+- Microsoft 365 E5/A5 Compliance

+- Microsoft 365 E5 Information Protection and Governance

+- Associating an authentication context to the enterprise application catalog site collection is not supported

+- The ΓÇ£Visualize SharePoint List in Power BIΓÇ¥ feature does not currently support authentication context

+ Title: "Restrict OneDrive access"

+description: "In this article, you learn how to allow only users in specified security groups to access OneDrive."

+# Restrict OneDrive access

+You can use restricted access control policy for OneDrive to allow only users in specified security groups to access OneDrive. Restricted access control of a OneDrive account and its content is managed using SharePoint PowerShell or SharePoint admin center. Even if other users outside of these security groups are licensed for OneDrive, they can't access to their own OneDrive or any shared OneDrive content.

+You can use restricted access control to prevent oversharing of OneDrive content. For example, you can restrict OneDrive access to your users, preventing guests from accessing any OneDrive content even if it's shared with them.

+To access and use the feature, your organization must have **one** of the following subscriptions:

+- Microsoft Syntex - SharePoint Advanced Management

+## Restrict OneDrive access using SharePoint admin center

+### Requirements for SharePoint admin center method

+To access and use restricted access control of OneDrive accounts, your organization must:

+- Enable restricted access control for your organization in SharePoint admin center:

+ 1. Go to [Access control in the SharePoint admin center](https://go.microsoft.com/fwlink/?linkid=2185071), and sign in with an account that has [admin permissions](sharepoint-admin-role.md) for your organization.

+ 2. Select **Restrict OneDrive access**.

+ 3. Select **Restrict OneDrive access to only users in specified security groups**.:::image type="content" source="media/restrictonedriveaccess.png" alt-text="Restrict OneDrive access on the Access control page in the SharePoint admin center":::

+ 4. Add the security groups (maximum of 10) you want to be able to use OneDrive.

+ 5. Select **Save**.

+> [!NOTE]

+> Users who aren't included in the security groups you added will lose access to their own OneDrive and any shared OneDrive content.

+## Restrict OneDrive access using PowerShell

+### Requirements for PowerShell method

+To enable restricted access control of OneDrive accounts as a **Microsoft Syntex - SharePoint Advanced Management subscriber.**:

+1. Download the latest **[SharePoint PowerShell module](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell)**

+2. Enable **restricted access control for your organization** by running the following command in PowerShell:

+ ```Powershell

+ Set-SPOTenant -EnableRestrictedAccessControl $true

+ ```

+3. Wait for approximately 1 hour.

+> [!IMPORTANT]

+> If you have Microsoft 365 Multi-Geo, you must run this command for each geo-location you want to use restricted access control.

+### Enable restricted access control of a OneDrive account using PowerShell

+To enable restricted access control of a OneDrive account, run the following commands:

+```powershell

+Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true

+```

+```powershell

+Set-SPOSite -Identity <siteurl> -AddRestrictedAccessControlGroups <comma separated group GUIDS>

+```

+> For restricted access control to be enforced on the site, you must add at least one security group whose members are allowed site access. You can add up to 10 Security Groups for a given site. Once users are added to a security group, access to the site is automatically applied.

+**For example:**

+`Set-SPOSite -Identity <https://contoso-my.sharepoint.com/personal/user_contoso_onmicrosoft_com> -RestrictedAccessControl $true`

+`Set-SPOSite -Identity <https://contoso-my.sharepoint.com/personal/user_contoso_onmicrosoft_com> -AddRestrictedAccessControlGroups afd516b5-c350-4c2a-8339-600b93c56791`

+Once the commands are run, site access is restricted to members of the specified security group (Employees_ResearchDepartment).

+> [!TIP]

+> To identify the corresponding GUID for a given security group such as Employees_ResearchDepartment, run the following commands:

+>

+>```powershell

+>Install-Module -Name MSOnline

+> Import-Module -Name MSOnline

+> Connect- MsolService

+>

+> $group = Get-MsolGroup | Where-Object {$_.DisplayName -eq " Employees_ MarketingDepartment"}

+> $group.ObjectId

+>```

+### Manage restricted access control security groups using PowerShell

+You can add up to 10 Azure AD security groups whose members are allowed access to the site. The specified security groups can be managed as restricted access control groups when the setting is applied. Restricted access control limits the site access to members of the specified security groups. Dynamic membership of security groups is also supported for restricted access control policy.

