As an IT admin, securing SharePoint is critical to protecting sensitive data, preventing unauthorized access, and ensuring compliance with organizational policies. SharePoint security involves permissions management, external sharing controls, threat detection, encryption, and compliance enforcement.
This guide covers best practices for securing SharePoint Online and SharePoint Server, ensuring a strong security posture for your organization.
1. Implement Role-Based Access Control (RBAC)
Assign permissions based on roles and responsibilities rather than individual users.
Use SharePoint Groups and Microsoft 365 Groups for managing access at scale.
Follow the principle of least privilege (PoLP) – users should only have access to what they need.
How to Implement RBAC in SharePoint:
1️⃣ Navigate to Site Settings ➝ Site Permissions
2️⃣ Create or modify SharePoint Groups
3️⃣ Assign appropriate Permission Levels (Read, Edit, Contribute, Full Control)
4️⃣ Avoid granting direct permissions to individual users—use groups instead
Tip: Regularly review and adjust permissions to remove unnecessary access.
2. Secure External Sharing & Guest Access
Restrict or disable external sharing based on organizational policies.
Allow external access only to trusted domains.
Require sign-in verification for external users.
How to Configure External Sharing in SharePoint:
1️⃣ Go to Microsoft 365 Admin Center ➝ SharePoint Admin Center
2️⃣ Click Policies ➝ Sharing
3️⃣ Adjust settings based on your security policy:
✔ Disable anonymous sharing (Anyone with the link)
✔ Allow external sharing only with specific domains
✔ Require sign-in for external users
4️⃣ Click Save
Tip: Monitor external sharing activity using Microsoft Audit Logs.
3. Enforce Multi-Factor Authentication (MFA)
MFA adds an extra layer of security to prevent unauthorized access.
Require MFA for admins, power users, and external collaborators.
How to Enable MFA:
1️⃣ Open Microsoft Entra Admin Center (Azure AD)
2️⃣ Navigate to Security ➝ Conditional Access
3️⃣ Create a new Conditional Access policy
4️⃣ Select Users or Groups
5️⃣ Under Access Controls, select Require MFA
6️⃣ Click Save and Enable Policy
Tip: Use phishing-resistant MFA methods like Microsoft Authenticator or FIDO2 security keys.
4. Configure Information Rights Management (IRM) and Sensitivity Labels
Protect confidential documents with IRM and Sensitivity Labels.
Prevent unauthorized downloading, printing, and forwarding of sensitive files.
How to Enable IRM in SharePoint:
1️⃣ Go to SharePoint Admin Center ➝ Sites ➝ Active Sites
2️⃣ Select the document library ➝ Library Settings
3️⃣ Click Information Rights Management (IRM)
4️⃣ Enable “Restrict permissions on this library”
5️⃣ Set permissions (e.g., block downloads, prevent editing)
Tip: Apply Sensitivity Labels in Microsoft Purview for data classification and encryption.
5. Enable Audit Logs and Monitor Activity
Track user activity and detect suspicious behavior using Audit Logs.
Identify failed sign-in attempts, permission changes, and external sharing events.
How to Enable Audit Logs:
1️⃣ Go to Microsoft Purview Compliance Center ➝ Audit
2️⃣ Click Turn On Auditing (if not enabled)
3️⃣ Search for activities like:
✔ File access, deletion, sharing
✔ Permission changes
✔ Admin role assignments
4️⃣ Set up alerts for unusual activity
Tip: Use Microsoft Defender for Cloud Apps to detect security anomalies.
6. Apply Conditional Access Policies
🔹 Restrict access to SharePoint based on device, location, or risk level.
🔹 Prevent access from untrusted networks or unmanaged devices.
How to Set Up Conditional Access:
1️⃣ Open Microsoft Entra Admin Center ➝ Conditional Access
2️⃣ Click New Policy
3️⃣ Define:
✔ Users or Groups (e.g., all employees, guests, admins)
✔ Cloud Apps – Select SharePoint Online
✔ Conditions – Block access from unmanaged devices or risky sign-ins
4️⃣ Select Grant Access with MFA or Require Compliance Policy
5️⃣ Click Save & Enable
Tip: Combine Conditional Access with Identity Protection for risk-based authentication.
7. Restrict Access to Sensitive Documents
Prevent unauthorized users from accessing confidential documents.
Use Restricted Access Permissions, Sensitivity Labels, and IRM.
How to Restrict Access:
1️⃣ Select the document
2️⃣ Click Manage Access
3️⃣ Click Advanced ➝ Stop Inheriting Permissions
4️⃣ Remove unwanted users and groups
5️⃣ Assign access only to authorized users
6️⃣ Click Save
Tip: Use SharePoint Policy Alerts to notify admins when sensitive documents are accessed.
8. Enable Versioning and Recycle Bin for Data Recovery
Versioning ensures that document changes are tracked and recoverable.
Recycle Bin allows for restoring deleted files within 93 days.
How to Enable Versioning:
1️⃣ Go to Library Settings ➝ Versioning Settings
2️⃣ Set “Require content approval” if needed
3️⃣ Enable “Create major versions”
4️⃣ Click Save
Tip: Regularly monitor deleted files in the Recycle Bin to prevent data loss.
9. Use Secure Collaboration Tools
Encourage users to collaborate securely within Microsoft 365 ecosystem.
Prevent risky third-party integrations.
✔ Use Microsoft Teams and OneDrive for secure collaboration.
✔ Disable third-party apps that do not meet security standards.
✔ Monitor API permissions and app consent requests.
10. Regularly Perform Security Audits
🔹 Conduct periodic security audits to identify vulnerabilities.
🔹 Review:
✔ Permissions and access logs
✔ External sharing activity
✔ MFA and Conditional Access settings
Tip: Use Microsoft Secure Score to evaluate and improve security posture.