When an employee leaves, their OneDrive may contain sensitive files—client contracts, project plans, or even salary spreadsheets. The risk of these files being shared inappropriately during offboarding can keep you up at night. If this sounds familiar, you're not alone. In my previous post, I discussed SharePoint site restrictions for legal teams. Now, let’s explore a similar OneDrive feature: restricting file sharing to a specific group. This tool is your safeguard to ensure sensitive data stays secure when an employee exits.
Why read on? This guide goes beyond technical steps—it’s about protecting your organization’s data with confidence. We’ll use a real-world scenario involving an employee, Sarah, to walk through restricting her OneDrive access, share PowerShell scripts for efficiency, and provide practical tips to keep your data safe without stress. Let’s dive in and secure your company’s assets!
Securing Sarah’s OneDrive
Sarah, a project manager, has submitted her two weeks’ notice. Her OneDrive holds critical files—project budgets, vendor contracts, and a folder named “Confidential Q4 Plans” that demands protection. Your goal is to restrict her OneDrive sharing to her project team (e.g., “ProjectXTeam”) before she departs. Microsoft 365’s OneDrive restricted access feature, similar to SharePoint’s site restrictions, limits sharing to members of a designated Microsoft 365 or Entra ID group, ensuring no one else can access her files, even with a shared link.
This feature is essential for secure offboarding. It’s not about mistrust; it’s about minimizing risks. You’ll need a Microsoft SharePoint Premium - Advanced Management license and must enable site access restrictions at the tenant level.
Important: Ensure Sarah is included in the allowed group to maintain her access until her last day.
Why This Matters for Offboarding
An employee’s OneDrive can become a vulnerability during departure. Well-meaning employees may inadvertently overshare files in a rushed exit. Here’s why restricting access is critical:
Prevents Data Leaks: Limits sharing to internal groups, blocking external access.
Streamlines Governance: Adds a clear step to your offboarding process.
Ensures Compliance: Aligns with data protection regulations, keeping auditors satisfied.
The key is to act quickly and configure correctly. Below, we outline the steps to secure Sarah’s OneDrive using the SharePoint Admin Center and PowerShell for flexibility.
Configuration Steps
1. Enable Site Access Restriction
To restrict OneDrive, first enable site-level access restrictions for your tenant. This step is foundational, like setting up a security system before locking specific doors.
Using SharePoint Admin Center:
Navigate to SharePoint Admin Center > Policies > Access control > Site access restriction.
Select “Allow access restriction” and save.
Allow up to an hour for the setting to propagate. Use this time to coordinate with HR.
Using PowerShell:
Set-SPOTenant -EnableRestrictedAccessControl $true
Note: For Multi-Geo environments, run this command for each geo-location. This step is mandatory to enable OneDrive restrictions.
2. Restrict Sarah’s OneDrive
Next, limit Sarah’s OneDrive to the “ProjectXTeam” group. This step is only available through PowerShell; there is no equivalent setting in the SharePoint Admin Center.
Using PowerShell:
Set-SPOSite -Identity https://<your-tenant>-my.sharepoint.com/personal/sarah_smith_your_tenant_com -RestrictedAccessControl $true
Set-SPOSite -Identity https://<your-tenant>-my.sharepoint.com/personal/sarah_smith_your_tenant_com -AddRestrictedAccessControlGroups @("ProjectXTeamID")
3. Block External Sharing
To further secure Sarah’s OneDrive, prevent sharing with anyone outside the allowed group:
Set-SPOTenant -AllowSharingOutsideRestrictedAccessControlGroups $false
This ensures that even if Sarah tries to share a file with her personal email (yep, it happens), the recipient will get an “access denied” message.
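As an added example that is not part of the original post, the three steps above wrapped in one PowerShell script with the pre-checks a practitioner would want (tenant switch already on, group resolved to its GUID, Sarah confirmed as a group member before her OneDrive is locked). The tenant name, Sarah’s UPN, the group name, the Microsoft.Graph cmdlets used to look up the group and its members, and the property names read back from Get-SPOTenant and Get-SPOSite are assumptions.

```powershell
# Added example (not from the original post). Assumes the Microsoft.Online.SharePoint.PowerShell
# and Microsoft.Graph modules are installed and the Advanced Management licence is in place.
# Tenant, UPN and group name below are placeholder assumptions; replace them.
$Tenant    = 'contoso'                    # assumption: tenant name
$UserUpn   = 'sarah.smith@contoso.com'    # assumption: departing user's UPN
$GroupName = 'ProjectXTeam'               # group allowed to keep access

Connect-SPOService -Url "https://$Tenant-admin.sharepoint.com"
Connect-MgGraph -Scopes 'Group.Read.All','User.Read.All' -NoWelcome

# Step 1: tenant-level switch. Only flip it if it is off, so an already-running
# propagation window is not restarted. (Multi-Geo: repeat per geo-location.)
if (-not (Get-SPOTenant).EnableRestrictedAccessControl) {
    Set-SPOTenant -EnableRestrictedAccessControl $true
    Write-Warning 'Restricted access control just enabled; allow up to an hour before step 2 takes effect.'
}

# The site cmdlet wants the group's object ID, not its display name.
$Group = Get-MgGroup -Filter "displayName eq '$GroupName'"
if (-not $Group -or $Group.Count -gt 1) { throw "Expected exactly one group named '$GroupName'." }

# Guard for the 'Important' note above: the user must be in the allowed group,
# otherwise she is locked out of her own files before her last day.
$UserId    = (Get-MgUser -UserId $UserUpn).Id
$MemberIds = (Get-MgGroupMember -GroupId $Group.Id -All).Id
if ($MemberIds -notcontains $UserId) { throw "$UserUpn is not a member of $GroupName; add her first." }

# Step 2: find the OneDrive by owner instead of hand-building the /personal/ URL.
$OneDrive = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
            Where-Object { $_.Owner -eq $UserUpn }
if (-not $OneDrive) { throw "No OneDrive found for $UserUpn." }

Set-SPOSite -Identity $OneDrive.Url -RestrictedAccessControl $true
Set-SPOSite -Identity $OneDrive.Url -AddRestrictedAccessControlGroups @($Group.Id)

# Step 3: block sharing outside the allowed groups. Note this is a tenant-wide setting.
Set-SPOTenant -AllowSharingOutsideRestrictedAccessControlGroups $false

# Read the result back so the change is verified and recorded in the session transcript.
Get-SPOSite -Identity $OneDrive.Url | Select-Object Url, Owner, RestrictedAccessControl | Format-List
```

Run it under Start-Transcript so the verification output doubles as an offboarding audit record.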
What Happens Next?
With restrictions applied, Sarah can only share files with “ProjectXTeam” members. Attempts to share externally (e.g., with a consultant or personal account) result in an access denied error, even with a valid link. After Sarah’s departure, transfer or archive her OneDrive, confident that it’s secure during the transition.
Note: Non-group members may see file names in search results or Copilot but cannot access content.
Conclusion
Restricting Sarah’s OneDrive is like securing a vault—it allows her to work while protecting sensitive data. As someone who’s navigated permission mishaps, I can attest this feature simplifies offboarding. Using the SharePoint Admin Center and PowerShell, you’ll ensure data security with minimal effort, complementing the SharePoint restrictions discussed previously. You’re now equipped to handle offboarding like a pro—time for a well-deserved break!
If you found this guide helpful, please give it a like and share it with your colleagues to help them secure their OneDrive offboarding process too!
References
How to Lock Down SharePoint Sites for Legal Case Management: https://intranetfromthetrenches.substack.com/p/how-to-lock-down-sharepoint-sites-for-legal-case-management
Restrict access to a user's OneDrive content to people in a group: https://learn.microsoft.com/en-us/sharepoint/onedrive-site-access-restriction
Set-SPOTenant: https://learn.microsoft.com/en-us/powershell/module/microsoft.online.sharepoint.powershell/set-spotenant?view=sharepoint-ps