Microsoft 365 Sharing Governance Guide

This document is intended to be an overview of the most commonly used settings available for Sharing and Collaboration in the Microsoft 365 platform. For brevity and clarity, there are many options not covered here. Where further detail might be desired, we’ve provided links to Microsoft’s documentation for further reference.

GreenLoop is glad to consult on more complex sharing scenarios not covered in this document.

These settings determine which sharing options are available to users. The most permissive setting is configured by default, as shown in the screenshot below.

For additional help determining which to choose, start by reviewing this document from Microsoft.

Other considerations:

• Most organizations will want to choose a less restrictive default policy, and then implement more restrictive policies for specific sites with more sensitive content (see site-level section below).
• Microsoft considers it a best practice for most organizations to leave “anyone” links enabled (in other words, to leave the org-wide sharing settings as shown in the screenshot above). Instead, disable “anyone” links from being the default option as outlined below. Consider also implementing additional requirements like an expiration date, or changing the default permissions.
• There are other options available to limit org-wide external sharing, including limiting sharing to specific external domains, limiting users allowed to share externally to specific security groups, and setting guest-level access to automatically expire after a certain number of days.
• Some more advanced guest access settings are detailed here. Please reach out to GreenLoop if you have questions about implementing any of these options.

Once the org-level sharing option is selected, you have the option to choose more restrictive settings for individual SharePoint sites or specific user OneDrives. Note that sites cannot have less restrictive sharing options than the org-level setting.

As described previously, you should consider changing the default sharing settings to something more restrictive than the default “anyone with the link” configuration:

As with the sharing settings, the default option selection can be customized at the individual SharePoint site level.

The external access setting controls whether your users are able to communicate with users outside of your organization, at other organizations that use Microsoft Teams. By default, external communication is turned on.

Optionally, you can choose to allow communication only with specific external domains as well.

Teams also allows you to invite users from external organizations to participate in Teams with similar capabilities to your organization users, using the Guest Access feature. By default, Guest Access is turned on, which allows users to be invited by Office 365 Admins, or by Team Owners (more on the Owner role below).

Additional information on Guest Access:

Comparison of Guest vs. User capabilities in Teams

Overview of the Guest-side experience

How to view Guests added to a specific Team

Every Team has its own SharePoint site, which stores the files accessible via the “Files” tab in a Teams channel. The sharing settings on these files are governed by SharePoint sharing settings as outlined in the previous section, so viewing a list of Guests on a Team does not give you a comprehensive view of all external access.

Failing to limit Team Owners adequately is a common root cause of sensitive data leakage. It is important to judiciously select Owners to each Team, and to ensure that they are aware of the implications of adding Members and Owners, especially if the Team has sensitive file contents.

The creator of the team is automatically an Owner, but can be removed if needed. Other owners can also be specified. Owners have the following capabilities:

Full access to Team contents (files, all channels including Private channels, etc).

Add channels (Standard or Private)

Add/remove members

Add/remove other owners

Add/remove guests

Members can automatically access (View and Modify) all Teams content that is not restricted in some other way (typically, by being part of a Private channel).

See here for a full comparison of Owner vs. Member capabilities.

Currently, member-level permissions are controllable at the Team-level only. Team Owners have the ability to change these settings for individual Teams:

Before creating Teams, consider how your teams will be organized, and review  this overview and these best-practices.

Before creating a new Team, consider what you want the privacy mode to be (public, private, or org-wide).

In some cases, creating a Private Channel in an existing Team may be a suitable alternative to creating a new Team. Private Channels are linked to a parent Team, and you can assign access to a subset of the Team’s members.

By default, all users have the ability to create new Teams. Many organizations may want to restrict the ability to create new teams to a limited group of users.

As an alternative, consider creating an expiration policy to automatically remove unused Teams after a period of time.

Apps are a great way to extend the functionality of Teams. However, too many apps in a Team can be confusing, and 3rd-party apps may present additional risks of data leakage.

Controls in the Teams Admin Center allow you to control org-wide app installation settings.

We recommend allowing installation of Microsoft apps in most cases, but you may want to block third-party (store) and custom apps.

Once you’ve reviewed all of these settings, consider formalizing your current and desired configurations into a Governance Document. GreenLoop is happy to assist with developing a Governance Document appropriate to your organizational needs.