SharePoint protection helps you protect Microsoft 365 files by either automated or manual sharing control.
In this article, you will learn more about:
- Introduction
- How M365 file sharing protection works
- What the admin sees in records
- How to view actions performed by external users
Introduction
To protect file sharing, you must first activate SharePoint protection. Learn more about it here.
Learn how policies and data classification work in Safetica Cloud Protection here.
SharePoint protection supports all policy actions (Log, Notify, Block (with override), and Block).
How M365 file sharing protection works
Safetica enables you to control the sharing of sensitive files within Microsoft 365 by creating policies for M365 file sharing. Here's how they work:
Blocking policies
- File sharing is automatically canceled if it violates a blocking policy.
- If a user shares a file that violates a policy that blocks file sharing, the sharing will be automatically canceled, and the user will receive an email notification about this cancelation.
Processing of the blocking operation may take some time. For this reason, the file sharing is not canceled immediately; it can take up to 5 minutes.
Manual cancelation for non-blocking policies
For non-blocking policies (i.e., Block (with override), Notify, and Log), admins can cancel the file sharing manually in Safetica console > Data. The Cancel this sharing button can be found in the respective operation detail. There is also a link to the file so that admins can review it.
Block (with override) policies
1. Sharing is canceled: If a user shares a file that violates a Block (with override) policy, the file sharing will at first be canceled. The user will receive an email with the option to override the cancelation.
   Processing of the blocking operation may take some time. For this reason, the file sharing is not canceled immediately; it can take up to 5 minutes.
2. User can override the cancelation: If the user does nothing, the file sharing will remain canceled. If they click Override in the email, they will be forwarded to a form where they can add the reason and description for overriding the policy.
3. User must share the file again: If the override is successful, the user will receive another email with a link to the file, so that they can share the file again. This time, the sharing will not be canceled.
Notification policies
- If a user shares a file that violates a notification policy, the sharing will not be canceled. The user will receive an email urging them to consider unsharing the file if it contains sensitive data that should not be shared.
- There is a link to the file in the email so that the user can easily cancel its sharing.
- There is a limit of 30 notification emails per day per user.
Logging policies
- If a user shares a file that violates a logging policy, the sharing will only be logged.
- The sharing will not be canceled, and no email notification will be sent to the user.
Example 1: Sharing violates a blocking policy
The admin decides that @safetica.com is a safe domain and adds it into the Safe destinations column in Data destinations. Then the admin creates a policy that blocks Email and M365 file sharing to All except safe destinations. An end user then shares a company file using an anonymous link (the Anyone option). What will happen with the file?
The anonymous link can be used by anyone – even people outside the safe @safetica.com domain. Therefore, the blocking policy is violated, and the sharing will be canceled. The end user will receive an email notification about this.
Example 2: Sharing to specific addresses violates a logging policy
The admin has a logging policy for M365 file sharing. An end user shares a file to 2 people. One of them has an @safetica.com email address and the other an @seznam.cz address. How can the admin cancel the sharing to the @seznam.cz address?
The admin will see 2 records in Safetica console related to the sharing operation – one for each person. The admin can then manually cancel the sharing to @seznam.cz by opening the operation detail and clicking the Cancel this sharing button. The sharing to @safetica.com will be unaffected by the cancellation and will keep working.
Example 3: Sharing to anonymous link violates a logging policy
The admin has a logging policy for M365 file sharing. An end user shares a file via anonymous link. What will happen when the admin cancels such sharing?
The admin will see a record in Safetica console with the destination type Anyone with the link. When the admin decides to manually cancel the sharing, they open the operation detail and click the Cancel this sharing button. The anonymous link will be canceled for all users.
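The three examples above can be traced with a small decision model. This is an added illustration, not Safetica code: the Record shape, the function names, the except_safe flag and the sample addresses are assumptions made for the sketch, and the Block (with override) re-share step is left out.

```python
from dataclasses import dataclass, replace

ANYONE = "Anyone with the link"  # destination type the console shows for anonymous links

# Per policy action, as the article describes it: (canceled automatically, user emailed)
ACTIONS = {"Log": (False, False), "Notify": (False, True),
           "Block (with override)": (True, True), "Block": (True, True)}

@dataclass(frozen=True)
class Record:                    # hypothetical shape of one console record
    destination: str
    matched: bool                # the policy applies to this destination
    canceled: bool
    user_emailed: bool

def is_safe(destination, safe_domains):
    # An anonymous link works for people outside every safe domain, so it is never safe.
    if destination == ANYONE:
        return False
    return destination.rsplit("@", 1)[-1].lower() in safe_domains

def evaluate(destinations, action, safe_domains, except_safe=True):
    """One record per destination; except_safe models 'All except safe destinations'."""
    cancel, email = ACTIONS[action]
    out = []
    for dest in destinations:
        matched = not (except_safe and is_safe(dest, safe_domains))
        out.append(Record(dest, matched, matched and cancel, matched and email))
    return out

def admin_cancel(records, destination):
    """Manual 'Cancel this sharing' on one record; the other records keep working."""
    return [replace(r, canceled=True) if r.destination == destination else r
            for r in records]

SAFE = {"safetica.com"}          # constructed sample data following the examples
ex1 = evaluate([ANYONE], "Block", SAFE)                        # Example 1
ex2 = admin_cancel(evaluate(["a@safetica.com", "b@seznam.cz"], "Log", SAFE,
                            except_safe=False), "b@seznam.cz")  # Example 2
ex3 = admin_cancel(evaluate([ANYONE], "Log", SAFE), ANYONE)    # Example 3
```

The model makes the main review point explicit: an Anyone link always falls outside the safe destinations, so a policy scoped to All except safe destinations always applies to it.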
What the admin sees in records
Admins can view M365 file sharing operations by using the Operation > M365 external sharing and Operation > M365 internal sharing filters in the Data section of Safetica console.
Example: The screenshot below displays an M365 external sharing operation that was blocked based on the Block sensitive data policy. The sharing was done via an anonymous link (Destination is Anyone with the link).
How to view actions performed by external users
In the user tree under Cloud users > External users team, the External user entity represents anonymous and guest users that are not part of your M365 tenant.
All file operations, such as file sharing, downloads, or uploads performed by these users are recorded under it (e.g., downloading a file shared via an anonymous link will be recorded under the External user entity).
You can learn more about users and teams synced from your Microsoft 365 tenant here.