Governing access in Microsoft 365 groups, Teams, and SharePoint

There are many controls that enable you to govern how people access resources in groups, teams, and SharePoint. Review these options and consider how they map to your business needs, the sensitivity of your data, and the scope of people that your users need to collaborate with.

The following table provides a quick reference for the access controls available in Microsoft 365. Further information is provided in the following sections.

| Category | Description | Reference |
|---|---|---|
| Membership | Discovery of private teams | Manage discovery of private teams in Microsoft Teams |
| | Dynamic group membership based on rules | Create or update a dynamic group in Azure Active Directory |
| | Control who can share files, folders, and sites | Set up and manage access requests |
| Conditional access | Multi-factor authentication | Azure AD Multi-Factor Authentication |
| | Control device access based on group, team, or site sensitivity | Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites |
| | Limit site access for unmanaged devices | Control SharePoint access from unmanaged devices |
| | Control site access based on location | Control access to SharePoint and OneDrive data based on network location |
| Guest access | Allow or block SharePoint sharing from specified domains | Restrict sharing of SharePoint and OneDrive content by domain |
| | Allow or block team or group membership from specified domains | Allow or block invitations to B2B users from specific organizations |
| | Prevent anonymous sharing | Turn off Anyone links |
| | Control the permissions for anonymous access links | Set link permissions for Anyone links |
| | Control the expiration of anonymous sharing links | Set an expiration date for Anyone links |
| | Control the type of sharing link shown to users by default | Change the default link type for a site |
| | Limit external sharing to specific people | Limit external sharing to specified security groups |
| | Control guest access to a group, team, or site based on information sensitivity | Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites |
| | Turn off sharing options | Limit sharing in Microsoft 365 |
| User management | Review team and group membership on a regular basis | What are Azure AD access reviews? |
| | Automate access management to groups and teams | What is Azure AD entitlement management? |
| | Allow or block people from creating private channels in Teams | Manage the life cycle of private channels in Microsoft Teams |

Membership

Membership of teams and groups is controlled by their owners. Members can request that others be added, but the request goes to an owner for approval. Public teams and groups are discoverable by anyone in the organization; for private teams and groups, you can control whether they can be discovered at all.

You can also manage the membership of a group or team dynamically, based on user attributes such as department. In a dynamic group, owners and members cannot add people manually; Azure Active Directory evaluates a membership rule against the attributes you define and adds or removes members accordingly. Make sure the attributes the rule relies on are complete and kept current: stale or missing attribute values lead to users being left out of groups, or to the wrong users being added and gaining access they should not have.
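The following script is an added example and is not part of the original page. It uses Microsoft Graph PowerShell to preview who a department-based rule would match, report active accounts whose department attribute is empty (the "incomplete metadata" case above), and then create the dynamic Microsoft 365 group. The department value "Finance", the group names, and the tenant permissions are assumptions for illustration.

```powershell
# Added example (not from the Microsoft page). Assumes the Microsoft.Graph PowerShell SDK
# and an account holding Group.ReadWrite.All and User.Read.All. "Finance" and the
# group display name / mail nickname are placeholders.

Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$department = "Finance"   # placeholder attribute value the rule keys on

# Rule: enabled, member (not guest) accounts whose department is exactly "Finance".
# Filtering on user.userType keeps guest accounts out even if someone sets a department on them.
$rule = '(user.department -eq "{0}") and (user.accountEnabled -eq true) and (user.userType -eq "Member")' -f $department

# 1. Preview before switching the rule on: who would be added today, and which active
#    members have no department at all (they will silently be left out of the group).
$users = Get-MgUser -All -Filter "accountEnabled eq true" `
    -Property "id,userPrincipalName,department,userType,accountEnabled"

$wouldMatch  = @($users | Where-Object { $_.UserType -eq "Member" -and $_.Department -eq $department })
$missingDept = @($users | Where-Object { $_.UserType -eq "Member" -and [string]::IsNullOrWhiteSpace($_.Department) })

"Rule would add $($wouldMatch.Count) users:"
$wouldMatch  | Select-Object UserPrincipalName, Department
"Active members with no department attribute (fix in the HR/identity source first):"
$missingDept | Select-Object UserPrincipalName

# 2. Create the Microsoft 365 group with dynamic membership processing on.
#    Owners and members cannot add people manually; the rule alone decides membership.
$group = New-MgGroup -DisplayName "Finance Team" -MailNickname "finance-team" `
    -MailEnabled:$true -SecurityEnabled:$false `
    -GroupTypes @("Unified", "DynamicMembership") `
    -MembershipRule $rule -MembershipRuleProcessingState "On"

"Created group $($group.Id); membership is evaluated by Azure AD from the rule, not by owners."
```

Run the preview section on its own first; if the "no department" list is long, the rule is not yet safe to rely on for access decisions, because the people it omits will typically be granted access by other, less controlled means.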

SharePoint sites also let you add owners, members, and visitors directly to the site, separately from group or team membership. Depending on your requirements, you may want to restrict who can invite people to the site. Depending on the sensitivity of the information in a given site, you may also want to restrict who can share files and folders. These restrictions are configured by the team, group, or site owner.

Conditional access

With Microsoft 365, you can require multi-factor authentication for people both inside and outside your organization. There are many options for the circumstances in which people are prompted for a second factor of authentication. We highly recommend that you deploy multi-factor authentication for your organization.

If you have sensitive information in some of your groups and teams, you can enforce device management policies based on a group or team's sensitivity label. You can block access entirely from unmanaged devices, or allow limited, web-only access (no download, print, or sync).

In SharePoint, you can also restrict access to sites to specified network locations, defined as IP address ranges.
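As an added example (not code from the original page), the following SharePoint Online Management Shell script applies the two controls just described: web-only access for unmanaged devices tenant-wide with a full block on one sensitive site, and an IP address allow list. Because a location policy also applies to administrators, it first checks that the address you are administering from falls inside the ranges about to be enforced. The tenant name "contoso", the site URL, the CIDR ranges, and the admin address are placeholders.

```powershell
# Added example (not from the Microsoft page). Assumes SharePoint Online Management Shell
# and a SharePoint administrator account. Tenant "contoso", /sites/Finance, the CIDR
# ranges and the admin address 203.0.113.10 are placeholders.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Converts a dotted IPv4 address to its 32-bit numeric value (exact in a double).
function ConvertTo-IPv4Number([string]$Address) {
    $value = 0.0
    foreach ($byte in [System.Net.IPAddress]::Parse($Address).GetAddressBytes()) {
        $value = $value * 256 + $byte
    }
    return $value
}

# Returns $true when $Address lies inside the IPv4 CIDR range $Cidr (e.g. "10.0.0.0/8").
# A bare address without "/" is treated as a single host (/32). IPv4 only.
function Test-IPv4InCidr([string]$Address, [string]$Cidr) {
    $parts  = $Cidr.Trim().Split("/")
    $prefix = if ($parts.Count -gt 1) { [int]$parts[1] } else { 32 }
    $block  = [math]::Pow(2, 32 - $prefix)      # number of addresses covered by the prefix
    $lhs = [math]::Floor((ConvertTo-IPv4Number $Address) / $block)
    $rhs = [math]::Floor((ConvertTo-IPv4Number $parts[0]) / $block)
    return $lhs -eq $rhs
}

$allowList = "198.51.100.0/24,203.0.113.0/28"   # placeholder corporate egress ranges
$adminIp   = "203.0.113.10"                      # placeholder: the address you are connecting from

# Refuse to enable enforcement unless the admin's own address is inside the list;
# otherwise the very next call would lock you out of the admin center too.
$covered = @($allowList.Split(",") | Where-Object { Test-IPv4InCidr $adminIp $_ }).Count -gt 0
if (-not $covered) {
    throw "Admin address $adminIp is outside the allow list; enabling enforcement would lock you out."
}

# Record the current posture before changing it.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, IPAddressEnforcement, IPAddressAllowList

# Unmanaged devices: web-only access (no download, print, or sync) across the tenant ...
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# ... and no access at all to a site holding sensitive data. A site setting can only
# tighten the tenant setting, never relax it.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" -ConditionalAccessPolicy BlockAccess

# Location: only requests from the listed ranges reach SharePoint and OneDrive.
Set-SPOTenant -IPAddressAllowList $allowList -IPAddressEnforcement $true
```

Two caveats when running this rather than using the admin center: the unmanaged-device setting only takes effect together with an Azure AD Conditional Access policy that applies app-enforced restrictions to SharePoint Online, which the admin center creates for you but PowerShell does not, so confirm that policy exists; and the allow list also accepts IPv6 ranges, which the helper above does not evaluate, so check any IPv6 entries by hand.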

Guest access

You can restrict guests based on the domain of their email address. SharePoint offers organization-wide and site-specific domain restriction settings, while Groups and Teams use the domain allow and deny lists in Azure AD. Configure both so that the two lists agree; otherwise a domain blocked in one place can still be admitted through the other, and users see inconsistent behavior.

Microsoft 365 allows anonymous sharing of files and folders through Anyone sharing links. An Anyone link can be forwarded, and anyone who holds the link can access the shared item without signing in. Depending on the sensitivity of your data, consider governing how Anyone links are used: turning them off entirely, restricting them to view-only permission, or setting an expiration period for them.

When sharing files or folders, users have several link types to choose from. To reduce the risk of accidental inappropriate sharing, you can change the default link type presented to users when they share. For example, changing the default from Anyone links, which allow anonymous access, to People in your organization links reduces the risk of sensitive information being shared externally by mistake.
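The script below is an added example, not code from the original page, and covers the three SharePoint controls discussed above: a partner domain allow list, Anyone links limited to view-only with an expiration, and an internal default link type, followed by a stricter override for one sensitive site and an audit of which sites still permit Anyone links. It uses SharePoint Online Management Shell; the tenant name "contoso", the partner domains, and the site URL are placeholders.

```powershell
# Added example (not from the Microsoft page). Assumes SharePoint Online Management Shell
# and a SharePoint administrator account. Tenant "contoso", the partner domains and
# /sites/Finance are placeholders.

Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Snapshot the current settings so the change can be reviewed and rolled back.
$sharingProps = @(
    "SharingCapability", "SharingDomainRestrictionMode", "SharingAllowedDomainList",
    "DefaultSharingLinkType", "DefaultLinkPermission",
    "FileAnonymousLinkType", "FolderAnonymousLinkType", "RequireAnonymousLinksExpireInDays"
)
Get-SPOTenant | Select-Object $sharingProps | Format-List

# Tenant baseline. Anyone links stay available where the business needs them, but they
# cannot grant edit and they expire; the share dialog defaults to a link only people in
# the organization can use; guests may come only from the listed domains (space-separated;
# the Azure AD B2B allow list for Groups and Teams is set separately and must match).
$tenant = @{
    SharingCapability                 = "ExternalUserAndGuestSharing"
    FileAnonymousLinkType             = "View"
    FolderAnonymousLinkType           = "View"
    RequireAnonymousLinksExpireInDays = 30
    DefaultSharingLinkType            = "Internal"   # "People in your organization"
    DefaultLinkPermission             = "View"
    SharingDomainRestrictionMode      = "AllowList"
    SharingAllowedDomainList          = "fabrikam.com partner.example"
}
Set-SPOTenant @tenant

# Site holding sensitive data: no Anyone links at all, a narrower domain list, and
# "Specific people" as the default link. A site can be stricter than the tenant,
# never more permissive, so tightening here is always honored.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
    -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "fabrikam.com" `
    -DefaultSharingLinkType Direct -DefaultLinkPermission View

# Audit: every site that still lets users create Anyone links.
function Get-AnyoneLinkSites {
    Get-SPOSite -Limit All |
        Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
        Select-Object Url, SharingCapability
}
Get-AnyoneLinkSites
```

Re-run Get-AnyoneLinkSites periodically: site owners can loosen a site back up to whatever the tenant allows, so the tenant baseline is the ceiling and the audit is how you notice drift below it.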

If your organization has sensitive data that you need to share with guests, but you're concerned about inappropriate sharing, you can limit external sharing of files and folders to the members of specified security groups. In this way, you can restrict external sharing to a specific set of people, or require users to complete training on appropriate external sharing before they are added to the security group.

Groups and Teams have organization-level settings that allow or block guest access. Guest access can also be restricted for specific teams or groups by using PowerShell, but we recommend doing this with a sensitivity label instead: a label can allow or block guest access automatically whenever it is applied to a group, team, or site.

In an environment where you frequently invite guests to groups and teams, consider setting up regularly scheduled guest access reviews. Owners can be prompted to review guests in their groups and teams and approve or deny access.

Microsoft 365 offers many different methods of sharing information. If you have sensitive information and you want to restrict how it's shared, review the options for limiting sharing.

User management

As groups and teams evolve in your organization, a good practice is to review team and group membership on a regular basis. This is particularly useful for teams and groups with changing membership, those that contain sensitive information, or those that include guests. Consider setting up access reviews for these teams and groups.

Many organizations have business partnerships with other organizations or key vendors with whom they collaborate in depth. Managing these users and their access to resources can be challenging. Consider automating some of the user management tasks, and even transitioning some of them to the partner organization.

Private channels in Teams allow for scoped conversations and file sharing between a subset of team members. Depending on your specific business needs, you may want to allow or block this capability.

Additional resources:

Collaboration governance planning step-by-step

Create your collaboration governance plan

Security and compliance in Microsoft Teams

Manage sharing settings in SharePoint

Create and manage an external network in Yammer

Configure Teams with three tiers of protection