I have devoted many articles on my blog to Security & Permissions. The reason for this is that, as I mentioned earlier on my blog, understanding how permissions work in SharePoint requires you to have a Ph.D. in SharePoint, a good sense of humor, and the ability to consume large amounts of alcohol. 😊 Luckily, I possess all of the 3 qualities above, so I feel privileged to have the honor of writing this post for you. Here are, in my opinion, the top 10 best practices to be aware of when you work with security and permissions in SharePoint Online.
Best Practice # 1: Manage security at the site level
This continues to be the biggest conception about SharePoint. As users migrated from file shares and other cloud storage services, users still think in terms of files and folders. In SharePoint, we also have a concept of sites and document libraries. And while a document library is used to organize those files and folders, the site is a container where you manage security. As a matter of fact, I even wrote a post on this topic before.
The bottom line is that you should always try maintaining security at the site level, not the file, folder, or document library level.
Best Practice # 2: Utilize 3 SharePoint security groups for Communication sites
Continuing the above topic, when it comes to securing a site, you should rely on the 3 built-in SharePoint security groups:
- Site Visitors
- Site Members
- Site Owners
With that said, the above advice primarily applies to non-group sites. Communication Sites and Team Sites created without a group. Each of the 3 groups above corresponds to 3 built-in permission levels (Read, Edit, Full Control).
So, while you can create a custom permission level, I strongly recommend sticking to those 3 security groups.
Best Practice # 3: Utilize Group membership for Team Sites
As mentioned above, how we manage security on group sites differs from the Communication site. That is because a Team Site relies on Microsoft 365 Group for its security management.
While you can create unique permissions for the SharePoint Team Site itself, kind of separate from the group membership, this should only be used in special circumstances; otherwise, it will get a bit complicated to manage down the road.
Best Practice # 4: Manage Site Sharing settings
This is another important item many Site Owners just miss. Though you set up security for the sites given any of the methods above, you MUST also configure sharing settings for your site. Until you do this, your members can share the site and its content without your permission. Check out this post to understand how this works and how to configure/lock down your site further.
Best Practice # 5: Manage external sharing settings per site as necessary
By default, SharePoint is set up for easy collaboration, so external sharing is enabled. That means that any site can potentially be shared externally. I know this is a huge concern and main discussion point for many organizations, but the reality is – you should never lock it down completely.
Instead, turn off external sharing on some sites, but not all.
Additionally, your Admin can always configure additional external sharing settings within the SharePoint Admin Center.
Best Practice # 6: Remove Users from shared files and folders as necessary
This is something that users naturally forget to do, but it is extremely important. Users have no problem inviting their colleagues and guests to sites, libraries, files, and folders, but when their access is not required anymore, these users should be removed. I published a separate post on the topic some time ago, so check it out here.
Best Practice # 7: Always give the minimum permissions possible to the site
This is kind of obvious, but it is one of those things that are not maintained by users regularly. I can’t tell you how many times I have seen sites with 10-15 users, all having Full Control at the site level. Why? Full Control means they can delete a site, you know. The same applies to regular members. Many times users should have had read-only access to the site, but end up being members with Edit permissions level. It is like leaving your phone or wallet on a table in a restaurant.
Long story short – always give the minimum permission possible to the users to do their job. You might be a generous person, but don’t be generous regarding security & permissions – this is unnecessary.
Best Practice # 8: Always give the minimum permissions possible when sharing links to files and folders
This is related to the previous tip but applies to sharing files and folders by the team members. By default, SharePoint is a bit generous when users try to share files and folders. By default, the sharing link that comes up is People in your organization.
This means that the link generated will work not just for the user you are sharing a file with, but also for everyone else in the organization should this link/email be forwarded to others.
So I recommend choosing a different type of link (i.e., People you choose).
You can also change the default sharing link within the SharePoint Admin Center. I explained how to do this here.
And, of course, if you totally want to prevent users from sharing files and folders, you can implement the technique I mentioned in Tip # 4 (Manage Site Sharing Settings).
Best Practice # 9: Make a decision about Active Directory vs. Microsoft 365 Groups
The other big decision you would need to make is whether to utilize Active Directory Security Groups or Microsoft 365 Groups when securing your sites, or setting up unique permissions for files and folders. Each method has pros and cons, and I documented all of those in this article.
Best Practice # 10: Conduct some Training, will you?
OK, look, I know it is overwhelming with all these tips and nuances. That is why it is super important to train your staff. While I will be very honored if you share this post with your colleagues, it is always recommended to conduct some live training so that Site Owners and Site Members know the best practices associated with site security. Training is critical from a user adoption standpoint, but is equally important if you want to make sure your content is properly secured as well.