OneDrive sharing policy: how do you prevent per-file share chaos?
People share files from OneDrive all day long. How do you set up tenant-wide policies that encourage secure behaviour without killing productivity?
OneDrive is the personal file storage in M365. Every user has their own OneDrive and can share files directly from it. Tenant-wide sharing settings (managed in the SharePoint admin center) set the ceiling for what users can share; OneDrive has its own sharing level that can be stricter than the tenant level, but never looser.
Three sharing levels

- Only people in your organization: strict. Often too strict for sales teams and consultants, who then fall back on email attachments or personal cloud accounts.
- New and existing guests: external sharing is allowed, but recipients must authenticate, either with a guest account in your tenant or with a one-time verification code sent to their email address. MFA is not part of this setting; enforce it on guests separately through Conditional Access.
- Anyone (anonymous links): open to anyone who has the link, with no sign-in and no audit trail of who used it. A real risk.

(A fourth level, "Existing guests only", sits between the first two and only allows sharing with guests already in your directory.)
The SMB configuration

- Default link type set to "Specific people", so a link created without thinking only works for named, authenticated recipients (new and existing guests). This lets consultants and clients in, but still requires them to sign in or verify their email. Note that the sharing level is a ceiling: if you keep anonymous links available at all (next item), the tenant and OneDrive level must remain at "Anyone"; if you set it to "New and existing guests", anonymous links disappear entirely, which is the simpler choice for many SMBs.
- Anonymous links: kept available, but with a mandatory expiry (30 days) and view-only permission for files and folders by default.
- Block download on view-only links for sensitive documents, so recipients can read in the browser but not save a copy. This option is available for Office files; it is not a per-file-type tenant setting.
- Guest access expires automatically after 90 days. This is the SharePoint admin center "guest access will expire automatically" setting; the owner gets a notice before expiry and can extend access if the engagement is still running.
Notification setup

OneDrive can email owners when an external user accepts a sharing invitation, when someone reshares their file with additional external users, and when an anonymous link is created or changed. Switch all three on. Owners do not get a notification per click, but these events are exactly the ones that flag unexpected or widening access.
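The sharing baseline and the notification settings above, applied with the SharePoint Online Management Shell. This is an added example, not configuration from the original article; the admin URL is a placeholder for your own tenant. It keeps the "Anyone" ceiling so the anonymous-link restrictions have something to act on, and makes "Specific people" the default link; if you would rather have no anonymous links at all, set both SharingCapability parameters to ExternalUserSharingOnly and drop the anonymous-link lines.

```powershell
# Added example (not from the article): SMB OneDrive/SharePoint sharing baseline.
# Requires the Microsoft.Online.SharePoint.PowerShell module and the SharePoint
# Administrator role. The admin URL below is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# The sharing level is a ceiling. Anonymous links only exist if it is "Anyone"
# (ExternalUserAndGuestSharing); the expiry and view-only settings are what keep
# them tame. The default link users get is "Specific people" (Direct), which
# requires the recipient to authenticate as a guest or via verification code.
Set-SPOTenant `
    -SharingCapability ExternalUserAndGuestSharing `
    -OneDriveSharingCapability ExternalUserAndGuestSharing `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -RequireAnonymousLinksExpireInDays 30 `
    -FileAnonymousLinkType View `
    -FolderAnonymousLinkType View `
    -PreventExternalUsersFromResharing $true

# Guest access expiry: guests lose access to a OneDrive or site after 90 days
# unless the owner extends it.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90

# Owner notifications: invitation accepted, item reshared with more external
# users, anonymous link created or changed.
Set-SPOTenant `
    -NotifyOwnersWhenInvitationsAccepted $true `
    -NotifyOwnersWhenItemsReshared $true `
    -OwnerAnonymousNotification $true

# Read the settings back and keep the output with your change record.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    FileAnonymousLinkType, FolderAnonymousLinkType, ExternalUserExpirationRequired,
    ExternalUserExpireInDays, NotifyOwnersWhenInvitationsAccepted,
    NotifyOwnersWhenItemsReshared, OwnerAnonymousNotification
```

Run the final Get-SPOTenant again a day later: the tenant settings propagate asynchronously, and a site-level sharing setting that is stricter than the tenant still wins, so a site that was locked down earlier will not become more open because of this script.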
DLP for sensitive file types

Data Loss Prevention rules for credit card numbers, national insurance numbers and payroll data sheets. Scope the rule to content shared with people outside the organization and block access as soon as the DLP engine detects a match; internal collaboration on the same files stays unaffected. Start the policy in test mode with notifications for a couple of weeks before enforcing, so false positives surface as reports rather than as blocked deals. Licence required: Business Premium or E3.
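The DLP policy described above, built with Security & Compliance PowerShell. This is an added example, not the article's own configuration. It uses the built-in sensitive information types for credit card numbers and UK National Insurance numbers (the type names are assumed; confirm them with Get-DlpSensitiveInformationType before running). "Payroll data sheets" has no built-in type and would need a custom sensitive information type or trainable classifier, which is not shown here.

```powershell
# Added example (not from the article): DLP policy that blocks external sharing of
# files containing payment card or UK National Insurance numbers.
# Requires the ExchangeOnlineManagement module and a Compliance Administrator role.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Confirm the exact names of the built-in sensitive information types first;
# the rule below references them by name and a typo silently matches nothing.
Get-DlpSensitiveInformationType |
    Where-Object Name -match 'Credit Card|National Insurance' |
    Select-Object Name, Publisher

# Policy scoped to SharePoint and OneDrive, starting in test mode so matches are
# reported (and owners notified) before anything is blocked.
New-DlpCompliancePolicy -Name "SMB-External-Sharing-Block" `
    -Comment "Block external sharing of payment card and NINO data" `
    -SharePointLocation All `
    -OneDriveLocation All `
    -Mode TestWithNotifications

# Rule: only fires for content shared outside the organization, blocks access
# for everyone except the owner, tells the owner why, and raises a high-severity
# incident report to the site admin. Type names assumed; see check above.
New-DlpComplianceRule -Name "Block-PCI-NINO-External" `
    -Policy "SMB-External-Sharing-Block" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1" },
        @{ Name = "U.K. National Insurance Number (NINO)"; minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -BlockAccess $true `
    -BlockAccessScope All `
    -NotifyUser Owner `
    -GenerateIncidentReport SiteAdmin `
    -ReportSeverityLevel High

# After reviewing the test-mode reports, switch to enforcement.
Set-DlpCompliancePolicy -Identity "SMB-External-Sharing-Block" -Mode Enable
```

The AccessScope NotInOrganization condition is what keeps this from becoming a blanket block: the same spreadsheet shared with a colleague is untouched, and only the external share trips the rule. Leave the policy in test mode long enough to see real traffic before the final Set-DlpCompliancePolicy call.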
\n\nSee also: SharePoint permissions, M365 pillar.
Full guide: Microsoft 365 Governance for SMBs: pragmatic, not perfectionist
This article is part of our comprehensive Microsoft 365 & Entra ID guide. Read the pillar for the complete picture.
Read the pillar →