Privacy in Microsoft SharePoint Online

SharePoint Online and OneDrive for Business are central building blocks for collaboration in Microsoft 365. But “out of the box”, many tenants are configured for maximum openness to make sharing content as easy as possible. From a GDPR and corporate security perspective, this is often problematic.

As an administrator, you are faced with the challenge of balancing the balance: Data must be protected and managed in a GDPR-compliant manner without user productivity suffering due to overly restrictive hurdles. In this guide, we’ll go over the essential settings in the SharePoint admin center that you can use to secure your environment.

Preconditions

Before you start the configuration, make sure that the following points are met:

• Permissions: You need access to your Microsoft 365 tenant, ideally as a Global Administrator or SharePoint Administrator.
  
• Licensing: The basic settings for external sharing described here are available to you in most Microsoft 365 plans
  • from Business Basic to Business Premium to Enterprise (E3/E5). Special features (such as advanced reports or conditional access) may require higher license levels, but are mentioned separately in the appropriate places.
    
• Access: Access is primarily via the SharePoint admin center.

1. The basis: Define the global approval level

The most important lever for security is the global sharing setting. Here you decide how open your tenant can be.

• Path: SharePoint Admin Center > Sharing Policies >
• Recommendation: Set the sliders for SharePoint and OneDrive to “New and existing guests”.
• Why? This will disable the “Everyone” option (anonymous links). External users must authenticate themselves (e.g., with a code or Microsoft account). This ensures that only verified people have access to your sensitive information.

2. Fine-tuning: Restrict external shares

Below the sliders, you’ll find the “More settings for external sharing.” You can refine the control here:

• Domain Restriction: If you only work with certain partners, you can limit sharing to specific domains (allow-list) or exclude competitors (block-list).
• Period of validity: Configure the flow of guest access. This ensures that external rights do not persist indefinitely, but must be renewed regularly.

3. The default link type: “Least Privilege”

Users tend to use the default settings. Therefore, they should be as secure as possible, but as open as necessary.

• Path: File and Folder Links Section
• Link Type: Choose “Specific People” as the default. This prevents links from being accidentally forwarded to the entire organization or externally.
• Eligibility: Set the default permission to “View” (instead of “Edit”). Write permissions should only be explicitly assigned if they are really necessary for collaboration. This minimizes the risk of unauthorized changes or deletions.

Security & Compliance: Monitoring and Limits

The configuration doesn’t end at the sharing links. Organizational and overarching measures are necessary for long-term safe operation:

• MFA (Multi-Factor Authentication): Make sure that MFA is enabled for all administrators and ideally also for guest users (via Entra ID settings).
• Monitoring: Regularly review the release reports and audit logs in the Microsoft Purview Compliance Portal. This is the only way to recognize unusual access patterns in time.

5. SharePoint-specific hardening

In the Settings menu item you will find a list of individual options. Many of them are set to “Open” or “Automatic” by default. To avoid uncontrolled growth and increase safety, we go through this list point by point.

SharePoint Settings

Notifications

• Recommendation: Allow (default).
• Why: This allows push notifications on mobile apps. From a security point of view, this is positive: Users notice unusual activity on their files more quickly if they are proactively informed.

Version History Limits

• Recommendation: Select “Manual” and set a limit (e.g. 500 versions) or use “Automatic”.
• Safety tip: Never deactivate versioning! Version history is your life insurance against ransomware. When a file is encrypted by a virus, it is often saved as a “new version”. You can then simply roll back to the clean previous version.
• GDPR notice: Too high a limit (or “unlimited”) can lead to ancient personal data being stored forever. A limit of 500 versions is a healthy middle ground.

Pages (Modern Pages)

• Recommendation: Deactivate (remove the checkmark).
• Why: If you check the box “Allow users to create modern pages”, users can publish news or content pages independently. In structured intranets, this quickly leads to confusion. It’s better to limit publishing to trained editors.

Site Storage Limits

• Recommendation: Be sure to set this to “Manual”.
• Why: By default, this is set to “Automatic,” which means that a single site can theoretically occupy almost all of your tenant’s storage. Manual sets a default limit (e.g., 250 GB per site). If you need more, you have to get in touch. This prevents uncontrolled “data graves”.

