OneDrive Security Guide

Microsoft OneDrive is a cloud storage service provided to the University community by Pitt Digital and may be used for the storage of Restricted data per the Data Risk Classification and Compliance Operating Standard.

While both Pitt Digital and Microsoft provide advanced protections for data stored in OneDrive, such as virus scanning, suspicious activity monitoring, ransomware detection, and service-level encryption, you have a shared responsibility to ensure that the information you choose to store in OneDrive remains protected, confidential, and compliant with applicable laws, regulations, and contractual agreements.

This guide aims to provide you with tips and guidance to ensure that your data remains safe and secure while taking advantage of the features and benefits OneDrive offers.

Quick Tips

When sharing data stored in OneDrive, Pitt Digital Security highly recommends the following to help ensure that your data remains secure and confidential:

Whenever possible, share with specific individuals and groups with known email addresses
Never generate links with Anyone or People in University of Pittsburgh access permissions, particularly when sharing Restricted data
Select the Can’t download permission whenever possible to avoid unauthorized duplication of your files
Store shared and unshared (private) files in separate folders to avoid accidental sharing and data leaks
Similarly, store sensitive and non-sensitive information in separate folders to avoid unauthorized access and data disclosure
Periodically review access to shared files and folders and remove access or stop sharing when it is no longer needed

Accessing OneDrive

The OneDrive service can be accessed by browsing to my.pitt.edu, signing in with your Pitt Passport account, and clicking on OneDrive. If you don’t see OneDrive available, search for “OneDrive” using the search bar at the top of the page.

Alternatively, browse to https://pitt.onedrive.com and sign in to access your OneDrive account.

Enable Multi-Factor Authentication (MFA)

Pitt Digital provides all University of Pittsburgh Faculty, Staff, and Students with Duo for multi-factor authentication to protect their Pitt Passport accounts. If you have not already set up Duo Mobile for your account, please follow the steps outlined in Setting Up Multi-factor Authentication with Duo.

In addition to Duo, most Pitt Passport accounts have the option to add Microsoft Authenticator as an additional MFA solution. While not an alternative to Duo for Pitt Passport sign ins, Microsoft Authenticator can provide yet another layer of security when accessing Microsoft’s online services, such as OneDrive and SharePoint. Please see Multi-factor Authentication (MFA) with Microsoft Authenticator for more details and instructions for adding Microsoft Authenticator to your account.

Secure Your Devices

While working with your data stored in OneDrive, copies may be downloaded to your local device. OneDrive provides the option to download files and folders on demand, but it may also automatically cache or synchronize copies of your data to improve performance and provide offline access.

Because your data may be stored both on your device as well as in the cloud, Pitt Digital Security highly recommends the following to help ensure that your device remains healthy and secure:

Install all available security updates for the operating system and installed applications as soon as possible
Ensure only properly licensed and fully supported operating systems and applications are installed
For Windows and MacOS devices, ensure that malware protection software is installed and regularly updated
Ensure device encryption is enabled

Please see Pitt Digital’s Workstation Security Standard for more detailed recommendations.

Also be sure to ask the Pitt Digital Help Desk about the Enterprise Device Management service to help keep devices in your department up to date with the latest security patches.

Device Encryption Guidance

For encryption on Windows devices, Pitt Digital recommends enabling BitLocker Drive Encryption on all volumes. For MacOS, enable FileVault on all disks.

For mobile devices, such as iPhones or Android smart phones, ensure that a passcode is required to unlock.

How to Share Files and Folders

When viewing your OneDrive content on the web (office.com/onedrive), you can easily share a file or folder with others by click the ellipsis next to the desired object and clicking Share.

Enter the name or email address of the individuals or groups that you wish to share this content with.

To change the permissions these collaborators will have to the shared content, click the drop down menu to the right of the Add a name, group, or email box.

When ready, clicking the Send button will send an email invitation to the email address provided that will contain a link to access the content.

If you’d like to add a personalized message to the invitation email, enter it in the Add a message box before clicking Send.

