Microsoft 365 Blog: Updates & News

Share with Care. How to Share Safely in Microsoft 365

Written by Alex Henry | Jan 8, 2024 10:33:37 PM

How many people in your organization really understand how to share files in Microsoft 365? If you're not sure, it might be time to review some of the options Microsoft 365 admins have to reign in the oversharing of files without compromising worker productivity.

In this article, I'll discuss the sharing types available in Microsoft 365, discuss a couple of best practices for sharing, and show you a simple trick in Orchestry to make sharing more secure.

Remind End-Users How to Use Share Links

And remind them often.

Sharing in M365 has undergone several changes in the last couple of years, such as releasing a simplified sharing experience in mid-2023.  However, the four types of "share links" in Microsoft 365 have largely remained the same:

Anyone: Creates a URL that can be shared internally and externally; no authentication is required, so recipients can forward along.
People in your Organization: Creates a URL that can only be used by people in your tenant.
People with Existing Access Creates a URL that can only be used by people who already have access.
People you choose: Creates a URL that requires email authentication and can be used to share externally.

Regardless if you're sharing a file, a folder, a SharePoint list, a document library or an entire SharePoint site - you'll get a combination of these four types.  Each one has its purpose, but it's up to the end user to decide which is the most appropriate for their situation.

You can help your end-users make the right choice when sharing by providing them with information about how your organization uses the different link types.


Restrict Use of the 'Anyone' Share Link

Convenience comes at a cost, and when it comes to this link type - the cost is security.

While your end-users may find it convenient to use this link to share content across the organization and/or externally, remember that this link doesn't require recipients to authenticate to access the content.  This means that, as the name implies - anyone can use it.

How Do You Restrict Access to the 'Anyone' Share Link?

One way is to remove it as an option at the tenant/organization level. You can modify external sharing permissions from the "Sharing" page in the SharePoint site admin center

Additionally, on the same page, you can change the default link type from 'Anyone' to another type.  For a company-wide default, I lean towards 'Only people in your organization' as a good, safe choice.

Keep reading to learn how Orchestry makes managing share permissions easy.

 

Share at the 'Container' Level Internally

Managing file security and permissions has traditionally been done at the file folder level when everyone worked from local servers.  However, SharePoint is NOT a file server.  

Attempting to replicate the structure of your old file server in SharePoint can be a very difficult road. Especially when it comes to granularly assigning permissions at the folder level.

When I talk about 'containers', I'm referring to Security groups, M365 groups, SharePoint sites, and document libraries. These allow you to manage permissions in bulk, based on department, roles, and any other security requirements your organization has.

Sharing with Microsoft 365 Groups:

Group owners, members and guests have EDIT access to all group apps and content.  Anyone invited to the group will receive EDIT permissions to all group apps and content.

In some situations, you can send share links to entire groups.  This is one of the best ways to share content in bulk.

 

Sharing with SharePoint Sites:

SharePoint site permissions allow you to invite collaborators and consumers to your team and communication sites.  

Similar to M365 groups, you can assign people as 'Owners' or 'Members'.  Both roles have EDIT permissions to all content on the site, and the 'Visitor" role is view-only.  For example, when launching a SharePoint communication site, it's normal to invite the majority of staff members as "visitors" so they can view but not modify content.

 

Sharing Document Libraries:

Instead of setting up complex permissions around folders in a single document library, a popular alternative is to set security and permissions at the library level.  To accomplish this, you can create additional libraries in any SharePoint site.

Let's say you have a SharePoint communication site for sharing resources to all staff members, and leadership has requested that all management resources be stored in a secure place.

If we were working with a file server, you might simply create a new folder called 'Management' and setup permissions so only management could access them.  However, we're talking about SharePoint today and as I mentioned earlier, SharePoint is NOT a file server.

In SharePoint, it's better to create a NEW document library and give it unique permissions so only managers and admins can access it. 

 

Additionally, you can invite groups to your library so you don't need to remember to add/remove individuals from the document library as people come and go from the company.  This in the screenshot above, I added the 'Leadership members' group to add all of my managers at once. 

 

How to Setup SharePoint Workspace Permissions in Orchestry

If you're an Orchestry customer, you can configure the sharing settings in your workspace templates.  This allows you to ensure your sites are setup to make sharing secure and easy for your end-users.

 

1. Open the 'Configuration' tab in the workspace template This tab contains several different configuration options, including M365 group options, workflow approvals, SharePoint site configuration, and more.
2. Choose a setting for external sharing  This field controls whether site content can be shared externally using the four link types discussed earlier.  You can use this to create workspace 
3. Choose a default share link type Help prevent oversharing by setting an from "People in the Org", "People with Existing Access" or "Specific People" as the default option for share links. 

A good default for Team sites is "People with Existing Access".
4. Choose default link permissions Choose between "View" and "Edit".  For collaborative workspaces (like team sites), EDIT is a good default.

Learn More

Ready to see how Orchestry can help you set up and enforce better security practices in your environment?  Contact us today for a demo!

Thanks for reading!