+To manage a restricted access control group for a OneDrive site, run the following command:

+```powershell

+Set-SPOSite -Identity <siteurl> -RestrictedAccessControlGroups <comma separated group GUIDS>

+```

+**For example**:

+`Set-SPOSite -Identity <https://contoso-my.sharepoint.com/personal/user_contoso_onmicrosoft_com> -RestrictedAccessControlGroups afd516b5-c350-4c2a-8339-600b93c56791,053e8286-f18a-40d6-a12a-a323b89c5d63`

+> [!NOTE]

+> The Security Groups specified will automatically get access to the site permissions.

+>

+> The policy is enforced only when it is enabled on the site and has at least one security group added.

+### Remove restricted access control groups of a OneDrive account using PowerShell

+To limit access control on user OneDrive account, remove security groups by running the following command:

+```powershell

+Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS>

+```

+**For example**:

+`Set-SPOSite -Identity <https://contoso-my.sharepoint.com/personal/user_contoso_onmicrosoft_com> -RemoveRestrictedAccessControlGroups afd516b5-c350-4c2a-8339-600b93c56791`

+### View restricted access control of a OneDrive account using PowerShell

+To view the restricted access control configuration for a OneDrive account, run the following command:

+```powershell

+Get-SPOSite -Identity <siteurl> | Select RestrictedAccessControl, RestrictedAccessControlGroups

+```

+To view a complete list of security groups added in the restricted access control configuration for a OneDrive account, run the following command:

+```powershell

+Get-SPOSite -Identity <siteurl> | Select -EXPAND RestrictedAccessControlGroups

+```

+### Disable restricted access control of a OneDrive account using PowerShell

+To disable restricted access control for a OneDrive account, run the following command:

+```powershell

+Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $false

+```

+**For example**:

+`Set-SPOSite -Identity <https://contoso-my.sharepoint.com/personal/user_contoso_onmicrosoft_com> -RestrictedAccessControl $false`

+### Reset restricted access control of a OneDrive account

+To remove restricted access control configuration for a OneDrive account, run the following command:

+```powershell

+Set-SPOSite -Identity <siteurl> -ClearRestrictedAccessControl

+```

+**For example**:

+`Set-SPOSite -Identity <https://contoso-my.sharepoint.com/personal/user_contoso_onmicrosoft_com> -ClearRestrictedAccessControl`

+This command resets the restricted access control configuration for the given site by clearing both attributes: RestrictedAccessControl, RestrictedAccessControlGroups.

+### Known experiences

+Restricted access control policy is enforced only when the user is trying to access the OneDrive account or the content in. This behavior is like any other conditional access policies configured for a site.

+Unified Search connected experiences don't enforce restricted access control policy. Users see search results if they have existing access permissions to the content or the site. When the user selects a search result item to open the content, they're denied access if they aren't part of the policy.

+## Auditing

+Audit events are available in [Microsoft Purview compliance portal](/microsoft-365/compliance/microsoft-365-compliance-center) to help you monitor restricted access control activities. Audit events are logged for the following activities:

+1. Applying restricted access control for site

+2. Removing restricted access control for site

+3. Changing restricted access control groups for site

+## Related articles

+With restricted access control, you can manage access of a SharePoint site and its content using **SharePoint PowerShell** or **SharePoint admin center**. As a [SharePoint administrator](sharepoint-admin-role.md), you can grant access to specified users in the group associated with a SharePoint site. Users not added to the specified group can't open the site at access time or open the site content even if they previously had access permissions to the site or the file. **The restricted access control policy applies to Microsoft 365 group-connected sites, non-group connected sites and Microsoft Teams.**

+## Restricted access control using PowerShell

+### Requirements for PowerShell method

+To access and use this feature, your organization must do the following in **PowerShell**:

+- Subscribe to **[Microsoft Syntex - SharePoint Advanced Management](advanced-management.md)** before following these instructions:

