Securing SharePoint and OneDrive: Sharing, DLP, and Data Classification

TL;DR
  • The default configuration of SharePoint Online allows every user to share files externally with anonymous links. For most organizations, this is far too open.
  • A tiered sharing policy with tenant-wide defaults and site-specific restrictions balances collaboration and security.
  • Sensitivity Labels classify documents by protection level and automatically enforce encryption, access restrictions, and DLP policies.
  • DLP policies prevent the sharing of sensitive data and should start in test mode before switching to blocking.
  • Regular audits of external shares and access reports are essential for the ISMS and cover Controls A.5.12 through A.5.14 and A.8.3.

The Problem: Uncontrolled Sharing

SharePoint Online and OneDrive for Business are the central locations where corporate data is stored in Microsoft 365. Every team document, every project file, every client presentation resides in SharePoint or OneDrive. And that is precisely the problem: the default configuration is designed for maximum collaboration, not maximum protection.

In a freshly provisioned tenant, every user can share any file with any external recipient—including anonymous "Anyone" links that work without sign-in. An employee shares a project file via link with an external partner, forgets to set an expiration date, and three months later the link is still active and shareable with anyone who has it. Or worse: a confidential client list is shared via an "Anyone" link, the link falls into the wrong hands, and the file becomes accessible to the entire world.

This is not a hypothetical scenario. Audits regularly uncover SharePoint sites with dozens of active external shares that site owners know nothing about. OneDrive folders containing client data remain externally accessible through long-forgotten links. And nobody has an overview, because the default configuration provides no notifications and no automatic expiration dates.

Sharing Policies: The Foundation

SharePoint Online has four sharing levels that can be configured at the tenant level and individually per site:

Level 1, "Anyone" (least restrictive): Anyone can create anonymous links that work without sign-in. The link is the only access control: whoever has the link has access.

Level 2, "New and existing guests": External users must authenticate with a Microsoft account or a one-time code sent by email. New guests can be added without a prior admin invitation.

Level 3, "Existing guests": External sharing is only possible with people who already exist as guests in the Entra ID directory. New guests must first be invited by an admin.

Level 4, "Only people in your organization" (most restrictive): No external sharing is possible. Only internal users have access.

The tenant-wide setting is the upper boundary: an individual SharePoint site can be configured more restrictively than the tenant, but never more openly. If the tenant is set to "Existing guests," no site can allow "Anyone" links.

Recommended configuration for SMEs:

Set the tenant-wide setting to "New and existing guests." This allows external collaboration with authenticated guests while preventing anonymous links. For sites containing sensitive data (HR, finance, executive leadership), configure the site-specific setting to "Only people in your organization" or "Existing guests."

Detailed Sharing Settings

Beyond the basic sharing level, there are additional settings you should configure:

Expiration date for guest shares: Set a default expiration date for all external shares. After expiration, access is automatically removed and the user must consciously renew the share. Recommendation: 30 days for regular shares, 90 days for project collaborations.

Expiration date for "Anyone" links: If you allow "Anyone" links at the tenant level (which we do not recommend), set a short expiration of no more than 7 days.

Default link type: Change the default link type from "Anyone" to "People in your organization" or "Specific people." This prevents users from habitually selecting the most open link type.

Permission level for links: Set the default to "View" (read-only) instead of "Edit." Users can still grant edit permissions when needed, but the default is more restrictive.

Domain restrictions: You can configure an allow list or block list for external domains. An allow list containing only your business partners' domains prevents sharing with arbitrary external addresses.
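The tenant-wide baseline described above, as an added example using the SharePoint Online Management Shell (this is not configuration from the original article; the admin URL and partner domains are placeholders):

```powershell
# Added example: apply the recommended tenant-wide sharing baseline and read it back.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL

$partnerDomains = "partner-a.example", "partner-b.example"      # placeholder allow list

# Splatting keeps each setting next to its explanation.
$tenantSettings = @{
    SharingCapability              = "ExternalUserSharingOnly"   # Level 2: new and existing guests, no "Anyone" links
    ExternalUserExpirationRequired = $true                       # guest shares expire automatically ...
    ExternalUserExpireInDays       = 30                          # ... after 30 days unless consciously renewed
    DefaultSharingLinkType         = "Direct"                    # "Specific people" as the default link type
    DefaultLinkPermission          = "View"                      # read-only links by default
    SharingDomainRestrictionMode   = "AllowList"                 # only the listed business partner domains
    SharingAllowedDomainList       = ($partnerDomains -join " ") # space-separated domain list
}
Set-SPOTenant @tenantSettings

# Read the effective settings back and flag anything still more open than the baseline.
$t = Get-SPOTenant
$findings = @()
if ($t.SharingCapability -eq "ExternalUserAndGuestSharing") { $findings += "tenant still allows 'Anyone' links" }
if (-not $t.ExternalUserExpirationRequired)                 { $findings += "guest shares do not expire" }
if ($t.DefaultSharingLinkType -eq "AnonymousAccess")        { $findings += "default link type is 'Anyone'" }
if ($t.DefaultLinkPermission -eq "Edit")                    { $findings += "default link permission is Edit" }
if ($findings.Count -eq 0) { "Tenant sharing baseline is in place." }
else { $findings | ForEach-Object { "WARNING: $_" } }

# Sites that still permit external sharing. Each one needs a conscious decision:
# project sites keep it, HR/finance/management sites get Set-SPOSite -SharingCapability Disabled.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner |
    Sort-Object Url
```

The tenant value is the ceiling, so the last query is the list of sites where the site-specific setting still has to be decided.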

Sensitivity Labels: Data Classification in Practice

Sharing policies are the first line of defense, but they do not distinguish between harmless meeting minutes and a confidential draft contract. Sensitivity Labels bring this distinction to SharePoint and OneDrive: you classify documents by their protection level according to your classification policy, and the label automatically controls what can be done with the document.

Defining a Classification Scheme

Before setting up labels technically, you need a classification scheme that fits your organization. For most mid-market companies, three to four levels are sufficient, derived from the protection needs assessment:

Public:

  • Information that may be shared without restrictions
  • Examples: marketing materials, public press releases, general product information
  • No technical restrictions

Internal:

  • Default classification for most corporate documents
  • Examples: meeting minutes, internal presentations, process documentation
  • Sharing restricted to the organization

Confidential:

  • Sensitive business information with a limited audience
  • Examples: financial data, draft contracts, strategy papers, client data
  • Encryption enabled, external sharing only to specific domains, no download on unmanaged devices

Highly Confidential:

  • Highest protection class for the most sensitive data
  • Examples: M&A documents, salary overviews, trade secrets
  • Strong encryption, access only for defined user groups, watermarks, no printing, no copying

Setting Up Labels Technically

Sensitivity Labels are created in the Microsoft Purview Compliance Center and distributed to users via Label Policies:

  1. Create labels: One label per level with the corresponding protection settings (encryption, access rights, content marking, watermarks).
  2. Create a Label Policy: Defines which users see and can use which labels, and whether a default label is automatically applied.
  3. Set a default label: "Internal" as the default label for all new documents. This way, every document is automatically given a minimum level of protection.
  4. Require justification for downgrade: When a user changes a label from "Confidential" to "Internal," they must provide a justification. This prevents accidental downgrades.
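The four-level scheme and the label policy from the steps above, as an added example in Security & Compliance PowerShell (not from the original article). The group addresses are placeholders; the default label ("Internal") is set in the label policy's default-label option in Purview and is not shown here.

```powershell
# Added example: create the four labels and publish them in one label policy.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Public and Internal: classification and marking only, no encryption.
New-Label -Name "Public"   -DisplayName "Public"   -Tooltip "May be shared without restriction"
New-Label -Name "Internal" -DisplayName "Internal" -Tooltip "Default for internal documents; do not share externally"

# Confidential: encrypted, all employees may view/edit; who may receive it externally
# is governed by site-level sharing settings and DLP, not by the label itself.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Financial data, draft contracts, strategy papers, client data" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "all-staff@contoso.example:VIEW,EDIT,DOCEDIT,PRINT,EXTRACT" `
    -ApplyContentMarkingHeaderEnabled $true -ApplyContentMarkingHeaderText "CONFIDENTIAL"

# Highly Confidential: only the named group; PRINT and EXTRACT (copy) are deliberately
# not granted, and a watermark is applied.
New-Label -Name "Highly Confidential" -DisplayName "Highly Confidential" `
    -Tooltip "M&A documents, salary overviews, trade secrets" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "management@contoso.example:VIEW,EDIT,DOCEDIT" `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Highly Confidential"

# Publish to all users; downgrading a label (e.g. Confidential -> Internal) requires a justification.
New-LabelPolicy -Name "Company classification" `
    -Labels "Public", "Internal", "Confidential", "Highly Confidential" `
    -ExchangeLocation All `
    -AdvancedSettings @{RequireDowngradeJustification = "true"}
```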

Auto-Labeling (E5 License)

With an E5 license or an Information Protection add-on, you can apply Sensitivity Labels automatically. The system scans the content of documents and emails and applies the appropriate label when certain patterns are detected (e.g., credit card numbers, national ID numbers, health data).

Auto-labeling is especially valuable for organizations that cannot rely on all employees consistently applying labels manually. However, it requires careful configuration and a testing phase to avoid false positives.

DLP Policies for SharePoint and OneDrive

Data Loss Prevention (DLP) complements Sensitivity Labels with active controls: while labels define how a document should be protected, DLP policies prevent protected documents from leaving the organization through unauthorized channels.

Rolling Out DLP Policies Gradually

DLP policies that immediately block will cause frustration and workarounds. Start in test mode and enable blocking only once you understand the false positive rate.

Phase 1: Detection (4 weeks)

  • Create DLP policies in test mode ("Test it out first")
  • Enable Policy Tips (users see a warning but can still share)
  • Evaluate: Which policies match? What is the false positive rate? Which departments are affected?

Phase 2: Warning (4 weeks)

  • Switch policies to "Show policy tips and send notifications"
  • Users are actively warned and can provide a justification to proceed with sharing (User Override)
  • Evaluate: How often do users invoke overrides? Are the overrides legitimate?

Phase 3: Blocking

  • Switch policies to "Block" for high-risk scenarios
  • Maintain User Override for specific low-confidence scenarios
  • Regular evaluation and adjustment of policies

Recommended DLP Policies

Personal data (DSGVO/GDPR):

  • Patterns: German national ID numbers, tax IDs, social security numbers, IBAN
  • Scope: SharePoint, OneDrive, Exchange, Teams
  • Action: Warning at low confidence, block at high confidence
  • Exceptions: HR department (regularly handles this data, but with a higher threshold)

Financial data:

  • Patterns: credit card numbers, bank account details, payroll documents (keyword-based)
  • Scope: SharePoint, OneDrive, Exchange
  • Action: Block on external sharing, warning on internal forwarding to large groups

Documents with Sensitivity Label "Confidential" or "Highly Confidential":

  • Pattern: All files with the corresponding labels
  • Scope: SharePoint, OneDrive, Exchange, Teams, Endpoints (Endpoint DLP)
  • Action: Block on external sharing, notification to the data protection officer
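The "Financial data" policy above, carried through the three rollout phases, as an added example in Security & Compliance PowerShell (not from the original article). The DPO address is a placeholder, and the HR exception mentioned for personal data is not part of this policy.

```powershell
# Added example: DLP policy for payment data, created in test mode and later enforced.
Connect-IPPSSession

# Phase 1: test mode with policy tips. Users see a warning, nothing is blocked yet.
New-DlpCompliancePolicy -Name "Financial data - external sharing" `
    -Comment "Credit card and bank account data must not leave the organization" `
    -SharePointLocation All -OneDriveLocation All -ExchangeLocation All `
    -Mode TestWithNotifications

# Rule: credit card numbers or IBANs shared with people outside the organization.
# BlockAccess is already configured so the test phase shows what *would* be blocked;
# NotifyAllowOverride WithJustification is the Phase 2 behaviour (user override).
New-DlpComplianceRule -Name "Block external sharing of payment data" `
    -Policy "Financial data - external sharing" `
    -AccessScope NotInOrganization `
    -ContentContainsSensitiveInformation @(
        @{ Name = "Credit Card Number"; minCount = "1"; minConfidence = "85" },
        @{ Name = "International Banking Account Number (IBAN)"; minCount = "1"; minConfidence = "85" }
    ) `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file contains payment data and must not be shared externally." `
    -NotifyAllowOverride WithJustification `
    -BlockAccess $true -BlockAccessScope PerUser `
    -GenerateIncidentReport "dpo@contoso.example" -ReportSeverityLevel High

# Phase 3, after the evaluation weeks: switch the policy from test mode to enforcement.
# Before doing so, review match counts and override justifications in the DLP reports.
Set-DlpCompliancePolicy -Identity "Financial data - external sharing" -Mode Enable

# Keep an eye on what is currently enforced vs. still in test mode.
Get-DlpCompliancePolicy | Select-Object Name, Mode, Enabled
```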

Versioning and Recycle Bin

SharePoint and OneDrive feature automatic versioning and a two-stage recycle bin that together provide robust protection against accidental or malicious deletion and overwriting.

Configuring Versioning

Every change to a document automatically creates a new version. You can configure the number of retained versions:

  • Recommendation: 50–100 major versions for regular document libraries
  • For critical libraries: Up to 500 versions
  • Minor versions: Enable minor versions for document libraries with formal approval processes

Versioning protects against ransomware that encrypts files: you can restore a previous, unencrypted version. SharePoint even offers a bulk restore feature that rolls back all files in a library to a specific point in time.
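A check of every document library on a site against the version counts recommended above, as an added example using PnP PowerShell (not from the original article). The site URL and the list of critical libraries are placeholders.

```powershell
# Added example: verify versioning on all document libraries of a site and fix those
# below the recommended major-version limit.
Connect-PnPOnline -Url "https://contoso.sharepoint.com/sites/projects" -Interactive   # placeholder

$minMajorVersions = 100          # regular document libraries
$critical = @("Contracts")       # placeholder: libraries that should keep up to 500 versions

# BaseTemplate 101 = document library; hidden system lists are excluded.
$libraries = Get-PnPList -Includes EnableVersioning, MajorVersionLimit |
    Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

foreach ($lib in $libraries) {
    $target = if ($critical -contains $lib.Title) { 500 } else { $minMajorVersions }
    $ok = $lib.EnableVersioning -and ($lib.MajorVersionLimit -ge $target)
    if ($ok) {
        "{0,-30} OK   ({1} major versions)" -f $lib.Title, $lib.MajorVersionLimit
    } else {
        "{0,-30} FIX  versioning={1} limit={2} -> {3}" -f $lib.Title, $lib.EnableVersioning, $lib.MajorVersionLimit, $target
        Set-PnPList -Identity $lib.Title -EnableVersioning $true -MajorVersions $target
    }
}
```

Run it read-only first (comment out the Set-PnPList line) to see which libraries would change before touching production sites.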

Recycle Bin

SharePoint uses a two-stage recycle bin:

  1. First-stage recycle bin (93 days): Deleted files land here and can be restored by the user.
  2. Second-stage recycle bin (93 days from the time of deletion): When a file is deleted from the first-stage recycle bin, it moves to the second stage and can only be restored by a site admin.

In total, deleted files are recoverable for 93 days before they are permanently removed. For most organizations this is sufficient, but check whether your deletion concept requires different retention periods.

Audit and Monitoring

Without regular monitoring, you lose visibility into the actual shares and access patterns. SharePoint offers several ways to monitor the security posture:

Sharing Reports in the SharePoint Admin Center

The SharePoint Admin Center provides reports on sharing activities:

  • Number of external shares per site
  • Most frequently externally shared files
  • Users with the most external shares
  • Active "Anyone" links

Review these reports at least monthly and look for anomalies: unusually high external sharing on a particular site, shares to unknown domains, "Anyone" links on sensitive sites.

Unified Audit Log

The Unified Audit Log records all file activities in SharePoint and OneDrive: access, downloads, uploads, shares, permission changes. Set up Alert Policies for critical events:

  • Mass download: A user downloads an unusually large number of files in a short time (potential data exfiltration)
  • External sharing of "Confidential" files: A file with the "Confidential" Sensitivity Label is shared externally
  • Site permission change: Permissions of a SharePoint site are modified by a non-admin
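The external-sharing review and the mass-download alert from the list above, as an added example against the Unified Audit Log (not from the original article). The AuditData field names used (Operation, TargetUserOrGroupType, SiteUrl, ObjectId, UserId) are those of SharePoint sharing events; the download threshold and recipient address are placeholders.

```powershell
# Added example: summarize 30 days of external sharing per site and create a mass-download alert.
Connect-ExchangeOnline     # Search-UnifiedAuditLog lives in Exchange Online PowerShell

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations "SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated", "AddedToSecureLink" `
    -ResultSize 5000

$external = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    # Guests and anonymous links are the external cases; shares to internal members are skipped.
    if ($d.Operation -eq "AnonymousLinkCreated" -or $d.TargetUserOrGroupType -eq "Guest") {
        [pscustomobject]@{
            Time      = $d.CreationTime
            Site      = $d.SiteUrl
            File      = $d.ObjectId
            SharedBy  = $d.UserId
            Target    = if ($d.Operation -eq "AnonymousLinkCreated") { "<anyone link>" } else { $d.TargetUserOrGroupName }
            Operation = $d.Operation
        }
    }
}

# Per-site summary for the monthly review: sites with unusually many shares or with
# domains nobody recognizes get a closer look.
$external | Group-Object Site | Sort-Object Count -Descending |
    Select-Object @{ n = "Site"; e = { $_.Name } }, Count,
                  @{ n = "ExternalDomains"; e = { ($_.Group.Target -replace '^.*@', '' | Sort-Object -Unique) -join ", " } }

# Any anonymous link is a finding when the tenant policy forbids "Anyone" links.
$external | Where-Object Operation -eq "AnonymousLinkCreated" | Format-Table Time, Site, File, SharedBy

# Alert policy: more than 100 file downloads by one user within 60 minutes (potential exfiltration).
Connect-IPPSSession        # alert policies are managed in Security & Compliance PowerShell
New-ProtectionAlert -Name "Mass download from SharePoint/OneDrive" -Category DataGovernance `
    -ThreatType Activity -Operation FileDownloaded `
    -AggregationType SimpleAggregation -Threshold 100 -TimeWindow 60 `
    -Severity High -NotifyUser "soc@contoso.example"
```

Search-UnifiedAuditLog returns at most 5000 records per call; for larger tenants page through with -SessionId and -SessionCommand ReturnLargeSet.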

Access Reviews

With Entra ID P2, you can set up automatic access reviews for SharePoint sites and groups. Site owners are periodically asked to review the access list and remove access that is no longer needed. This is especially valuable for guest accounts that are often forgotten after a project ends.

SharePoint and OneDrive Security in the ISMS

The security configuration of SharePoint and OneDrive addresses multiple ISO 27001 controls and belongs in your ISMS as a technical and organizational measure (TOM):

A.5.12 (Classification of information):

  • Classification scheme with Sensitivity Labels
  • Default label for all new documents
  • Auto-labeling rules (with E5)
  • Employee training on proper classification

A.5.13 (Labeling of information):

  • Visual marking through labels (header, footer, watermark)
  • Automatic labeling based on content analysis

A.5.14 (Information transfer):

  • Sharing policies at tenant and site level
  • DLP policies against uncontrolled data leakage
  • Encryption through Sensitivity Labels

A.8.3 (Access restriction to information):

  • Site-specific permissions and sharing levels
  • Conditional Access for SharePoint access
  • Device compliance as an access prerequisite

A.8.10 (Deletion of information):

  • Versioning as protection against unintentional deletion
  • Recycle bin with 93-day retention
  • Retention Policies for compliance-aligned retention and deletion

A.8.12 (Data Leakage Prevention):

  • DLP policies for personal and confidential data
  • Policy Tips and blocking
  • Regular evaluation of DLP reports

Documentation in the ISMS

Document not only the technical configuration for the ISMS but also the associated processes. In ISMS Lite, you can capture sharing policies, DLP configurations, and classification schemes as TOMs and map them to ISO 27001 controls:

  • Sharing policy: Who may share what externally? Under what conditions? With what restrictions?
  • Classification policy: What levels exist? Who classifies? What happens in case of incorrect classification?
  • DLP operations: Who evaluates the DLP reports? How are violations handled? How often are policies reviewed?
  • Audit process: How often are external shares reviewed? Who is responsible? What happens when anomalies are found?

Common Mistakes in SharePoint Security

Even though the individual measures are not technically demanding, there are recurring mistakes that negate the security benefits or cause organizational problems.

Restricting sharing at the tenant level but forgetting the site level: The tenant setting is the upper boundary, but sensitive sites need a more restrictive configuration. A global setting of "New and existing guests" does not protect the HR site if no stricter site policy is in place. Identify sites with sensitive data and configure them individually.

Introducing Sensitivity Labels without training: If you roll out labels without training employees, they will either be ignored or misapplied. A misclassified document is worse than an unclassified one because it creates a false sense of security. Plan training sessions that use concrete examples from daily work to show which label fits which situation.

Switching DLP to block mode immediately: DLP policies that block without an evaluation phase cause frustration and workarounds. Employees who cannot share an urgent file will find other ways: personal email, USB drives, a phone photo of the screen. All of these alternatives are less secure than the controlled sharing you were trying to protect with DLP in the first place.

Completely disabling external sharing: The temptation is strong to simply turn off external sharing entirely. In practice, this causes employees to send files as email attachments, share them through personal cloud services, or copy them to USB drives. Controlled external sharing via SharePoint with authentication, expiration dates, and audit logs is more secure than any of these alternatives.

Not regularly reviewing shares: Even with restrictive sharing settings, external shares accumulate over months that site owners no longer know about. Without regular reviews (at least quarterly), stale shares remain active and expand the attack surface.

Practical Example: Sharing Governance for an 80-Person Company

Schneider Consulting GmbH, a consulting firm with 80 employees and Microsoft 365 E3, faces a typical challenge: consultants work intensively with external clients and need to share documents. At the same time, SharePoint contains confidential client data, strategy papers, and internal financial data that must never leak externally.

The solution is a tiered model with three categories of SharePoint sites:

Category 1: Project sites (external collaboration allowed)

  • Sharing level: "New and existing guests"
  • Expiration for guest shares: 90 days
  • Default link type: "Specific people"
  • Sensitivity Label: "Internal" (default) or "Confidential" (for sensitive projects)
  • Each project site is assigned a guest access manager who reviews the access lists quarterly

Category 2: Department sites (internal only)

  • Sharing level: "Only people in your organization"
  • No external sharing possible
  • Sensitivity Label: "Internal"
  • Site owner is the department head

Category 3: Management sites (highly confidential)

  • Sharing level: "Only people in your organization"
  • Access only for defined groups of people
  • Sensitivity Label: "Highly Confidential" (encryption, no download on unmanaged devices)
  • Quarterly access reviews

This model allows the necessary collaboration with external clients while protecting internal and confidential data. The categorization is determined when each new site is created and documented as a process in the ISMS.
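The three site categories applied and then verified, as an added example using the SharePoint Online Management Shell (not from the original article). Site URLs and the admin URL are placeholders; labels and access reviews are configured in Purview and Entra ID and are outside this script.

```powershell
# Added example: apply the Schneider Consulting site categories and check for drift.
Connect-SPOService -Url "https://schneider-admin.sharepoint.com"   # placeholder

# Category -> site-level sharing settings from the tiered model above.
# Project sites override the tenant-wide guest expiration with their own 90 days.
$categories = @{
    Project    = @{ SharingCapability = "ExternalUserSharingOnly"; DefaultSharingLinkType = "Direct"
                    OverrideTenantExternalUserExpirationPolicy = $true; ExternalUserExpirationInDays = 90 }
    Department = @{ SharingCapability = "Disabled" }
    Management = @{ SharingCapability = "Disabled" }
}

# The category of each site is decided at creation time and recorded here (placeholder URLs).
$siteCategory = @{
    "https://schneider.sharepoint.com/sites/proj-acme-erp" = "Project"
    "https://schneider.sharepoint.com/sites/hr"            = "Department"
    "https://schneider.sharepoint.com/sites/management"    = "Management"
}

foreach ($url in $siteCategory.Keys) {
    $settings = $categories[$siteCategory[$url]]
    Set-SPOSite -Identity $url @settings
}

# Verification for the quarterly review: every categorized site must still match its
# category, and every site without a category needs one before it is used.
$expected = @{ Project = "ExternalUserSharingOnly"; Department = "Disabled"; Management = "Disabled" }
foreach ($site in Get-SPOSite -Limit All) {
    $cat = $siteCategory[$site.Url]
    if (-not $cat) {
        "UNCATEGORIZED  $($site.Url) (sharing: $($site.SharingCapability))"
        continue
    }
    if ($site.SharingCapability -ne $expected[$cat]) {
        "MISMATCH       $($site.Url) is '$cat' but allows $($site.SharingCapability)"
    }
}
```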

Checklist: Securing SharePoint and OneDrive

Measure                                                       Priority   Implementation
Restrict tenant-wide sharing level                            Critical   Immediately
Change default link type to "Specific people"                 High       Immediately
Set expiration date for guest shares                          High       Immediately
Disable or severely restrict "Anyone" links                   High       Immediately
Set sensitive sites to "Only people in your organization"     High       Week 1
Define and roll out Sensitivity Labels                        High       Weeks 1–4
Create DLP policies in test mode                              Medium     Weeks 2–4
Configure Audit Log and Alert Policies                        High       Week 1
Review Sharing Reports monthly                                Medium     Ongoing
Set up access reviews for guest accounts                      Medium     Week 4
Verify versioning on all libraries                            Low        Week 2
Switch DLP from test mode to blocking                         Medium     After 8 weeks
