Overview
A SharePoint site that looks great and contains the right content is only half the job. The other half is ensuring that content is protected against accidental deletion, unauthorized sharing, and data loss. This guide covers 15 security settings and features every SharePoint site owner should review — from tenant-wide external sharing controls and domain restrictions, through permission architecture and custom levels, to retention policies, DLP, and the most underrated control of all: user training.
Prerequisites
- SharePoint Online as part of Microsoft 365
- SharePoint Administrator role (for tenant and admin center settings)
- Site Owner role (for site-level settings)
1 — Configure External Sharing in the SharePoint Admin Center
External sharing is enabled by default on all Team Sites linked to Microsoft 365 Groups. If your site contains purely internal content, disabling external sharing is the single most effective step you can take to prevent accidental data leakage.
Tenant-level external sharing
- Open the SharePoint admin center.
- Select Policies → Sharing.
- In the External sharing section, choose the appropriate level for SharePoint and OneDrive.
- Click Save.
Tenant-level settings are the ceiling for all sites. Site-level settings can only be more restrictive than the tenant — never more permissive. OneDrive sharing also cannot be configured to a more permissive level than SharePoint.
Site-level external sharing
- In the SharePoint admin center, select Sites → Active sites.
- Click the small ⓘ icon beside the site name to open the site details panel.
- In the External sharing section, click Edit.
- Select the appropriate sharing level for this specific site and save.
2 — Configure Default File and Folder Sharing Links
When users click Share or Copy link, the default link type presented to them is controlled in the admin center. The three options are:
| Link Type | Who Can Use It | Recommended Default? |
|---|---|---|
| Anyone with the link | Anyone, no sign-in required | No — anonymous links are untrackable |
| Only people in your organization | Internal users only | Yes — Microsoft default, recommended |
| Specific people | Named individuals only | Yes, for sensitive sites |
Navigate to SharePoint admin center → Policies → Sharing and scroll to the File and folder links section to set the default. You can also set the default link permission to View only to prevent accidental edits.
3 — Restrict Sharing by Domain
If external sharing is required, restrict it to specific trusted domains (your clients or vendors) and block public domains such as gmail.com or yahoo.com.
Block domains at tenant level
- In the SharePoint admin center, go to Policies → Sharing.
- Expand More external sharing settings.
- Check Limit external sharing by domain, click Add domains, select Block specific domains, enter the domains, and click Save.
Block domains at site level
- In the SharePoint admin center, go to Active sites, check the box beside the target site, and click Sharing.
- Under Advanced settings for External sharing, select Limit sharing by domain and configure the blocked domains.
When a user attempts to share with a blocked domain, SharePoint displays an error inline in the sharing dialog — the share is not processed and no notification is sent to the external recipient.
4 — Restrict Access by Network Location / IP Address
If your organization has specific office locations from which SharePoint should be accessible, you can configure an IP address allow-list in the SharePoint admin center under Policies → Access control → Network location. Requests from IP addresses outside the defined ranges are blocked. This is most effective in environments with static office IP addresses and may require review for remote or hybrid workforces.
5 — Configure Adequate Site Permissions
SharePoint’s permission model is based on three default groups that every site carries from creation. Understanding these groups and assigning users to the correct one is the foundation of effective site security.
| Group | Default Permission Level | What They Can Do |
|---|---|---|
| Site Owners | Full Control | Everything — including managing security, navigation, web parts, and deleting the site |
| Site Members | Edit | Add, edit, and delete content; share files and folders with others |
| Site Visitors | Read | View and download content only — no edits |
Additional built-in permission levels include Contribute (add/edit but not delete), Design (includes layout and approval), and View Only (view without download). Assign the minimum permissions users need to perform their work — never Full Control unless the role genuinely requires it.
Key permission behaviours to know
- Security inheritance — When you create a subsite, it inherits parent site permissions by default. Anyone with parent site access automatically has access to the subsite. Be deliberate about this when sharing subsites externally.
- SharePoint Groups cannot be nested — You cannot add one SharePoint Group inside another. You can, however, add Microsoft 365 Groups, Security Groups, and mail-enabled groups inside a SharePoint Group.
- Content inherits site security — Granting site access grants access to all pages, lists, libraries, and web parts on that site by default.
- Sharing files breaks inheritance — Each time a user shares a file or folder directly, SharePoint breaks security inheritance at that item level.
- Members can share by default — Any Site Member can click Share and add a new person to the Members group. See setting 7 to restrict this.
- Only Site Owners can un-share — Members cannot revoke sharing they or others have granted.
- Permission-based visibility — Users with no access to a site cannot see it in navigation or in search results. SharePoint does not reveal the existence of sites they cannot access.
6 — Create Custom Permission Levels If Needed
If no built-in permission level matches your requirement — for example, users who can add and edit documents but not delete them — you can create a custom permission level. In Site Settings → Site Permissions → Permission Levels, click Add a Permission Level and select only the individual permissions the role requires.
Custom permission levels add maintenance overhead. Create them only when no existing level fits. The more custom levels a site has, the harder it becomes to audit and govern over time.
