Restrict access to a user's OneDrive content to people in a group
Some features in this article require Microsoft SharePoint Premium - SharePoint Advanced Management
You can restrict access to an individual user's OneDrive content to users in a security group by using a OneDrive access restriction policy. Users not in the specified group can't access the content, even if they had prior permissions or shared link.
The policy is applied using Microsoft Entra security groups that contain the people who should be able to access files in that OneDrive.
When the policy is applied, the people in the security group aren't granted permissions to any files directly. The OneDrive owner must share the content as they normally would. The OneDrive access restriction policy prevents anyone who isn't in the security group from accessing the OneDrive content even if it's shared with them.
Access restriction policies are applied when a user attempts to access a file. Users can still see files in search results if they have direct permissions to the file, but they won't be able to access the file if they're not part of the specified security group.
You can also restrict access to the OneDrive service itself to people in a security group. For more information, see Restrict OneDrive access by security group.
Requirements
The OneDrive access restriction policy requires Microsoft SharePoint Premium - SharePoint Advanced Management.
Enable site access restriction for your organization
You must enable site access restriction for your organization before you can configure it for a user's OneDrive.
To enable site access restriction for your organization in SharePoint admin center:
Expand Policies and select Access control.
Select Site access restriction.
Select Allow access restriction and then select Save.
To enable site access restriction for your organization using PowerShell, run the following command:
Set-SPOTenant -EnableRestrictedAccessControl $true
It might take up to one hour for command to take effect.
Note
For Microsoft 365 Multi-Geo users, run this command separately for each desired geo-location.
Restrict access to a user's OneDrive content
Each OneDrive can be assigned up to 10 Microsoft Entra security groups. Once a security group is added, only users in the groups have access to content in that OneDrive that has been shared with them. You can use dynamic security groups if you want to base group membership on user properties.
Important
The owner of the OneDrive must be included in one of the security groups that you specify or they will lose access to their OneDrive and its contents.
To manage access restriction for OneDrive, use the following commands:
Action | PowerShell command |
---|---|
Enable access restriction for a given OneDrive. (Run this command before adding security groups.) | Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true |
Add security group | Set-SPOSite -Identity <siteurl> -AddRestrictedAccessControlGroups <comma separated group GUIDS> |
Edit security group | Set-SPOSite -Identity <siteurl> -RestrictedAccessControlGroups <comma separated group GUIDS> |
View security group | Get-SPOSite -Identity <siteurl> Select RestrictedAccessControl, RestrictedAccessControlGroups |
Remove security group | Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS> |
Reset site access restriction | Set-SPOSite -Identity <siteurl> -ClearRestrictedAccessControl |
Auditing
Audit events are available in the Microsoft Purview compliance portal to help you monitor site access restriction activities. Audit events are logged for the following activities:
- Applying site access restriction for site
- Removing site access restriction for site
- Changing site access restriction groups for site