Restrict OneDrive Access by Security Groups

OneDrive for Business is a widely used choice for corporate cloud storage, but the more sensitive data it holds, the more it matters who can reach it.

Letting every licensed user create and use a OneDrive is therefore not the safest default when the goal is to keep this personal storage and its files confidential. Microsoft has recognized this and added a way to restrict OneDrive access to members of specified security groups. The change, announced in Microsoft 365 message center post MC671823, gives admins tighter control over who can use OneDrive at all, which reduces exposure from unauthorized access and from dormant accounts that still hold data.

Let’s look at what the “restrict OneDrive access to security groups” feature does and how to enable it.

Restrict OneDrive Access to Security Groups

Microsoft introduced the restricted access control policy for OneDrive to safeguard sensitive data by limiting who can use OneDrive and by cutting down on oversharing. When the policy is enabled, only members of the designated security groups can access OneDrive. Users who are not members can no longer open their own OneDrive or OneDrive content shared with them, even if they hold a OneDrive license.

License Required to Restrict OneDrive Access by Security Group

One of the following licenses is required to use restricted access control for OneDrive in your Microsoft 365 environment:

  • Microsoft Syntex – SharePoint Advanced Management
  • Office 365 E5/A5
  • Microsoft 365 E5/A5

How to Create Security Groups in Microsoft 365 Admin Center?

The policy is built on security groups, so before enabling it you need a group that holds the users who should keep OneDrive access. Here is how to create one in the Microsoft 365 admin center.

1. Navigate through the path below to create a security group in Microsoft 365.

Microsoft 365 Admin Center 🡢 Teams & groups 🡢 Active teams & groups 🡢 Security groups 🡢 Add a security group

Add a security group

2. Name the security group and give it a suitable description.
3. On the ‘Edit settings’ page you will see the option to allow Microsoft Entra (Azure AD) roles to be assigned to the group. This is optional and is not needed for restricting OneDrive access: a plain security group works. Only select it if you really intend to use the group for role assignments, because the setting cannot be changed after the group is created, and a role-assignable group can only have its membership managed by privileged role administrators.

Edit settings page

4. Finally, review the security group configurations and hit the “Create group” button.
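The same group can be created from the Microsoft Graph PowerShell SDK. The script below is an added example, not code from the original post; the group name and member UPNs are placeholders. It deliberately creates a plain security group (mail-disabled, security-enabled, not role-assignable) and prints the object ID you will need later.

```powershell
# Added example: create a plain security group for the OneDrive access policy and add members.
# Group name and member UPNs are placeholders; replace them with your own values.
Connect-MgGraph -Scopes "Group.ReadWrite.All", "User.Read.All"

$GroupName  = "OneDrive-Allowed-Users"                    # placeholder
$MemberUpns = @("alex@contoso.com", "sam@contoso.com")    # placeholder

# A mail-disabled, security-enabled group is all the feature needs.
# IsAssignableToRole is intentionally left unset: that flag is permanent and
# restricts who may manage the group's membership.
$Group = New-MgGroup -DisplayName $GroupName `
    -Description "Users allowed to access OneDrive for Business" `
    -MailEnabled:$false `
    -MailNickname ($GroupName -replace '[^A-Za-z0-9]', '') `
    -SecurityEnabled:$true

foreach ($Upn in $MemberUpns) {
    # Get-MgUser accepts a UPN as -UserId; we need the object ID for the member reference
    $User = Get-MgUser -UserId $Upn -Property Id, UserPrincipalName
    New-MgGroupMember -GroupId $Group.Id -DirectoryObjectId $User.Id
}

# Verify the membership; -All avoids the default page size cutting the list short
Get-MgGroupMember -GroupId $Group.Id -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# This ID is what you select in the admin center or pass to scripts later
"Group objectId: $($Group.Id)"
```

Run it once; New-MgGroup does not check for an existing group with the same display name, so a second run creates a duplicate.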

How to Restrict OneDrive Access by Security Group?

OneDrive is an efficient collaboration tool, but that same ease of sharing is how sensitive data ends up exposed to people, including guests, who should never have seen it. Restricting OneDrive to members of chosen security groups limits both who can use OneDrive and who can open content shared from it. Here is how to restrict OneDrive for Business access by security group.

1. Follow the path below to enable restricted OneDrive access and sharing by security groups.

SharePoint admin center 🡢 Policies 🡢 Access Control 🡢 Restrict OneDrive Access

2. Select the checkbox “Restrict OneDrive access to only users in specified security groups” to enable the feature.
3. Add the security group(s) you created, or any other security groups of your choice. You can add up to a maximum of 10 security groups to this policy.
4. Hit the “Save” button to limit OneDrive access to members of the added security groups.

Restrict OneDrive Access by Security Groups

5. After saving this configuration, a fly-out page appears to confirm restricted access to OneDrive by security groups.
Confirmation page to Restrict OneDrive access by security groups

From this point on, only members of the listed groups can use OneDrive; everyone else is locked out of their own OneDrive and of content shared from OneDrive.

Restrict OneDrive Access and Sharing by Security Groups Using PowerShell

If you do not have the license for the admin center policy, you can approximate it with the PowerShell script below. It needs both the SharePoint Online Management Shell (Connect-SPOService) and the Microsoft Graph PowerShell SDK (Connect-MgGraph); the script connects to both.

There is no direct cmdlet for this policy, so the script takes a different route: it retrieves every provisioned OneDrive for Business site, resolves the members of the chosen security group, and sets the lock state of each OneDrive whose owner is not a group member to NoAccess. A locked site is unreachable for everyone, including its owner, so the effect is close to the admin center policy for users who already have a OneDrive.

 # Requires the Microsoft Graph PowerShell SDK and the SharePoint Online Management Shell
 $GroupId = Read-Host "Enter the security group objectId"

 # Read-only Graph scopes are enough to enumerate users and group members
 Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All"
 Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # Replace the host name with your tenant admin URL

 # All provisioned OneDrive for Business sites; Owner holds the owner's user principal name
 $OnedriveSites = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"

 # Member UPNs, resolved transitively so nested groups count; -All avoids the default page limit
 $GroupMemberUpns = Get-MgGroupTransitiveMember -GroupId $GroupId -All |
     ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
     Where-Object { $_ }

 $Users = Get-MgUser -All -Property Id, UserPrincipalName

 foreach ($User in $Users)
 {
     # Anyone in the allowed group keeps their OneDrive untouched (-contains is case-insensitive)
     if ($GroupMemberUpns -contains $User.UserPrincipalName) { continue }

     # Lock this user's OneDrive; NoAccess blocks everyone, including the owner
     $OnedriveSites |
         Where-Object { $_.Owner -eq $User.UserPrincipalName } |
         Set-SPOSite -LockState NoAccess
 }

Replace the URL with your tenant’s SharePoint admin site URL and enter the security group’s object ID when prompted. Matching is done on the user principal name, so the site owner value returned by Get-SPOSite must match the Entra ID UPN (it normally does). The script only locks: a user who is added to the group later keeps a locked OneDrive until you run Set-SPOSite -LockState Unlock on it, so rerun a reconciliation after membership changes.

NOTE: This method cannot restrict users whose OneDrive for Business has not been provisioned yet; their OneDrive is created unlocked the first time they use it.
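Because the lock-only script above never unlocks, and cannot see users without a OneDrive, a re-runnable reconciliation pass is more useful in practice. The script below is an added example (not code from the original post): it computes the desired lock state for every OneDrive, prints what would change, applies the changes only when -Apply is given, and lists enabled users who have no OneDrive yet and are outside the group. The admin URL and group ID are placeholders.

```powershell
# Added example: reconcile OneDrive lock states against a security group.
# Save as Reconcile-OneDriveAccess.ps1; run without -Apply for a dry run.
param(
    [string]$AdminUrl = "https://contoso-admin.sharepoint.com",   # placeholder
    [string]$GroupId  = "00000000-0000-0000-0000-000000000000",   # placeholder
    [switch]$Apply                                                  # omit to only report
)

Connect-MgGraph -Scopes "User.Read.All", "GroupMember.Read.All"
Connect-SPOService -Url $AdminUrl

# Allowed owners, resolved transitively so nested groups count; UPNs compared case-insensitively
$Allowed = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
Get-MgGroupTransitiveMember -GroupId $GroupId -All |
    ForEach-Object { $_.AdditionalProperties['userPrincipalName'] } |
    Where-Object { $_ } |
    ForEach-Object { [void]$Allowed.Add($_) }

# Every provisioned OneDrive; LockState is Unlock, NoAccess or ReadOnly
$Sites = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"

# Desired state: members get Unlock (re-admits people added later), everyone else NoAccess
$Changes = foreach ($Site in $Sites) {
    $Desired = if ($Allowed.Contains([string]$Site.Owner)) { 'Unlock' } else { 'NoAccess' }
    if ($Site.LockState -ne $Desired) {
        [pscustomobject]@{ Owner = $Site.Owner; Url = $Site.Url; From = $Site.LockState; To = $Desired }
    }
}

"Planned changes: $(@($Changes).Count)"
$Changes | Format-Table -AutoSize

if ($Apply) {
    foreach ($Change in $Changes) {
        Set-SPOSite -Identity $Change.Url -LockState $Change.To
    }
}

# Enabled users outside the group with no OneDrive yet: a site lock cannot reach them,
# and their OneDrive will be created unlocked on first use unless the admin center policy is on
$Owners = [System.Collections.Generic.HashSet[string]]::new([string[]]$Sites.Owner, [StringComparer]::OrdinalIgnoreCase)
"Users outside the group with no OneDrive provisioned:"
Get-MgUser -All -Property UserPrincipalName, AccountEnabled |
    Where-Object {
        $_.AccountEnabled -and
        -not $Owners.Contains($_.UserPrincipalName) -and
        -not $Allowed.Contains($_.UserPrincipalName)
    } |
    Select-Object UserPrincipalName
```

Review the dry-run table first: ReadOnly sites (for example, during a retention hold or a tenant move) will show up as changes too, and you may want to exclude them before running with -Apply.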

Impact on Users Not in the Security Groups

Users who are not members of the specified security groups are denied access to their own OneDrive as well as to any OneDrive content shared with them. This applies even to content they had been granted access to before the policy was enabled.

They see an ‘Access Denied’ message stating that their account does not have permissions to access this resource.

Access denied due to Restrict OneDrive access by security groups feature

Imagine a situation where two users, A and B, are sharing files via OneDrive for Business. User A is a security group member, while User B is not part of this group.

  • Case 1: A Shares Files with B

When A shares files with B, who is not a member of the security group, B cannot open them because of the restricted OneDrive access policy. A can still access the files.

  • Case 2: B Shares Files with A

Suppose that before the policy was enabled, User B (not a member of the security group) had shared files from their OneDrive with User A. Once the policy is enforced, User A can still open those files, but User B loses access to them, along with the rest of their OneDrive, because B no longer has permission to use OneDrive at all.

In both cases, non-members of the security group end up unable to access OneDrive files or shared content, which is exactly the controlled access the policy is meant to enforce.

Monitor Restricted OneDrive Access and Sharing Events

Changes to the policy itself are recorded in the unified audit log, which you can search in the Microsoft Purview compliance portal. The following activities are available for auditing:

  • Enabled Restricted OneDrive access and sharing
  • Disabled Restricted OneDrive access and sharing
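The same events can be pulled with Exchange Online PowerShell, which is handy for alerting or for a scheduled check that nobody has quietly switched the policy off. The script below is an added example, not code from the original post. Two things in it are assumptions to confirm in your own tenant: that these admin center changes are recorded under the SharePoint record type, and the wildcard used to match the operation name (toggle the policy once in a test tenant and copy the exact Operations value from the result).

```powershell
# Added example: find who enabled or disabled "Restricted OneDrive access and sharing"
# in the last 90 days. RecordType and the operation-name pattern are assumptions; verify them.
Connect-ExchangeOnline

$Start     = (Get-Date).AddDays(-90)
$End       = Get-Date
$SessionId = "RestrictedOneDriveAccess-" + [guid]::NewGuid()
$PageSize  = 5000
$Events    = @()

# ReturnLargeSet pages through up to 50,000 results when the same SessionId is reused
do {
    $Page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
        -RecordType SharePoint `
        -SessionId $SessionId -SessionCommand ReturnLargeSet -ResultSize $PageSize
    $Events += $Page
} while (@($Page).Count -eq $PageSize)   # a short page means we have everything

$Events |
    Where-Object { $_.Operations -like '*Restricted*OneDrive*' } |   # assumed pattern, see lead-in
    ForEach-Object {
        $Data = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When      = $_.CreationDate
            Admin     = $_.UserIds
            Operation = $_.Operations
            Workload  = $Data.Workload
            ClientIP  = $Data.ClientIP
        }
    } |
    Sort-Object When -Descending |
    Format-Table -AutoSize
```

If you wire this into a scheduled task, treat any “Disabled” event that you did not plan as an incident: the policy only protects data while it is on.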

Audit Restrict OneDrive access and sharing


Microsoft’s introduction of updates for enhanced security, such as the ability to restrict OneDrive access by security groups, is undoubtedly beneficial. However, it’s essential to acknowledge that solely relying on this feature may not provide comprehensive security coverage.

This is where AdminDroid Microsoft 365 Reporter comes into play. It simplifies OneDrive monitoring and assists you in identifying every possible potential threat within your organization.

Level Up your OneDrive Security with AdminDroid Reports!

AdminDroid’s OneDrive auditing tool helps you to dive deep into the world of OneDrive activity. It offers granular reports on OneDrive file and folder activities, OneDrive company & anonymous links sharing, users’ sharing events, unusual external file activities, and more. It lends you a hand in shielding against potential cyber-security attacks, keeping you one step ahead.

But that’s not all! AdminDroid’s OneDrive reporting tool doesn’t just scratch the surface; it paints the whole picture of your organization’s OneDrive usage. It provides reports on OneDrive user activities, file-sharing activities, storage trends, active users, and many more, all to supercharge your OneDrive management.

AdminDroid OneDrive Reports
This powerful tool doesn’t stop at OneDrive; it covers a vast array of Microsoft 365 services, from Microsoft Entra ID and Exchange Online to MS Teams, SharePoint Online, Viva Engage, Power BI, and Stream. With over 1800 comprehensive reports and more than 30 smart dashboards at your fingertips, AdminDroid offers you seamless Microsoft 365 administration.

Above all, it’s packed with show-stopping features that will have you cheering. Through lightning-fast alerting, convenient scheduling, fine-tuned access delegation, and advanced customization filters, AdminDroid takes the weight off your shoulders of Microsoft 365 management.

Don’t wait – download AdminDroid now and dive into the expansive world of Microsoft 365 reports. And the best part? You can try it all out with a generous 15-day free trial!

Closing Thoughts

In conclusion, safeguarding your organization’s data integrity, security, and privacy is paramount. Restricting unauthorized access to OneDrive for Business is a crucial step towards achieving these goals and ensuring compliance. Apart from enabling restricted OneDrive access by security groups, you can also use block download policy in OneDrive to prevent unauthorized individuals from gaining access to sensitive information and maintain a tight grip on privacy within your organization.

Furthermore, integrating SharePoint and OneDrive with Azure AD B2B and monitoring OneDrive activity reports allows you to stay vigilant and proactive in safeguarding shared content, thus enhancing overall data security.

We hope that this blog has provided a clear understanding of how to effectively restrict OneDrive for Business access by security groups and enhance your organization’s data protection efforts. We encourage you to share your experiences and thoughts on this topic in the comments section.


by Shan