OneDrive for Business, often seen as personal cloud storage within Microsoft 365, plays a crucial role in modern workplaces. It stands as a foundation for seamless file sharing, increased productivity, and a centralized hub for essential data.

However, the collaborative nature of this platform exposes it to various threats, including data oversharing, unmanaged device access, data sharing to untrusted domains, etc. Thus, administrators need to understand and implement strong security measures to protect OneDrive data.

In this blog, we will explore the best OneDrive for Business security practices in Microsoft 365, highlighting pivotal settings and measures to fortify your digital workspace.

Fundamental OneDrive for Business Security Practices

Before delving into crucial security practices, it’s essential to know the foundational OneDrive best practices and configurations that every organization should follow. These configurations are vital for heightened OneDrive security.

  1. Enforce Strong Microsoft 365 Passwords:

Prioritize strong passwords to prevent password compromise attempts. You can improve password security by checking and boosting users’ password strength through the following measures.

  1. Encourage OneDrive Users to Add Security Info:

Admins should encourage Microsoft 365 OneDrive users to boost their account security by incorporating security info into their accounts. It involves adding a phone number, alternate email address, and security questions as additional identity verification details. This proactive step ensures users to recover their accounts easily in case of a forgotten password or potential security breach.

  1. Set up Multi-factor Authentication:

Protect your Microsoft 365 users from credential theft by implementing two-factor authentication. This extra layer of security blocks unauthorized access, even if the user credentials are compromised. Thus, it is essential to set up multi-factor authentication for OneDrive users to improve overall Microsoft 365 security.

  1. Enable Data Encryption for OneDrive Mobile Apps:

For enhanced security, advise your users to enable encryption on their iOS or Android devices. It helps to protect sensitive OneDrive files if the mobile device is lost or stolen or unauthorized access occurs.

Essential OneDrive for Business Security Practices

Explore the key OneDrive security best practices outlined below. These security measures are crucial for protecting sensitive data, ensuring compliance, maintaining business continuity, and preventing unauthorized access or data loss due to various threats in OneDrive.

  1. Manage organization-wide external sharing in OneDrive for Business
  2. Limit external sharing for per-user in OneDrive
  3. Restrict OneDrive for Business access from unmanaged devices
  4. Allow access only from specific IP address
  5. Sign-out inactive browser sessions
  6. Restrict OneDrive for Business access by security groups
  7. Create a data loss prevention policy
  8. Set up a OneDrive retention policy
  9. Configure notifications for OneDrive file activity


1. Manage Organization-Wide External Sharing in OneDrive for Business

The SharePoint admin center provides organization-wide sharing controls to manage data access in OneDrive for Business. However, the default external sharing settings “Anyone” may unintentionally expose data due to liberal permissions. So, a vital OneDrive for Business security practice involves monitoring and configuring external sharing settings.

In the SharePoint admin center, you can limit external sharing in OneDrive by domain, set up expiration dates, and control various other external sharing settings for data protection.

Manage external sharing as one of the OneDrive for Business security practices


2. Limit External Sharing for Per-User in OneDrive

OneDrive for Business often stores critical and sensitive business data, including financial records, intellectual property, and customer information. Despite having organization-wide settings in place, it’s essential to utilize additional control over users’ external sharing permissions, especially when dealing with confidential data.

For instance, consider when a team member is working on a sensitive project that involves customers’ private information such as social security numbers. In such cases, you might need to tighten their OneDrive external sharing capabilities. Here’s how to do that:

  1. Sign in to the Microsoft 365 admin center.
  2. Go to the “Users” drop-down and select “Active users”.
  3. Choose the specific user you wish to manage external sharing settings.
  4. Navigate to the “OneDrive” tab, and under “Sharing”, click on “Manage external sharing”.
  5. Adjust the external sharing level as needed and click “Save”.
Limit external sharing for per-user in OneDrive


3. Restrict OneDrive for Business Access from Unmanaged Devices

It’s vital to prevent users accessing OneDrive from unmanaged devices found in public places like airports or hotels. These devices pose a higher risk of data loss when connected to insecure networks. To restrict user access from unmanaged devices, follow these steps:

  1. Navigate to “Access control” under “Policies” in the SharePoint admin center, select “Unmanaged devices.”
  2. Click “Block access” and then “Save.”
Restrict unmanaged devices

NOTE: The policy may take up to 24 hours to activate and will not affect unmanaged devices already signed in.

