
SharePoint Security Best Practices for Data Protection

Reco Security Experts
May 13, 2024
May 21, 2024

Role-based access control (RBAC) helps you manage who has access to your organization's resources and what they can do with those resources. By assigning roles to your SharePoint users, you can limit what they can see and change. Each role has a set of permissions that determine what users with that role can access and change within your organization.

  • Determine Who Needs Access: Identify the users or groups that require access to SharePoint resources. Consider their responsibilities and the level of access they need.
  • Select the Appropriate Role: Choose the relevant role based on the user’s responsibilities. Some common roles include:
    • Global Administrator: Has full control over all Office 365 services.
    • Security Administrator: Manages security settings and user access.
    • SharePoint Administrator: Handles SharePoint-specific tasks.
  • Identify the Needed Scope: Determine the scope of access required. For SharePoint, this could be at the site collection, site, or list/library level.

Steps to Assign an RBAC Role

  • Sign in to Compliance.microsoft.com (it is also reachable from the admin portal at admin.microsoft.com).
  • Click on Roles and scopes, as in the screenshot below.
  • Click on Permissions and assign the appropriate permission.

Microsoft Purview Data Lifecycle Management

Microsoft Purview Data Lifecycle Management (formerly known as Microsoft Information Governance) provides the essential features for managing data throughout its lifecycle. In SharePoint, data lifecycle management lets you govern your OneDrive and SharePoint content to meet compliance or regulatory requirements. It is part of Microsoft Information Governance (MIG), which provides the capabilities to manage the lifecycle of your content and govern your data for those requirements.

Steps to Get Started

Understand Retention and Deletion:

  • Familiarize yourself with how retention and deletion work in Microsoft 365.
  • Identify the workloads (such as Exchange, SharePoint, OneDrive, Teams, and Viva Engage) that need a retention policy.
  • Determine whether you need to create retention labels for exceptions.

Create Retention Policies:

  • Define retention settings and actions based on your organization’s policies or industry regulations.
  • Specify how long content should be retained or whether it needs to be kept indefinitely.
  • With this feature, you can retain a document or file for a certain period of time.

Here are the steps to set up a retention policy for files in SharePoint or OneDrive:

  • Go to Compliance.microsoft.com.
  • Click on data lifecycle management.
  • Click on Exchange.
  • Click on create retention policy.

Multi-Factor Authentication

Enforce MFA for user authentication to add an extra layer of security beyond passwords. This can prevent unauthorized access even if login credentials are compromised.

Set Up Multi-Factor Authentication

Multi-factor authentication (MFA) is a crucial security measure for protecting your Office 365 accounts. By requiring users to provide more than one method of authentication during sign-in, you significantly enhance security. Here’s how you can set up MFA in Office 365:

In the Microsoft 365 admin center:

  • Navigate to Users > Active users.
  • Choose Multi-factor authentication.

Regular Auditing and Monitoring

Set up auditing and monitoring tools to track user activity and detect any suspicious behavior. This helps in identifying security breaches or unauthorized access attempts.

Steps to Navigate to Audit Logs

  • Go to Compliance.microsoft.com.
  • Click on Audit on the left-hand side.
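The audit log is only useful if someone turns its entries into alerts. The following is an added example (not from the original article or from any Microsoft tooling) of two simple detections run over constructed records shaped after the unified audit log's AuditData fields (CreationTime, Operation, UserId, ObjectId): every "Anyone" link created on a site, and any user who downloads an unusual number of files within a short window. The thresholds are assumptions to tune per tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), using the AuditData field
# names the unified audit log exports: CreationTime, Operation, UserId, ObjectId.
SAMPLE_AUDIT = [
    {"CreationTime": "2024-05-13T09:00:00", "Operation": "FileAccessed",
     "UserId": "alice@contoso.example", "ObjectId": "/sites/hr/plan.docx"},
    {"CreationTime": "2024-05-13T09:01:00", "Operation": "AnonymousLinkCreated",
     "UserId": "bob@contoso.example", "ObjectId": "/sites/finance/q2.xlsx"},
] + [
    # One user pulling twelve files in twelve minutes: the bulk-download pattern.
    {"CreationTime": f"2024-05-13T10:{i:02d}:00", "Operation": "FileDownloaded",
     "UserId": "carol@contoso.example", "ObjectId": f"/sites/hr/file{i}.docx"}
    for i in range(12)
]

MASS_DOWNLOAD_THRESHOLD = 10                 # assumed: downloads per user ...
MASS_DOWNLOAD_WINDOW = timedelta(minutes=15)  # ... inside this sliding window


def find_anonymous_sharing(records):
    """Every 'Anyone' link is a finding: it bypasses the site's permission model."""
    return [(r["UserId"], r["ObjectId"])
            for r in records if r["Operation"] == "AnonymousLinkCreated"]


def find_mass_downloads(records, threshold=MASS_DOWNLOAD_THRESHOLD,
                        window=MASS_DOWNLOAD_WINDOW):
    """Map user -> peak number of FileDownloaded events seen inside one window."""
    by_user = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            by_user[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):      # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


if __name__ == "__main__":
    print("anonymous links:", find_anonymous_sharing(SAMPLE_AUDIT))
    print("mass downloads:", find_mass_downloads(SAMPLE_AUDIT))
```

In practice the records come from an export of the audit log (or a SIEM connector) rather than an inline list, and the two findings would feed an alert rather than a print.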

Data Loss Prevention (DLP)

Implement DLP policies to prevent the unauthorized sharing or leakage of sensitive information from SharePoint sites. DLP rules can be configured to detect and block the transmission of sensitive data that matches predefined criteria within a SharePoint site.

Steps to Set Up a DLP Policy

  • Navigate to Compliance.microsoft.com.
  • Click on DLP Policy on the left-hand side.

Here you can start from a policy template or create a custom policy for the sensitive information you want to protect.
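To make "predefined criteria" concrete, here is an added example (not the article's or Microsoft's code) of how a sensitive-information criterion classifies content: a pattern match for payment card numbers, a checksum to drop random digit runs, and nearby keywords to raise confidence. The sample document and keyword list are constructed; the card number is the well-known 4111 1111 1111 1111 test value.

```python
import re

# Constructed sample content, not a real record.
SAMPLE_DOC = """Customer record
Card: 4111 1111 1111 1111  exp 09/27
Order ref 1234 5678 9012 3456 (not a card)
"""

# 13 to 16 digits, optionally separated by spaces or dashes, ending on a digit.
CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")
# Assumed supporting keywords; a match near one of these is higher confidence.
KEYWORDS = ("card", "visa", "mastercard", "exp", "cvv")


def luhn_ok(digits):
    """Luhn checksum, which every valid payment card number satisfies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text, context_chars=30):
    """Return masked findings with a confidence level, the way a DLP rule reports."""
    findings = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):
            continue            # digit run that is not a card number
        window = text[max(0, m.start() - context_chars): m.end() + context_chars].lower()
        confidence = "high" if any(k in window for k in KEYWORDS) else "medium"
        findings.append({"masked": "*" * (len(digits) - 4) + digits[-4:],
                         "confidence": confidence})
    return findings


if __name__ == "__main__":
    for f in find_card_numbers(SAMPLE_DOC):
        print(f)
```

A policy rule would then act on the finding (block external sharing, notify the owner, or both) according to the confidence level and the count of matches.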

Setting Up a Custom DLP Policy

Strong Password Policies

Enforce strong password policies, including regular password changes and complexity requirements, to prevent unauthorized access through compromised credentials. When it comes to enforcing a strong password policy in Office 365, here are some recommendations to enhance security:

  • Password Length:
    • Maintain a minimum password length of eight characters. Longer passwords are generally more secure.
  • Character Composition:
    • Avoid requiring specific character compositions (such as uppercase, lowercase, numbers, and special characters). Instead, let users choose passwords that are meaningful to them.
    • For example, avoid enforcing rules like “must contain at least one uppercase letter, one number, and one special character.”
  • Periodic Password Resets:
    • Do not mandate frequent password changes for user accounts. Research shows that forced password changes often lead to weaker passwords.
    • Instead, allow users to keep their passwords for longer periods unless there’s a specific security reason to change them.
  • Ban Common Passwords:
    • Implement a list of banned passwords to prevent users from using easily guessable or commonly used passwords.
    • For instance, block passwords like “password123,” “admin,” or “123456.”
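A banned-password list is only effective if it is matched after normalization, otherwise "P@ssw0rd!" slips past a list containing "password". The following is an added example (not the article's code and not Microsoft's implementation) of a password check that applies the recommendations above: the minimum length, a banned list (the three entries named in the text plus assumed organization-specific terms), substitution-aware matching, and a check that the password does not contain the user's own account name.

```python
# Constructed banned list: the entries named above plus organization-specific
# terms (assumed) that an administrator would add, such as the company name.
BANNED = ["password", "admin", "123456", "contoso", "sharepoint"]

# Common substitutions, so "P@ssw0rd" normalizes to "password".
SUBSTITUTIONS = str.maketrans({"@": "a", "0": "o", "1": "l",
                               "!": "i", "$": "s", "3": "e"})

MIN_LENGTH = 8  # the minimum recommended above


def normalize(password):
    """Lowercase and undo leet-style substitutions before matching."""
    return password.lower().translate(SUBSTITUTIONS)


# Normalize the list the same way so numeric entries like "123456" still match.
NORMALIZED_BANNED = {normalize(t): t for t in BANNED}


def banned_terms_in(password):
    """Banned terms (original spelling) that occur inside the normalized password."""
    norm = normalize(password)
    return [orig for n, orig in NORMALIZED_BANNED.items() if n in norm]


def evaluate_password(password, upn=None):
    """Return (accepted, reason). upn, when given, is the user's sign-in name."""
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    hits = banned_terms_in(password)
    if hits:
        return False, "contains banned term(s): " + ", ".join(hits)
    if upn:
        account = normalize(upn.split("@", 1)[0])
        if len(account) >= 3 and account in normalize(password):
            return False, "contains the user's account name"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Admin1", "Contoso!2024", "correct horse battery staple"):
        print(candidate, "->", evaluate_password(candidate, "alice@contoso.example"))
```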

Effective security practices are essential for protecting your organization’s sensitive data within SharePoint. By implementing the right measures, you can minimize risks and ensure data integrity. Always remember the following:

Role-Based Access Control (RBAC): Assign roles based on responsibilities to limit access. Roles like Global Administrator, Security Administrator, and SharePoint Administrator play critical roles in maintaining security.

Data Lifecycle Management: Understand retention and deletion processes. Create retention policies for SharePoint and OneDrive items to comply with regulations.

Multi-Factor Authentication (MFA): Enhance security by requiring multiple forms of authentication during sign-in.

Regular Auditing and Monitoring: Track user activity to detect and respond to security incidents promptly.
