Back to Blog

Technical Spotlight: Managing Permissions Sprawl in Teams Chat and Associated OneDrive Folders

by | Jan 26, 2022

This blog kicks off the very first in our new Technical Spotlight Series put together by the archTIS Technical Solutions team to provide IT and information security practitioners with insights on security best practices for your collaboration and file sharing applications and tips for using archTIS products to solve your data security challenges.

We had an interesting use case come in from a financial institution a few months back. The client had general security and compliance requirements within Teams and SharePoint, however they also had a very specific requirement that they could not seem to find a solution for. They needed to clear files out of the Teams chat after a year to control permissions sprawl which was proving hard to do. Before we get to the solution here’s a little background on why this request is so complex.

The Complexities of Teams Data Storage

Most people know that SharePoint serves a large portion of the file storage on the backend of Teams.  However, what not everyone knows is that if you place a file in a chat, it copies it into your personal OneDrive folder.  It will then create a sharing permission for all the members of that specific chat.  So, when you click on a file in the chat to open it or download it, you are actually linked to the OneDrive folder of whoever placed the file in the chat, rather than to the chat itself.

We have all had challenges with users that call IT and ask for additional access, either temporarily for a project or because they are moving departments.  In the latter case, they usually need access to the new department to start onboarding but need to retain access to the old department to perform some transition work for some undetermined period of time.  I have never had any of these users contact me after say 3-6 months and say, “Yes, I’m all set now, you can remove this level of access, I don’t need it any longer.”  So, we wind up with ever growing permissions sprawl if we don’t continually verify current permissions.

Permissions Sprawl is Inevitable Byproduct of Teams Collaboration

One of the good things about most compliance requirements is that now we are forced to verify that the people that should have access to files are the only ones that have access to those files. We can easily audit current permissions to Site collections, Teams and Folders. However, the reality is that the One Drive permissions on personal folders tend to get so complicated over time that trying to keep track of what users have access to which shared files over time can be extremely daunting. It’s one thing to have a department Manager verify which users have access to their folders and Site collections, it’s another to have every user verify who has access to every file they have ever shared.

Coming back to the specific issue this client was trying to solve. Over time, people move around different groups and Teams within the organization and there is no permission cleanup function. Teams is a great tool for collaboration, but it’s not necessarily as good at locking things down or in this case ‘un-sharing’ files.

Clearing File Permissions in a Teams Chat with NC Protect

To address this issue, our architects came up with a relatively simple sharing rule in NC Protect to time-limit access to files in Teams chat and connected OneDrive accounts.

  1. First, we created a custom scope that included all personal OneDrive folders.
  2. Next, we created a sharing rule that checks for the creation date of the files in everyone’s personal one drive folder and if there are any folders with a creation date greater than 365 days, it removes the additional sharing permissions, leaving only the owners with access to those files. If the owner wants to access the file in the chat, no problem. If the person or persons that it was shared with want to click on it, they will receive a “Sorry, you don’t have access.” (see figure 1) Creating the rule is fairly simple. You can create a custom scope by going into the NC Protect Console, General -> Rule Scopes and selecting the Custom tab. Name the new scope and create a new Conditional Expression of OneDrive Site, contains, personal.  This will include the everyone’s personal OneDrive folders without grabbing any other OneDrive folders.

    NC Protect Permissions Rule Figure 1

    NC Protect Permissions Rule Figure 1

  3. Next, build a new sharing rule using that scope with the following parameters of created <=[Today]-5 as seen in the screenshot below:
NC Protect Permissions Rule Figure 2

NC Protect Permissions Rule Figure 2


That’s it!

Now you have a quick and easy way to clean up the ever-growing patchwork of permissions related to Teams chat information that’s stored in your users OneDrive folders.  This is an easy function to leverage on top of your existing security measures for Teams, SharePoint, etc.

We truly enjoy working with clients to solve their Data Security issues.  If you have any additional questions on how this is particular rule can be implemented in your environment or if you want to discuss some customization to this rule to fit your specific use case, don’t hesitate to contact us. Learn more about NC Protect’s advanced capabilities to enhance M365 security.



Share This