Restrict OneDrive access by security group
Some features in this article require Microsoft SharePoint Premium - SharePoint Advanced Management
You can restrict access and sharing of OneDrive content to users in specified Microsoft Entra ID security groups. Even if other users outside of these security groups are licensed for OneDrive, they won’t have access to their own OneDrive or any shared OneDrive content when this policy is in effect. OneDrive access restriction at tenant level is applied when a user attempts to open a OneDrive or a file.
You can use this policy to prevent new users from accessing any OneDrive content. For example, you can restrict OneDrive access and sharing to your new users, guests, or frontline users.
Note that users who are not members of the specified security groups can still see files in organization-wide search and Copilot experiences if they had permissions to the file before the policy was configured. However, they will not be able to open the file or OneDrive if they are not part of the specified security groups.
Note - If you also want to prevent oversharing of OneDrive content for users with existing permissions, we recommend that you enforce OneDrive site access restriction on an individual user's OneDrive. For more information, see Restrict access to a user's OneDrive content to people in a security group.
To access and use this feature, your organization must have one of the following subscriptions:
- Microsoft SharePoint Premium - SharePoint Advanced Management
- Office 365 E5/A5
- Microsoft 365 E5/A5
To enable this feature:
1. Go to Access control in the SharePoint admin center, and sign in with an account that has admin permissions for your organization.
2. Select Restrict OneDrive access.
3. Select Restrict OneDrive access to only users in specified security groups.
4. Add the security groups (maximum of 10) you want to be able to use OneDrive.
5. Select Save.
Important
Users who aren't members of the specified security groups will lose access to their own OneDrive and any shared OneDrive content. Sharing of content will be allowed only with the specified security group or members of the specified security group.
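Because saving the policy removes access for every user outside the specified groups, it helps to list who would be affected before you select Save. The following is an added example, not part of the original article or a Microsoft-provided script: the function name, the input shapes, the OneDriveLicensed property, and all sample users and group IDs are hypothetical and constructed for illustration. It assumes you have already exported your users and the resolved membership of each candidate group from your directory.

```powershell
# Added example: pre-change impact check. All data below is constructed.
# $Users and $GroupMembers stand in for a directory export you produce
# yourself; the export step is not shown and is an assumption.

function Get-OneDriveRestrictionImpact {
    param(
        [Parameter(Mandatory)] [object[]]  $Users,          # objects with Id, UserPrincipalName, OneDriveLicensed
        [Parameter(Mandatory)] [hashtable] $GroupMembers,   # group Id -> array of member user Ids
        [Parameter(Mandatory)] [string[]]  $AllowedGroupIds # groups you plan to add to the policy
    )

    # The policy accepts a maximum of 10 security groups.
    if ($AllowedGroupIds.Count -gt 10) {
        throw "Policy accepts at most 10 security groups; got $($AllowedGroupIds.Count)."
    }

    # Build the union of members across all allowed groups.
    $allowed = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($gid in $AllowedGroupIds) {
        if (-not $GroupMembers.ContainsKey($gid)) {
            throw "No membership data for group '$gid'."
        }
        foreach ($memberId in $GroupMembers[$gid]) { [void]$allowed.Add($memberId) }
    }

    # Licensed users outside every allowed group lose access to their own
    # OneDrive and to shared OneDrive content once the policy is in effect.
    $Users |
        Where-Object { $_.OneDriveLicensed -and -not $allowed.Contains($_.Id) } |
        Select-Object UserPrincipalName, Id
}

# Constructed sample data (placeholder names and IDs).
$users = @(
    [pscustomobject]@{ Id = 'u1'; UserPrincipalName = 'alex@contoso.example';  OneDriveLicensed = $true  }
    [pscustomobject]@{ Id = 'u2'; UserPrincipalName = 'blake@contoso.example'; OneDriveLicensed = $true  }
    [pscustomobject]@{ Id = 'u3'; UserPrincipalName = 'casey@contoso.example'; OneDriveLicensed = $true  }
    [pscustomobject]@{ Id = 'u4'; UserPrincipalName = 'kiosk@contoso.example'; OneDriveLicensed = $false }
)
$groupMembers = @{
    'g-onedrive-staff' = @('u1')
    'g-onedrive-execs' = @('u1', 'u3')
}

Get-OneDriveRestrictionImpact -Users $users -GroupMembers $groupMembers `
    -AllowedGroupIds 'g-onedrive-staff', 'g-onedrive-execs'
```

Review the resulting list for administrators and service owners who need OneDrive before enabling the policy, and add them to one of the specified groups first.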
Audit events are available in Microsoft Purview compliance portal to help you monitor restricted access control activities. Audit events are logged for the following activities:
- Enabled Restricted OneDrive access and sharing
- Disabled Restricted OneDrive access and sharing