Office 365 File Sharing Security: OneDrive for Business, SharePoint and MS Teams

Office 365 is optimized for collaboration. It is a powerful tool for your organization’s teams, especially now that so many folks work together virtually, meet online remotely and share digital files.

This article covers the following topics:

Office 365 file sharing involves two systems:

SharePoint Online, an advanced collaboration tool built for working on files with others and publishing files for everyone to see.
OneDrive, a cloud storage platform that is meant primarily for personal files. An individual’s OneDrive files are private unless they are explicitly shared with others. Underneath the covers, OneDrive is actually just a document library in a SharePoint site collection.

Office 365 allows sharing of both files and folders. When you share a file, you grant access to a single file only; users that have access to the file will not have access to other files, even those located in the same folder, unless you share those files too. When you share a folder, you grant access to the folder and every file and subfolder within it, including any new ones you later create in the shared folder.

Sharing raises some important challenges for system admins who shepherd sensitive data. Here, we’ll cover the basics of how to share files and folders internally and externally. Then we’ll discuss methods admins can use to ensure sharing happens securely.

Internal and External Sharing

Sharing can be internal or external. Internal sharing is limited to the network of users in your Azure Active Directory (AD) domain. External sharing involves sending documents outside of your organization,

Methods for Sharing

You can share files from OneDrive for Business or add them to your SharePoint team site:

OneDrive folder —One way to share a file is to send a link from OneDrive. Generating a file sharing link is easy and enables the user to specify exactly who they want to share the file with and to allow or deny editing and downloading of the file.
SharePoint — SharePoint folders make sharing extremely simple. SharePoint team sites are automatically created when you create a group in your admin center. Once a file is in the SharePoint folder, it can be accessed by anyone in the group.

Restricting Sharing

Administrators can allow or block file sharing in the following applications:

SharePoint Online
OneDrive for Business
Microsoft Teams
Office 365 Groups

When users need to send documents outside of your organization (external sharing), more care is needed to ensure that access is granted appropriately. Guest users have the same access rights to files as team members unless specific parameters are set up on the front end. Guest users become actual users in your Azure AD, and admins can grant access to guests for Microsoft Teams conversations, SharePoint Online sites or data on OneDrive.

Security Tips for File and Folder Sharing

The following best practices will help you reduce the risks that come with sharing files and folders:

Disable third-party storage services. You can prevent files from being shared via Dropbox or other services outside of your purview. Log on to the admin center and go to the Settings Then select “Office on the web” from the Services tab, deselect “third-party storage” and save your changes.
Require multi-factor authentication. You have protocols for your own team members to ensure their accounts aren’t compromised, but guest users may not live up to your standards. Requiring multi-factor authentication for guest accounts improves security.
Enable data classification. Classifying data enables you to set up security controls and policies based on how sensitive your data is. The Microsoft Compliance Center also offers a variety of options for customizing controls for guest access based on data labels. In particular, set up policies for which types of content can be shared with external users.
Create a separate SharePoint team for files intended to be shared externally. You can create a new team for each customer or partner, for example. This way, customers and partners have access to only the SharePoint shared documents specifically meant for them.
Protect against uploading of malicious files. When a guest user is given access to your Office 365 shared folder, they are allowed to upload files as well. In the Microsoft 365 Security admin center, you can set up Advanced Threat Protection (ATP) for SharePoint, OneDrive and Microsoft Teams; ATP scans uploaded documents for malicious content.
Set expiration dates on links — Sharing of files should be limited to the period of collaboration. This option is available in the Advanced Settings when you set up file sharing.
Follow the principle of least privilege — Granting each user only the bare minimum permissions they need to complete their work goes a long way towards mitigating the risks of OneDrive and SharePoint file sharing.

Monitoring Best Practices

No matter how carefully you design your environment, procedures and policies, you also need insight into what is happening in order to protect your sensitive and regulated data properly. In particular, be sure to audit the following:

Data access attempts — This is especially critical when users are allowed to share files and folders with external
Group membership changes — To adhere to the least-privilege principle, you need to know when users are added to groups, especially any group that allows them access to more data or confers admin-level privileges.
Activity around Office 365 applications — You also need insight into application activity. Microsoft offers several native monitoring options, but they have important limitations. In particular, reports must be run individually and have only a handful of predefined options.

Getting Help

Netwrix solutions deliver the deep visibility you need into your SharePoint and OneDrive for Business environments. Netwrix Auditor provides insight into permissions, changes and access activity so you know who has access to your organization’s files and what they’re doing with their access. It also sends alerts when potential threats arise so you can take action before it’s too late.

Meanwhile, Netwrix Data Classification automatically classifies and tags data across your various repositories, making it easier to implement appropriate controls and policies, and improving the effectiveness of both native tools like Microsoft Information Protection (MIP) and third-party security solutions.

Frequently Asked Questions

How can I share files and folders in OneDrive for Business?

You can share files by copying and pasting the content into a message or attaching the file to an email. Alternatively, you can send a link to a OneDrive for Business shared folder or file.

How can I share files and folders in SharePoint Online?

SharePoint makes it easy to share files and folders. Just select the file or folder and click “share.” You’ll be able to specify many options for which users to share with and how much access to grant.

Can you share a OneDrive for Business folder with external users?

Yes, you can share OneDrive folders with external users, provided your administrator has set up the appropriate permissions in OneDrive.

Can you share SharePoint files with external users?

Yes, provided an administrator has set up the appropriate permissions in SharePoint.

How can I ensure secure file sharing in Office 365?

The following best practices will help you make the most of the collaborative features of Office 365 without compromising the integrity of your company’s data:

Limit user permissions to the bare minimum, granting them access to only the files they need to complete their work.
Classify your data and use the labels to develop policies for what data can be share with external users.
Disable external sharing for folders or files that are strictly in-house.
Keep a discrete SharePoint folder for each client.
For the most thorough and airtight monitoring and threat detection, invest in solutions like Netwrix Auditor and Netwrix Data Classification.