How to Change OneDrive Permissions (w/Examples) + FAQs

You change OneDrive permissions by opening the file or folder in OneDrive, clicking Share or Manage Access, and then adding, editing, or removing the people and link settings that control who can view, edit, or download your content. The process works across OneDrive Personal, OneDrive for Business, the web app, desktop apps on Windows and macOS, and mobile apps on iOS and Android, although administrators of Microsoft 365 tenants also hold override powers through the SharePoint admin center and Microsoft Entra ID.

The problem is that default OneDrive sharing settings often expose sensitive data in ways that violate federal statutes like the Health Insurance Portability and Accountability Act, the Family Educational Rights and Privacy Act, the Gramm-Leach-Bliley Act Safeguards Rule, and the Sarbanes-Oxley Act Section 404. State laws such as the California Consumer Privacy Act and CPRA also apply, and the federal Stored Communications Act at 18 U.S.C. § 2701 can create criminal exposure when access controls are mishandled. A single misconfigured “Anyone with the link” setting can trigger six-figure fines, civil lawsuits, and mandatory breach notifications.

According to the Verizon 2024 Data Breach Investigations Report, 68% of breaches involved a non-malicious human element such as misconfigured permissions or accidental oversharing, which makes understanding OneDrive permissions a direct risk-reduction task.

• 🔐 How to change, restrict, and audit OneDrive permissions at the file, folder, site, and tenant level.
• ⚖️ Which federal and state laws make permission errors a legal and financial liability.
• 🧭 Step-by-step flows for OneDrive Personal, OneDrive for Business, web, desktop, and mobile.
• 📊 Real scenarios, named examples, and the exact consequences of common mistakes.
• 🛠️ Admin-level controls through the SharePoint admin center, Entra ID, and PowerShell.

Understanding the OneDrive Permission Model

OneDrive permissions are built on top of the same engine that powers SharePoint Online, because every OneDrive account is technically a personal SharePoint site collection. The permission you set on a file is a layer on top of the site, the library, and the tenant. That stacking matters, because a tenant-level rule always beats a file-level rule.

Each OneDrive item carries three independent permission surfaces. The first is direct permissions, which list named users and groups. The second is link-based permissions, which create a URL that anyone holding it can use within the scope you set. The third is inherited permissions, which flow from the parent folder unless you break the inheritance chain.

The consequence of not knowing which surface is active is silent oversharing. A user may think a folder is private because no names appear in the sharing panel, yet a live “Anyone” link from two years ago still works. A real example comes from the 2021 Microsoft Power Apps misconfiguration, where 38 million records leaked because default sharing was wider than the owners believed.

A common misconception is that removing a person from the Share dialog revokes their access. In reality, you must also delete the link they used, because the link itself grants access independently of the named list.

Direct Permissions vs. Link Permissions

Direct permissions bind a specific Microsoft Entra ID user or guest identity to the file. That means the person must sign in with the exact account you granted, and their access travels with that identity across devices.

Link permissions work differently. A link is a token. Anyone who holds the token within the scope you picked can use it. Scopes include Anyone, People in your organization, People with existing access, and Specific people.

The consequence of confusing these surfaces is that you can remove a user from the direct list and still leave a working Anyone link. The reverse is also true, where you revoke a link but the user still has direct access through a group membership.

A real example is a Chicago accounting firm that removed an intern from a client folder on her last day, yet the intern kept pulling files for three months because a company-wide People in your organization link was pinned in a Teams channel.

Permission Levels Explained

OneDrive offers several levels, and each one triggers a different consequence if picked wrong. Can view allows reading and downloading unless you also toggle Block download. Can edit allows changing, deleting, and re-sharing. Can review allows commenting and suggesting in Word files without changing the original text.

Block download is a restricted-view mode that forces content to render only inside the browser. It does not work on all file types, and it does not stop screen captures, which is a nuance the Microsoft Learn guidance on restricted view spells out.