The setting discussed above applies to all organization users. To restrict a specific user access in OneDrive, you can use Conditional Access policies to block unmanaged devices.

To set up Conditional Access (CA) policies, you need Azure AD P1 or P2 licenses. Besides these methods, you can also limit unmanaged devices by using OneDrive sync to allow synchronization only with specific domains. This reduces the potential risks of synchronizing with unknown PCs. Additionally, you can also block the upload of specific file types to prevent potential data loss and security breaches.

OneDrive for Business security practices OneDrive sync option


4. Allow Access Only from Specific IP Address

Users accessing OneDrive from unfamiliar locations might indicate an account compromise or security breach. Thus, setting up a location-based policy is essential to avoid data exposure.

Define a trusted network boundary with specific IP addresses to block unauthorized access. This policy restricts users from accessing OneDrive outside the configured boundary, including web browsers, desktop apps, and mobile apps on any device.

Location-based access OneDrive for Business security practices

NOTE: When configuring a network location-based policy for OneDrive, it’s crucial to have concern about prominent considerations.


5. Sign-out Inactive Browser Sessions

Blocking access automatically for OneDrive inactive users is crucial for security and efficient data management. When employees leave the organization or an account is compromised, there’s a risk that sensitive company data may be accessed by former employees or by attackers. That’s why signing out inactive users in OneDrive is important to reduce the attack surface. To do this:

  1. Visit “Access control” in the SharePoint admin center and select “Idle session sign-out.”
  2. Turn on “Sign out inactive users automatically”, choose when users should sign out, and set the number of warnings before blocking.
  3. Click “Save.”

By blocking access for inactive OneDrive sessions, you can minimize the risk of outdated or abandoned data.

Idle session sign out


6. Restrict OneDrive for Business Access by Security Groups

Microsoft’s new restricted access control policy, a notable security best practice for OneDrive, limits access to specific security groups to enhance security and prevents data oversharing. It allows designated security group members to access their OneDrive accounts. Non-members won’t have access to their own content or shared content in OneDrive, even with adequate OneDrive licenses.

Restrict OneDrive access by security groups


7. Create a Data Loss Prevention Policy

Data Loss Prevention (DLP) prevents unauthorized sharing of sensitive information and ensures secure data handling in Microsoft 365. It performs in-depth content analysis to identify sensitive items and blocks users from sharing them to others. To safeguard critical OneDrive accounts and information, create a data loss prevention policy in your organization.


8. Set Up a OneDrive Retention Policy

In an unforeseen condition or account compromise, backing up data is essential. To address this, implementing a retention policy on OneDrive becomes crucial. This policy allows organizations to retain the user’s files for a specified period post account deletion. It ensures essential data is preserved for forensic analysis and other purposes without compromising Microsoft 365 security.

To set up a OneDrive retention policy, follow the steps below:

  1. In the SharePoint admin center, go to “Settings.”
  2. Select “Retention” and specify the desired retention period (30 to 3650 days).
  3. Click “Save.”
OneDrive retention policy


9. Configure Notifications for OneDrive File Activity

Enabling user notifications for OneDrive file activity informs users about shared files, changes to anonymous links, and file resharing. It works seamlessly across different devices and apps, enhancing your overall security posture.

To configure OneDrive notifications, open “Settings” in the SharePoint admin center and choose “Notifications”. Check the box for “Allow notifications” and click “Save.”

Notifications one of the best OneDrive for Business security practices


Finally, I hope this blog has provided a comprehensive overview of essential OneDrive best practices for improving security. Configuring OneDrive vital security settings and monitoring OneDrive reports in Microsoft 365 helps admins to step up overall OneDrive management. Share your thoughts and queries in the comments section. Thanks for reading!