7 — Change Site Sharing Settings
Configuring permissions correctly is only half the equation. By default, any Site Member with Edit permissions can share the entire site with anyone they choose — bypassing whatever security structure you put in place. Restrict this by configuring Access Request Settings:
- Go to Site Settings → Site Permissions → Access Request Settings.
- Uncheck Allow members to share the site and individual files and folders.
- Configure whether access requests should be sent to an owner for approval.
- Click OK.
8 — Prevent Page Editing
If you want site members to edit documents but not modify site pages, break permission inheritance between the Site Pages library and the site itself, then assign Read permission to the Members group on that library specifically. This allows users to interact with content without risking accidental changes to the site’s navigation or layout.
9 — Disable Document Library Sync
OneDrive sync allows users to sync SharePoint libraries to their local drives. A significant source of accidental deletions occurs when users “clean” their local drives and delete synced files, which propagates the deletion back to SharePoint. For sensitive libraries, disable sync:
- Open the library, click the Settings gear → Library settings → Advanced settings.
- Under Offline Client Availability, select No to prevent this library from being synced.
10 — Enable Audience Targeting
Audience Targeting is not strictly a security control, but it reduces exposure by showing content only to users whose role or security group membership matches a configured target. It can be enabled on navigation links, documents, pages, and the Highlighted Content web part. Users who do not match the audience do not see the content in navigation or search-driven web parts — though they could still access it directly if they have the URL and appropriate permissions.
11 — Enable Retention Policies
Retention policies prevent accidental and intentional data loss by ensuring content cannot be permanently deleted before a defined retention period expires. Policies can be applied:
- Site level — via Microsoft Purview compliance portal, targeting the entire site.
- Library, folder, or file level — via retention labels applied manually or automatically based on content type or metadata.
Once a retention label is applied to an item, it cannot be permanently deleted — attempts to delete it move the content to the Preservation Hold Library, where it remains for the duration of the retention period.
12 — Implement Data Loss Prevention (DLP) Policies
DLP policies go beyond retention by actively blocking specific actions based on content inspection. For example, you can configure a policy that prevents a document containing credit card numbers or personally identifiable information (PII) from being shared externally, printed, or downloaded. DLP policies for SharePoint are configured in the Microsoft Purview compliance portal under Data loss prevention → Policies.
13 — Review Teams Settings for SharePoint-Backed Sites
Many SharePoint sites are now created and managed through Microsoft Teams. By default, Team members can create and delete channels — including private channels, which each provision their own separate SharePoint site. Deleting a private channel deletes its associated SharePoint site and all content within it. Restrict these capabilities in Teams admin:
- Navigate to the Teams admin center → Teams → Teams settings.
- Configure messaging and channel creation policies to prevent members from creating or deleting private and shared channels without owner approval.
14 — Limit the Number of Site Owners
Full Control in SharePoint means exactly that — including the ability to delete the site entirely. There is no technical reason to have five or more site owners. For most sites, one to two owners is sufficient. Audit site ownership regularly and remove the Full Control role from anyone who only needs to edit or read content.
15 — Invest in User Training
All fourteen settings above are technical controls. Training is the one investment that multiplies the effectiveness of all of them. Users who understand what external sharing means, what happens when they sync a library and delete local files, and how long deleted items remain in the Recycle Bin are far less likely to cause the incidents the controls above are designed to prevent.
Prioritize training on:
- The difference between sharing a site, a folder, and a file — and who gets access in each case
- How the two-stage Recycle Bin works and the 93-day recovery window
- The risk of syncing sensitive libraries to personal devices
- When to contact a site owner rather than granting access independently
Summary — Security Settings at a Glance
| # | Setting | Where Configured | Who |
|---|---|---|---|
| 1 | External sharing (tenant) | SharePoint admin center → Sharing | SP Admin |
| 2 | Default link type and permission | SharePoint admin center → Sharing | SP Admin |
| 3 | Domain restrictions | SharePoint admin center → Sharing → Advanced | SP Admin |
| 4 | IP address restrictions | SharePoint admin center → Access control | SP Admin |
| 5 | Site permissions (3-group model) | Site Settings → Site Permissions | Site Owner |
| 6 | Custom permission levels | Site Settings → Permission Levels | Site Owner |
| 7 | Access request / member sharing | Site Settings → Access Request Settings | Site Owner |
| 8 | Prevent page editing | Site Pages library → Advanced settings | Site Owner |
| 9 | Disable library sync | Library Settings → Advanced settings | Site Owner |
| 10 | Audience targeting | Library / nav / web part settings | Site Owner |
| 11 | Retention policies | Microsoft Purview compliance portal | Compliance Admin |
| 12 | Data Loss Prevention | Microsoft Purview compliance portal | Compliance Admin |
| 13 | Teams channel settings | Teams admin center → Teams settings | Teams Admin |
| 14 | Limit site owners | Site Settings → Site Permissions | Site Owner |
| 15 | User training | Your LMS or Microsoft Learn | Everyone |