Home Pages

• Setting: Optional / As required.
• Context: This is where you link your SharePoint intranet home page to Viva Connections in Teams. This has less to do with security than with a good user experience (UX) to reach employees centrally.

Website creation

• Recommendation: Deactivate (remove the checkmark).
• Important: This is one of the most important switches against uncontrolled growth! If users are allowed to create sites (and thus M365 groups and teams in the background) on their own, you lose control over permissions and locations.
• Best Practice: Create an approved process (e.g., through Microsoft Forms or Power Automate) to control new workspaces and create them with the right privacy settings.

Stream & OneDrive Settings

Stream (App Launcher Tile)

• Recommendation: Leave the standard.
• Context: Only regulates the linking in the app launcher and is not critical from a security point of view.

OneDrive | Storage

• Recommendation: 30 days (default) or reduced to 14 days.
• Why: Specifies how long a deleted user’s OneDrive content is retained (for example, after termination) before it’s permanently destroyed.
• GDPR: In terms of data economy, a shorter period is better, provided that there are no legal hold obligations against it.

OneDrive | Notifications

• Recommendation: Allow.
• Safety tip: Users receive an email when a large number of files are deleted at once. This serves as an excellent early warning system for malicious attacks or accidental mass deletions.

OneDrive | Memory Limit

• Recommendation: 1024 GB (or less, depending on your needs).
• Why: 1TB is the standard. Ask yourself: Does every user really need 1 TB for personal work files? A smaller limit (such as 100 GB or 500 GB) can reduce the risk of OneDrive being misused as a private backup archive.

OneDrive | Sync

• Recommendation: Limit to domains.
• The problem: Synchronization to local hard drives is a classic gateway for data loss (data leakage).
• The solution: Click Sync, then select the “Allow sync only on computers joined to specific domains” check box. Enter the GUID of your domain there.
• Note: This works primarily for classic Active Directory environments. In cloud-only environments (Entra ID / Intune), this control is regulated more effectively via conditional access policies . In addition, you should exclude potentially dangerous file types (such as .exe or .vbs) from synchronization here.

6. The “Classic” Settings: Hidden but Powerful Levers

In the modern admin center, there are often references to the “classic settings page” at the bottom. Don’t let the old design fool you: This is a fundamental course for the architecture and security of your tenant.

Here are the optimal configurations for the most important items on this list:

Information Rights Management (IRM)

IRM encrypts files at the document level, so that even after a download, they can only be opened by authorized persons.

• Setting: Select Use the IRM service specified in the configuration (assuming Azure Rights Management is enabled).
• Why: This is the last line of defense. If a file does leak (e.g. onto a USB stick), it remains unreadable without the appropriate identity.

Site Creation

This is the most important setting to nip sprawl in the bud.

• Setting: “Hide the ‘Create Website’ command”.
• Why: If this command is visible, any user can create a new site (and often an M365 group) on the SharePoint home page.
• Best Practice: Turn off self-service here. Instead, redirect users to a custom form (option: “Use the form at this URL”). For example, you can point to a Microsoft Form or Power App that asks for the purpose, owner, and classification before the site is approved and built.

Subsite Creation

SharePoint has changed: from deeply nested structures (“sub-subfolders”) to a flat hierarchy.

• Setting: “Disable subsite creation for all sites.”
• Why: Subsites make permission management a nightmare and make later migrations or archiving more difficult.
• The modern alternative: Use hub sites to logically link flat site collections instead of physically nesting them inside each other. This is Microsoft’s current “gold standard”.

Clean up deprecated features (Legacy Cleanup)

To close security gaps and unify the user experience (UX), you should cut off old habits:

1. Connected services (workflows):
   • Setting: Use PowerSHell SharePoint Online Administration to block SharePoint 2013 workflows
   • Reason: The old 2013 workflows are outdated, are being shut down by Microsoft and pose a security risk. Use Power Automate.
2. OneDrive and Office Online / Version Settings:
   • Make sure that the “New Experience” is enforced everywhere and that the creation of old site collections is blocked. There is no longer any reason to use the “Classic Experience”.

