Today I’m going to dig into sharing in OneDrive for Microsoft 365. This topic comes up often because, while sharing seems straightforward on the surface, there are a multitude of layers. OneDrive sharing isn’t just about the settings in OneDrive; it’s driven by options all over your Microsoft 365 tenant. While I’m not going to dive into all of the options, I do want to discuss some settings you might not be aware of.
Microsoft settings go from the top down. In other words, your highest level (Tenant level) has to be as permissive as you need your lowest level (Files and Folders) to be. If you’ve worked with Microsoft permissions before, this model should make sense, but if you haven’t, it can seem a little backwards. Even if you have worked with Microsoft permissions before, though, it can be confusing to see how Azure Active Directory fits in.
With every company having vastly different needs, there’s no one-size-fits-all best way to set up sharing, so we’ll just go over some basics. We are going to cover settings in Azure Active Directory, the Microsoft 365 admin center and the SharePoint admin center, as well as restricting an individual user’s OneDrive settings.
First, let’s go over the basic differences between internal sharing and guest sharing. Internal sharing is the most straightforward. Internal users can share documents with other internal users, as this is how we collaborate. There is no way to turn off all internal sharing at the Tenant/AAD level. Guest sharing is similar to internal sharing from a user perspective, but administrators have a lot more control over the who, what, when, and where. They have the ability to block or allow specific domains, set global guest rights, or block external guests altogether.
*Some internal sharing may be barred at the individual or group level.
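
To make the top-down model concrete, here is an added example (not from the original post) that treats the tenant's external sharing level as a ceiling and reports which OneDrive sites are capped by it. The function name `Get-EffectiveSharing`, the `contoso` URLs and the sample values are constructed for illustration; the level names are the `SharingCapability` values used by the SharePoint Online Management Shell.

```powershell
# Sharing levels ranked from least to most permissive.
$Rank = @{
    Disabled                        = 0  # only people in the organization
    ExistingExternalUserSharingOnly = 1  # guests already in the directory
    ExternalUserSharingOnly         = 2  # new and existing guests, sign-in required
    ExternalUserAndGuestSharing     = 3  # "Anyone" links
}

# Hypothetical helper: returns the level that actually applies to a site.
function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$TenantLevel,
        [Parameter(Mandatory)][string]$SiteLevel
    )
    foreach ($level in $TenantLevel, $SiteLevel) {
        if (-not $Rank.ContainsKey($level)) { throw "Unknown sharing level: $level" }
    }
    # The tenant is the ceiling: the more restrictive of the two values wins.
    if ($Rank[$SiteLevel] -le $Rank[$TenantLevel]) { $SiteLevel } else { $TenantLevel }
}

# Constructed sample data. In a live tenant the values would come from:
#   (Get-SPOTenant).SharingCapability
#   Get-SPOSite -IncludePersonalSite $true -Limit All | Select-Object Url, SharingCapability
$tenantLevel = 'ExternalUserSharingOnly'
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/alice_contoso_com'
                       SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/bob_contoso_com'
                       SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/carol_contoso_com'
                       SharingCapability = 'Disabled' }
)

# Report configured vs. effective level and flag sites limited by the tenant setting.
$sites | ForEach-Object {
    $effective = Get-EffectiveSharing -TenantLevel $tenantLevel -SiteLevel $_.SharingCapability
    [pscustomobject]@{
        Url            = $_.Url
        Configured     = $_.SharingCapability
        Effective      = $effective
        CappedByTenant = ($effective -ne $_.SharingCapability)
    }
} | Format-Table -AutoSize
```

A site flagged as capped is one whose own setting asks for more than the tenant allows, which is the situation that makes the model seem backwards when a per-user change appears to have no effect.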