OneDrive Security Settings Every Admin Should Configure

OneDrive is one of the most frequently used services in Microsoft 365, but many administrators overlook critical security configurations. Files stored in OneDrive represent sensitive business data, personal information, and intellectual property. For MSPs managing multiple organizations, properly configuring OneDrive security is essential to preventing data breaches and maintaining compliance.

This guide covers the essential OneDrive security settings every administrator should implement.

Understanding OneDrive Security Risks

Before configuring settings, understand the risks OneDrive addresses:

• Accidental external sharing: Users sharing files with external recipients without authorization
• Malicious sharing: Compromised accounts sharing sensitive files with attackers
• Overly permissive permissions: Files accessible to too many internal users
• Inactive account data: Orphaned OneDrive accounts with unprotected data
• Unmanaged device access: Uncontrolled devices accessing OneDrive files
• Data exfiltration: Unauthorized bulk downloads or sync of files

Strategic OneDrive configuration mitigates all these risks.

Foundational Configuration: SharePoint and OneDrive Settings

OneDrive security starts with SharePoint Admin Center since OneDrive leverages SharePoint infrastructure.

1. Configure Sharing Settings

Navigate to:

1. SharePoint Admin Center > Policies > Sharing

Recommended Settings:

Sharing links default type:

• Set to “Internal” (shares only accessible to people in organization)
• Requires users to explicitly choose external sharing

External sharing:

• Set to “Allow external users who have been invited” minimum
• Prevents anonymous sharing
• “Only existing guests” is most restrictive and secure

Implementation rationale: Users can still share externally when business-justified, but defaults prevent accidental external exposure.

File and folder links:

• Default link type: “Specific people” (most restrictive)
• Allow users to select link type: Yes (but default to Specific people)
• “Anyone” links should be disabled if possible

This prevents users from accidentally creating “anyone can access” links.

2. Limit External Sharing Domains

Configuration:

1. In Sharing settings, select “Limit external sharing”
2. Choose “Allow sharing with external users in your organization’s directory” (most restrictive)
3. Or configure allowed domains list

Allowed Domains List:

• Add only partner company domains
• Example: @client-company.com, @vendor.com
• Review quarterly and remove unused domains

This prevents sharing with random external email addresses.

3. Restrict Device Access

Configuration:

1. SharePoint Admin Center > Policies > Access Control
2. Click “Unmanaged devices”

Recommended Settings:

• Allow full access from desktop apps, mobile apps, and Web: No
• Instead select: “Allow limited, web-only access”

Effect:

• Unmanaged devices can view files in browser
• Cannot sync, download, or upload files
• Forces users to use managed devices for sensitive work

This dramatically reduces risk of data exfiltration from attacker devices.

4. Implement Idle Session Timeout

Configuration:

1. SharePoint Admin Center > Policies > Access Control > Idle session timeout
2. Set to “Sign out inactive users”
3. Select time: “30 minutes” for sensitive data, “1 hour” for general

Effect:

• Users inactive for specified time are automatically signed out
• Prevents attackers from using abandoned sessions
• Users just need to sign back in

Especially important in shared workspaces and healthcare environments.

OneDrive-Specific Security Settings

5. Enable File Version Management and Retention

Configuration:

1. Access OneDrive > More > Settings > Version history
2. Set version retention: “Automatic” (keeps indefinite versions)
3. Or set custom retention: “Keep version for 30 days minimum”

Why it matters:

• Ransomware attacks may encrypt current versions
• Previous versions allow recovery
• Compromised accounts can’t delete all versions without admin intervention

6. Configure Expiration Dates for Sharing Links

Configuration:

1. SharePoint Admin Center > Policies > Sharing
2. Set “Links must expire within this many days”: 90 days

Effect:

• Shared links automatically expire
• Prevents perpetual access
• Users re-share consciously rather than indefinitely
• Reduces risk of old links being compromised

7. Enable Password Protection for External Shares

Configuration:

1. SharePoint Admin Center > Policies > Sharing
2. Set “People who use a link must sign in with this organization”: Enable
3. For external sharing links: “Require password” (if configured)

Rationale:

• Even if external link is compromised, attacker needs password
• Prevents casual access
• Demonstrates access control to compliance auditors

8. Disable Specific Share Options

Configuration:

1. OneDrive Settings > Share > Advanced settings

Disable:

• [ ] Allow anonymous users to upload files - Off
• [ ] Allow unauthenticated flow (anonymous access) - Off
• [ ] Allow external users to reshare files - Off

Effect:

• Only authenticated users can interact with shared files
• Guests cannot reshare to additional users without authorization
• Maintains control over data access chain

9. Implement Information Barriers

For organizations with confidentiality requirements:

Configuration:

1. Microsoft 365 Compliance Center > Information barriers
2. Create policy: “Prevent Department A from sharing with Department B”
3. Apply to affected groups

Use Cases:

• Legal departments (can’t share with general staff)
• Medical staff (patient confidentiality)
• Competitive teams (prevents internal conflicts of interest)

This is a technical control enforcing business policy.