The consequence of granting Can edit when you meant Can view is that the recipient can delete your only copy or re-share it to the public. A misconception is that Can view stops downloads, which is false unless Block download is on.

How to Change OneDrive Permissions on the Web

The web app at onedrive.live.com for personal accounts and at https://<tenant>-my.sharepoint.com for business accounts is the most complete interface. Every permission option exists here, and some options exist only here.

Start by signing in with the account that owns the file. Click the file or folder once to select it, then click Share at the top, or right-click and choose Manage Access for deeper control. The Share panel creates or edits links. The Manage Access panel shows every existing link, every direct user, and every inherited permission.

The consequence of using Share instead of Manage Access is that you cannot see who already has access. A real example is a Dallas HR manager who kept sending new Specific people links to a benefits folder while six stale Anyone links from 2023 were still live in former employees’ inboxes.

Step-by-Step: Share Dialog

Open OneDrive in the browser and select the item. Click Share. In the redesigned 2023-2026 dialog documented on Microsoft Learn share files and folders, you choose the audience, the permission level, and the optional settings.

Pick the audience first. Anyone with the link is public. People in your organization is tenant-wide. People with existing access creates no new access and only generates a link for current users. Specific people is a named list.

Next, pick the permission. Can edit is the default, which is why so many files get overshared. Switch to Can view unless the recipient truly needs to change the file. Toggle Block download for sensitive PDFs or spreadsheets.

Set an expiration date and a password for any Anyone link, because unexpiring public links are the number-one source of stale access. Click Apply, then Copy link or Send.

Step-by-Step: Manage Access

Right-click the file and pick Manage Access. The panel lists three tabs. The first is People, which shows every user and group. The second is Links, which lists every active sharing link with its audience, expiration, and password status. The third is Groups, which shows inherited group access.

To change a user’s level, click the pencil icon next to the name and pick a new option. To revoke, click the X. To kill a link, open the Links tab and click Delete link.

The consequence of skipping the Links tab is the scenario above, where stale tokens keep working. A common mistake is assuming that removing a person from People also kills the link they used. It does not, because the link is a separate object.

Changing Permissions in the OneDrive Desktop App

On Windows 11 and Windows 10, right-click any file inside your OneDrive folder in File Explorer and pick OneDrive → Share. On macOS 14 Sonoma and newer, right-click inside Finder and pick Share → OneDrive. The dialog that opens is a lighter version of the web Share panel.

The desktop client supports audience selection, permission level, expiration, and password. It does not expose the full Manage Access view. To see every link and every inherited permission, you must still open the web app.

The consequence of relying only on the desktop client is partial visibility. A real example is a Portland architect who used the right-click menu for years and never realized that a People in your organization link from his old firm’s tenant still resolved after a merger, because he never opened Manage Access on the web.

A nuance to know is that the desktop client respects tenant policies set in the SharePoint admin center sharing page. If the tenant blocks Anyone links, the option simply does not appear on the desktop.

Changing Permissions on iOS and Android

The OneDrive mobile apps on iOS 17 and Android 14 offer a share sheet with the same audience and permission options as the desktop client. Tap the file, tap the share icon, and pick your audience and permission level. Expiration and password are available on both platforms as of the 2024 rollout noted in the Microsoft 365 roadmap.

The mobile apps do not expose Manage Access. They also do not let you break inheritance or edit site-level permissions. For anything beyond a one-off share, switch to the web interface.

The consequence of using only mobile is that you cannot audit or clean up stale links from the phone. A real example is a traveling sales director who kept sharing quarterly forecasts from the airport, building up 140 active links over three years, none of which he could see or revoke from the app.

A misconception is that the mobile Remove action also removes tenant-wide access. It does not. It only removes the specific link or named user you tapped.

Admin-Level Controls for OneDrive for Business

Tenant administrators hold the final word on every OneDrive permission. The controls live in three places. The first is the SharePoint admin center under Policies → Sharing. The second is the OneDrive admin center. The third is PowerShell through the SharePoint Online Management Shell.

