Manage SharePoint permissions to prevent oversharing of data

  • 4 minutes

Organizations operate at various levels of maturity in governing SharePoint data. While some enterprises strictly monitor permissions and oversharing of content, others don't. The situation is further complicated because many enterprises have legitimate reasons to share "some" data widely within the organization. Sometimes, end users in your organization make choices that result in the oversharing of SharePoint content. For example:

  • Users might save critical files in locations accessible to a wider audience, including external users.
  • Some users prefer sharing with large groups rather than specific individuals, leading to oversharing.
  • Users might not pay close attention to permissions when uploading files.

Services such as Microsoft SharePoint and Microsoft Copilot for Microsoft 365 utilize all data to which individual users have at least View permissions, which might include broadly shared files that the user is unaware of. As a result, users might see these applications as exposing content that was overshared. Oversharing can lead to sensitive information being exposed to unintended recipients. End users, while well intentioned, might not always grasp the implications of their sharing choices. They might overlook permissions or opt for convenience over security.

As a result, it's important to use the permission models in SharePoint to ensure the right users or groups have the right access to the right content within your organization. The following sections describe the key steps that administrators can implement to configure their SharePoint permissions model to help prevent data oversharing.

Note

These steps are provided for SharePoint administrators. Some of the following features require a SharePoint Advance Management license.

Step 1: Review site-level sharing controls and remove "Everyone Except External Users" from the People Picker

By default, SharePoint allows users to share content with a wide audience, including internal users and external collaborators. As such, administrators must encourage users to assign permissions at the site/library/folder level thoughtfully. It's important that they educate users by raising awareness about the effect of oversharing and the importance of setting appropriate permissions.

Setting granular permissions to help prevent oversharing is where the People Picker comes into play. The People Picker is a web control used in SharePoint to find and select users, groups, and claims when assigning permissions to items such as lists, libraries, or sites. When a site, list, or library owner assigns permissions, they utilize the People Picker to search for and designate the appropriate individuals or groups who should have access to specific content. One of the People Picker options is "Everyone Except External Users." This option is a convenient way to share content broadly within the organization. However, it can lead to oversharing if not used judiciously. When end users upload files or save critical content without paying attention to permissions, they might inadvertently share it with a larger audience than intended.

The “Everyone Except External Users” setting includes internal users but excludes external collaborators. If sensitive data is shared this way, it could inadvertently reach external parties. To prevent oversharing, organizations should review site-level sharing controls and disable the “Everyone Except External Users” option. Doing so ensures that only authorized individuals have access to specific content. By excluding this option, you reduce the likelihood of unintentionally sharing content with a wide internal audience. Users can still share with specific individuals or groups, but the default should be more restrictive.

In addition to removing this control, SharePoint administrators should:

  • Educate site admins on the site-level controls they can use to restrict members from sharing. One key setting here ensures that Site Owners are the recipients of access requests.
  • Consider hiding broad-scope permissions from your end users to reduce risks around accidental misuse. This example hides the "Everyone Except External Users" in the People Picker control so that no end user can use it.
  • Consider adopting sharing best practices like changing sharing link defaults from companywide sharing to specific people links.

Step 2: Identify inactive sites, then restrict access or delete

Reduce your surface area for potentially overshared content by identifying SharePoint sites that have been inactive for a long time. See how you can easily do that through the Inactive Site Policies in SharePoint Advanced Management. You can then lock down permissions on these sites through the Restricted Access Control policy. You can also consider deleting these sites.

Step 3: Identify potentially overshared content

A SharePoint administrator can run reports in the SharePoint admin center to discover broad sharing activity happening over the last month. SharePoint Advanced Management’s new data access governance reports can help here. A SharePoint admin can run reports on:

These reports can be downloaded as CSV files. You can also build your own report by using Microsoft Graph Data Connect for SharePoint.

Step 4: Take remediation actions to address oversharing

Once you identify the SharePoint sites with potential oversharing issues, it's time to act. Your actions should consider several factors, including data sensitivity, the severity of the oversharing, and the need to maintain business operations. These actions include:

  • For content that has been overshared and needs immediate action:
    • Configure a Restricted Access Control Policy for such sites. As a result, all existing access to the site is restricted to only the group of users configured by the admin. Accordingly, the content from this site is visible only for this restricted group of users. This policy works for both OneDrive and SharePoint.
    • For high-profile instances, you should determine who/how/when the oversharing took place. Use the Change History feature to see what changes contributed to the oversharing.
  • For cases where the SharePoint administrator needs to consult with site owners/admins for action:
    • The SharePoint admin can reach out to the owners of sites identified in data access governance reports. SharePoint admins can advise site owners on the overshared files/folders in that site and request them to act to manually remove unnecessary access.
    • In 2024, Microsoft is releasing a new SharePoint Advanced Management feature called "Site Access Review" that a SharePoint admin can initiate from any Data Access Governance report. Site owners use a Site Access Review UI to review broadly shared content on their side and either take remediation action to remove overly broad permissions or provide business justification to the SharePoint admin.

Step 5: Set restricted access control and block file download policies on business-critical sites

SharePoint administrators should use Restricted Access Control to proactively protect against oversharing. In doing so, they should consider blocking downloads from selected sites through a block download policy. They can also specifically block the download of Teams meetings recordings. Lastly, they should consider applying encryption action with "extract rights" enforced on business-critical office documents. Learn more here.