+- Download the latest **[SharePoint PowerShell module](/powershell/sharepoint/sharepoint-online/introduction-sharepoint-online-management-shell)**

+- Enable **restricted access control for your organization**:

+ 1. Run the following command in PowerShell:

+

+ ```Powershell

+

+### Teams and Microsoft 365 group-connected sites (PowerShell)

+#### Enable restricted access control for group-connected sites using PowerShell

+#### View restricted access control for group-connected sites using PowerShell

+#### Remove restricted access control for group-connected sites using PowerShell

+### Sites not connected to Teams or Microsoft 365 groups (PowerShell)

+#### Enable restricted access control for non-group connected sites using PowerShell

+`Set-SPOSite -Identity https://contoso.sharepoint.com/sites/marketingdepartment -RestrictedAccessControl $true`

+`Set-SPOSite -Identity https://contoso.sharepoint.com/sites/marketingdepartment -AddRestrictedAccessControlGroups AFD516B5-C350-4C2A-8339-600B93C56791`

+#### Manage restricted access control groups for a non-group site using PowerShell

+`Set-SPOSite -Identity https://contoso.sharepoint.com/sites/LegalDepartmentSite -RestrictedAccessControlGroups afd516b5-c350-4c2a-8339-600b93c56791,053e8286-f18a-40d6-a12a-a323b89c5d63`

+#### Remove restricted access control groups for a non-group site using PowerShell

+`Set-SPOSite -Identity https://contoso.sharepoint.com/sites/LegalDepartmentSite -RemoveRestrictedAccessControlGroups afd516b5-c350-4c2a-8339-600b93c56791`

+`Set-SPOSite -Identity https://contoso.sharepoint.com/sites/LegalDepartmentSite -ClearRestrictedAccessControl`

+#### View restricted access control for a non-group site using PowerShell

+## Restricted access control using SharePoint admin center

+### Requirements for SharePoint admin center method

+To access and use this feature, your organization must:

+- Subscribe to Microsoft Syntex - SharePoint Advanced Management.

+- Enable restricted access control for your organization in SharePoint admin center:

+ 1. Expand **Policies** and select **Access control**.

+ 2. Select **Site access restriction**.

+ 3. Select **Allow access restriction** box to manage restricted access control for the site.

+### Teams and Microsoft 365 group-connected site (SharePoint admin center)

+You can enable restricted access control for your group-connected or Teams-connected sites using Microsoft 365 group membership. Members of the Microsoft 365 group connected to the site are granted access to the site and its content. Users who aren't members of the Microsoft 365 group can't access the site and its content.

+#### Enable restricted access control for group-connected sites using SharePoint admin center

+1. Go to SharePoint admin center, expand **Sites** and select **Active sites**.

+2. Select the site you want to manage and the site details panel appears.

+3. In **Settings** tab, select **Edit** in the **Restricted site access** section.

+4. Select the **Restrict access to this site** box.

+5. Select **Save**.

+#### View restricted access control for group-connected sites using SharePoint admin center

+To view the restricted access control configuration for a site:

+1. Go to SharePoint admin center, expand **Sites** and select **Active sites**.

+2. Select the site you want to manage to view restricted access control on the site details panel.

+#### Remove restricted access control for group-connected sites using SharePoint admin center

+To remove restricted access control policy from a group-connected or Teams-connected site:

+1. Go to SharePoint admin center, expand **Sites** and select **Active sites**.

+2. Select the site you want to manage and the site details panel appears.

+3. In **Settings** tab, select **Edit** in the **Restricted site access** section.

+4. Deselect the **Restrict access to this site** box.

+5. Select **Save**.

+### Sites not connected to Teams or Microsoft 365 groups (SharePoint admin center)

+With restricted access control, you can restrict site access to members of specified Azure AD security groups. Users who aren't members of the specified security groups can't open the site or its content even if they previously had site access permissions. You can apply restricted access control on a site with up to 10 security groups. Dynamic membership of security groups is also supported for restricted access control policy.

+#### Enable restricted access control for a non-group site using SharePoint admin center

+To apply restricted access control policy to a non-group connected site:

+1. Go to SharePoint admin center, expand **Sites** and select **Active sites**.

+2. Select the site you want to manage and the site details panel appears.