Admins set the maximum sharing scope for the whole tenant. If the admin picks Only people in your organization, no user can ever create an Anyone link, even if the Share dialog appears to offer it. Admins also set default link type, default expiration, default permission, and external-user re-authentication intervals.

The consequence of leaving tenant defaults at factory settings is that new employees inherit permissive behavior. A real example is a 200-person Ohio manufacturer that left defaults on for four years and then discovered 11,000 live Anyone links during a cyber-insurance audit, which caused the carrier to raise the premium by 38%.

A misconception is that disabling external sharing retroactively kills existing links. It does not by default. Admins must run Unlock-SPOSharingLink or manually purge links to remove historical access.

Using the SharePoint Admin Center

Sign in at https://<tenant>-admin.sharepoint.com with a Global Admin or SharePoint Admin role. Open Policies → Sharing. Pick the external sharing level for SharePoint and OneDrive separately. OneDrive can be more restrictive than SharePoint but never more permissive.

Set File and folder links to Specific people as the default, and set These links must expire within to 30 days. Enable People who use a verification code must reauthenticate after at 15 days. Save.

The consequence of setting OneDrive to a wider scope than SharePoint is that the wider scope is ignored, because the narrower rule wins. A named example is Priya Shah, a compliance lead at a Boston biotech, who cut external link lifespan from unlimited to 14 days and reduced her quarterly access-review queue by 70%.

Using PowerShell for Bulk Changes

Install the module with Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Connect with Connect-SPOService -Url https://<tenant>-admin.sharepoint.com. Use Set-SPOTenant -DefaultSharingLinkType Direct to force Specific people as the default, and Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 to cap public-link life.

For a single user’s OneDrive, use Set-SPOSite -Identity https://<tenant>-my.sharepoint.com/personal/user_domain_com -SharingCapability Disabled to shut sharing off entirely.

The consequence of PowerShell changes is that they are immediate and tenant-wide. A misconception is that they require Azure AD Premium. They do not, because the SharePoint module runs on the base Microsoft 365 license.

Federal and State Laws That Govern OneDrive Permissions

Federal law does not regulate OneDrive by name. Federal law does regulate the data inside OneDrive, and the permission settings are the technical control that proves compliance. Start with federal statutes, then layer state laws on top.

The HIPAA Security Rule at 45 CFR § 164.312 requires access controls, audit controls, and integrity controls for electronic protected health information. OneDrive’s Specific people links, Block download, and audit logs satisfy these requirements when configured correctly. A wide-open Anyone link on a file with patient data is a reportable breach under the HIPAA Breach Notification Rule, and the consequence can reach $2.13 million per violation category per year.

The FERPA regulations at 34 CFR Part 99 protect student education records. A school that stores transcripts in OneDrive and sets them to Anyone with the link risks loss of federal funding. The FTC Safeguards Rule at 16 CFR Part 314 requires financial institutions, including tax preparers and auto dealers, to keep written access-control programs.

State laws expand on the federal floor. The CCPA and CPRA require reasonable security, and the New York SHIELD Act adds a similar duty for any business that holds data on New York residents. The Texas Identity Theft Enforcement and Protection Act and the Illinois Personal Information Protection Act both carry private rights of action for some breaches.

The Stored Communications Act

The Stored Communications Act at 18 U.S.C. § 2701 makes unauthorized access to a stored electronic communication a federal crime. A terminated employee who keeps using a sharing link to pull files from a former employer’s OneDrive can face up to 10 years in prison for a repeat offense.

The consequence for the former employer is also steep, because negligent access control can undercut the company’s own civil claims. A real example is the 2020 hiQ Labs v. LinkedIn line of cases, which turned on whether access was authorized, and the lesson carried into cloud-storage disputes.

A misconception is that public links waive the protection. Courts have ruled that a link created for a narrow purpose does not authorize use for a different purpose, so access can still be unauthorized even with a valid URL.

