-description: "In this article, you'll learn about planning and deploying a secure and productive file collaboration environment in SharePoint with Microsoft 365."

-# File collaboration in SharePoint with Microsoft 365

-With Microsoft 365 services, you can create a secure and productive file collaboration environment for your users. SharePoint powers much of this, but the capabilities of file collaboration in Microsoft 365 reach far beyond the traditional SharePoint site. Teams, OneDrive, and a variety of governance and security options all play a role in creating a rich environment where users can collaborate easily and where your organization's sensitive content remains secure.

- - How SharePoint relates to other collaboration services in Microsoft 365, including OneDrive, Microsoft 365 Groups, and Teams.

- - How you can create an intuitive and productive collaboration environment for your users.

- - How you can protect your organization's data by managing access through permissions, data classifications, governance rules, and monitoring.

-Also see the [File Protection Solutions in Microsoft 365](/Office365/Enterprise/microsoft-cloud-it-architecture-resources#BKMK_O365fileprotect) diagram for an overview of recommended solutions to protect your data.

- - Protecting your intellectual property

- - Enabling self-service

- - Creating a smooth user experience

-In SharePoint Server on-premises, many organizations chose an IT-focused model where users must request sites and provide a business justification. This was done to prevent site sprawl and to apply governance policies around access to sensitive data.

-In Microsoft 365, SharePoint is integrated with a variety of other services to provide a much richer experience than is possible with on-premises solutions such as SharePoint Server. These integrations affect how you manage user permissions and what your users can do in a collaboration scenario.

-Traditionally, SharePoint permissions have been managed through a set of permissions groups within a site (Owners, Members, Visitors, etc.). In SharePoint in Microsoft 365, each SharePoint team site is part of a Microsoft 365 group. A Microsoft 365 group is a single permissions group that is associated with a variety of Microsoft 365 services, including a SharePoint site, an instance of Planner, a mailbox, a shared calendar, and others. When you add owners or members to the Microsoft 365 group, they are given access to the SharePoint site along with the other connected services.

-For details about how SharePoint and Teams interact, see [How SharePoint and OneDrive interact with Microsoft Teams](/microsoftteams/sharepoint-onedrive-interact).

-For details about deploying Microsoft 365 Apps for enterprise, see [Deployment guide for Microsoft 365 Apps for enterprise](/deployoffice/deployment-guide-microsoft-365-apps).

- - Do you want to allow Microsoft 365 users to share files in OneDrive with people outside your organization?

- - Do you want to restrict file sync in any way ΓÇô such as only to managed devices?

-OneDrive is an important part of the Microsoft 365 collaboration story. For information about how to deploy OneDrive in your organization, see [OneDrive guide for enterprises](/OneDrive/plan-onedrive-enterprise).

-## Securing your data

- - **Control sharing** ΓÇô by configuring sharing settings for each site that are appropriate to the type of information in the site, you can create a collaboration space for users while securing your intellectual property.

- - **Classify and protect information** ΓÇô by classifying the types of information in your organization, you can create governance policies that provide higher levels of security to information that is confidential compared to information that is meant to be shared freely.

- - **Manage devices** ΓÇô with device management, you can control access to information based on device, location, and other parameters.

- - **Monitor activity** ΓÇô by monitoring the collaboration activity happening in Teams and SharePoint, you can gain insights into how your organization's information is being used. You can also set alerts to flag suspicious activity.

- - **Protect against threats** ΓÇô by using policies to detect malicious files in SharePoint, OneDrive, and Teams, you can help ensure the safety of your organization's data and network.

- - Disallow sharing with people outside your organization.

- - Require people outside your organization to authenticate.

- - Restrict sharing to specified domains.

-You can configure these settings for the entire organization, or for each site independently (except private or shared channel sites). For detailed information, see [Turn sharing on or off](./turn-external-sharing-on-or-off.md) and [Turn sharing on or off for a site](./change-external-sharing-site.md).

-See [Limit accidental exposure to files when sharing with guests](/Office365/Enterprise/sharing-limit-accidental-exposure) for additional guidance around sharing with people outside your organization.

- - *Anyone* links give access to the item to anyone who has the link. People using an *Anyone* link do not have to authenticate, and their access cannot be audited.

-

- 

-

- An *anyone* link is a transferrable, revocable secret key. It's transferrable because it can be forwarded to others. It's revocable because by deleting the link, you can revoke the access of everyone who got it through the link. It's secret because it can't be guessed or derived. The only way to get access is to get the link, and the only way to get the link is for somebody to give it to you. *Anyone* links can't be used with files in a Teams shared channel site.

