OneDrive for Business is a cloud file storage service and collaboration tool available to all MSU faculty, staff, and students. Access and share files from a browser, your desktop or mobile device. Because it is part of Office 365, file saving and sharing is easy to do directly from Microsoft Teams. Microsoft OneDrive keeps your photos and files backed up, protected, synced, and accessible on all your devices. The OneDrive app lets you view and share OneDrive files, documents, photos, and videos with friends and family. You can use the app to automatically back up your phone's photos and videos. OneDrive is a file hosting service that allows users to upload and sync files to a cloud storage and then access them from a Web browser or their local device. Create your best work with the latest versions of Word, Excel, and other Office apps. Plus, get 1 TB of cloud storage, document sharing, ransomware recovery, and more with OneDrive.
Microsoft is pushing Teams – part of Office 365 – hard, and they report adoption rates that outpace Slack. You might not realize that Teams lives on top of SharePoint Online, and you could exacerbate an already complicated and risky SharePoint file sharing problem unless you take preventative measures.
However, Office 365 has many great collaboration features, and in a fast-paced digital workplace, collaboration is key. You can share and work on documents with your co-workers simultaneously. You can request feedback, publish links so others can access your content, and more. Since SharePoint Online is part of Office 365, the system is integrated into Azure AD, Exchange Online, and OneDrive.
But all that sharing and collaboration comes at a price – users might not even realize what they are sharing with whom.
Over time, Office 365 can become a mess of public-facing links, unfettered access to sensitive data, and a permissions nightmare in desperate need of wrangling.
In this article, we are going to address some specific security issues with SharePoint Online, and discuss some best practices you can implement to manage Office 365 file sharing more effectively.
File Sharing Tools Included in Office 365
The two file sharing systems in Office 365 are SharePoint Online and OneDrive, and they work in concert with each other to provide the total file sharing functionality of the system.
If you want to think of OneDrive as the backend storage and SharePoint as the frontend interface, you wouldn’t be too far off. That is a good enough way to imagine how the system works.
For example, if you send a sharing link from your OneDrive folder, the URL is a link to SharePoint Online.
Not confusing at all, am I right? Let’s look at the major functionality of each of these systems and see what’s included in OneDrive and what’s included in SharePoint.
Office 365 File Sharing Basics
Here are some of the basic workflows you will follow to access and share files in SharePoint Online and OneDrive.
How to Find Files
You might have OneDrive available as an option in Windows Explorer where you can see the sync status, modified date, and use the Find field to locate your files.
You can also use the OneDrive website to see the same information.
And you can see the same folder in Teams.
How to Co-author Files
To co-author a file you need to have permissions to edit the file. You can have permissions through group membership, or the data owner could send you a link to edit the file.
You can share files with one or more users, with anyone with the link, or you could save the file to a folder that your team can access.
Once you can co-author the file, you need to open the file online in a browser or the client on your computer (i.e., Word Online or Word).
Updating and Syncing Files
Updating and syncing files is usually straightforward in Office 365. When you save a file that you are working on, it will sync to the server and tell you if there are changes you don’t have in your copy. If you save a file to your local OneDrive folder on your laptop the files will get uploaded and synced behind the scenes, assuming you have an internet connection.
It’s best practice to make sure you have the most recent changes before you start editing again. I’ve made that mistake on more than one occasion. One way to avoid that problem is to use Word Online when you are editing. If you use the local copy of the file in Word, you aren’t looking at the file “live.”
How to Share Files on Office 365
This section covers what you need to know about file sharing as well as some extra Office 365 file sharing tips.
Internal File Sharing
Internal file sharing is when you share files with other users who are in the same Azure Active Directory (AD) domain as you and have non-guest permissions. In Office 365, you can share files from your personal OneDrive or save them to your SharePoint Team Site.
Configuring Internal Sharing
SharePoint automatically creates a Team Site when you create a group in the Office 365 Admin Center. Use this Team Site to save documents for collaboration within your team. Office 365 creates a OneDrive folder for each user account that users should use for personal files that don’t require collaboration.
How to Share Files Internally
All you need to do to share files internally is save them to your SharePoint Teams folder. You can access this folder from the SharePoint website or in your Teams client.
You can also send users a link to the file you want to share.
- Select the option to share with Specific People, People in your organization, or People with existing access. Use the first to specify one or a few people, the second to allow anyone in your entire company, and the last to allow anyone who already has access to the file – like your team.
- Click the button to allow editing if needed.
- Allow or block download. You might use block download on a sensitive file to make sure there aren’t extra copies of that file floating around.
- Type the name of the person(s) you want to be able to see the file.
- Click “Copy Link”
- Send the link
External File Sharing
External file sharing in Office 365 is when you need to send a file outside of your organization to a person that is not part of your company. External sharing is riskier because you are opening a window to your SharePoint server or potentially sending sensitive data outside of your network.
There are numerous legitimate business reasons to allow external file sharing. Users need to work with partners or customers. Your finance team needs to send documentation to governing bodies. HR needs to send offer letters. You get the idea. You have to be able to share files.
There are several ways to configure external sharing in Office 365. Let’s look at a few options.
Configuring External Sharing
Administrators can enable external sharing from four different applications in Office 365.
- SharePoint Online
- OneDrive for Business
- Microsoft Teams
- Office 365 Groups
One option you have is to enable guest access, and grant external users guest access rights so they can collaborate with your internal resources the same way they would collaborate within their team.
Guests are actual users in your Azure AD. Group owners are the gatekeepers in this case. Group owners can grant guests access to Teams conversations, to SharePoint sites, or data.
SharePoint administrators have four different options of sharing they can enable:
- No external sharing – prevents internal users from sharing any content externally
- Authenticated: Existing guests – allows sharing with users in your Azure AD, you have to add them to Azure AD before they can access data
- Authenticated: New and existing guests – allows sharing with any user authenticated to any Office 365 or Microsoft account. Guests that aren’t in Azure AD get added as guests.
- Anonymous sharing – anyone can share via a link
How to Share Files Externally
Sharing files externally is exactly the same process as sharing them internally. You create a share link, grant the external user access to edit the file or not, and send them the link. They click the link and open the file in their browser.
Office 365 File Sharing Security Best Practices
Here are the top six best practices you can implement to keep your data safe and accessible in Office 365.
1. Require Multi-Factor Authentication
Multi-factor authentication (MFA) is a pretty basic protection method in 2019 and a common cybersecurity tip but still worth mentioning in a list of Office 365 file sharing and security best practices. MFA helps you verify that your users are who they say they are, but it is by no means foolproof.
Check out our Office 365 Man-in-the-middle attack, where we show you how attackers can quickly work around MFA.
2. Enforce Least Privileged Access to SharePoint Online
The principle of least privilege says that each user only gets the minimum access they need to do their job. Getting your Office 365 permissions to a least privileged state will go a long way to keeping your data safe.
Organize user accounts in your company into groups of similar job functions (e.g., IT, HR, Finance, Dev, etc.), and grant those groups permissions to access their data in Office 365.
Do not allow individual user accounts on access control lists (ACL) in Office 365.
Assign a Data Owner, or in this case, a “Group Owner,” for each group who is responsible for approving new group members and auditing the group on a regular schedule. The Group Owner is the gatekeeper of their group membership and therefore, their data.
Deny all non-group members any access to data via ACLs. Don’t use Limited Access or View Only permissions. Non-members have to request access from a group member using the file sharing rules. Create separate Public SharePoint sites for public-facing documents. Keep Public sites separate from your Team sites.
3. Classify Sensitive Data that lives in SharePoint Online
You need to scan and identify the data in Office 365 for PII, HIPAA, GDPR, CCPA, intellectual property, and anything else that could cause either a fine or competitive disadvantage.
Once you have tagged the files correctly, you can make sure they are not over-permissive (see Least Privilege above) and tagged or labeled so other security tools can also identify the data as sensitive and treat it appropriately. For example, encrypt sensitive files, and set up a rule to prevent the file from download to unmanaged devices.
4. Prevent Download to Unmanaged Devices
Speaking of which, you need to keep your Team data in house as much as possible. One way to do this is to prevent any download of data to devices that your IT team doesn’t manage. If you have the appropriate authorization, viewing the data in a browser from an unmanaged system is OK – if you have the link and approval of the Group Owner.
5. Limit and Audit External Sharing
OK, this is the big one – and the penultimate best practice in this article.
You need to do what you can to limit the exposure of your data to the outside world, but balance that need with the needs of your users to share and collaborate internally and externally. Here are a few different ways you can do both.
In Office 365, users can create a sharing link that they will send to other users so they can see the same document. When users create sharing links, they might grant anyone with the link permission to access the file. Those links can get stolen, intercepted, or potentially brute-forced to allow access to those files — or folders if users create links at that level.
So there are a few things you should do to keep your data as safe as possible.
First, prevent users from creating folder-sharing links that add access to multiple files, either externally or internally. If a user needs to access files owned by another group, they should request access from the Group Owner. External sharing should only be available for non-sensitive files. If you need to share sensitive files with third parties, add them as Guests in your Azure AD, and grant them appropriate access that way. Because they are guests and listed in the Group membership, the Group Owners will audit the list and remove any extra users when appropriate.
Next, set all user-created links to expire after a few days to a week. While this means that your users might have to generate more than one link to collaborate on a file, it also means that the number of links to your data doesn’t grow infinitely. If those links expire organically, you are effectively removing risk of infiltration on a continuous basis.
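One way to audit existing sharing links against the rules in this section (no folder-level links, no anonymous links on sensitive files, expiry within a week), as an added example that is not part of the original article. The inventory is constructed sample data whose `link` and `expirationDateTime` fields follow the shape of Microsoft Graph permission resources; `is_folder`, `sensitive`, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Policy from the text: links should expire after "a few days to a week".
MAX_LINK_LIFETIME = timedelta(days=7)

# Constructed sample inventory (not real data). "sensitive" is a hypothetical
# flag standing in for the result of the classification step in practice 3.
SAMPLE_ITEMS = [
    {"name": "Q3-forecast.xlsx", "is_folder": False, "sensitive": True,
     "permissions": [{"link": {"scope": "anonymous", "type": "edit"},
                      "expirationDateTime": None}]},
    {"name": "Partner-Deck", "is_folder": True, "sensitive": False,
     "permissions": [{"link": {"scope": "organization", "type": "view"},
                      "expirationDateTime": "2019-06-12T00:00:00Z"}]},
    {"name": "press-release.docx", "is_folder": False, "sensitive": False,
     "permissions": [{"link": {"scope": "anonymous", "type": "view"},
                      "expirationDateTime": "2019-06-14T00:00:00Z"}]},
    # Direct grant to a group, no sharing link: out of scope for this audit.
    {"name": "offer-letter.pdf", "is_folder": False, "sensitive": True,
     "permissions": [{"grantedTo": {"user": {"displayName": "HR Team"}},
                      "roles": ["read"]}]},
    {"name": "roadmap.pptx", "is_folder": False, "sensitive": False,
     "permissions": [{"link": {"scope": "organization", "type": "edit"},
                      "expirationDateTime": "2019-09-01T00:00:00Z"}]},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp such as 2019-06-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_links(items, now):
    """Return (item name, link scope, reasons) for every link that breaks policy."""
    findings = []
    for item in items:
        for perm in item.get("permissions", []):
            link = perm.get("link")
            if link is None:
                continue  # direct user/group grant, reviewed by the Group Owner
            scope = link.get("scope")
            reasons = []
            # Folder links add access to multiple files at once.
            if item["is_folder"]:
                reasons.append("folder-link")
            # "Anyone with the link" must never point at sensitive data.
            if scope == "anonymous" and item["sensitive"]:
                reasons.append("anonymous-on-sensitive")
            # Links must carry an expiry no more than a week out.
            expires = perm.get("expirationDateTime")
            if expires is None:
                reasons.append("no-expiry")
            elif parse_ts(expires) - now > MAX_LINK_LIFETIME:
                reasons.append("expiry-too-long")
            if reasons:
                findings.append((item["name"], scope, reasons))
    return findings


if __name__ == "__main__":
    audit_time = parse_ts("2019-06-10T00:00:00Z")  # constructed audit date
    for name, scope, reasons in audit_links(SAMPLE_ITEMS, audit_time):
        print(f"{name}: scope={scope} -> {', '.join(reasons)}")
```

Each finding is something to hand to the responsible Group Owner: revoke the link, replace it with a guest membership, or reissue it with a short expiry.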
6. Monitor SharePoint Online for Shenanigans
Lastly, monitor Office 365 for any potential data breaches or other shenanigans that internal or external bad actors perpetrate on your system. Track file and folder activity, group membership changes, admin activity, and more. Correlate network traffic with that monitored data to detect possible cyberattacks in progress.
Varonis monitors Office 365 to protect your data in OneDrive, SharePoint sites, and Teams, as well as Exchange Online. You can classify your Office 365 data for GDPR, CCPA, HIPAA, and more to identify your sensitive data. You can build a complete workflow to approve, deny, and manage access to your data that makes the Group Owners the true keepers of their data. Varonis creates individual user behavior baselines to detect abnormal Office 365 activity that indicates a potential insider or external attack.
“We wouldn’t even be considering OneDrive if we didn’t have Varonis in place.” –Varonis customer in the Airline industry
Microsoft OneDrive is a robust but simple-to-use cloud storage platform for small businesses, enterprises, and everything in between. Unlike other cloud storage providers, most of the advanced enterprise-focused features in OneDrive are available for every subscription type, enabling organizations to use OneDrive in whatever way benefits them the most. This guide focuses on the deployment and configuration options that make the most sense for small businesses looking to use OneDrive. From there, these organizations can select whatever other management capabilities they require. For the full deployment guide, which contains other methods of deploying, configuring, and managing OneDrive, see OneDrive guide for enterprises.
Getting started with OneDrive
OneDrive is effective in even the largest enterprises, but it still has a small, easy-to-implement footprint that small businesses can take advantage of. After all, small businesses are often at highest risk for losing files on failed devices because few are concerned with centralized storage and backups. By using OneDrive, however, your small business can keep files safe, and your users can easily access them from all their devices.
To get started with OneDrive, follow these steps:
- Review basic OneDrive information. Start by reviewing the introductory OneDrive information available at the OneDrive help center. You'll get answers to many of your questions, including the OneDrive experience and how it works.
- Set up a Microsoft Office 365 subscription. You must set up a subscription to use OneDrive, but you aren't required to purchase all the applications in the Microsoft 365 suite. To get started, follow the steps in Set up Microsoft 365 Apps for business.
- Add OneDrive licenses. Review your plan options in Compare OneDrive plans, and then add the licenses you need.
When you've completed these tasks, you're ready to plan for, deploy, and configure the OneDrive sync app and applications. To do that, complete these three simple steps:
- Plan for adoption. For small businesses, planning for user adoption can be as simple as individually showing your users how to use OneDrive. Often, small business customers don't consider this step for new applications, and that can negatively affect the application's success. The section Adopt OneDrive provides helpful resources for OneDrive adoption.
- Install and configure. Sync apps are available for the Windows and macOS operating systems that provide a seamless experience for users interacting with their files. Most small businesses start by installing the sync app on their users' devices, and then consider the OneDrive mobile apps later. In fact, you may already have the OneDrive client on your devices. Devices running the Windows 10 operating system and devices running Windows or macOS with Microsoft Office 2016 or later will have the OneDrive sync app already. For information about how to install and configure the OneDrive sync app and mobile apps, see the section Install and configure OneDrive.
- Manage OneDrive. For many small businesses, managing OneDrive is optional. You could simply install and configure OneDrive and leave it at that. If you want to use advanced features of OneDrive or add device sharing or access restrictions, however, you can easily manage those and other settings in the OneDrive admin center. For more information about managing OneDrive, see the section Manage OneDrive.
Key OneDrive features for small businesses
Unlike most other cloud storage providers, OneDrive not only provides robust features to small businesses out of the box, but it also makes most of its advanced features available to them. This gives small businesses the flexibility to use advanced features based on the needs of their organization.
The features listed in this section address common customer concerns or specific compliance requirements, or provide unique functionality available only in OneDrive. For a full list of features available across OneDrive plans, see Microsoft OneDrive.
Note
The information in this section is for awareness purposes only and is not required to install and use OneDrive.
OneDrive Files On-Demand
OneDrive Files On-Demand enables users to view, search for, and interact with files stored in OneDrive from within File Explorer, without downloading all the files to their device. The feature provides a seamless look and feel for both OneDrive and local files without taking up space on the local hard drive. As shown in the following screenshot, files that have not been downloaded have a cloud icon for their status. For those files that have been downloaded, the status shows a green checkmark.
By default, files are downloaded only when you need to access them. However, if you plan to access a file while disconnected from the internet, simply make the file available offline by right-clicking it, and then selecting Always keep on this device. Alternatively, if you want to free space on your device and remove the downloaded copy of a file, right-click the file, and then select Free up space. The following screenshot shows the right-click menu for OneDrive files on a device running Windows.
For more information about OneDrive Files On-Demand, see Learn about OneDrive Files On-Demand.
Modern attachments
OneDrive integrates with Microsoft Outlook to enable easy sharing of OneDrive files that appear just like email attachments. This feature provides a familiar sharing experience but centralizes storage of attachments in OneDrive. This allows your users to all collaborate on the same file instead of sending different versions back and forth in email. In addition, you can configure sharing permissions on the files directly from within the Outlook client.
To reduce the potential for confusion when users choose to add a copy versus a link to attached OneDrive files, you can set the default behavior of the Outlook client, as demonstrated in How to control default attachment state when you attach a cloud file in Outlook 2016.
Files Restore
The OneDrive Files Restore feature lets users restore files to any point over the past 30 days. To select the desired recovery time, OneDrive presents you with a histogram that shows file activity so that you can determine which recovered time meets your needs. From there, simply select the file history entry to which you want to restore, and all changes after that point will be rolled back.
In addition, because the histogram shows individual activity on a file, you can use this feature to quickly view your files' modification history. For more information about this feature, see Restore your OneDrive.
Recycle bin
OneDrive has a recycle bin similar to the one available on the Windows desktop. Deleted files are moved to the recycle bin and kept for a designated time before being permanently deleted. For work or school accounts, deleted files are purged after 93 days unless configured otherwise. For a demonstration of how the recycle bin works, see Restore deleted files or folders in OneDrive.
Known Folder Move
Known Folder Move enables users to select Windows known folders, such as their desktop, Documents, or Pictures, to automatically synchronize to OneDrive. You can add this feature during the initial setup of OneDrive or after it has been configured. This capability provides a simple migration option for users looking to add known folders to their existing list of synchronized folders. For more information about Known Folder Move, see Protect your files by saving them to OneDrive.
Adopt OneDrive
User adoption is important to the overall success of any new application. Ideally, to feel that you have maximized your investment in Office 365 and OneDrive, you need to maximize user engagement with them. For small businesses, driving user adoption can be as simple as introducing users to OneDrive when you're installing it or showing them any of the videos available at the Office 365 Training Center.
Personally showing your users how to save and share documents in OneDrive tends to be the most effective option for driving adoption, given that you'll likely be performing manual installations. The primary value proposition for small businesses is file availability and redundancy. A document saved on local storage can be lost with a device; a document saved to OneDrive cannot. Simply having this discussion with your users beforehand, coupled with demonstrating the application's ease of use, can drive positive outcomes for this effort.
For information about a more formal Microsoft 365 user adoption strategy, see the Microsoft 365 End User Adoption Guide. For more information about driving user engagement through a similar, more formal process, see Success Factors for Office 365 End User Engagement. You can also contribute to or comment on adoption-related ideas in the Driving Adoption Tech Community.
Install and set up OneDrive apps
You can upload, download, and interact with your OneDrive files from a web browser, but the ideal OneDrive experience comes from the Windows and Mac sync apps and the iOS and Android mobile apps. With these clients and apps, saving files to OneDrive and interacting with them is much easier than visiting a website each time you need something. Through this experience, you can seamlessly integrate OneDrive into your existing file interaction experiences.
You can install OneDrive on any supported device. For small businesses, manual installations typically make the most sense. For some devices, the installation process may be as simple as installing an app from the app store. For others, you may need to delete older versions of OneDrive first. This section walks you through the installation and configuration of OneDrive on iOS and Android mobile devices, Windows devices, and computers running macOS. You may not need to install OneDrive on all these platforms, depending on the devices used in your organization.
Most small businesses start by installing the OneDrive sync app on users' Windows and macOS devices, and then consider the OneDrive mobile apps afterwards. You don't need to install and configure OneDrive on all your devices before you start using it.
Install and configure the sync app on a Windows device
If your Windows device has either Office 2016 or Windows 10, it already has the OneDrive sync app.
For devices running older versions of Windows or on which Office 2016 is not installed, you can download the OneDrive sync app for Windows from https://onedrive.live.com/about/download.
Note
If the device has an older version of the sync app, you'll be asked to uninstall it when you install the new one.
Configuring OneDrive for Windows is simple, but if you want to see a demonstration, see Sync files with the OneDrive sync app in Windows.
Install and configure OneDrive on a macOS device
To install the OneDrive sync app on a computer running macOS, just follow the steps in Sync files with the OneDrive sync app on macOS. The setup experience is similar to that for Windows. For more information about OneDrive on macOS, see OneDrive for Mac – FAQ.
Install and configure OneDrive on a mobile device
Installing the OneDrive app on a mobile device is simple: download the app from the app store on any Android, iOS, or Windows mobile device. If you want to simplify the manual installation process even further, go to https://onedrive.live.com/about/download and enter the mobile phone number of the device on which you want to install OneDrive. Microsoft will send a text message to the mobile device with a link to the app in the device's app store. Once installed, start the configuration process by opening the app and responding to the prompts.
To learn how to perform tasks in OneDrive on an iOS device, see Use OneDrive on iOS.
To learn how to perform tasks in OneDrive on an Android device, see Use OneDrive on Android.
Manage OneDrive
Many small businesses use OneDrive without changing any of the options.
If you want to add some basic device and sharing restrictions to OneDrive, you can use the OneDrive admin center. To access the new OneDrive admin center, go to https://admin.onedrive.com. There, you can restrict the people with whom your users can share files, choose the devices your employees can use to access OneDrive, and more.
Settings in the OneDrive admin center are grouped into six categories:
- Sharing. Instead of using this page, use the Sharing page in the new SharePoint admin center. To learn more, see Manage sharing settings.
- Sync. On the Sync page, you can require that synced devices be joined to your domain or configure sync restrictions based on file type.
- Storage. On the Storage page, you specify the default OneDrive storage limit for users within your Office 365 organization. You can also configure how long to keep data for users whose accounts have been deleted (the maximum value is 10 years).
- Device Access. Instead of using this page, use the Access control page in the new SharePoint admin center.
- Compliance. The Compliance page provides a centralized list of links to auditing, data loss prevention (DLP), retention, eDiscovery, and alerting capabilities within Office 365 that are applicable to OneDrive. (Most small businesses won't use these options.) Selecting an item's link redirects you to the Office 365 Security & Compliance Center, where you can configure that item. You can create DLP policies from templates that protect certain types of data, such as Social Security numbers, banking information, and other financial and medical content. For a walkthrough of how to create DLP policies in Office 365 and apply them to OneDrive, see Create a DLP policy from a template.
- Notifications. On the Notifications page, you define when OneDrive owners should receive notifications about sharing or accessing their data. These settings are helpful for small businesses that likely don't have IT staff who can audit this information. For information about enabling these options, see Turn on external sharing notifications for OneDrive.
Get help with OneDrive
If you need help with OneDrive, you have many ways to find solutions to common issues or request help:
- Tech community. Find helpful information from other customers in the community by reviewing the discussions in the OneDrive Tech Community and the Microsoft OneDrive Blog.
- Support documentation. For a list of recent issues in OneDrive and how to resolve or work around them, see Fixes or workarounds for recent issues in OneDrive. For getting started info, see Get started with OneDrive, Employee file storage (video training) and Why use OneDrive to store your docs.
- Microsoft Support. If you need help from Microsoft to troubleshoot an issue or configure or deploy OneDrive, see Contact Microsoft.
- OneDrive UserVoice. You can review and submit feature requests and provide feature feedback at OneDrive UserVoice.
Note
Microsoft will be moving from UserVoice to our own customer feedback solution on a product-by-product basis during 2021. Learn more.