SharePoint Online Sharing Guide: Comprehensive External and Internal Permissions
TL;DR: SharePoint Online sharing is controlled at 4 levels (Tenant → Site → Library → File). The tenant setting "New and existing guests" (Level 3) balances security and flexibility. The default link type should be set to "Specific people". The guest lifecycle is managed through Microsoft Entra ID B2B: invite, access review, auto-expire. Sensitivity labels from Microsoft Purview automatically block external sharing of Confidential content. Conditional Access enforces MFA and managed devices for guests.
Sharing is the most powerful, and the riskiest, feature of SharePoint Online. Sharing incorrectly means a data leak; sharing correctly means effective collaboration. Admins control sharing through the SharePoint admin center, manage guest accounts through Microsoft Entra ID B2B, enforce compliance through Microsoft Purview sensitivity labels, and monitor sharing activity through Microsoft Defender for Cloud Apps.
🚀 PUPAM deploys SharePoint sharing governance for Vietnamese businesses: permission setup, sensitivity labels, Conditional Access, and a monitoring dashboard within 2 weeks. Contact us for a free consultation
Sharing Levels (Tenant → Site → File)
| Level | Where Configured | Who Controls It |
|---|---|---|
| Tenant | SharePoint admin center → Sharing | Global Admin, SharePoint Admin |
| Site Collection | SharePoint admin center → Active sites → Sharing | SharePoint Admin |
| Library/List | Library settings → Permissions | Site Owner |
| File/Folder | Share button → Manage access | Item Owner |
Inheritance principle (the more restrictive setting wins):
- Tenant set to "New and existing guests" (Level 3)
- Site A set to "Only people in your org" (Level 1) → Level 1 wins (more restrictive)
- Site B set to "New and existing guests" (Level 3) → OK (equal to the tenant)
- Site C set to "Anyone" (Level 4) → BLOCKED (exceeds the tenant)
- A site's sharing level can never exceed the tenant setting
- Tenant = "Existing guests" → a site cannot be set to "Anyone"
- Tenant = "Anyone" → a site can be set to any level
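The inheritance rule above, applied with the SharePoint Online Management Shell: set the tenant ceiling to Level 3, tighten two sites, then report every site's level against the ceiling. This is an added example, not code from the article; the admin URL and site URLs are placeholders.

```powershell
# Added example (not from the original article): audit per-site sharing levels
# against the tenant level with the SharePoint Online Management Shell.
# The admin URL and the two site URLs below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# SharingCapability values map onto the article's Level 1-4.
$rank = @{
    'Disabled'                        = 1   # Only people in your org
    'ExistingExternalUserSharingOnly' = 2   # Existing guests only
    'ExternalUserSharingOnly'         = 3   # New and existing guests
    'ExternalUserAndGuestSharing'     = 4   # Anyone (anonymous links)
}

# Level 3 at the tenant; sites may only go more restrictive than this.
$tenantCapability = 'ExternalUserSharingOnly'
Set-SPOTenant -SharingCapability $tenantCapability
$tenantLevel = $rank[$tenantCapability]

# Per-site overrides from the article's example (placeholder URLs).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/HR-Internal"   -SharingCapability Disabled
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/PartnerPortal" -SharingCapability ExternalUserSharingOnly

# Report each site's level and whether it sits at or below the tenant ceiling.
# A site above the ceiling (e.g. left at Level 4 from an older, looser tenant
# setting) is the one to fix first.
Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $rank[$_.SharingCapability.ToString()]
    [pscustomobject]@{
        Url        = $_.Url
        Capability = $_.SharingCapability
        Level      = $siteLevel
        Status     = if ($siteLevel -le $tenantLevel) { 'OK' } else { 'EXCEEDS TENANT' }
    }
} | Sort-Object Level -Descending | Format-Table -AutoSize
```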
Sharing Levels in Detail
| Level | Name | Authentication | Audit | Use Case |
|---|---|---|---|---|
| 1 | Only people in your org | ✅ M365 login | ✅ Full | Internal documents, HR, Finance |
| 2 | Existing guests only | ✅ Entra B2B account | ✅ Full | Known partners (already in the directory) |
| 3 | New and existing guests | ✅ Email verification | ✅ Full | New partners, vendors, clients |
| 4 | Anyone (anonymous) | ❌ No login required | ❌ Limited | Public content, marketing materials |
Level 1: Only People in Your Organization
- Most secure: only users with an M365 license or a synced AD account
- No external sharing; fully internal
- Best for: Finance, HR, Legal, Confidential sites
Level 2: Existing Guests
- The guest must already exist in Microsoft Entra ID
- An admin or user invited the guest previously
- No "self-service" guest creation
- Best for: controlled partnerships (vendors already onboarded)
Level 3: New and Existing Guests (RECOMMENDED)
- Users invite new guests by email → the guest receives the email → verifies → gets access
- The guest account is auto-created in Entra ID
- Admin control: guest access reviews, expiration
- Best for: most organizations (balanced security and flexibility)
Level 4: Anyone (Anonymous Links)
- No sign-in required; anyone with the link can access
- No audit of who accessed the content
- Set an expiration: 7 days, 30 days
- ⚠️ DANGEROUS: if the link leaks, anyone on the internet can access the file
- Best for: public content ONLY (press releases, marketing)
Link Types
| Link Type | Scope | Who Can Access | Forwardable |
|---|---|---|---|
| Anyone | Anonymous | Anyone with the link | Yes (uncontrolled) |
| People in org | Internal | All employees | Yes (internal only) |
| People with existing access | Current | Only people already granted access | N/A |
| Specific people | Named | Only the listed users/groups | No (recipients must be added) |
Link Permissions
| Permission | Rights | Description | Use Case |
|---|---|---|---|
| View | Read only | No editing; download (configurable) and print | Reference documents, policies |
| Edit | Full edit | Real-time co-authoring | Collaboration documents |
| Review | Track Changes | Comments and Track Changes (Word only) | Document review cycles |
Default link type (admin setting):
- Configured at SharePoint admin center → Sharing → Default link type
- Recommended: "Specific people" (most secure)
- Many orgs default to "People in your org" (convenient)
- NEVER default to "Anyone" on production tenants
External Sharing (Guest Access)
Guest Lifecycle
- Invite: share a file/site → enter the guest's email → the guest receives an invitation email → clicks "Accept" → verifies identity (email OTP or Microsoft account) → the account is auto-created in Microsoft Entra ID
- Access: the guest sees only the shared content, cannot browse other sites/files, cannot access Teams (unless separately invited); sessions are controlled by Conditional Access
- Review: Microsoft Entra ID → Access reviews → quarterly review: "Should this guest still have access?" → the site owner reviews → Keep or Remove → auto-remove if there is no review response
- Expire/Remove: SharePoint admin center → Sharing → Guest access expiration (30/60/90 days or no expiration) → after expiry the guest must re-verify → Remove: Entra ID → Users → Guest users → Delete
Admin settings for guest invitations:
- Microsoft Entra ID → External identities → External collaboration settings
- Allow/block guest invitations
- Allow specific domains only (allow list)
- Block specific domains (block list)
- Require MFA for guests (Conditional Access)
Domain Allow/Block Lists
| Method | Description | Example | Use Case |
|---|---|---|---|
| Allow list (whitelist) | Only these domains can be shared with | partner.com, vendor.vn, client.co | Strict environments (finance, government) |
| Block list (blacklist) | These domains are BLOCKED | competitor.com, gmail.com, yahoo.com | Block consumer email, competitors |
- Configured at SharePoint admin center → Sharing → Advanced
- The two cannot be used at the same time; choose one approach
- At the Microsoft Entra ID level, External identities → Collaboration restrictions offers the same allow/deny domain lists, applied to all M365 services (not just SharePoint)
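The tenant-wide baseline from the preceding sections (sharing level, default link type and permission, anonymous-link expiry, guest expiration, domain allow list) as one SharePoint Online Management Shell command. This is an added example, not code from the article; the admin URL and the domain names are placeholders.

```powershell
# Added example (not from the original article): apply the article's recommended
# tenant baseline with Set-SPOTenant. Admin URL and domains are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$baseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly'   # Level 3: new and existing guests, no Anyone links
    DefaultSharingLinkType            = 'Direct'                    # "Specific people" is the default link
    DefaultLinkPermission             = 'View'                      # new links start read-only
    RequireAnonymousLinksExpireInDays = 7                           # belt and braces: if Anyone links are ever re-enabled
    ExternalUserExpirationRequired    = $true                       # guest access expires...
    ExternalUserExpireInDays          = 90                          # ...after 90 days unless renewed
    SharingDomainRestrictionMode      = 'AllowList'                 # allow list and block list are mutually exclusive
    SharingAllowedDomainList          = 'partner.com vendor.vn client.co'   # space-separated, placeholders
}
Set-SPOTenant @baseline

# Block-list alternative (do not combine with the allow list above):
# Set-SPOTenant -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList 'gmail.com yahoo.com'

# Read the settings back so the change can be evidenced for the governance checklist.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList
```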
💡 Need to set up sharing governance for your organization? PUPAM helps deploy sensitivity labels, Conditional Access policies, and a monitoring dashboard to keep data secure and compliant. Learn more
Sensitivity Labels & Sharing
| Label | Sharing Restriction | Encryption | Use Case |
|---|---|---|---|
| Public | Anyone can share | None | Marketing materials |
| General | Internal only | None | Day-to-day documents |
| Confidential | Specific people only | ✅ AES-256 | Financial reports, contracts |
| Highly Confidential | Named users only, no download | ✅ AES-256 + DRM | M&A documents, trade secrets |
Setting Up Sensitivity Labels
- Microsoft Purview compliance portal → Information protection → Labels → Create label
- Name it: "Confidential - Finance"
- Scope: Files, Emails, Sites
- Encryption: Yes → Assign permissions now: Finance team = Co-Author, C-suite = Co-Owner, Everyone else = No access
- Content marking: header "CONFIDENTIAL", watermark
- Auto-labeling: if a document contains "doanh thu" (revenue), "lợi nhuận" (profit), or "balance sheet" → auto-apply "Confidential"
- Publish → Label policy → All users
Site-level labels:
- Apply a label to a SharePoint site → controls sharing for the entire site
- A "Confidential" site → external sharing is automatically blocked
- Admin config: Microsoft Purview → Label policies → Site scope
Conditional Access for Sharing
| Policy | Target | Condition | Action | Result |
|---|---|---|---|---|
| Block unmanaged devices | Guest users | Device state = Unmanaged | Block access | Guests must use an Intune-managed device |
| Require MFA | Guest users | All cloud apps (or SharePoint) | Require MFA | Guests must verify via phone/authenticator |
| Web-only access | Guest users | Client apps = Browser only | App enforced restrictions | Guests view in the browser only, no sync/download |
| Location-based | All users | Named locations = Outside Vietnam | Block access | Confidential sites accessible only from VN |
Configured at Microsoft Entra ID → Conditional Access → New policy. Each policy consists of: Assignments (who) → Conditions (when) → Grant/Session controls (what happens).
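The first two guest policies from the table, created with the Microsoft Graph PowerShell SDK in report-only mode so their impact can be observed in sign-in logs before enforcement. This is an added example, not code from the article; it assumes a Microsoft Entra ID P1/P2 license, and the policy display names are placeholders.

```powershell
# Added example (not from the original article): create the "Require MFA" and
# "Block unmanaged devices" guest policies via Microsoft Graph PowerShell.
# Requires Entra ID P1/P2. Display names are placeholders.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Shared assignment: every B2B guest / external user, all cloud apps, all client app types.
$guestScope = @{
    users          = @{ includeUsers = @('GuestsOrExternalUsers') }
    applications   = @{ includeApplications = @('All') }   # use 'Office365' to scope to SharePoint/OneDrive/Teams
    clientAppTypes = @('all')
}

$policies = @(
    @{
        displayName   = 'CA-Guests-Require-MFA'                 # placeholder
        state         = 'enabledForReportingButNotEnforced'     # report-only first, enforce later
        conditions    = $guestScope
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    @{
        displayName   = 'CA-Guests-Require-Managed-Device'      # placeholder
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $guestScope
        # Grant only from an Intune-compliant device; an unmanaged device is therefore blocked.
        # Partner devices count as compliant only if cross-tenant access settings trust them.
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice') }
    }
)

foreach ($p in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $p
    '{0}  {1}  {2}' -f $created.Id, $created.DisplayName, $created.State
}

# Once report-only sign-in logs show no unexpected blocks, switch a policy to enforced:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId <policy id> -BodyParameter @{ state = 'enabled' }
```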
Monitoring & Audit
SharePoint Admin Center
- Reports → Sharing: external shares, guest activity, link types used
- Identify: most shared sites, most active guests
Microsoft Purview Audit Log
- Compliance portal → Audit → Search
- Activities: "Shared file/folder", "Created sharing link"
- Filter by: user, date, site, activity type → Export CSV for analysis
Microsoft Defender for Cloud Apps
- Policies → Create policy → File policy
- Condition: "Shared externally" AND "Contains sensitive data"
- Action: alert admin, remove external sharing, quarantine
- Real-time monitoring of sharing activity
Access Reviews (Microsoft Entra ID)
- Identity Governance → Access reviews → Create review → Guest users
- Reviewers: site owners → Frequency: quarterly
- Auto-remove if there is no response within 14 days
Power BI Dashboard
- Connect audit log data → Power BI → visualize sharing trends, guest activity, risk scores
- Alert on unusual sharing patterns (a sudden spike in external sharing)
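The Purview audit log export described above, done from Exchange Online PowerShell: pull the last 30 days of SharePoint sharing events, parse the AuditData JSON, and rank each event by risk (anonymous link created, share to a guest, internal share) before writing the CSV that feeds the Power BI dashboard. This is an added example, not code from the article; the date window, risk tiers and output path are assumptions.

```powershell
# Added example (not from the original article): export SharePoint sharing events
# from the unified audit log with Search-UnifiedAuditLog (ExchangeOnlineManagement).
# Date window, risk tiers and output path are assumptions.
Connect-ExchangeOnline

$end   = Get-Date
$start = $end.AddDays(-30)
$ops   = 'AnonymousLinkCreated', 'SharingInvitationCreated', 'SharingSet',
         'SecureLinkCreated', 'AddedToSecureLink'

# ReturnLargeSet pages through large result sets; 5000 is the per-call maximum.
$events = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
    -RecordType SharePointSharingOperation -Operations $ops `
    -SessionCommand ReturnLargeSet -ResultSize 5000

$rows = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json          # per-event details live in this JSON blob
    [pscustomobject]@{
        When       = $e.CreationDate
        Actor      = $d.UserId                    # who created the link or share
        Operation  = $d.Operation
        Site       = $d.SiteUrl
        Item       = $d.ObjectId
        Target     = $d.TargetUserOrGroupName     # recipient (empty for anonymous links)
        TargetType = $d.TargetUserOrGroupType     # 'Guest' marks an external recipient
        Risk       = if ($d.Operation -eq 'AnonymousLinkCreated') { 'HIGH' }
                     elseif ($d.TargetUserOrGroupType -eq 'Guest') { 'MEDIUM' }
                     else { 'LOW' }
    }
}

# CSV for the Power BI dashboard, plus a quick count per risk tier for the monthly report.
$rows | Sort-Object Risk, When -Descending | Export-Csv -Path '.\sharing-events.csv' -NoTypeInformation
$rows | Group-Object Risk | Select-Object Name, Count
```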
Sharing Governance Checklist
- Set the tenant sharing level (recommended: Level 3, New and existing guests)
- Configure the default link type "Specific people" and set link expiration to 30 days
- Configure domain allow/block lists for external sharing
- Create sensitivity labels (Public, General, Confidential, Highly Confidential)
- Set up Conditional Access for guest users (require MFA, block unmanaged devices)
- Enable 90-day guest access expiration and quarterly access reviews
- Configure Microsoft Defender for Cloud Apps policies and enable audit logging
- Train users to understand link types, and document the sharing policy for the organization
FAQ
Do guest users consume licenses?
No, guest access is free. Microsoft Entra ID B2B allows inviting unlimited guests without consuming licenses. Guests access shared SharePoint, Teams, and OneDrive content at no cost. Limit: each paid M365 license allows inviting 5 guests (a 1:5 ratio, relaxed for most tenants). Guests do not get access to all of M365, only the content shared with them. Admins manage guest accounts via Microsoft Entra ID → Users → Guest users. Monitoring: if the org has more than 1,000 guests, review quarterly to clean up stale accounts. A Microsoft Entra ID P1/P2 license is required for Conditional Access policies applied to guests.
How do I revoke a sharing link that has already been sent?
Manage access → Remove link. On the file/folder: click ⋯ → Manage access → view all links and people → Remove link or Remove person. Site Owners can manage permissions for the whole site. Bulk revoke: the PnP PowerShell cmdlet Remove-PnPFileSharingLink. External links: set an expiration when creating them (7/30/90 days) so they auto-expire. Admin level: SharePoint admin center → Sharing → "Allow only sharing with specific security groups", so only authorized users can create external links. Microsoft Defender for Cloud Apps: auto-revoke sharing when it detects sensitive content shared externally.
Are "Anyone" links safe?
No; avoid them for production data. Anyone links are anonymous: no login required and no audit of who accessed the content. If the link leaks (email forward, public paste), anyone on the internet can access the file. Best practice: disable "Anyone" links at the tenant level (SharePoint admin center → Sharing → uncheck "Anyone"). If they must be used: set an expiration (max 7 days), set a password, block download, and monitor via Microsoft Defender for Cloud Apps. Alternative: use a "Specific people" link, which is secure and has a full audit trail. Admin report: filter the Microsoft Purview audit log on "AnonymousLinkCreated" to identify users creating anonymous links.
Can external sharing be disabled for specific sites?
Yes, via per-site sharing settings. SharePoint admin center → Active sites → select the site → Sharing → choose the level for that site. Example: "HR Internal" site → "Only people in your organization" (block all external). "Partner Portal" site → "New and existing guests" (allow). The tenant setting must be >= the site setting (tenant "Existing guests" → a site cannot be set to "Anyone"). In addition, Microsoft Purview sensitivity labels applied to sites auto-enforce sharing restrictions: the "Confidential" label on a site automatically blocks external sharing, with no manual per-site configuration needed. Admins monitor via SharePoint admin center → Active sites → Sharing column.
Where do I get a sharing report for management?
Three data sources: SharePoint admin center, Purview audit logs, Defender for Cloud Apps. (1) SharePoint admin center → Reports → Sharing: a high-level overview of external links created, guest activity, most shared files. (2) Microsoft Purview audit log → Search → export CSV → Power BI dashboard: details of each sharing event (who, what, when, to whom). (3) Microsoft Defender for Cloud Apps → Investigate → Files → filter "Shared externally": a real-time view of files shared outside the org, risk scores, sensitive content detection. Best practice: build a Power BI dashboard connected to the audit logs for an automated monthly report to management. Include: total external shares, top shared sites, guest account count, policy violations.
How does OneDrive sharing differ from SharePoint sharing?
Same engine, different scope. OneDrive is personal storage; each user gets 1TB–5TB. SharePoint is team/org storage, shared by default. OneDrive sharing settings also inherit the tenant policy; admins configure them at SharePoint admin center → Sharing → the separate OneDrive tab. Key difference: OneDrive files are owned by the individual (when a user leaves the org, an admin takes over), while SharePoint files belong to the site (always owned by the org). Best practice: use OneDrive for drafts/personal docs and move to SharePoint when team collaboration is needed. External sharing policy should be consistent between OneDrive and SharePoint to avoid inconsistencies.
Actions
- Check the tenant sharing level now at SharePoint admin center → Sharing; make sure it is set to Level 3 (New and existing guests) with default link type "Specific people"
- Create sensitivity labels in Microsoft Purview (Public, General, Confidential, Highly Confidential) and apply them to sites containing sensitive data
- Set up Conditional Access in Entra ID: require MFA for guest users and block unmanaged devices; enable quarterly access reviews
Conclusion
| Component | Recommended Configuration | Tool |
|---|---|---|
| Sharing Level | Level 3 (New and existing guests), default link "Specific people" | SharePoint admin center |
| Guest Governance | 90-day access expiration, quarterly access reviews, domain allow list | Microsoft Entra ID B2B |
| Data Protection | Sensitivity labels auto-enforce sharing, Conditional Access MFA for guests | Microsoft Purview + Entra ID |
Sharing governance means securing data while enabling collaboration. Set tenant sharing to Level 3 for flexibility and the default link type to "Specific people" for security. Microsoft Entra ID B2B manages the guest lifecycle: invite, access, review, expire. Sensitivity labels from Microsoft Purview auto-enforce sharing restrictions (Confidential → no external sharing). Conditional Access enforces MFA and managed devices for guests. Monitor continuously through Microsoft Defender for Cloud Apps, which auto-detects sensitive data shared externally. Quarterly access reviews clean up stale guest accounts.
📧 Need help with SharePoint sharing governance? PUPAM advises on and deploys permissions, sensitivity labels, Conditional Access, and monitoring dashboards for businesses. Contact hello@pupam.com