Governing access in Microsoft 365 groups, Teams, and SharePoint
There are many controls that enable you to govern how people access resources in groups, teams, and SharePoint. Review these options and consider how they map to your business needs, the sensitivity of your data, and the scope of people that your users need to collaborate with.
The following table provides a quick reference for the access controls available in Microsoft 365. Further information is provided in the following sections.
You can manage membership of a group or team dynamically based on some criteria, such as department. In this case, members and owners can't invite people to the team. Dynamic groups use metadata that you define in Microsoft Entra ID to control who is a member of the group. Be sure the metadata that you're using is complete and up to date as incorrect metadata can lead to users being left out of groups or incorrect users being added.
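The following is an added example, not part of the original article, showing how a dynamic Microsoft 365 group driven by the Entra ID department attribute is created with the Microsoft Graph PowerShell SDK, and how to audit the attribute hygiene the paragraph warns about before trusting the rule. It assumes the Microsoft.Graph module, a caller granted Group.ReadWrite.All and User.Read.All, and a constructed department value of "Finance".

```powershell
# Added example (not from the article). Assumes the Microsoft.Graph PowerShell SDK;
# "Finance" and the group names are constructed values.
Connect-MgGraph -Scopes "Group.ReadWrite.All","User.Read.All"

# 1. Audit first: an enabled user with no Department value silently falls out of
#    every department-based rule, so surface those accounts before relying on it.
$missingDept = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property Id,UserPrincipalName,Department |
    Where-Object { [string]::IsNullOrWhiteSpace($_.Department) }
"Enabled users with no Department set: $($missingDept.Count)"
$missingDept | Select-Object UserPrincipalName | Format-Table

# 2. Create the group. GroupTypes must include both "Unified" (a Microsoft 365
#    group, usable by Teams) and "DynamicMembership"; the rule uses the Entra ID
#    membership rule syntax. Owners and members cannot add people by hand.
$rule = '(user.department -eq "Finance") -and (user.accountEnabled -eq true)'
$group = New-MgGroup -DisplayName "Finance (dynamic)" `
    -MailEnabled:$true -MailNickname "finance-dynamic" -SecurityEnabled:$false `
    -GroupTypes @("Unified","DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

# 3. Verify the rule is active and inspect who it actually pulled in.
Get-MgGroup -GroupId $group.Id -Property MembershipRule,MembershipRuleProcessingState |
    Select-Object MembershipRule,MembershipRuleProcessingState
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { Get-MgUser -UserId $_.Id -Property UserPrincipalName,Department } |
    Select-Object UserPrincipalName,Department
```

Membership is evaluated asynchronously after the group is created, so step 3 may return an empty list for a few minutes; re-run the audit in step 1 on a schedule, because the rule only stays correct for as long as the source attribute does.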
SharePoint sites provide the ability to add owners, members, and visitors apart from group or team membership. Depending on your requirements, you may want to restrict who can invite people to the site. Also, depending on the sensitivity of the information in a given site, you may want to restrict who can share files and folders. These restrictions are configured by the team, group, or site owner.
With Microsoft 365, you can require multifactor authentication for both people inside and outside your organization. There are many options for the circumstances when people are prompted for a second factor of authentication. We highly recommend that you deploy multifactor authentication for your organization.
If you have sensitive information in some of your groups and teams, you can enforce device management policies based on a group or team's sensitivity label. You can block access entirely from unmanaged devices, or allow limited, web-only access.
You can restrict guests based on the domain of their email address. SharePoint offers organization-wide and site-specific domain restriction settings. Groups and Teams use the domain allowlists or blocklists in Microsoft Entra ID. Be sure to configure both settings to avoid unwanted sharing and ensure a consistent user experience.
Microsoft 365 allows anonymous sharing of files and folders by using Anyone sharing links. Anyone links can be forwarded, and anyone with the link can access the shared item. Depending on the sensitivity of your data, consider governing how Anyone links are used - including turning them off entirely, restricting link permissions to read-only, or setting an expiration time for them.
When sharing files or folders, users have several link types to choose from. To reduce the risk of accidental inappropriate sharing, you can change the default link type presented to users when they share. For example, changing the default from Anyone links - which allow anonymous access - to People in your organization links can reduce the risk of unwanted external sharing of sensitive information.
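As an added example (not the article's own configuration), the SharePoint Online Management Shell script below records the current tenant sharing settings and then applies the three controls covered in the preceding paragraphs: domain restrictions for guests, governance of Anyone links, and a safer default link type, plus a site-level override. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator, a constructed tenant name "contoso", and placeholder partner domains and site URL.

```powershell
# Added example (not from the article). Tenant name, site URL and domains are
# constructed placeholders; replace them with your own values.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Record the current state so the change is auditable and reversible.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    FileAnonymousLinkType, FolderAnonymousLinkType,
    SharingDomainRestrictionMode, SharingAllowedDomainList
$before | Format-List

# 2. Anyone links. ExternalUserSharingOnly turns them off entirely (guests must
#    sign in). If they must remain, constrain them to view-only and time-limited.
$disableAnyoneLinks = $true
if ($disableAnyoneLinks) {
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly
} else {
    Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
        -FileAnonymousLinkType View -FolderAnonymousLinkType View `
        -RequireAnonymousLinksExpireInDays 14
}

# 3. Default link type: Internal = "People in your organization", so a user must
#    deliberately widen the scope; the default permission is view-only.
Set-SPOTenant -DefaultSharingLinkType Internal -DefaultLinkPermission View

# 4. Guest domain allowlist (space-separated). As the article notes, the matching
#    Entra ID B2B allow/block list is configured separately in the Entra admin center.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "partner-a.example partner-b.example"

# 5. Site-specific override: this site allows no external sharing at all, even
#    though the tenant still permits domain-restricted guest sharing.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
    -SharingCapability Disabled

# 6. Confirm the effective tenant settings.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, SharingDomainRestrictionMode,
    SharingAllowedDomainList | Format-List
```

Site-level settings can only be as permissive as the tenant setting, never more, so tightening at the tenant first and then relaxing individual sites is the safer order; the `$before` snapshot gives you the values to restore if a change breaks a legitimate collaboration.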
If your organization has sensitive data that you need to share with guests, but you're concerned about inappropriate sharing, you can limit external sharing of files and folders to the members of specified security groups. In this way, you can restrict sharing externally to a specific group of people, or require your users to take training around appropriate external sharing before adding them to the security group.
Groups and Teams have organization-level settings that allow or deny guest access. While you can restrict guest access to specific teams or groups by using Microsoft PowerShell, we recommend doing this by means of a sensitivity label. With sensitivity labels you can automatically allow or deny guest access based on the label applied.
In an environment where you frequently invite guests to groups and teams, consider setting up regularly scheduled guest access reviews. Owners can be prompted to review guests in their groups and teams and approve or deny access.
Microsoft 365 offers many different methods of sharing information. If you have sensitive information and you want to restrict how it's shared, review the options for limiting sharing.
As groups and teams evolve in your organization, a good practice is to review team and group membership on a regular basis. This may be particularly useful for teams and groups with a changing membership, those that contain sensitive information, or those that include guests. Consider setting up access reviews for these teams and groups.
Many organizations have business partnerships with other organizations or key vendors with whom they collaborate in depth. User management and access to resources can be challenging to manage in these scenarios. Consider automating some of the user management tasks and even transitioning some of them to your partner organization.
Private channels in Teams allow for scoped conversations and file sharing between a subset of team members. Depending on your specific business needs, you may want to allow or block this capability.
Shared channels allow you to invite people who are outside the team or outside the organization. Depending on your specific business needs and external sharing policies, you may want to allow or block this capability.
OneDrive provides an easy way for users to store and share content that they're working on. Depending on your business needs, you may want to restrict access to this content to full-time company employees or other groups within the company. If so, you can limit access to OneDrive content to members of a security group.
For some more sensitive teams or sites, you might want to limit access to team or site content to members of the team or to members of a security group.
You can use sensitivity labels to govern guest access, group and team privacy, and access by unmanaged devices for groups and teams. When a user applies the label, these settings are automatically configured as specified by the label settings.
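The following added example (not part of the article) builds the sensitivity label that the preceding paragraph and the earlier guest-access paragraph describe: one label whose container settings deny guests, force private membership, and limit unmanaged devices to web-only access, so that a user applying it to a team or group configures all three controls at once. It assumes the ExchangeOnlineManagement module (Security & Compliance PowerShell), a Compliance administrator, and a constructed label name.

```powershell
# Added example (not from the article). The label and policy names are constructed.
Connect-IPPSSession

$labelName = "Confidential - Internal Team"
New-Label -Name $labelName -DisplayName $labelName `
    -Tooltip "Internal-only teams and sites: no guests, private, web-only on unmanaged devices"

# Container (site and group) protection settings live on the same label object.
#   AllowAccessToGuestUsers $false : owners cannot add guests to labeled groups/teams
#   Privacy Private                : membership is owner-controlled, not self-join
#   AllowLimitedAccess $true       : unmanaged devices get browser-only, no download
Set-Label -Identity $labelName `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteAndGroupProtectionPrivacy Private `
    -SiteAndGroupProtectionAllowLimitedAccess $true

# Verify what the label will enforce before publishing it.
Get-Label -Identity $labelName |
    Select-Object DisplayName, SiteAndGroupProtectionEnabled,
        SiteAndGroupProtectionAllowAccessToGuestUsers,
        SiteAndGroupProtectionPrivacy,
        SiteAndGroupProtectionAllowLimitedAccess,
        SiteAndGroupProtectionBlockAccess

# Publish the label so users can apply it (scope ExchangeLocation to a group
# instead of All to restrict who sees it).
New-LabelPolicy -Name "Internal Team Labels" -Labels $labelName -ExchangeLocation All
```

The unmanaged-device setting on the label only takes effect when the corresponding Conditional Access policy for unmanaged devices exists in Microsoft Entra ID, so verify that prerequisite as part of the same change; and because labels are applied by users, pair this with the auto-labeling and access review practices the article describes rather than relying on manual labeling alone.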
You can configure Microsoft 365 to auto-apply sensitivity labels to files and emails based on the criteria that you specify, including detecting sensitive information types or pattern matching with trainable classifiers.
With information barriers, you can segment your data and users to restrict unwanted communication and collaboration between groups and avoid conflicts of interest in your organization. Information barriers let you create policies to allow or prevent file collaboration, chatting, calling, or meeting invitations between groups of people in your organization.
With Microsoft 365 Multi-Geo, you can provision and store data at rest in the geo locations that you've chosen to meet data residency requirements. In a Multi-Geo environment, your Microsoft 365 tenant consists of a central location (where your Microsoft 365 subscription was originally provisioned) and one or more satellite locations where you can store data.
Related topics: working with external users in Teams, and the access controls available from different places, including the Microsoft Entra ID, Microsoft 365, Teams, and SharePoint admin centers.