Alternatively, clicking the Copy link button will generate a unique URL and copy it to your clipboard so that it can be shared directly with your collaborators.

Before clicking Copy link, you can change the permissions that those with the link will have by clicking the gear icon.

In the Link settings page, the The link works for section allows you to select who will be able to use the link to access the shared content.

The drop down under More settings allows you to select the permissions those individuals in the first section will have when using the link.

Understand Sharing Permissions

When sharing content from OneDrive, you control what can and can’t be done with your data. There are generally three permissions options when sharing files and folders:

Can view – The default permissions when sharing. Allows collaborators to view contents but they cannot make any changes.
Can edit – Allows collaborators to both view and make changes to contents of the shared file or folder. This includes editing file contents and uploading, downloading, or deleting files and folders from within a shared folder.
Can’t download – The same as Can view, but collaborators cannot download copies of the data from OneDrive to another location.

When creating links to share content from OneDrive, you also can specify who can use that link to access your data. In order of least restrictive to most restrictive, the available options for links are:

Anyone – Anyone with the link can access the contents of the shared file or folder. Users do not need to sign in or prove their identity before gaining access.
People in University of Pittsburgh – Anyone with a University of Pittsburgh user account can access the shared content using the link. Users must sign in using their Pitt Passport username and password before gaining access.
Only people with existing access – Only those individuals who have already been given access to the content may use the link. These can be other Pitt users or external collaborators. A Pitt Passport account is not required.
People you choose – Only the individuals who’s email address is included in the Share dialog may use the link. These can be other Pitt users or external collaborators. A Pitt Passport account is not required.

IMPORTANT: When generating a link and choosing who can use it, you can also specify one of the permissions described earlier; Can view, Can edit, Can’t download. The chosen permissions will apply to everyone who can use the link.

For example, choosing to share a link with Anyone and selecting Can edit will allow anyone with the link to anonymously read, modify, delete, or download your data.

Understanding Permissions for Shared Folders

When sharing a folder from OneDrive it’s important to be aware that the chosen permissions are automatically inherited by all included files and sub folders. This will include any files and folders that may be created or uploaded in the future. Consider the following example:

My OneDrive
- Folder 1
  - File 1
  - Folder 2
    - File 2

Sharing Folder 1 and granting the Can edit permission means that those I’m sharing with will have Can edit permissions to Folder 1, File 1, Folder 2, and File 2.

Later, if I upload another file to Folder 2 named File 3, and because I have previously shared Folder 1, those same individuals will automatically be given Can edit permissions to File 3.

It is possible to break inheritance and give unique permissions to a folder or file within a folder. To determine this setting, go to the the folder's Permissions page (Manage Access > Advanced Settings).

To stop inheriting permissions, click Stop Inheriting Permissions in the toolbar.
To remove unique permissions and reset the folder to inherit permissions, click Delete unique permissions in the toolbar.

Reviewing and Managing Access

See what’s being shared

When viewing your OneDrive data on the web (office.com/onedrive), you can quickly see what files and folders are being shared with others by browsing to My files and looking at the Sharing column.

Content marked as Private is not shared and is only accessible to you. Content marked as Shared has been shared with other individuals or groups.

Inversely, if someone has shared content with you, the owner of that file or folder will be listed in the Sharing column.

You can also browse to Shared and click the By you tab to quickly see all of the files and folders that you are sharing with others.

To see who specifically has been given access to a file or folder, click the ellipses and then select Manage Access.

There are three tabs in the Manage Access window that lists who has access and what permissions they have been given.

People – this tab lists all individual users and email addresses that can access this content
Groups – this tab lists all Office 365 groups that have been granted access
Links – this tab lists all sharing links that have been generated for this content

Change Sharing Permissions

To change the permissions granted to a collaborator, click on them in the Manage Access window under the appropriate tab. The Access summary page will give you an overview of the permissions that were previously granted.

Click the drop down to see the available options for changing the assigned permissions. Select the desired option and then click the Apply button. Alternatively, you can choose the option to Remove direct access to stop sharing with that individual or group.