- - *People in your organization* links work for only people inside your Microsoft 365 organization. (They do not work for guests in the directory, only members).

- 

-

- Like an *anyone* link, a *people in my organization* link is a transferrable, revocable secret key. Unlike an *anyone* link, these links only work for people inside your Microsoft 365 organization. When somebody opens a *people in my organization* link, they need to be authenticated as a member in your directory. If they're not currently signed-in, they'll be prompted to sign in.

- - *Specific people* links only work for the people that users specify when they share the item.

- 

-

- A *specific people* link is a non-transferable, revocable secret key. Unlike *anyone* and *people in my organization* links, a *specific people* link will not work if it's opened by anybody except for the person specified by the sender.

-

- *Specific people* links can be used to share with users in the organization and people outside the organization. In both cases, the recipient will need to authenticate as the user specified in the link. For files in a Teams shared channel site, *specific people* links can only be sent to others in the channel.

-It's important to educate your users in how these sharing links work and which they should use to best maintain the security of your data. Send your users links to [Share OneDrive files and folders](https://support.office.com/article/9fcc2f7d-de0c-4cec-93b0-a82024800c07) and [Share SharePoint files or folders](https://support.office.com/article/1fe37332-0f9a-4719-970e-d2578da4941c), and include information about your organization's policies for sharing information.

-Though *Anyone* links do not require people outside your organization to authenticate, you can track the usage of *Anyone* links and revoke access if needed. If people in your organization frequently email documents to people outside your organization, *Anyone* links may be a better option than emailing an attachment.

-Another option is to configure a different link type to be displayed to the user by default. This can help minimize the chances of inappropriate sharing. For example, if you want to allow *Anyone* links but are concerned that they only be used for specific purposes, you can [set the default link type](./change-default-sharing-link.md) to *Specific people* links or *People in your organization* links instead of *Anyone* links. Users would then have to explicitly select *Anyone* links when they share a file or folder.

-For detailed information about data loss prevention, see [Learn about data loss prevention](/microsoft-365/compliance/dlp-learn-about-dlp).

-For example, you could configure a policy that requires Microsoft 365 groups classified as confidential to be private rather than public. In such a case, a user creating a group, team, or SharePoint site would only see the "private" option when they choose a classification of confidential. For information about using sensitivity labels with teams, groups, and sites, see [Use sensitivity labels to protect content in Microsoft Teams, Microsoft 365 groups, and SharePoint sites](/microsoft-365/compliance/sensitivity-labels-teams-groups-sites)

- - If customer information is detected in a document, then users cannot share that document with guests.

- - If a document contains the name of a confidential project, then guests cannot open the document even if it has been shared with them.

-Microsoft Defender for Cloud Apps offers additional granular conditions, actions, and alerts to help you secure your content. These include the ability to remove a user's permissions or quarantine the user when the specified condition is met.

-**User notifications**

-User notifications provide a way to communicate to your users ΓÇô via email or policy tips ΓÇô that data loss prevention has detected something that they should be aware of. The user can then decide the best course of action depending on the situation. For example, if a user unknowingly attempts to share a document that contains a credit card number, the user is prompted that a credit card number has been found and advised of your organization's policy regarding this.

-### Manage access

-Microsoft 365 provides a variety of governance features to help you create an intuitive but secure collaboration environment for your users.

- - Use device management to ensure your organization's information is accessed only by compliant devices.

- - Use conditional access to ensure your confidential data is accessed only from locations and apps that you trust.

- - Monitor information sharing in real time and through reports to ensure your governance requirements are met and sensitive information is being kept secure.

-Additionally, you can use [Azure Active Directory access reviews](/azure/active-directory/governance/access-reviews-overview) to automate a periodic review of group and team ownership and membership.

-**Device Management**

-Through device management, you can take additional steps to secure your organization's information. You can manage pretty much any device that your users might have ΓÇô PCs, Macs, mobile devices, and Linux computers.

-Examples include:

- - Ensure devices have the latest updates before allowing access to Microsoft 365

- - Prevent copy and paste of confidential data to personal or unmanaged apps

- - Erase company data from managed devices

-As you consider your options governing access to information through device management, keep in mind that guests are likely to have unmanaged devices. For sites where you've enabled guest sharing, be sure to provide the needed access to unmanaged devices, even if that's just web access via a PC or Mac. Azure Active Directory conditional access (discussed below) offers some options to reduce the risk of guests with unmanaged devices. [Some settings can be configured directly from SharePoint](./control-access-from-unmanaged-devices.md).

