In the previous article I shared our recommendations for effective content management for your sites & teams in Microsoft 365. This article moves on to strategies for protecting the digital assets stored in those sites & teams.
Features
To successfully protect your digital assets in your sites & teams, you need to have an understanding of the following features:
- Permissions
- Guests & sharing
- Information Protection & Conditional Access
- Data Loss Prevention
- SharePoint Advanced Management
Permissions
The permissions available to business users are directly connected to the privacy setting of your site & team. There are three options: private, public and org-wide. In this article I focus on private and public, because Viva Engage is the recommended tool for company-wide (social) communication.
A public site or team grants edit permissions to all employees (external users excluded). The impact is considerable: every employee can read the content and, in the worst case, start adding lists & libraries.
A private site or team only grants access to business users approved by the owners. I advise going private by default to prevent unauthorized access to sensitive information. Use a SharePoint communication site for the digital assets that everyone should be able to reach.
How do you enforce private by default? Unfortunately, you can only enforce this with either a provisioning solution or with sensitivity labels. A sensitivity label includes a privacy setting for groups & sites; once a label with that setting is applied, the required privacy setting is enforced and the owners can no longer change it.
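A label or provisioning solution prevents new public teams, but it does not tell you which existing teams are already public. The following Microsoft Graph PowerShell script is an added example (not code from the original article): it lists every Microsoft 365 group that is still Public and, only when you pass -Remediate, switches it to Private. It assumes the Microsoft.Graph PowerShell SDK is installed, that you hold the Group.ReadWrite.All permission, and that the allow-list of intentionally public groups is something you maintain yourself.

```powershell
# Added example, not from the original article.
# Finds Microsoft 365 groups (Teams and group-connected sites) that are still Public
# and optionally sets them to Private. Assumes the Microsoft.Graph SDK and Group.ReadWrite.All.
param(
    [switch]$Remediate,
    # Hypothetical allow-list: object IDs of groups that are intentionally public
    # (for example a company-wide announcements team).
    [string[]]$AllowedPublicGroupIds = @()
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# groupTypes contains 'Unified' for Microsoft 365 groups; distribution and security groups are skipped.
$groups = Get-MgGroup -Filter "groupTypes/any(c:c eq 'Unified')" -All `
                      -Property Id, DisplayName, Visibility, Mail

$public = @($groups | Where-Object {
    $_.Visibility -eq 'Public' -and $_.Id -notin $AllowedPublicGroupIds
})

foreach ($g in $public) {
    if ($Remediate) {
        # Public <-> Private can be changed after creation; only HiddenMembership is creation-only.
        Update-MgGroup -GroupId $g.Id -Visibility 'Private'
        Write-Host "Set '$($g.DisplayName)' ($($g.Mail)) to Private"
    }
    else {
        Write-Warning "Public group: '$($g.DisplayName)' ($($g.Mail))"
    }
}

Write-Host "$($public.Count) of $(@($groups).Count) Microsoft 365 groups are Public and not on the allow-list."
```

Run it without -Remediate first and review the warnings with the owners. Switching a group to Private removes the "Everyone except external users" access that public groups grant, so owners must add the intended members explicitly afterwards.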
Guests & sharing
For most of us, external collaboration is a necessity. There are two options: we invite a guest to become a member of our site & team, or we share one or more files with them.
Unfortunately, the settings for external access are scattered across Microsoft 365. The main setting, basically the on/off switch, is located in the Microsoft 365 admin center.
Once enabled, you configure the additional settings in the SharePoint admin center (Policies > Sharing).
Depending on your security requirements, you can limit external sharing to specific domains and allow only users in specific security groups to share externally. I advise letting guest access to a site or OneDrive expire after 30 days, and requiring guests who sign in with a verification code to re-verify after 5 days.
These are the tenant-level settings, pushed down to all underlying sites & teams. You can tighten them per site or team in the SharePoint admin center; note that a site's sharing setting can be more restrictive than the tenant setting, but never less restrictive.
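The settings above can be applied and, more importantly, checked for drift with the SharePoint Online Management Shell. The script below is an added example (not code from the original article) that encodes the recommended baseline as one table, applies it with Set-SPOTenant, compares it against Get-SPOTenant, and then tightens one highly sensitive site. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator role, and the hypothetical tenant "contoso", site "/sites/finance" and partner domain "partner.example".

```powershell
# Added example, not from the original article.
# Tenant-wide external sharing baseline with a drift check, then a per-site override.
# Assumes the SharePoint Online Management Shell and a SharePoint admin role.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # hypothetical tenant

# Desired baseline. Keys match both Set-SPOTenant parameter names and Get-SPOTenant
# property names, so one table drives enforcement and verification.
$baseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly'   # authenticated guests only, no 'Anyone' links
    SharingDomainRestrictionMode      = 'AllowList'
    SharingAllowedDomainList          = 'partner.example'           # hypothetical; space-separated for several domains
    ExternalUserExpirationRequired    = $true
    ExternalUserExpireInDays          = 30                          # guest access to a site/OneDrive expires after 30 days
    EmailAttestationRequired          = $true
    EmailAttestationReAuthDays        = 5                           # verification-code guests re-verify after 5 days
    PreventExternalUsersFromResharing = $true
    DefaultSharingLinkType            = 'Direct'                    # default to 'specific people' links
}

# Enforce: splatting passes every key as a Set-SPOTenant parameter.
Set-SPOTenant @baseline

# Verify: report every setting whose live value differs from the baseline.
$tenant = Get-SPOTenant
$drift = foreach ($key in $baseline.Keys) {
    $actual = $tenant.$key
    if ("$actual" -ne "$($baseline[$key])") {
        [pscustomobject]@{ Setting = $key; Expected = $baseline[$key]; Actual = $actual }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { Write-Host 'Tenant sharing settings match the baseline.' }

# Per-site override for a highly sensitive team. A site can only be MORE restrictive
# than the tenant, so Disabled here is valid while the tenant allows guests.
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' -SharingCapability Disabled

# Audit: which sites still allow any form of external sharing?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability
```

Run the verification part on a schedule; a tenant setting that silently changes back (for example after a support ticket) is exactly the kind of drift that lets guest access outlive its 30-day intent.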
Be aware: when a sensitivity label is applied to the site or team, you can't change these settings without removing the label. You can use a sensitivity label to enforce sharing settings, for example whether guests can be invited to the team, or whether files can be shared with a guest.
I strongly encourage you to set up a review process for your guests and internal colleagues, especially for sites & teams with highly sensitive content. You can use Microsoft Entra access reviews to have the owners confirm periodically that every member and guest still needs access, with access removed automatically when nobody confirms it.
Information Protection & Conditional Access
Business users and guests need access to a site & team. Once they have it, they can download, synchronize and share sensitive information with unauthorized people. This can be prevented with sensitivity labels, provided by Microsoft Purview Information Protection, in combination with Conditional Access settings.
Sensitivity labels let you classify and protect the sensitive files stored in your sites & teams. By enabling encryption on the label, you limit access to a selected audience. You start under Access control, where the assign permissions menu lets you select the users or groups that form the audience for the labelled digital assets, followed by the permissions (for example view, edit or print) they get.
Even after the digital assets are downloaded outside Microsoft 365, only the selected users or groups can open the files. This is an excellent additional layer of protection for your sensitive files. Be aware: not all digital assets are currently connected with sensitivity labels, so unlabelled content does not get this protection.
I recommend setting a default label on the document library of highly sensitive sites & teams, and combining this file label with a label for the site or team itself, so that the container settings (privacy, guest access, sharing) and the file encryption reinforce each other.
An additional label setting is related to Conditional Access. It determines the access and actions available to unmanaged devices (mostly guests) for the digital assets in your sites & teams.
Be aware: this label setting builds on the tenant-wide default for unmanaged devices in the SharePoint admin center (Access control > Unmanaged devices).
Be aware: you can't set the tenant default to block access and then use full access in a label; that combination is not allowed. By enabling this feature, you prevent guests on an unmanaged device from syncing, downloading and printing files in your sites & teams with sensitive content.
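All of the label settings discussed in this article (the enforced privacy setting from the Permissions section, the guest and sharing settings from Guests & sharing, and the encryption and unmanaged-device settings above) can be created as one label with Security & Compliance PowerShell. The script below is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module, a Compliance administrator role, and the hypothetical group finance-team@contoso.com, tenant "contoso" and site "/sites/finance"; the label and policy names are mine.

```powershell
# Added example, not from the original article.
# One sensitivity label that protects files (encryption) and containers (site/team settings),
# plus the tenant-wide unmanaged-device default that the label setting depends on.
# Assumes the ExchangeOnlineManagement module and a Compliance admin role.
Connect-IPPSSession

$labelName = 'Highly Confidential - Finance'   # hypothetical label name

New-Label -Name $labelName -DisplayName $labelName `
    -Tooltip 'Finance-only content. Encrypted; private team; no guests; web-only from unmanaged devices.' `
    -ContentType 'File, Email, Site, UnifiedGroup' `
    -EncryptionEnabled $true `
    -EncryptionProtectionType 'Template' `
    -EncryptionRightsDefinitions 'finance-team@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT,EXTRACT,OBJMODEL' `
    -EncryptionOfflineAccessDays 7 `
    -SiteAndGroupProtectionEnabled $true `
    -SiteAndGroupProtectionPrivacy 'Private' `
    -SiteAndGroupProtectionAllowAccessToGuestUsers $false `
    -SiteExternalSharingControlType 'Disabled' `
    -SiteAndGroupProtectionAllowLimitedAccess $true     # unmanaged devices: browser only, no sync/download/print

# Publish the label so users and admins (for example as a library default) can apply it.
New-LabelPolicy -Name "$labelName policy" -Labels $labelName `
    -ExchangeLocation All -SharePointLocation All -OneDriveLocation All -ModernGroupLocation All

# Tenant default for unmanaged devices, set with the SharePoint Online Management Shell.
# Do not set this to BlockAccess if any label needs to allow full access: that combination is not allowed.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess

# Check: after an owner applies the label to the finance site, the site should report the
# label GUID, SharingCapability = Disabled and ConditionalAccessPolicy = AllowLimitedAccess.
$label = Get-Label -Identity $labelName
"Expected label GUID on labelled sites: $($label.Guid)"
Get-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' |
    Select-Object Url, SensitivityLabel, SharingCapability, ConditionalAccessPolicy
```

The rights list deliberately leaves out OWNER and EXPORT, so members of the finance group can work with the files but cannot remove the protection; only the label administrators can. Remember the caveat from the sharing section: once this label is on a site, the site's sharing and guest settings follow the label and can't be edited per site without removing it.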
Data Loss Prevention
Another powerful feature in the Microsoft Purview suite is Data Loss Prevention (DLP), which enables your organization to detect, monitor and protect its sensitive information. To use DLP to the fullest, you need a data security policy that covers the use of sensitive information in Microsoft 365, on endpoints and in cloud apps; that policy determines the exact use and configuration of DLP. That said, I recommend starting with a DLP policy that monitors a default set of sensitive information types in the sites & teams holding your most sensitive information. Run it in test mode first and review the matches before you let it block anything. Out-of-the-box policy templates are available during the creation process.
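The same monitoring policy can be created with Security & Compliance PowerShell, which makes the scope and the detection rule explicit and reviewable. The script below is an added example, not code from the original article: it creates a policy in test mode, scoped to the two hypothetical site URLs and to Teams messages, with one rule built on two built-in sensitive information types. It assumes the ExchangeOnlineManagement module and a Compliance administrator role; the policy and rule names are mine.

```powershell
# Added example, not from the original article.
# DLP policy that monitors a default set of sensitive information types in the most sensitive
# sites and teams, in test mode, with incident reports for the site admins.
# Assumes the ExchangeOnlineManagement module and a Compliance admin role.
Connect-IPPSSession

$policyName     = 'Monitor sensitive info - finance and HR'
$sensitiveSites = @(                                          # hypothetical sites
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso.sharepoint.com/sites/hr'
)

# Scope: the selected SharePoint sites (Teams files live there) plus Teams chat and channel messages.
# TestWithNotifications: log matches and show policy tips, but do not block anything yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Detect credit card and SSN data in finance/HR; test mode until tuned.' `
    -SharePointLocation $sensitiveSites `
    -TeamsLocation All `
    -Mode TestWithNotifications

# Rule: built-in sensitive information types, triggered only when content is shared
# with people outside the organization (AccessScope NotInOrganization).
New-DlpComplianceRule -Name 'Credit card or SSN shared externally' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @(
        @{ Name = 'Credit Card Number';                 minCount = '1' },
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser LastModifier, Owner `
    -GenerateIncidentReport SiteAdmin `
    -IncidentReportContent Title, Detections, Severity `
    -ReportSeverityLevel High

# Check what was created before switching the policy to Enable.
Get-DlpCompliancePolicy -Identity $policyName |
    Select-Object Name, Mode, SharePointLocation, TeamsLocation
Get-DlpComplianceRule -Policy $policyName |
    Select-Object Name, AccessScope, ReportSeverityLevel
```

After a few weeks of reviewing the incident reports (tune minCount and the information types until false positives are rare), change the policy to enforcement with Set-DlpCompliancePolicy -Mode Enable and add -BlockAccess $true to the rule if your data security policy requires it.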
SharePoint Advanced Management
Although SharePoint Advanced Management deserves its own article, I want to highlight a selection of valuable features for protecting your digital assets:
- Block download policy for SharePoint sites and OneDrive
- Data access governance reports for SharePoint sites
- Initiate site access reviews for Data access governance reports
- Restrict discovery of SharePoint sites and content
- Restrict SharePoint site access with Microsoft 365 groups and Microsoft Entra security groups
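Three of the features in the list above can be applied to one highly sensitive site from the SharePoint Online Management Shell, and the fourth can be started from it. The script below is an added example, not code from the original article. It assumes the Microsoft.Online.SharePoint.PowerShell module, a SharePoint administrator role, a SharePoint Advanced Management (or Microsoft 365 Copilot) licence, and the hypothetical site and group ID shown; the data access governance cmdlet parameters are as I recall them from the module documentation, so confirm them with Get-Help before relying on them.

```powershell
# Added example, not from the original article.
# Applies restricted access control, block download and restricted discovery to one site,
# then requests a data access governance snapshot report.
# Assumes the SharePoint Online Management Shell and an SAM/Copilot licence.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # hypothetical tenant

$site           = 'https://contoso.sharepoint.com/sites/finance'    # hypothetical site
$financeGroupId = '00000000-0000-0000-0000-000000000001'            # hypothetical Entra group object ID

# 1. Restrict site access: only members of the listed groups can open the site, even if they
#    hold a sharing link or a direct permission granted earlier. Must be enabled tenant-wide first.
Set-SPOTenant -EnableRestrictedAccessControl $true
Set-SPOSite -Identity $site -RestrictedAccessControl $true -RestrictedAccessControlGroups $financeGroupId

# 2. Block download: files open in the browser only; no download, print or sync.
#    Site owners are excluded so they can still manage the content.
Set-SPOSite -Identity $site -BlockDownloadPolicy $true -ExcludeBlockDownloadPolicySiteOwners $true

# 3. Restrict discovery: keep the site's content out of org-wide search and Copilot results.
Set-SPOSite -Identity $site -RestrictContentOrgWideSearch $true

# Verify that the site reports all three controls.
Get-SPOSite -Identity $site |
    Select-Object Url, RestrictedAccessControl, BlockDownloadPolicy, RestrictContentOrgWideSearch

# 4. Data access governance: snapshot of sites where 'Everyone except external users' was granted
#    access, which is exactly the over-sharing a public team creates. Parameters as documented for
#    the module; verify with Get-Help Start-SPODataAccessGovernanceInsight.
Start-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite `
    -Workload SharePoint -ReportType Snapshot -Name 'EEEU site snapshot'
Get-SPODataAccessGovernanceInsight -ReportEntity EveryoneExceptExternalUsersAtSite |
    Select-Object ReportName, Status, CreatedDateTime
```

Restricted access control is the strongest of the three: it overrides existing permissions rather than adding to them, so test it on one site with a known member group and confirm that an owner outside that group loses access as expected before rolling it out.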
Are you using Microsoft 365 Copilot? Before the end of March 2025, you get all SharePoint Advanced Management features without acquiring additional licenses. Fantastic news, and super awesome from Microsoft!
Conclusion
Protecting your digital assets in sites & teams requires an effective security strategy built on Microsoft 365 tools such as permissions management, guest access control, information protection, data loss prevention and SharePoint Advanced Management. Together these tools give your organization the means to safeguard its digital assets. This is crucial, especially in the AI-driven world we live in today, where anything a user can reach, an AI assistant acting for that user can reach too.
A note from Rencore
Securing your content assets is a crucial initial step as you begin your journey with Copilot. It is important to consider the subsequent stages, such as effectively managing all AI instances and AI agents once they are deployed to end users. To gain a comprehensive understanding of how Rencore can support you in navigating your entire AI governance journey, we encourage you to reach out to us today for further information.