How-To Guide: Configuring Access Control for Files and Folders in Microsoft OneDrive

In today's digital landscape, ensuring the security of sensitive information is a top priority for organizations of all sizes. Microsoft OneDrive, as a key component of the Microsoft 365 ecosystem, plays a critical role in file storage, sharing, and collaboration. However, without proper access controls, sensitive data can be exposed to unauthorized users, leading to potential data breaches, compliance violations, and reputational harm.

To address these challenges, Microsoft consolidated its compliance and data governance tools into the Microsoft Purview platform in April 2022, renaming the Microsoft 365 compliance center the Microsoft Purview compliance portal. The portal centralizes sensitivity labels, data loss prevention (DLP), auditing and related controls. The original navigation paths still work (they redirect into Purview), so both sets of instructions below reach the same underlying settings; Purview adds centralized management and reporting on top.

This guide provides step-by-step instructions for both methods, so that users familiar with the original process can keep using it while taking advantage of the newer Purview features. Whether you're safeguarding client information, internal documents, or Personally Identifiable Information (PII), this guide helps bring your OneDrive environment in line with best practices and regulatory requirements.

For those following the original process:

Step 1: Set Up Sensitivity Labels

Why: Classify files and folders to enforce security policies based on their sensitivity (e.g., Public, Internal, Confidential, PII).

  1. Enable Sensitivity Labels: Go to the Microsoft 365 Compliance Center (it now redirects to the Microsoft Purview compliance portal). Navigate to Information Protection > Labels. Create labels such as: Public: For files that can be shared widely. Internal: For internal company use only. Confidential: For sensitive data. Highly Confidential (PII): For Personally Identifiable Information. For the top tier, turn on encryption in the label so protection travels with the file rather than depending on where it is stored.
  2. Publish Sensitivity Labels: After creating labels, publish them to your organization to make them available for use.
  3. Apply Sensitivity Labels: Open the file in a Microsoft 365 app (Word, Excel, PowerPoint, Outlook) and pick the label from the Sensitivity button on the Home tab; in OneDrive on the web, once sensitivity labels for Office files are enabled for SharePoint and OneDrive, select the file, open the details pane, and set the Sensitivity field. Note that a OneDrive folder itself cannot carry a sensitivity label (container labels apply to SharePoint sites and Microsoft 365 Groups), so a "Confidential" folder is only as protected as the labels on the files inside it and the sharing settings on that OneDrive.


Step 2: Configure Sharing Settings

Why: Control how files and folders are shared to prevent unauthorized access.

  1. Restrict External Sharing: Go to the Microsoft 365 Admin Center and open the SharePoint Admin Center, then Policies > Sharing. The page has separate sliders for SharePoint and OneDrive; the OneDrive setting can be equal to or stricter than the SharePoint setting, never more permissive. Configure sharing to: Restrict sharing to specific domains (e.g., partner companies). Require external users to authenticate (set the slider to "New and existing guests" or stricter, which removes the "Anyone" option).
  2. Limit Anonymous Links: Set the default link type to "Specific people" or "Only people in your organization" so new links require sign-in unless the user deliberately chooses otherwise. Disable "Anyone with the link" entirely for sensitive data, or at minimum restrict Anyone links to view-only.
  3. Set Link Expiration: Require "Anyone" links to expire after a fixed number of days and set guest access to expire unless renewed, so forgotten links and dormant guest accounts do not linger.
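The same Step 2 settings applied with the SharePoint Online Management Shell rather than the admin center. This is an added example, not code from the original guide; it assumes a tenant named contoso and partner domains partner.com and fabrikam.com, which you should replace with your own. Driving the settings from a script makes them reviewable, repeatable and easy to diff against a baseline.

```powershell
# Added example: Step 2 sharing settings via the SharePoint Online Management Shell.
# Assumptions: tenant "contoso"; partner domains partner.com and fabrikam.com.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$props = 'SharingCapability', 'OneDriveSharingCapability', 'SharingDomainRestrictionMode',
         'SharingAllowedDomainList', 'DefaultSharingLinkType', 'DefaultLinkPermission',
         'RequireAnonymousLinksExpireInDays', 'ExternalUserExpirationRequired', 'ExternalUserExpireInDays'

# Snapshot the current values so the change can be reverted.
$before = Get-SPOTenant | Select-Object $props
$before | Export-Clixml -Path '.\spo-sharing-before.xml'

$sharing = @{
    SharingCapability                 = 'ExternalUserSharingOnly'  # guests must sign in; removes "Anyone" links
    OneDriveSharingCapability         = 'ExternalUserSharingOnly'  # must be equal to or stricter than SharePoint
    SharingDomainRestrictionMode      = 'AllowList'
    SharingAllowedDomainList          = 'partner.com fabrikam.com' # space-separated allow list
    DefaultSharingLinkType            = 'Direct'                   # new links default to "Specific people"
    DefaultLinkPermission             = 'View'                     # ... and to read-only
    RequireAnonymousLinksExpireInDays = 30                         # only relevant if Anyone links are ever re-enabled
    ExternalUserExpirationRequired    = $true                      # guest access lapses unless an owner renews it
    ExternalUserExpireInDays          = 60
}
Set-SPOTenant @sharing

# Verify by reading the tenant back rather than trusting the call succeeded.
$after = Get-SPOTenant | Select-Object $props
foreach ($p in $props) {
    if ("$($after.$p)" -ne "$($sharing[$p])") {
        Write-Warning "$p is '$($after.$p)', expected '$($sharing[$p])'"
    }
}

# Per-user exception: turn external sharing off completely for one OneDrive (e.g. an HR account).
# Set-SPOSite -Identity 'https://contoso-my.sharepoint.com/personal/jdoe_contoso_com' -SharingCapability Disabled
```

Tenant-level changes can take a few minutes to propagate, so a warning from the verification loop immediately after `Set-SPOTenant` is worth re-checking before treating it as a failure. Keep the exported snapshot with your change record; it is the rollback.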


Step 3: Manage Folder Permissions

Why: Ensure users have the appropriate level of access based on their roles.

  1. Set Permissions for Folders: Open the folder in OneDrive, right-click it (or select it and use the "..." menu), and choose Manage Access. The panel lists both the people and the links that currently grant access. Assign permissions: Use View (Can view) for read-only access. Use Edit (Can edit) for users who need to make changes. Remove unnecessary access, including any organization-wide link or "Everyone"-style group; removing a link revokes access for everyone who relied on it.
  2. Use Groups for Permissions: Instead of assigning permissions to individual users, use security groups (e.g., HR, Finance) to simplify management.


Step 4: Enforce Conditional Access Policies

Why: Restrict access based on device compliance, location, and risk level.

  1. Set Up Conditional Access in Azure AD (now Microsoft Entra ID; Conditional Access requires an Entra ID P1 license): Open Azure Active Directory > Security > Conditional Access. Create policies to: Require Multi-Factor Authentication (MFA) for all OneDrive users. Block access from locations outside your named trusted locations. Allow full access only from compliant or hybrid-joined devices.
  2. Test Policies: Create each policy in report-only mode first and review the sign-in log for what it would have blocked, exclude at least one break-glass (emergency access) account from every policy, and only then switch the policy to On.


Step 5: Implement Data Loss Prevention (DLP) Policies

Why: Prevent sensitive data from being shared inappropriately.

  1. Create DLP Policies: Go to the Microsoft 365 Compliance Center. Navigate to Data Loss Prevention > Policies. Create a new policy to: Detect sensitive information (e.g., SSNs, credit card numbers). Block or warn users when they attempt to share such information externally.
  2. Monitor Policy Violations: Set up alerts for DLP policy violations. Review logs regularly to ensure compliance.


Step 6: Enable Logging and Monitoring

Why: Track access and changes to files for auditing and incident response.

  1. Enable Audit Logging: In the Microsoft 365 Compliance Center (Purview), open Audit. Unified audit logging is on by default in current tenants, but confirm it; if you see a "Start recording user and admin activity" banner, enable it. Once on, OneDrive file access, download, sharing and modification events (FileAccessed, FileDownloaded, SharingSet, AnonymousLinkCreated and similar) are recorded automatically.
  2. Monitor Activity: Use Microsoft Defender for Cloud Apps (its built-in anomaly detection policies cover these cases) to monitor unusual activity, such as: Bulk file downloads by a single user. Access from anonymous or otherwise untrusted IP addresses.


Step 7: Block Syncing to Unmanaged Devices

Why: Prevent sensitive files from being stored on insecure personal devices.

  1. Restrict Syncing: The standalone OneDrive admin center has been retired; its settings now live in the SharePoint admin center. Under Policies > Access control > Unmanaged devices, choose "Allow limited, web-only access" or "Block access" (this only takes effect alongside a matching Conditional Access policy, see Step 4). Under Settings, open the Sync settings and allow syncing only from computers joined to specific domains.
  2. Require Device Compliance: Define an Intune compliance policy (disk encryption, antivirus, minimum OS version) and require a compliant or hybrid-joined device in Conditional Access. The domain-join sync restriction above only covers Windows PCs joined to your Active Directory domains; Entra-joined machines and mobile devices are covered by the compliance requirement.
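The Step 7 settings applied from the SharePoint Online Management Shell. This is an added example, not part of the original guide; it assumes a tenant named contoso, and the domain GUID is a placeholder you must replace with your own.

```powershell
# Added example: Step 7 via the SharePoint Online Management Shell.
# Assumptions: tenant "contoso"; the domain GUID below is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Browser access from unmanaged devices: web-only (no download, print or sync).
# This only takes effect when an Entra Conditional Access policy targeting Office 365
# carries the "Use app enforced restrictions" session control; without it nothing changes.
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess   # or BlockAccess to refuse them outright

# Sync client: only Windows PCs joined to the listed AD domains may sync.
# The setting takes domain GUIDs, not names. On a domain-joined machine with the
# ActiveDirectory module installed: (Get-ADDomain).ObjectGUID.Guid
[guid[]]$allowedDomains = @('11111111-2222-3333-4444-555555555555')   # placeholder
Set-SPOTenant -IsUnmanagedSyncClientForTenantRestricted $true `
              -AllowedDomainListForSyncClient $allowedDomains

# Read back the effective settings.
Get-SPOTenant | Select-Object ConditionalAccessPolicy, IsUnmanagedSyncClientForTenantRestricted, AllowedDomainListForSyncClient
```

Machines already syncing from a disallowed domain are disconnected the next time the sync client refreshes policy, but the files already on disk stay there; pair this control with device encryption and the DLP policy from Step 5 rather than treating it as a retroactive wipe.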


Step 8: Review and Update Access Controls Regularly

Why: Ensure permissions remain aligned with current organizational needs.

  1. Conduct Regular Audits: Review who has access to sensitive files and folders. Remove unnecessary or outdated permissions.
  2. Automate Permission Reviews: Use Access Reviews in Azure AD (Entra ID Governance; requires an Entra ID P2 or Governance license) to have group owners periodically recertify membership of the groups that grant OneDrive access, with members removed automatically when a review lapses.
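A periodic review script covering Step 3 (who has access) and Step 8 (removing stale access) for every OneDrive in the tenant, using the SharePoint Online Management Shell. This is an added example, not code from the original guide; it assumes a tenant named contoso and treats 90 days as the staleness threshold.

```powershell
# Added example: review of external access to every OneDrive in the tenant.
# Assumptions: tenant "contoso"; 90 days as the staleness threshold.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Every OneDrive is a "personal site" on the -my.sharepoint.com host.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $oneDrives) {
    # External (guest) accounts granted access to anything inside this OneDrive.
    $guests = Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50
    foreach ($g in $guests) {
        [pscustomobject]@{
            OneDrive    = $site.Url
            Owner       = $site.Owner
            Guest       = $g.Email
            AcceptedAs  = $g.AcceptedAs
            InvitedOn   = $g.WhenCreated
            GuestId     = $g.UniqueId
            SiteSharing = $site.SharingCapability   # per-OneDrive override of the tenant setting
        }
    }
}
$report | Sort-Object InvitedOn | Export-Csv -Path '.\onedrive-external-access.csv' -NoTypeInformation

# Guests older than the threshold are the first candidates for removal.
$stale = $report | Where-Object { $_.InvitedOn -lt (Get-Date).AddDays(-90) }
$stale | Format-Table OneDrive, Guest, InvitedOn -AutoSize

# Acting on a finding:
#   Get-SPOUser -Site $row.OneDrive                       # shows the login names used below
#   Remove-SPOUser -Site $row.OneDrive -LoginName <login> # revoke from that OneDrive only
#   Remove-SPOExternalUser -UniqueIDs $row.GuestId        # remove the guest from the tenant entirely
```

This surfaces guest accounts only. Over-sharing inside the organization (company-wide links, named internal users) is not visible here; for that, use the SharingSet and SecureLinkCreated audit events from Step 6 or the owner's Manage Access panel on the folder.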


Step 9: Provide User Training

Why: Ensure employees understand access control policies and their role in protecting data.

  1. Train Users: Educate users about OneDrive sharing settings, sensitivity labels, and DLP policies.
  2. Test Awareness: Conduct phishing simulations or policy compliance quizzes to reinforce training.


For those leveraging Microsoft Purview:

Step 1: Access the Microsoft Purview Portal

  1. Sign In: Navigate to the Microsoft Purview compliance portal. Use your organizational credentials to sign in.
  2. Navigate to Information Protection: In the left-hand navigation pane, select Information Protection.


Step 2: Create and Publish Sensitivity Labels

Sensitivity labels help classify and protect your organization's data.

  1. Create a Sensitivity Label: In the Information Protection section, select Labels. Click on + Create a label. Provide a Name and Description for the label (e.g., Confidential, Internal). Configure the desired settings, such as encryption and content marking.
  2. Publish the Label: After creating the label, navigate to the Label policies tab. Click on + Publish labels. Select the labels you want to publish and specify the users or groups to whom the labels should be available. Configure policy settings, such as default label and mandatory labeling. Review and finalize the policy.

For detailed instructions, refer to Microsoft's documentation on creating and publishing sensitivity labels.
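The label set and publishing policy from Step 1 of the original process and Step 2 of the Purview process, created with Security & Compliance PowerShell, which writes to the same backend the Purview portal does. This is an added example, not code from the original guide or from Microsoft's documentation; it assumes the tenant domain contoso.com and the label names used above.

```powershell
# Added example: sensitivity labels and a label policy via Security & Compliance PowerShell.
# Assumptions: tenant domain contoso.com; label names as in the guide.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # same backend the Purview portal writes to

$labels = @(
    @{ Name = 'Public';              Tooltip = 'May be shared outside the organization.' }
    @{ Name = 'Internal';            Tooltip = 'Internal use only; do not share externally.' }
    @{ Name = 'Confidential';        Tooltip = 'Sensitive business data; restricted distribution.' }
    @{ Name = 'Highly Confidential'; Tooltip = 'PII or regulated data; encrypted, internal only.' }
)
foreach ($l in $labels) {
    if (-not (Get-Label -Identity $l.Name -ErrorAction SilentlyContinue)) {
        New-Label -Name $l.Name -DisplayName $l.Name -Tooltip $l.Tooltip | Out-Null
    }
}

# Highly Confidential: encryption travels with the file, so it stays protected after a
# download or an over-broad share; the header makes the classification visible to readers.
$hc = @{
    Identity                           = 'Highly Confidential'
    EncryptionEnabled                  = $true
    EncryptionProtectionType           = 'Template'
    EncryptionRightsDefinitions        = 'contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,OBJMODEL'  # internal users, no Full Control
    EncryptionOfflineAccessDays        = 7        # re-check rights weekly, so revoking a user bites within 7 days
    ApplyContentMarkingHeaderEnabled   = $true
    ApplyContentMarkingHeaderText      = 'HIGHLY CONFIDENTIAL - PII'
    ApplyContentMarkingHeaderFontColor = '#FF0000'
}
Set-Label @hc

# Publish all four labels to everyone; lowering a label requires a justification,
# which lands in the audit log as a reviewable event.
$policy = @{
    Name               = 'Global label policy'
    Labels             = 'Public', 'Internal', 'Confidential', 'Highly Confidential'
    ExchangeLocation   = 'All'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    AdvancedSettings   = @{ RequireDowngradeJustification = 'true' }
}
New-LabelPolicy @policy

Get-Label | Format-List Name, Priority, Tooltip

# SharePoint and OneDrive only read labels on Office files once AIP integration is on for the tenant:
#   Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'; Set-SPOTenant -EnableAIPIntegration $true
```

The rights string deliberately omits OWNER, so even internal users cannot strip the protection; if you need an exceptions group with full control, add it as a second `user:rights` entry separated by a semicolon. Label and policy changes can take up to 24 hours to reach clients.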


Step 3: Configure Data Loss Prevention (DLP) Policies

DLP policies help prevent the unintentional sharing of sensitive information.

  1. Create a DLP Policy: In the Purview portal, select Data Loss Prevention. Click on + Create policy. Choose a template that matches your requirements (e.g., U.S. Financial Data). Define the policy settings, including: Locations: Specify OneDrive accounts to apply the policy. Conditions: Set conditions to detect sensitive information types. Actions: Determine actions when a policy match occurs (e.g., restrict access, notify user).
  2. Review and Finalize: Review the policy settings, choose to run the policy in test mode (with policy tips) first so you can inspect matches before anything is blocked, and click Submit. Switch it to enforcement once the matches look right.

For more information, see Microsoft's guide on creating DLP policies.
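The DLP policy from Step 5 of the original process and Step 3 of the Purview process, created with Security & Compliance PowerShell. This is an added example, not code from the original guide or Microsoft's documentation; the sensitive information type names are Microsoft's built-in ones, and the policy and rule names are assumed.

```powershell
# Added example: OneDrive DLP policy via Security & Compliance PowerShell.
# Assumptions: policy/rule names below; built-in sensitive information types.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$policyName = 'OneDrive - PII external sharing'

# Start in test mode: policy tips and incident reports fire, nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName -OneDriveLocation All -Mode TestWithNotifications `
    -Comment 'Prevents SSNs and payment card numbers in OneDrive from being shared outside the organization'

$rule = @{
    Name                                = 'Block PII shared with people outside the organization'
    Policy                              = $policyName
    ContentContainsSensitiveInformation = @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
        @{ Name = 'Credit Card Number';                minCount = '1' }
    )
    AccessScope                         = 'NotInOrganization'   # fires only when a guest or Anyone link can reach the file
    BlockAccess                         = $true
    BlockAccessScope                    = 'PerUser'             # owner keeps access; external principals are cut off
    NotifyUser                          = 'Owner'
    NotifyPolicyTipCustomText           = 'This file contains PII and cannot be shared outside the organization.'
    GenerateIncidentReport              = 'SiteAdmin'
    IncidentReportContent               = 'All'
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @rule

Get-DlpComplianceRule -Policy $policyName | Format-List Name, AccessScope, BlockAccess, BlockAccessScope

# After reviewing the matches (Activity explorer / DLP alerts), enforce it:
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Scoping the rule to `NotInOrganization` is what keeps it from interfering with normal internal collaboration: a file full of SSNs shared with a colleague is not a match, the same file shared with a guest or via an Anyone link is. Add a second rule with `AccessScope = 'InOrganization'` and `NotifyUser` only if you also want internal over-sharing flagged without blocking it.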


Step 4: Implement Conditional Access Policies

Conditional Access policies control access to your organization's resources based on specific conditions.

  1. Access Azure Active Directory: In the Azure portal, navigate to Azure Active Directory > Security > Conditional Access (Azure AD is now Microsoft Entra ID; the same blade is reachable from the Microsoft Entra admin center under Protection > Conditional Access).
  2. Create a New Policy: Click on + New policy. Provide a Name for the policy. Under Assignments, specify: Users or workload identities: Select users or groups. Cloud apps or actions: Choose Office 365 or specific applications. Conditions: Define conditions like sign-in risk or device platform.
  3. Define Access Controls: Under Access controls, set Grant controls, such as requiring multi-factor authentication (MFA) or compliant devices.
  4. Enable and Review: Set the policy to Report-only, review the settings, and click Create. After checking the sign-in logs for the users and devices the policy would have affected, and confirming your break-glass accounts are excluded, switch it to On.

Detailed guidance is available in Microsoft's documentation on Conditional Access.
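The Conditional Access policies described in Step 4 of both procedures, created with Microsoft Graph PowerShell. This is an added example, not code from the original guide or from Microsoft's documentation; the two object IDs are placeholders for a break-glass group and a trusted named location in your own tenant.

```powershell
# Added example: Conditional Access policies for OneDrive via Microsoft Graph PowerShell.
# Assumptions: the two object IDs are placeholders (break-glass group, trusted named location).
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroup = '00000000-0000-0000-0000-000000000001'   # emergency-access accounts, excluded from every policy
$trustedLocation = '00000000-0000-0000-0000-000000000002'   # Entra named location for corporate egress IPs

# Shared scope: all users except break-glass, all client apps, the Office 365 app group (includes OneDrive).
function New-Scope {
    @{
        users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroup) }
        applications   = @{ includeApplications = @('Office365') }
        clientAppTypes = @('all')
    }
}

$policies = @(
    # 1. MFA everywhere.
    @{
        displayName   = 'CA01 - Office 365 - Require MFA'
        state         = 'enabledForReportingButNotEnforced'   # report-only until the sign-in log shows no collateral
        conditions    = New-Scope
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    }
    # 2. Outside trusted locations, only Intune-compliant or hybrid-joined devices get in.
    @{
        displayName   = 'CA02 - Office 365 - Untrusted location requires managed device'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = (New-Scope) + @{ locations = @{ includeLocations = @('All'); excludeLocations = @($trustedLocation) } }
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
    # 3. Hand browser sessions to SharePoint's app-enforced restrictions. Combined with
    #    Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess, unmanaged devices get web-only access.
    @{
        displayName     = 'CA03 - Office 365 - App enforced restrictions'
        state           = 'enabledForReportingButNotEnforced'
        conditions      = New-Scope
        sessionControls = @{ applicationEnforcedRestrictions = @{ isEnabled = $true } }
    }
)

$created = foreach ($p in $policies) { New-MgIdentityConditionalAccessPolicy -BodyParameter $p }
$created | Select-Object DisplayName, State, Id

# Promote one policy after reviewing its report-only results:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created[0].Id -BodyParameter @{ state = 'enabled' }
```

Read the three together: CA02 refuses unmanaged devices off the corporate network outright, so CA03's limited web-only mode is what an unmanaged device sees from inside a trusted location. Every policy excludes the break-glass group, and all three start in report-only; promote them one at a time rather than flipping all three to enabled in a single change.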


Step 5: Monitor and Review Access Controls

Regular monitoring ensures that access controls remain effective and compliant.

  1. Access Audit Logs: In the Purview portal, navigate to Audit. Search and filter logs to review activities related to file access and sharing.
  2. Review Alerts: Set up and monitor alerts for unusual activities, such as mass file deletions or external sharing.
  3. Conduct Regular Audits: Periodically review user access and sharing settings to ensure compliance with organizational policies.

For more information, refer to Microsoft's audit log search documentation.
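The checks from Step 6 of the original process and Step 5 of the Purview process, run from Exchange Online PowerShell, which is where the unified audit log cmdlets live. This is an added example, not code from the original guide or Microsoft's documentation; it assumes a seven-day window and 100 downloads per hour as the bulk-download threshold, both of which you should tune to your tenant.

```powershell
# Added example: audit log verification and triage for OneDrive activity.
# Assumptions: 7-day window; 100 downloads per user per hour as the bulk threshold.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # Search-UnifiedAuditLog and Get-AdminAuditLogConfig live here

# 1. Confirm unified audit log ingestion is on (default in current tenants, but verify).
if (-not (Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled) {
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true   # can take up to an hour to begin recording
}

# 2. Pull OneDrive sharing and download events. One call returns at most 5000 rows;
#    use -SessionId with -SessionCommand ReturnLargeSet to page through larger windows.
$ops = 'SharingSet', 'SharingInvitationCreated', 'SecureLinkCreated', 'AddedToSecureLink',
       'CompanyLinkCreated', 'AnonymousLinkCreated', 'AnonymousLinkUsed', 'FileDownloaded'
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
              -Operations $ops -ResultSize 5000 |
          ForEach-Object { $_.AuditData | ConvertFrom-Json } |
          Where-Object { $_.SiteUrl -like '*-my.sharepoint.com/personal/*' }   # OneDrive only, not team sites

# 3a. Shares granted to guest accounts.
$events | Where-Object { $_.Operation -in @('SharingSet', 'SharingInvitationCreated', 'AddedToSecureLink') -and
                         $_.TargetUserOrGroupType -eq 'Guest' } |
    Select-Object CreationTime, UserId, TargetUserOrGroupName, ObjectId |
    Sort-Object CreationTime -Descending | Format-Table -AutoSize

# 3b. "Anyone" links created or used: a finding if Step 2 turned them off.
$events | Where-Object { $_.Operation -in @('AnonymousLinkCreated', 'AnonymousLinkUsed') } |
    Select-Object CreationTime, Operation, UserId, ObjectId, ClientIP | Format-Table -AutoSize

# 3c. Bulk downloads: more than 100 FileDownloaded events by one user within one clock hour.
$events | Where-Object { $_.Operation -eq 'FileDownloaded' } |
    Group-Object { '{0}|{1:yyyy-MM-dd HH}:00' -f $_.UserId, [datetime]$_.CreationTime } |
    Where-Object { $_.Count -gt 100 } |
    Select-Object @{ n = 'User|Hour'; e = { $_.Name } }, Count | Format-Table -AutoSize
```

The sync client generates FileDownloaded events too, so a freshly enrolled laptop pulling a whole OneDrive will trip the bulk threshold; check the UserAgent field in the same AuditData record before escalating. For continuous rather than ad-hoc monitoring, the same signals are what Defender for Cloud Apps' built-in mass-download and anonymous-IP anomaly policies alert on.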


Properly configuring access control in Microsoft OneDrive is an essential step in safeguarding sensitive information and ensuring compliance with security standards and regulations. By implementing the measures outlined in this guide—such as sensitivity labeling, managing folder permissions, enforcing conditional access, and monitoring activity—you can significantly reduce the risk of unauthorized access and data breaches.

As technology evolves and cyber threats become increasingly sophisticated, regularly reviewing and updating your access control configurations is crucial to maintaining a secure environment. Additionally, investing in user training and leveraging advanced tools like Microsoft Defender and Azure Active Directory will further strengthen your organization's security posture. With these strategies in place, you can confidently utilize OneDrive as a secure platform for collaboration and data management.


Greg T.

Cyber Resilience, Simplified | Elite Cyber Advisory Without Big-4 Price Tags | We Solve Problems, Not Sell Products | Prevention Represents the Cure | Founder and CEO, EugeneZonda

4 months ago

Thanks for sharing this, Brian. Your detailed guide on configuring access controls in OneDrive is invaluable for SMBs looking to enhance their data security. End-to-end data security and flexible scaling options are crucial for maintaining a robust defense.