+3. In **Settings** tab, select **Edit** in the **Restricted site access** section.

+4. Enter the security group you want to add in the **Add security group** field and select **Save**.

+> [!NOTE]

+> For restricted access control to be enforced on the site, you must add at least one security group.

+>

+> You can add up to 10 security groups for a given site.

+>

+> All users in the security group will automatically have access to the site.

+#### Remove restricted access control security groups from a non-group site using SharePoint admin center

+To remove restricted access control security group from non-group site:

+1. In SharePoint admin center, expand **Sites** and select **Active sites**.

+2. Select the site you want to manage and the site details panel appears.

+3. In **Settings** tab, select **Edit** in the **Restricted site access** section.

+4. Select **X** to remove a specific security group and select **Save**.

+> [!TIP]

+> Security groups removed from restricted access control will continue to have site permissions. We recommend using SharePoint admin center to review site permissions and remove users who no longer require site access permissions.

+#### Remove restricted access control for a non-group site using SharePoint admin center

+To remove restricted access control policy from a non-group connected site:

+1. In SharePoint admin center, expand **Sites** and select **Active sites**.

+2. Select the site and select the **Settings** tab in the site details panel.

+3. Under **Restricted site access**, select **Edit**.

+4. Deselect the **Restrict SharePoint site access to only users in specified security groups** box.

+5. Select **Save**.

+> [!NOTE]

+> The security groups added for this setting are also added to the ***SharePoint members group*** for the site. When disabling the setting, it is recommended to review site permissions and remove users who no longer need access to the site.

+ Enable-OCVForUser -UserSid $user.Sid

+## Test and verify AMSI integration with SharePoint Server

+You can test the Antimalware Scan Interface (AMSI) feature to verify that it's working correctly. This involves sending a request to SharePoint Server with a special test string that Microsoft Defender recognizes is for testing purposes. This test string isn't dangerous, but Microsoft Defender will treat it as if it was malicious so you can confirm how it will behave when it encounters malicious requests.

+If AMSI integration is enabled in SharePoint Server and is using Microsoft Defender as its malware detection engine, the presence of this test string will result in the request being blocked by AMSI instead of being processed by SharePoint.

+The test string is similar to the [EICAR test file](https://www.eicar.org/download-anti-malware-testfile/) but differs slightly to avoid URL encoding confusion.

+You can test AMSI integration by adding the test string as either a query string or an HTTP header in your request to SharePoint Server.

+### Use a query string to test AMSI integration

+```

+amsiscantest:x5opap4pzx54p7cc7$eicar-standard-antivirus-test-fileh+h*

+```

+

+**For example**: send a request to https://servername/sites/sitename?amsiscantest:x5opap4pzx54p7cc7$eicar-standard-antivirus-test-fileh+h*

+### Use an HTTP header to test AMSI integration

+```

+amsiscantest: x5opap4pzx54p7cc7$eicar-standard-antivirus-test-fileh+h*

+```

+**For example**: send a request that looks like the following.

+```

+GET /sites/sitename HTTP/1.1

+Host: servername

+amsiscantest: x5opap4pzx54p7cc7$eicar-standard-antivirus-test-fileh+h*

+```

+Microsoft Defender detects this as the following exploit:

+

+```

+Exploit:Script/SharePointEicar.A

+```

+> [!NOTE]

+> If you are using a malware detection engine other than Microsoft Defender, then you should check with your malware detection engine vendor to determine the best way to test its integration with the AMSI feature in SharePoint Server.

+ - Basic authentication

+### Basic authentication

+For many years, applications have used Basic authentication to connect to servers, services, and API endpoints. Basic authentication simply means the application sends a username and password with requests, making it easier for attackers to capture user credentials, which increases the risk of those stolen credentials being reused against other endpoints or services.

+With these threats and risks in mind, Basic authentication is deprecated but will remain supported for the SharePoint Server Subscription Edition until July 14, 2026. After that date, Basic authentication will no longer be supported and will eventually be removed in SharePoint Server Subscription Edition for all scenarios. Microsoft recommends exploring Trusted Identity provider as the replacement for authentication.