+ - essentials-get-started

+- Essentials-manage

+- essentials-compliance

+- essentials-security

+ - essentials-get-started

+- essentials-compliance

+- essentials-security

+ - M365-collaboration

+ - Essentials-manage

+- essentials-overview

+- essentials-compliance

+- essentials-security

+ - essentials-get-started

+- essentials-manage

+- Essentials-manage

+ Title: "Restrict SharePoint site access with Microsoft 365 groups and Entra security groups"

+- M365-SAM

+description: "Learn how to restrict access to SharePoint sites to members of a Microsoft 365 or Entra security group."

+# Restrict SharePoint site access with Microsoft 365 groups and Entra security groups

+Site access restriction policies are applied when a user attempts to open a site or access a file. Users with direct permissions to the file can still view files in search results. However, they can't access the files if they're not part of the specified group.

+You must enable site-level access restriction for your organization before you can configure it for individual sites.

+To enable site-level access restriction for your organization in SharePoint admin center:

+2. Select **Site-level access restriction**.

+3. Select **Allow access restriction** and then select **Save**.:::image type="content" source="media/rac-spac/restricted-access-control-site-level-restriction-page.png" alt-text="screenshot of site access restriction in sharepoint admin center dashboard." lightbox="media/rac-spac/restricted-access-control-site-level-restriction-page.png":::

+To enable site-level access restriction for your organization using PowerShell, run the following command:

+You can restrict access to non-group connected sites by specifying [Entra security groups](/azure/active-directory/fundamentals/how-to-manage-groups) or Microsoft 365 groups that contain the people who should be allowed access to the site. You can configure up to 10 Entra security groups or Microsoft 365 groups. Once the policy is applied, users in the specified security group who have site access permissions are granted access to the site and its content. You can use [dynamic security groups](/azure/active-directory/enterprise-users/groups-create-rule) if you want to base group membership on user properties.

+1. Select the **Restrict SharePoint site access to only users in specified groups** check box.

+1. Add or remove your security groups or Microsoft 365 groups and select **Save**.

+|Add group |`Set-SPOSite -Identity <siteurl> -AddRestrictedAccessControlGroups <comma separated group GUIDS>` |

+|Edit group |`Set-SPOSite -Identity <siteurl> -RestrictedAccessControlGroups <comma separated group GUIDS>` |

+|View group |`Get-SPOSite -Identity <siteurl> Select RestrictedAccessControl, RestrictedAccessControlGroups` |

+|Remove group |`Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS>` |

+## Shared and private channel sites

+> Adding people to the security group or Microsoft 365 group won't give users access to the channel in Teams. It is recommended to add or remove the same users of the teams channel in Teams and the security group or Microsoft 365 group so users have access to both Teams and SharePoint.

+[Audit events](/office/office-365-management-api/office-365-management-activity-api-schema) are available in the Purview compliance portal to help you monitor site access restriction activities. Audit events are logged for the following activities:

+- Essentials-manage

+- essentials-manage

+- Essentials-manage

+- essentials-overview

+This article is for IT admins who manage the OneDrive sync app (OneDrive.exe) in an enterprise environment. It explains how we release updates to the sync app for Windows and the standalone sync app for Mac through rings of validation, and how the app checks for updates. If you deploy the sync app alongside Office (via the Office Deployment Tool or some other means), it continues to check for updates independent of any Office update restrictions you set.

+>

+After we validate updates through rings within Microsoft, we release them to the first public ring, Insiders. To try these latest features, join the [Windows Insider program](https://insider.windows.com/) or the [Office Insider](https://products.office.com/office-insider) program. It takes about three days to roll out to this ring. Later, we release to organizations in the default update ring, Production. We roll them out to a small percentage of users in the ring at first, and slowly roll them out to everyone in the ring. This process typically takes one to two weeks. At each increase along the way, we monitor telemetry for quality assurance purposes. In the rare case when we detect an issue, we suspend the release, address the issue, and release a new update to users in the same order. After updates roll out completely within the Production ring, and remain in Production for at least 60 days, we release them to the next ring, Deferred.

+|1-2 times per week|>|1-2 times per week|>|Every 2-3 months|

+The Deferred ring provides builds that were monitored throughout the Production rollout, so fewer releases are suspended. The Deferred ring also lets you as an admin:

+> Microsoft reserves the right to bypass the 60-day grace period for critical updates.

+- To learn how to set the Deferred ring for the Windows sync app using Group Policy, see [Set the sync app update ring](use-group-policy.md#set-the-sync-app-update-ring).

+- To learn how to set it for the Mac sync app, see [Configure the new OneDrive sync app on macOS](deploy-and-configure-on-macos.md).

+- For info about the Microsoft 365 update process, see [Overview of update channels for Microsoft 365 Apps for enterprise](/DeployOffice/overview-of-update-channels-for-office-365-proplus).

+- For info about the Windows 10 update process, see [Build deployment rings for Windows 10 updates](/windows/deployment/update/waas-deployment-rings-windows-10-updates).

+The OneDrive sync app checks for available updates every 24 hours when it's running. If it stops and doesn't check for updates in more than 24 hours, the sync app checks for updates as soon as it starts. Windows 10 also has a scheduled task that updates the sync app even when it's not running.

+- The latest version released to the update ring is higher than what is installed on the computer. If the installed version is too old to be updated to the current version, the sync app first updates to the minimum version within the ring.

+If both of these conditions are true, OneDrive downloads the update to a hidden folder without any user interaction. After the download is complete, OneDrive verifies and installs it. If OneDrive is running, it stops and then restarts. Users don't need to sign in again, and they don't need administrative rights to install the update.

+> To apply sync app updates, computers in your organization must be able to reach the following: "oneclient.sfx.ms" and "g.live.com." Make sure you don't block these URLs. They are also used to enable and disable features and apply bug fixes. See [More info about the URLs and IP address ranges used in Microsoft 365](/office365/enterprise/urls-and-ip-address-ranges).

+At any given time, the next planned Deferred ring release publishes on the [OneDrive sync app release notes](https://support.office.com/article/845dcf18-f921-435e-bf28-4e24b95e5fc0) page with a link to the corresponding installer and the version's targeted release date. On the specified date, the "Rolling out" version for the Deferred ring becomes the new minimum. All sync apps below that version automatically download the installer from the Internet and update themselves.

+- Essentials-manage

+To install, set up, and provision Access apps for SharePoint in Access Services in SharePoint Server 2016 or 2019, perform the following steps:

+1. Install and configure SQL Server 2016 Enterprise software, because an Access app stores its data in a separate SQL Server back-end database.

+2. Configure SharePoint 2016/2019 for apps for SharePoint, because an Access app is an app for SharePoint.

+For information about how to set up and configure Access Services for Access apps, see the following white paper:

+- [White Paper: Access Services Setup for an On-Premise Installation of SharePoint 2016 and 2019](https://go.microsoft.com/fwlink/?linkid=2212473)

+NOTE: For Access Services for SharePoint 2013, please see - [White Paper: Office 2013--Access Services Setup for an On-Premises Installation](https://go.microsoft.com/fwlink/?LinkId=267146)