Protecting OneDrive from Compromise

10. Configure Retention Policies for Deleted Files

Configuration:

1. OneDrive Admin Center > Settings > Retention
2. Set recycle bin retention: 30 days minimum (Microsoft default 93 days)

Effect:

• Deleted files aren’t immediately gone
• Admins can recover deleted files for 30+ days
• Prevents attackers from permanently deleting evidence

11. Enable Malware Detection and Blocking

Configuration:

1. Microsoft 365 Defender > Email & collaboration > Policy configuration > Safe attachments
2. Enable “Turn on ATP for SharePoint, OneDrive, Teams”
3. Enable “Turn on the wait for scan completion”

Effect:

• Files are scanned for malware before download
• Suspected files are blocked
• Users receive alerts

This prevents malware distribution through OneDrive.

12. Configure Sync Restrictions

For compliance-sensitive environments:

Configuration:

1. SharePoint Admin Center > Policies > Sync
2. Restrict sync to: “Managed domains only”
3. List allowed domains (internal domains)

Effect:

• OneDrive sync only works on corporate domain devices
• Prevents home computer sync of business files
• Reduces exposure of sensitive data on personal devices

Alternatively, use Intune to restrict sync via mobile app policies.

Monitoring and Auditing OneDrive

13. Enable and Review Audit Logs

Configuration:

1. Compliance Center > Audit > Start recording user and admin activity
2. Verify “Audit logging is enabled”

What to Monitor:

1. SharePoint Admin Center > Active sites > OneDrive
2. Click specific OneDrive > Activity tab
3. Review for:
   • Unusual file downloads (indicate exfiltration)
   • External sharing activity
   • Deleted file activity
   • Admin access patterns

Automated Alerts (Premium P2):

1. Microsoft 365 Defender > Alerts & insights
2. Create alert: “Bulk file downloads from OneDrive”
3. Threshold: > 50 files in 24 hours
4. Action: Email security team

14. Implement Guest Access Policies

Configuration:

1. Azure AD > External Identities > External collaboration settings
2. Set “Guest user access permissions” to “Guest users have the same access as members” minimum (most restrictive is “Limited access”)
3. Set “Admins and users in guest inviter role can invite guests”: Yes/No based on policy

Guest Expiration:

1. Set “Guest user access expiration” to “90 days”
2. Requires renewal, prevents orphaned guest accounts

OneDrive Governance for MSPs

15. Implement OneDrive Access Policies

Configuration:

1. Create Conditional Access policy for OneDrive:
   • Target: All users
   • App: SharePoint Online
   • Device compliance: Required
   • Location: Restrict high-risk locations
   • Grant: Require MFA

Effect:

• Only compliant devices can sync OneDrive
• MFA required for all access
• Suspicious locations are blocked

Remediation: Responding to OneDrive Security Issues

If you detect unauthorized external sharing:

1. Immediate: Disable sharing link or reduce permissions
2. Investigation: Review share timestamp and creator
3. Containment: Change file permissions, notify affected parties
4. Remediation: Update sharing policies to prevent recurrence

If you detect suspicious downloads:

1. Check sign-in logs for that user during time of download
2. Verify device type and location against known user patterns
3. If compromised: Reset password, revoke sessions, review for other unauthorized activity
4. Review files downloaded for data sensitivity

Compliance Integration

OneDrive security settings support:

• HIPAA: Encryption and access controls
• GDPR: Retention policies and guest expiration
• SOC 2: Audit logging and access restrictions
• NIST Cybersecurity Framework: Configuration aligns with access controls (AC-3, AC-6)

Common OneDrive Security Mistakes

Mistake: Allowing “Anyone” Links

• Prevents accidental external sharing
• Set default to “Specific people”

Mistake: No Expiration Dates

• Old shared links are compromise vectors
• Implement 90-day expiration minimum

Mistake: Allowing Unmanaged Device Sync

• Attackers can exfiltrate data via personal devices
• Restrict to managed devices only

Mistake: Not Monitoring OneDrive Activity

• Unauthorized sharing goes undetected
• Implement audit logging and automated alerts

Conclusion

OneDrive is powerful for productivity but requires thoughtful security configuration. By implementing these settings:

• You prevent accidental external data exposure
• You block unauthorized access from unmanaged devices
• You maintain audit trails for compliance
• You protect against account compromise scenarios

OneDrive security reflects your overall Microsoft 365 security maturity as an MSP.

Ready to assess your Microsoft 365 security posture? Run a free security assessment at 365 Security Assessment.