NIST SP 800-171 and Federal Contractors

Federal contractors and subcontractors that handle Controlled Unclassified Information must meet NIST Special Publication 800-171. The standard lists 110 controls across 14 families, and OneDrive permissions map directly to the Access Control and Audit and Accountability families.

The consequence of failure is loss of the contract and potential False Claims Act liability. A real example is Aerojet Rocketdyne’s $9 million settlement in 2022 for misrepresenting cybersecurity compliance.

A misconception is that Microsoft’s GCC High environment makes the tenant automatically compliant. It does not. The contractor still owns the configuration.

Three Real Scenarios

Seeing how permission choices play out in real situations helps more than reading the rules alone. Each scenario below shows the permission setting and the direct consequence. Every table uses exactly two columns so that the cause and effect stay clear.

Scenario 1: Sharing a Client Contract Externally

Scenario 2: HR Folder with Employee SSNs

Scenario 3: Student Transcripts in a University OneDrive

Three Named Examples

Example 1: Maria Gonzalez, Solo Tax Preparer in Miami

Maria keeps client W-2s and 1099s in a OneDrive for Business folder. She used to email Anyone with the link URLs to clients. After reading the FTC Safeguards Rule guidance, she switched to Specific people links with a 7-day expiration and a password.

The consequence of her change is that her professional liability carrier lowered her premium by 12%, because the carrier treats expiring Specific people links as a recognized safeguard. Maria now also runs a quarterly Manage Access review on every client folder.

A nuance in her workflow is that she sends the password through a separate channel, which is a practice the IRS Publication 4557 directly recommends for tax professionals.

Example 2: David Chen, IT Director at a Seattle Hospital

David manages a Microsoft 365 tenant with 4,000 clinicians. He set tenant-level sharing to Only people in your organization, forced a 30-day link expiration, and deployed sensitivity labels through Microsoft Purview to auto-apply Highly Confidential to any file containing PHI.

The consequence is that his hospital passed a HIPAA Security Rule audit with zero access-control findings. His previous audit, before the changes, had 14 findings and a corrective action plan.

A misconception David used to hold was that auditing was enough without restriction. The auditor told him that detection without prevention fails the “reasonable and appropriate” standard in 45 CFR § 164.306.

Example 3: Sarah Patel, School District Data Officer in New Jersey

Sarah oversees student records for 22 schools. She used PowerShell to disable Anyone links district-wide, forced all external collaboration to go through guest accounts in Entra ID, and set up access reviews in Entra ID Governance every 90 days.

The consequence is that the district moved from annual FERPA complaints to zero complaints over two school years. Parents also report faster turnaround on transcript requests, because the registrar now has a single, clean access list.

A nuance is that Sarah still allowed Anyone links for the athletics department’s public schedules, because those files contain no student records. The rule is that the permission must match the data class.

Mistakes to Avoid

Permission errors rarely come from malice. They come from defaults, habit, and rushing. The list below captures the seven most damaging mistakes and the outcome of each.

• Leaving Can edit as the default permission, which lets recipients delete or re-share your only copy.
• Skipping expiration on Anyone links, which creates permanent public access that survives for years.
• Forgetting to break inheritance on a subfolder, which exposes the whole subfolder to everyone who can see the parent.
• Removing a user from the People list without deleting the link they used, which leaves the link working.
• Using the mobile app for everything, which hides stale links and inherited permissions from your view.
• Ignoring the tenant-level defaults in the SharePoint admin center, which lets new users create wide-open links.
• Confusing Block download with full encryption, which gives a false sense of security against screen capture and copy-paste.
• Storing regulated data in personal OneDrive accounts, which lacks the audit logs required by HIPAA, FERPA, and the FTC Safeguards Rule.
• Sharing to distribution lists instead of security groups, which often expands access beyond what the owner expects.

Do’s and Don’ts

Balancing enablement with control is the core of good permission management. Each rule below includes the reason behind it, because permission choices that are not understood tend to get reversed.