Mobile push notifications

• Setting: “Allow” (for SharePoint and OneDrive).
• Note: This is in line with the settings we’ve already discussed in the modern menu. If discrepancies arise here, the more restrictive attitude often wins. We recommend allowing to increase transparency for the end user (quick info on file changes).

7. Other functions: Special tasks and “legacy issues”

The menu item More features is the bridge to the classic administration pages. Even though Microsoft is gradually modernizing them, some of the most important levers for governance and compliance are still hidden here.

Here are the top three areas you need to look at:

1. User Profiles

This is probably the most important area under “Other functions” for daily administration.

• Manage OneDrive access: If an employee leaves the company or is absent due to illness, you can designate an admin for their OneDrive here (“Manage user profiles”). This is the only GDPR-compliant way to secure data without resetting passwords or logging in as the user.
• Control OneDrive creation: Under Manage user permissions, you can control who can create a OneDrive for Business in the first place.
  • Best Practice: Revoke function accounts, admin accounts or kiosk users the right to create a personal OneDrive. This minimizes the attack surface and prevents data from being stored in the wrong places.

4. Search

While modern Microsoft Search does a lot of things automatically, you can customize the search scheme (Managed Properties) here.

• Security aspect: While the search respects permissions (security trimming), check here occasionally to see if sensitive metadata has been inadvertently configured as “searchable” that should not appear in the preview.

2. Apps (SharePoint Store)

Here you control which third-party extensions are allowed to land in your tenant.

• Protection against shadow IT: Configure the settings so that users are not allowed to simply install apps from the SharePoint Store, but have to request them.
• Why? Apps often have extensive access rights to your data. An approval process ensures that you can check the app’s trustworthiness and privacy compliance before it processes data.

Records Management (Legacy) & InfoPath

Many items in this menu are relics from old SharePoint versions.

• Records Management: This point refers to the classic “Data Record Center”.
  • Note: Don’t start a new archive here! Today, modern, audit-proof archiving and retention labels take place centrally in the Microsoft Purview Compliance Portal . Use this menu item only if you still need to migrate old archive sites.
• InfoPath: If you’re no longer using old form-based processes, disable the “Browser-Based InfoPath Forms.” Outdated services that are not used are unnecessary security risks. Modern forms should run through Microsoft Power Apps .

4. Hybrid Picker

This point is often confusing for pure cloud administrators, but crucial for traditional IT infrastructures.

• What is it about? The wizard automates the connection between your on-premises SharePoint Server and SharePoint Online (e.g., for a shared search or synchronized profiles).
• Recommendation: Ignore this point completely if your company works “cloud only”.

Security tip: If you actually need to operate a hybrid environment, be sure to use this wizard instead of manual intervention. It sets up the complex trust relationships (server-to-server trust / OAuth) in a standardized and secure manner. Manual configurations are extremely error-prone and can tear unwanted security holes into your on-premises environment.

Organizational measures & conclusion

Technical settings are only half the battle. An effective compliance strategy is based on four other pillars:

1. Privacy Policy: Specify in writing how sensitive data is to be handled. This policy is the basis for your technical configuration.
2. Training: Regular awareness training is essential. Employees need to know why they are not allowed to share certain files externally.
3. Encryption (Customer Key): For organizations with extremely high compliance requirements (e.g., banking, healthcare), Microsoft offers “Service Encryption with Customer Key” to maintain full control over encryption keys.
4. DPIA (Data Protection Impact Assessment): Perform regular analyses to identify risks early on and adjust your configuration.

Security in SharePoint and OneDrive is not a one-time project, but an ongoing process. In addition to the technical hardening (deactivation of anonymous links, restriction of synchronization), a clear strategy and the targeted assignment of roles are crucial. Responsible, well-thought-out use of these tools strengthens trust in IT and forms the basis for modern, secure collaboration.

Related Links

• Microsoft 365 Compliance Documentation
• SharePoint admin center documentation
• GDPR Basics (European Commission)

This post is also available in: Deutsch English