Set up secure file sharing and collaboration with Microsoft Teams

Being able to easily share files and documents with the right people while preventing oversharing is key to an organization's success. This includes being able to share confidential or other sensitive data safely with only those who should have access to it. Depending on the project, this might include sharing sensitive data with people outside your organization.

This guidance includes components to help you:

  • Deploy Teams with the right level of protection for each project
  • Configure external sharing with appropriate security settings for each project

If versatile and easy-to-use file collaboration tools aren't available, users will often collaborate by emailing documents. This is a tedious and error-prone method of collaboration, and can increase the risk of inappropriate sharing of information. If people find sharing files too difficult, they could revert to using consumer products that aren't governed by IT. This can pose an even greater risk.

With Microsoft 365, you can deploy Teams with various configurations that help:

  • Protect your intellectual property
  • Enable easy collaboration with documents and other files
  • Create a balance between security and usability that increases user satisfaction and reduces the risk of shadow IT

Most organizations have a variety of information, with varying degrees of sensitivity and varying degrees of business impact if the information is inappropriately shared. Depending on the sensitivity of a given piece of information, you may want to allow sharing with:

  • Anyone (unauthenticated)
  • People inside the organization
  • Specific people inside the organization
  • Specific people inside and outside the organization

Information such as marketing brochures are meant for sharing broadly outside the organization. Information such as cafeteria menus aren't meant for external sharing, but would have no business impact if they were shared externally. These types of information need little or no protection.

Those same marketing brochures, while under development, might only be shared inside the organization. In this case, the default sharing settings in Teams may be sufficient.

Information about a new product that is under development might be considered sensitive, even within the organization. A greater degree of protection might be appropriate in this case. You could restrict access to this information to members of a specific team, for example. Depending on the project, you may need to collaborate with people outside your organization, such as a vendor or partner organization.

Information that is critical to your organization's success, or has stringent security or compliance requirements might require even greater levels of protection.

Risk scale from low (released brochure) to high (sensitive business data).

For all the scenarios noted above, you can use Teams to store, share, and collaborate on the information.

To configure secure collaboration, use these Microsoft 365 capabilities and features:

Product or component Capability or feature Licensing
Microsoft Defender for Office 365 Safe Attachments for SharePoint, OneDrive and Microsoft Teams; Safe Documents; Safe Links for Teams Microsoft 365 E1, E3 and E5
SharePoint Site and file sharing policies, Site sharing permissions, Sharing links, Access requests, Site guest sharing settings Microsoft 365 E1, E3 and E5
Microsoft Teams Guest access, private teams, private channels, shared channels Microsoft 365 E3 and E5 with a Microsoft Teams Enterprise license
Microsoft Purview Sensitivity labels Microsoft 365 E3 and E5
Microsoft Syntex - SharePoint Advanced Management Site access restrictions, conditional access policies for sites, default sensitivity labels for libraries Microsoft Syntex - SharePoint Advanced Management

Collaboration governance framework for Teams and Microsoft 365

Microsoft 365 provides many options for governing your collaboration solution. We recommend you use this deployment content alongside the collaboration governance content to create the best collaboration solution for your organization.

Securing Teams for sensitive and highly sensitive data

To manage access to information with different sensitivities, we've developed three different tiers of protection for Teams. You can customize any of these tiers to better address the needs or your business.

Graphic of three levels of protection for Teams.

These tiers - baseline, sensitive, and highly sensitive - gradually increase the protections that help prevent oversharing and potential information leakage, as shown in the following table.

- Baseline tier Sensitive tier Highly sensitive tier
Public or private team Either Private Private
Unauthenticated sharing Allowed Blocked Blocked
File sharing Allowed Allowed Limited to people in the team.
Team membership Anyone can join public teams.
Team owner approval required to join private teams.
Team owner approval required to join. Team owner approval required to join.
Document encryption Available with sensitivity label
Guest sharing Allowed Can be allowed or blocked Can be allowed or blocked
Unmanaged devices No restriction Web-only access Blocked

Configuring these tiers involves:

  • Configuring settings in Teams for guest access and private and shared channels
  • Configuring settings in a team's associated SharePoint site for internal and guest sharing, site access, and sharing links
  • For the sensitive and highly sensitive tiers, configuring sensitivity labels to classify the teams, and control guest sharing and access from unmanaged devices
  • For the highly sensitive tier, configuring a sensitivity label to encrypt the documents to which it's applied

Start with the baseline tier, and then add teams that use the sensitive and highly sensitive tiers as needed to help protect the information in your organization. See these resources to get started:

Sharing with people outside your organization

You may need to share information of any sensitivity with people outside your organization. This could range from sharing a single document with a single person to collaborating on a major project with a large partner organization or freelancers from around the world. In Microsoft 365, this range of external sharing can be done easily and with the appropriate safeguards to help protect your sensitive information.

Read these articles to help you get started with setting up your environment for collaborating with people outside your organization:

Depending on the sensitivity of the information being shared, you can add safeguards to help prevent oversharing. Read these articles to help you set up the protections that you need for your organization:

If you have a major project with a partner organization, you can use either shared channels or Azure Entitlement Management to manage the people outside your organization who you need to collaborate with.

Training for administrators

These training modules from Microsoft Learn can help you learn the collaboration, governance, and identity features in Teams and SharePoint.

Teams

Identity and access

Training for end users

These training modules can help your users use Teams, groups, and SharePoint for collaboration in Microsoft 365.

Illustrations

These illustrations show how groups and teams interact with other services in Microsoft 365 and what governance and compliance features are available to help you manage these services in your organization.

Groups in Microsoft 365 for IT Architects

What IT architects need to know about groups in Microsoft 365

Item Description
Thumb image for groups infographic.
PDF |Visio
Updated August 2023
These illustrations detail the different types of groups, how these are created and managed, and a few governance recommendations.

The logical architecture of productivity services in Microsoft 365, leading with Microsoft Teams.

Item Description
Thumb image for Teams logical architecture poster.
PDF |Visio
Updated September 2023
Microsoft provides a suite of productivity services that work together to provide collaboration experiences with data governance, security, and compliance capabilities.

This series of illustrations provides a view into the logical architecture of productivity services for enterprise architects, leading with Microsoft Teams.

Next steps

When you're ready to set up a secure collaboration environment, follow these steps:

  1. Configure the three different tiers of protection for Teams.
  2. Configure settings for sharing information of any sensitivity with people outside your organization.

See also

Microsoft 365 security documentation

Microsoft Purview documentation

Welcome to Microsoft Teams