below:

  1. Open the SharePoint site you want to apply this restriction to.
  2. Click on the “Settings” icon in the top right corner, then select “Site permissions.”
Site Permissions screenshot

3. Under the “Site sharing” section, click on the “Change how members can share” button.

Change how members share screenshot

4. Check the box next to “Only site owner can share files, folders, and the site.”

Site sharing settings screenshot

Here’s the PowerShell command to set sharing permissions to “Disable sharing for non-owners” in SharePoint Online:


$url = Read-Host "Type the url you want to manage"
# Connect to the site with PnP PowerShell (interactive sign-in)
Connect-PnPOnline -Url $url -Interactive
# Load the sharing-related properties of the site and of its members group
$change = Get-PnPWeb -Includes MembersCanShare, AssociatedMemberGroup.AllowMembersEditMembership
# Only site owners may share; members can no longer edit the members group either
$change.MembersCanShare = $false
$change.AssociatedMemberGroup.AllowMembersEditMembership = $false
$change.AssociatedMemberGroup.Update()
$change.Update()
$change.Context.ExecuteQuery()

Alternative Way to Secure External Sharing in Microsoft 365

Fast-paced collaboration means organizations are sharing documents, creating new collaboration spaces, and sharing sensitive information via Teams, OneDrive and SharePoint faster than security teams can reasonably control. This leads to major security issues like sensitive files becoming accessible organization-wide, anonymous users accessing ungoverned SharePoint sites, Teams and SharePoint sprawl, and anonymous accounts with access to sensitive data.

And, with Copilot adoption on the rise, excessive sharing must be identified fast. Security by obscurity is no longer an option. That means new governance processes must be put in place to ensure collaboration follows best practices across SharePoint, OneDrive, and Teams.