Do’s

• Do default to Specific people links, because they are the only option that produces a real audit trail tied to identity.
• Do set expiration dates on every external link, because stale tokens are the leading cause of cloud data leaks.
• Do use Entra ID security groups instead of naming individuals, because groups update when people join or leave.
• Do run Manage Access reviews every quarter, because permissions drift as projects change and people move on.
• Do train users on the difference between Can view and Can edit, because the wrong choice can destroy data.
• Do enable Microsoft Purview audit logs, because compliance rules require proof that access is monitored.

Don’ts

• Don’t use Anyone with the link for anything regulated, because a single screenshot of the URL becomes a breach.
• Don’t rely on email recall to fix a bad share, because the link lives on the cloud and recall does not reach it.
• Don’t grant Full Control to collaborators, because that role lets them delete the site and revoke the owner.
• Don’t mix personal and business files in one account, because the legal duties differ and the audit surface differs too.
• Don’t assume deletion equals revocation, because OneDrive keeps items in the Recycle Bin for 93 days with their permissions intact.
• Don’t disable external sharing without a plan, because the sudden cutoff breaks active projects and creates shadow IT.

Pros and Cons of Tight Permission Controls

Every control has tradeoffs. Tight permissions protect data, but they also create friction. The list below shows both sides, because the balance varies by industry and data class.

Pros

• Tight permissions shrink the breach surface, which lowers HIPAA, FERPA, and Safeguards Rule exposure.
• Expiring links enforce a natural review cycle, which keeps access lists current without extra labor.
• Named access produces an audit trail, which speeds up investigations and regulatory responses.
• Block download preserves intellectual property, which matters for legal, engineering, and media firms.
• Admin-enforced defaults cover user error, which is the cause of 68% of breaches per the Verizon DBIR.

Cons

• Tight permissions slow down casual collaboration, which can push users toward unsanctioned tools like personal Gmail.
• Frequent re-authentication frustrates external partners, which can cost deals if not paired with clear communication.
• Block download fails on some file types, which creates inconsistency that confuses users.
• Admin overrides can hide user intent, which makes troubleshooting harder when a share unexpectedly fails.
• Overly restrictive tenant policies can block legitimate business, which forces one-off exceptions that themselves create risk.

Processes and Forms Inside the Share Dialog

The redesigned Share dialog, rolled out starting in 2023 and refined through 2026, has five decision points. Each point carries its own nuance and its own consequence.

The first decision is Who. Pick from Anyone, People in your organization, People with existing access, or Specific people. The consequence of picking Anyone is public access, and the consequence of People with existing access is that no new access is created, which is useful for reminding current users of a URL.

The second decision is Permission. Pick Can edit, Can view, or Can review. The consequence of Can review is that it only applies to Word documents, because review mode is a Word feature, not a OneDrive feature.

The third decision is Block download. Toggling this on forces the file to render in the browser. The consequence is that the recipient cannot save a local copy, although screen capture still works.

The fourth decision is Set expiration date. Pick a date up to the tenant maximum, which defaults to 180 days and can be shortened by the admin. The consequence of skipping this is a permanent link.

The fifth decision is Set password. Type a password and deliver it out of band. The consequence of skipping this is that a forwarded URL is the only authentication, which is weak for regulated data.

Court Rulings That Shape OneDrive Permission Risk

Several cases frame how courts treat cloud permission errors. The Van Buren v. United States, 141 S. Ct. 1648 (2021) ruling narrowed the Computer Fraud and Abuse Act, which means some misuse of authorized access is no longer a federal crime, although it can still be a civil wrong.

The hiQ Labs v. LinkedIn, 31 F.4th 1180 (9th Cir. 2022) line confirmed that public data is not protected by the CFAA, which matters because it pushed companies to rely on permission settings rather than litigation after the fact.

In Anthem Data Breach Settlement and the resulting OCR resolution, Anthem paid $16 million under HIPAA because access controls failed. The consequence is that HHS treats misconfigured cloud permissions as an access-control failure under 45 CFR § 164.312.

A misconception after these cases is that courts will excuse permission mistakes as “honest errors.” They will not, because regulators measure the control, not the intent.

