You can restrict access to an individual user's OneDrive content to users in a security group or Microsoft 365 group by using a site access restriction policy. Users not in the specified group can't access the content, even if they previously held permissions or received a sharing link.
The policy is applied using Microsoft Entra security groups or Microsoft 365 groups that contain the people who should be able to access files in that OneDrive.
When the policy is applied, the people in the specified groups aren't granted permissions to any files directly. The OneDrive owner must share the content as they normally would. The site access restriction policy prevents anyone who isn't in the security group or the Microsoft 365 group from accessing the OneDrive content even if it's shared with them.
Access restriction policies are applied when a user attempts to access a file. Users can still see files in search results if they have direct permissions to the file, but they won't be able to access the file if they're not part of the specified group.
You can also restrict access to the OneDrive service itself to people in a security group. For more information, see Restrict OneDrive access by security group.
Before you begin
Make sure your organization meets the Prerequisites for SharePoint Advanced Management, including requirements for SharePoint Online PowerShell module.
Enable site access restriction for your organization
You must enable site access restriction for your organization before you can configure it for a user's OneDrive.
To enable site access restriction for your organization in SharePoint admin center:
Expand Policies and select Access control.
Select Site access restriction.
Select Allow access restriction and then select Save.
To enable site access restriction for your organization using PowerShell, run the following command:
Set-SPOTenant -EnableRestrictedAccessControl $true
It might take up to one hour for the command to take effect.
Note
For Microsoft 365 Multi-Geo users, run this command separately for each desired geo-location.
Restrict access to a user's OneDrive content
Each OneDrive can be assigned up to 10 Microsoft Entra security or Microsoft 365 groups. Once a group is added, only users in the groups have access to content in that OneDrive that has been shared with them. You can use dynamic security groups if you want to base group membership on user properties.
Important
The owner of the OneDrive must be included in one of the security or Microsoft 365 groups that you specify or they'll lose access to their OneDrive and its contents.
To manage access restriction for OneDrive, use the following commands:
To enable access restriction for a given OneDrive library:
Run the following command before adding security or Microsoft 365 groups.
Set-SPOSite -Identity <siteurl> -RestrictedAccessControl $true
To add a security group or a Microsoft 365 group:
Run the following command:
Set-SPOSite -Identity <siteurl> -AddRestrictedAccessControlGroups <comma separated group GUIDS>
To edit a security group or a Microsoft 365 group:
Run the following command:
Set-SPOSite -Identity <siteurl> -RestrictedAccessControlGroups <comma separated group GUIDS>
To view a security group or a Microsoft 365 group:
Run the following command:
Get-SPOSite -Identity <siteurl> | Select RestrictedAccessControl, RestrictedAccessControlGroups
To remove a security group or a Microsoft 365 group:
Run the following command:
Set-SPOSite -Identity <siteurl> -RemoveRestrictedAccessControlGroups <comma separated group GUIDS>
To reset site access restriction:
Run the following command:
Set-SPOSite -Identity <siteurl> -ClearRestrictedAccessControl
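The commands above are listed individually. The following script, added here as an example and not taken from the Microsoft Learn page, strings them together for one OneDrive and adds the check a practitioner most wants before applying the policy: that the OneDrive owner is actually a member of one of the groups, so the "Important" note above cannot bite. It assumes the SharePoint Online Management Shell and Microsoft.Graph modules are installed, that the `Owner` property returned by `Get-SPOSite` holds the owner's user principal name, and that `Get-SPOTenant` exposes the tenant switch under the same name as the `Set-SPOTenant` parameter; `$AdminUrl`, `$OneDriveUrl` and `$GroupIds` are caller-supplied placeholders.

```powershell
# Added example (not from the Microsoft Learn page): apply a site access restriction
# policy to one OneDrive while guarding against locking the owner out.
# Assumptions: SharePoint Online Management Shell and Microsoft.Graph modules are
# installed; Get-SPOSite's Owner property holds the owner's UPN; Get-SPOTenant exposes
# EnableRestrictedAccessControl under that name.
param(
    [Parameter(Mandatory)] [string]   $AdminUrl,     # https://<tenant>-admin.sharepoint.com (placeholder)
    [Parameter(Mandatory)] [string]   $OneDriveUrl,  # the user's OneDrive site URL (placeholder)
    [Parameter(Mandatory)] [string[]] $GroupIds      # Entra security / Microsoft 365 group object IDs
)

$ErrorActionPreference = 'Stop'

# The page states a OneDrive can be assigned at most 10 groups.
if ($GroupIds.Count -gt 10) {
    throw "A OneDrive can be assigned at most 10 groups; $($GroupIds.Count) were supplied."
}

Connect-SPOService -Url $AdminUrl
# Read-only Graph scopes are enough to resolve the owner and enumerate group members.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All' -NoWelcome

# 1. The tenant-level switch must already be on (it can take up to an hour to apply).
$tenant = Get-SPOTenant
if (-not $tenant.EnableRestrictedAccessControl) {
    throw 'Site access restriction is not enabled for the tenant. Run Set-SPOTenant -EnableRestrictedAccessControl $true first.'
}

# 2. Resolve the OneDrive owner and confirm membership in at least one supplied group.
$site    = Get-SPOSite -Identity $OneDriveUrl
$owner   = Get-MgUser -UserId $site.Owner -Property Id, UserPrincipalName
$covered = $false
foreach ($gid in $GroupIds) {
    # Transitive membership so dynamic and nested group members are counted.
    $members = Get-MgGroupTransitiveMember -GroupId $gid -All
    if ($members.Id -contains $owner.Id) { $covered = $true; break }
}
if (-not $covered) {
    throw "Owner $($owner.UserPrincipalName) is not in any supplied group; applying the policy would lock them out of their own OneDrive."
}

# 3. Enable restricted access on the site first, then add the groups (the page's order).
Set-SPOSite -Identity $OneDriveUrl -RestrictedAccessControl $true
Set-SPOSite -Identity $OneDriveUrl -AddRestrictedAccessControlGroups ($GroupIds -join ',')

# 4. Read back the effective configuration so the change can be recorded in the ticket.
Get-SPOSite -Identity $OneDriveUrl |
    Select-Object Url, Owner, RestrictedAccessControl, RestrictedAccessControlGroups
```

Run it once per OneDrive, for example `.\Restrict-OneDrive.ps1 -AdminUrl https://<tenant>-admin.sharepoint.com -OneDriveUrl https://<tenant>-my.sharepoint.com/personal/<user> -GroupIds <guid1>,<guid2>`. The owner check is the part worth keeping even if the rest is replaced by your own tooling: the policy is enforced at access time, so a misconfigured group list is discovered by the owner, not by the administrator.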
Site sharing and restricted site access policies
OneDrive site sharing can be blocked for users and groups who aren't allowed by the restricted access control policy.
The sharing control functionality is disabled by default. To enable it, run the following command:
Set-SPOTenant -AllowSharingOutsideRestrictedAccessControlGroups $false
Sharing with users
Sharing is only allowed with users who are part of restricted access control groups. Sharing will be blocked with anyone outside of the restricted access control groups as shown below:

Sharing with groups
Sharing is allowed with Microsoft Entra security groups or Microsoft 365 groups that are in the restricted access control groups list. Sharing with any other group, including Everyone except external users and SharePoint groups, isn't allowed.

Note
Currently, sharing of a site and its content isn't allowed for nested security groups that are part of the restricted access control groups.
Configure learn more link for access denial error page
Configure your "learn more" link to inform users who were denied access to a OneDrive site because of a restricted site access control policy. With this customizable error link, you can provide more information and guidance to your users.
Note
The "learn more" link is a tenant-level setting that applies to all OneDrive sites that have restricted access control policy enabled.
To configure the "learn more" link:
Run the following command:
Set-SPOTenant -RestrictedAccessControlForSitesErrorHelpLink "<Learn more URL>"
To fetch the value of the link:
Run the following command:
Get-SPOTenant | select RestrictedAccessControlForSitesErrorHelpLink
The configured "learn more" link opens when the user selects the Know more about your organization's policies here link on the access denial page.

Restricted site access policy insights
As an IT administrator, you can view the following reports to gain more insight about OneDrive sites protected with restricted site access policy:
- Sites protected by restricted site access policy (RACProtectedSites)
- Details of access denials due to restricted site access (ActionsBlockedByPolicy)
Note
It can take a few hours to generate each report.
Sites protected by restricted site access policy report
You can use the following commands to generate, view, and download reports.
To generate a report:
Run the following command:
Start-SPORestrictedAccessForSitesInsights -RACProtectedSites
This command generates a list of sites protected by restricted site access policy.
To view a report:
Run the following command:
Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID>
This command creates a report that shows the top 100 sites with the highest page views that are protected by the policy.
To download a report:
Run the following command:
Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -Action Download
This command must be run as an administrator. The downloaded report is located in the path where the command was run.
To view the percentage of sites protected with restricted site access:
Run the following command:
Get-SPORestrictedAccessForSitesInsights -RACProtectedSites -ReportId <Report GUID> -InsightsSummary
This report shows the percentage of sites that are protected by the policy out of the total number of sites.
Access denials due to restricted site access policy
You can use the commands in this section to create, fetch, and view reports of access denials caused by restricted site access policies.
To create an access denials report
Run the following command:
Start-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy
This command creates a new report for fetching access denial details.
To get the status of an access denials report
Run the following command:
Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy
This command fetches the status of the generated access denials report.
To see the latest access denials in the past 28 days
Run the following command:
Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content AllDenials
This command creates a list of the most recent 100 access denials that occurred in the past 28 days.
To view a list of top users who were denied access
Run the following command:
Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content TopUsers
This command creates a list of the top 100 users who received the most access denials.
To view a list of top sites that received the most access denials
Run the following command:
Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content TopSites
This command creates a list of the top 100 sites that had the most access denials.
To see the distribution of access denials across different types of sites
Run the following command:
Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId <Report ID> -Content SiteDistribution
This command shows the distribution of access denials across different types of sites.
Note
To view up to 10,000 denials, download the reports. Run the download command as an administrator, and the downloaded reports are located in the path from where the command was run.
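The report commands above are shown one view at a time. The script below, added here as an example and not taken from the Microsoft Learn page, collects all four documented content views of an existing access denials report into CSV files so the denials can be triaged or forwarded to a SIEM, and flags when the AllDenials view has hit its 100-row cap. It assumes a report was already started with `Start-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy`, that the objects the cmdlet returns serialise with `Export-Csv`, and that `$AdminUrl` and `$ReportId` are caller-supplied placeholders.

```powershell
# Added example (not from the Microsoft Learn page): export every content view of an
# access denials report to CSV for triage.
# Assumptions: a report has already been started with
# Start-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy, and the objects
# returned by Get-SPORestrictedAccessForSitesInsights export cleanly with Export-Csv.
param(
    [Parameter(Mandatory)] [string] $AdminUrl,  # https://<tenant>-admin.sharepoint.com (placeholder)
    [Parameter(Mandatory)] [string] $ReportId,  # Report ID returned when the report was created
    [string] $OutDir = (Join-Path $PWD ('rac-denials-' + (Get-Date -Format 'yyyyMMdd-HHmm')))
)

$ErrorActionPreference = 'Stop'
Connect-SPOService -Url $AdminUrl
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Show the report status first; the page notes generation can take a few hours.
Write-Host 'Access denials report status:'
Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy | Format-List

# The four content views documented on this page.
$views   = 'AllDenials', 'TopUsers', 'TopSites', 'SiteDistribution'
$summary = foreach ($view in $views) {
    $rows = Get-SPORestrictedAccessForSitesInsights -ActionsBlockedByPolicy -ReportId $ReportId -Content $view
    $path = Join-Path $OutDir "$view.csv"
    $rows | Export-Csv -Path $path -NoTypeInformation
    [pscustomobject]@{ View = $view; Rows = @($rows).Count; Path = $path }
}
$summary | Format-Table -AutoSize

# The AllDenials view returns at most the 100 most recent denials from the past 28 days.
# If it is full, the complete report (up to 10,000 denials) needs the -Action Download
# variant run from an elevated session, as the note above describes.
$all = $summary | Where-Object View -eq 'AllDenials'
if ($all.Rows -ge 100) {
    Write-Warning 'AllDenials view is capped at 100 rows; download the full report for complete coverage.'
}
```

The TopUsers and TopSites views are the ones to watch over time: a user who keeps appearing in TopUsers is either missing from a group they should be in or is being sent links to content they should not have, and both are worth a follow-up.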
Auditing
Audit events are available in the Microsoft Purview portal to help you monitor site access restriction activities. Audit events are logged for the following activities:
- Applying site access restriction for site
- Removing site access restriction for site
- Changing site access restriction groups for site