When sharing files or folders in the MS365 suite of services (OneDrive, SharePoint Online, and Microsoft Teams), it is recommended that you do so in the most restrictive manner possible while maintaining the workflow you need to achieve success.
Yale University ITS recommends storing files commonly used by your department, project, or other working group in an appropriate Microsoft Teams or SharePoint site rather than your OneDrive account. This prevents you from having to maintain a complicated web of sharing permissions and ensures important data is not lost when data owners leave the University and their accounts are retired.
Public Teams and SharePoint sites allow you to share links to specific files or folders with internal or external users who are not site members. Still, we recommend doing so only where necessary. Private Teams and SharePoint sites only allow you to share links to specific files and folders with internal users. Under regular circumstances, files stored in Teams or SharePoint should be available only to owners and site members. Sharing data outside the membership of the Team or SharePoint site should only be done with a site owner’s awareness, and access should be revoked when no longer necessary.
As an owner of Moderate or High-Risk data in MS365 services, be careful when granting others access to your files or folders that allow them to share your data. Moderate and high-risk data access should be limited to only authorized parties who can see the data. In OneDrive, if the data you own is shared by someone else, you will receive an email with the details of who shared the data, with whom, and what access level they granted. If you see that Moderate or High-Risk data has been shared in an Anyone with the link can access fashion, you should use the link in the email to immediately revoke that share and follow up with the user who shared the data.
When you need to make content available on a website or in an email for the Yale community and the people accessing the content are unknown, we recommend using this option. This will keep people outside the University from accessing the content if they obtain the link. We also recommend unchecking the Allow editing box; doing this further allows you to block the local download of the file if desired by toggling on the Block download option.
This option generates a link to the file or folder for people who have already been granted access to the data.
This is the riskiest manner of sharing but is sometimes necessary if you need to make content available to people outside the University and you do not know who your audience is specifically. When sharing this way, we recommend setting an expiration date for the link so it does not remain shared indefinitely. We also recommend unchecking the Allow editing box; doing this further allows you to block the local download of the file if desired by toggling on the Block download option.
When sharing Moderate or High-Risk data stored in MS365 services, it is important not to do so with an anonymous access link. This leaves that data open to exposure and access by individuals who should not view it. Anyone in possession of the link can access the data without having to authenticate to get it, and access is uncontrolled.
Note: This option is unavailable when creating shared links for files and folders stored in Teams or most SharePoint sites.