State Nuances Worth Knowing

State law adds texture on top of the federal floor, and it varies sharply. California’s CPRA regulations treat misconfigured shares as a failure of reasonable security, which can support a private lawsuit for $100 to $750 per resident per incident. New York’s SHIELD Act requires administrative, technical, and physical safeguards, and the New York Attorney General has used it against cloud oversharing.

Illinois adds the Biometric Information Privacy Act for any biometric data stored in OneDrive, which can mean $1,000 to $5,000 per violation. Texas, Virginia, Colorado, Connecticut, and Utah all have comprehensive privacy laws that layer access-control duties on top.

The consequence of a multistate footprint is that you must match the strictest applicable rule. A named example is Carlos Rivera, a startup founder in Austin, who had to rebuild his sharing policy after his company expanded into California because CPRA added duties that Texas law did not require.

A misconception is that storing data in a U.S. region satisfies all state laws. It does not, because most state laws follow the resident, not the server location.

Auditing and Monitoring OneDrive Permissions

Auditing turns a point-in-time permission into an ongoing control. Turn on the unified audit log in Microsoft Purview, which captures every share, every permission change, and every file access for up to one year on E3 and up to 10 years on E5 with the add-on.

Set alerts for high-risk events such as Anyone link creation, bulk downloads, and guest invitations. Review the alerts weekly. Run an access review every 90 days through Entra ID Governance for every privileged group.

The consequence of skipping monitoring is that breaches are discovered by outsiders. The IBM Cost of a Data Breach 2024 report found the average breach takes 204 days to identify, and that delay doubles the cost.

A real example is Emma Lee, a compliance officer at a Denver insurance agency, who found 47 Anyone links in her first access review and closed each within a week, before the state regulator’s next cycle.

FAQs

Can I change OneDrive permissions after sharing a file?

Yes. Open the file in OneDrive, click Manage Access, and edit the user’s permission level, revoke the share, or delete the active link from the Links tab.

Does removing someone from a shared file delete the link they used?

No. The link is a separate object, so you must delete the link itself from the Links tab of Manage Access to fully cut off access.

Can I set an expiration date on every OneDrive link?

Yes. Expiration is available on Anyone and Specific people links for both personal and business accounts, and admins can enforce a maximum lifespan tenant-wide.

Does OneDrive Personal support Block download?

Yes. Microsoft added Block download to personal accounts for Office files, although some non-Office file types still allow downloads by design.

Is Anyone with the link ever safe for business use?

No. Public links leave no audit trail tied to identity, so they fail HIPAA, FERPA, and FTC Safeguards Rule access-control requirements for regulated data.

Can tenant admins see every OneDrive share in the organization?

Yes. Admins can pull a full sharing report from the SharePoint admin center or through PowerShell with Get-SPOSite and Get-SPOExternalUser commands.

Does changing permissions in OneDrive affect the Teams or SharePoint copy?

Yes. Files shared to Teams live in the underlying SharePoint site, so permission changes propagate, and a change in one surface shows in the others.

Will disabling external sharing kill existing Anyone links?

No. Disabling external sharing stops new links but leaves existing ones active, so admins must run a purge or let the links expire to close the gap.

Can I recover a file after someone with Can edit deletes it?

Yes. OneDrive keeps deleted files in the Recycle Bin for 93 days for business accounts and 30 days for personal accounts, with full version history intact.

Does OneDrive for Business meet HIPAA requirements out of the box?

No. HIPAA requires a signed Business Associate Agreement with Microsoft, proper configuration of access controls, audit logs, and encryption before the service becomes compliant.

Are OneDrive permission logs admissible in court?

Yes. Microsoft 365 audit logs are treated as business records under Federal Rule of Evidence 803(6) when authenticated by the administrator who pulled them.

Can I use PowerShell to revoke every external share at once?

Yes. The command Set-SPOTenant -SharingCapability Disabled followed by a site-level purge revokes all external access across the tenant immediately.