-Microsoft Intune provides detailed device profiling options and can also deploy and manage individual apps such as Office apps and OneDrive. For detailed information about Intune and device management, see [Microsoft Intune overview](/intune/what-is-intune).

-You can configure device management from the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com).

-**Conditional access**

- - Block guests from signing in from risky locations

- - Require multi-factor authentication for mobile devices

-**Real-time monitoring with alerts**

-[Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) services provide an extensive policy infrastructure that you can use to monitor activity that you consider to be risky for your organization's data.

-Examples include:

- - Raise an alert when a confidential file is shared externally.

- - Raise an alert when there's a mass download by a single user.

- - Raise an alert when an externally shared file hasn't been updated for a specified period of time.

-Microsoft 365 Defender can also watch for anomalous behavior such as unusually large uploads or downloads, access from unusual locations, or unusual admin activity.

-By configuring alerts, you can be more confident in allowing an open sharing experience for your users.

-You can see the alerts on the [Microsoft 365 Defender alerts page](https://security.microsoft.com/alerts).

-For detailed information about alerts in Microsoft 365 Defender, see [Investigate alerts in Microsoft 365 Defender](/microsoft-365/security/defender/investigate-alerts).

-**Monitoring with reports**

-For info about how to view data loss prevention reports, see [View the reports for data loss prevention](/microsoft-365/compliance/view-the-dlp-reports).

-For info about how to view Defender for Cloud Apps reports, see [Generate data management reports](/cloud-app-security/built-in-reports).

-### Manage threats

-You can use Safe Attachments for SharePoint, OneDrive, and Microsoft Teams in Microsoft Defender for Office 365 to protect against users uploading malicious files to OneDrive, SharePoint, or Teams.

-When Safe Attachments for SharePoint, OneDrive, and Microsoft Teams discovers a malicious file, that file is locked so that users cannot open, move, or copy the file.

-The locked file is included in a list of quarantined items that you can monitor. You can then delete or release the file as appropriate.

-For detailed info, see [Safe Attachments for SharePoint, OneDrive, and Microsoft Teams](/microsoft-365/security/office-365-security/mdo-for-spo-odb-and-teams).

-## Migrate files from on-premises

-Microsoft 365 offers much greater versatility in collaboration scenarios than on-premises solutions such as SharePoint Server. If you have files in document libraries on SharePoint Server or in file shares, [learn about migrating them to Microsoft 365](/sharepointmigration/migrate-to-sharepoint-online). If your users have files in local Windows known folders, you can also move them to OneDrive for enhanced collaboration capabilities. [Learn about Known Folder Move](/onedrive/redirect-known-folders).

-If the content that your users are collaborating on is located in SharePoint Server or in file shares, we recommend that you migrate it to Microsoft 365 to take advantage of the broader range of collaboration capabilities.

-As part of your migration, you can use the [Azure Information Protection scanner](/azure/information-protection/deploy-aip-scanner) to scan and label sensitive information in your on-premises environment. With this information, you can reorganize your data if needed before migrating it to similarly labeled sites in SharePoint.

-[Create a secure guest sharing environment](/office365/Enterprise/create-a-secure-guest-sharing-environment)

-[Best practices for sharing files and folders with unauthenticated users](/office365/Enterprise/best-practices-anonymous-sharing)

-[Understanding how Microsoft Information Protection capabilities work together](https://youtu.be/FcOMnAL_LKA)

-[Tutorial: Automatically apply Azure Information Protection classification labels](/cloud-app-security/use-case-information-protection)

-# Manage security groups

-As a SharePoint Administrator or Global Administrator in Microsoft 365, you restrict external sharing of SharePoint and OneDrive content so that only users in specific security groups can share externally. Note that the people in these security groups must be allowed to invite guests in the [Azure Active Directory guest invite settings](/azure/active-directory/external-identities/external-collaboration-settings-configure).

-4. In the **Add a security group** box, search for and select the security groups you want to use (up to 12). (Note that Microsoft 365 Groups are not supported).

-By selecting **Anyone**, users in that security group can share links to files and folders externally that donΓÇÖt require users to authenticate (for example, the **Anyone link** in the **Share** dialog box). Forwarded **Anyone links** will work internally or externally, but you can't track who has access to shared items or who has accessed shared items. Users in this group can also share to authenticated guests. This option is best for a security group preferring friction-free sharing, provided files and folders in SharePoint and OneDrive arenΓÇÖt classified as sensitive.

-By selecting **Authenticated guests only**, sharing externally is strictly limited to those guests who authenticate. This option is best for sharing sensitive or proprietary information because it requires guests to verify their identity before they can access the file or folder. Authenticated guests can share with another authenticated guest, but can't forward these links.