I recently conducted a poll on LinkedIn asking people “Who can see my files on OneDrive”. Forty-eight percent people thought that only they can see the files on OneDrive. By default, yes. Read on to find the complete perspective – from the point of view of bosses, users, and IT. Reading time 7 min.
Contents
By default, only YOU can see OneDrive files
That is correct. The default setting is – only YOU. It is like your local drive, my documents or desktop. So, nothing to worry about confidentiality and security.
If you share a OneDrive file with someone, then obviously those people have access. You can always remove the rights at any point of time by going to OneDrive – select file – Sharing.
Who else can see my OneDrive files
Anyone with the required permissions can see your OneDrive files
In a typical Office 365 (Microsoft 365) corporate setup, that means the Global Administrator (who is an IT person). In addition, some other administrator roles like SharePoint administrator can see your files, if they want to.
How can others see my OneDrive files? Not fair!
Wrong. These are NOT your files. You created them. Yes. But these are not your personal files. This is OneDrive for Business. These files were created for the organization. They do not belong to you. And any organization has every right to see what its employees are doing.
If this was OneDrive personal, then you are right. Those are your personal files and there is no IT team or administrator. So, only you can see them.
I am an IT Global Administrator. How do I see other’s files?
Good question. Go to Office 365 Administration page – Users – Click on a user – Click on OneDrive and choose Create a Link. That’s it.
There is an audit trail created for future reference and to prevent misuse.
Did I just reveal some big secret? NO.
Not at all. This is well known fact. Forget OneDrive, any administrator has full rights on everything they administer. Period. That is how any IT system works – Windows, Linux, cloud – everything!
Here are some articles which explain the OneDrive context…
How to access someone else’s OneDrive account …
How do I see what is in my employees OneDrive
Search Results
Storing files on desktops is better? NO.
Absolutely not. The IT administrator (or people with similar privileges) can also see files on your desktop as easily as they can see your OneDrive files. Don’t even think of storing files on local desktop thinking that they are safer! OneDrive for Business is designed for confidentiality and safety of data. In addition, OneDrive files give you so many benefits…
What happens if your laptop is stolen?
Files stored in the OneDrive for Business are always kept in encrypted form. Unfortunately, files you store locally as well as the locally synchronized copies of your OneDrive files are NOT encrypted by default. Assuming you are using Windows on the desktop, you need to enable BitLocker – which is built-in and free. If you have not done so, and someone steals your laptop, they can just remove the hard disk, put it in another PC and see your files. They don’t even need your username or password!
Check with your IT team if it is enabled for your laptops.
I am the boss. What should I do?
I am sure you already do this. But just for the sake of completeness, you should do the following. This list is only in the context of topics discussed in this article. The real list is much more complex and beyond the scope of this article and my area of expertise!
- Find out who is the global administrator for your company’s Office 365. While you are at it, might as well have a list of all administrators for all types of critical IT systems. If you are the CIO, you will already have it. If you are not the IT head, just talk to your IT head. S(he) will help you.
- Find out the governance and audit requirements in your country and industry and check with your compliance officer about the status and completeness of actions being taken.
- Make sure there is an audit of sensitive actions performed by all key persons – not just IT.
- Especially for small businesses, if you are the top boss / owner, make sure you are also the global admin and learn at least few important tasks from your IT person. Managing IT is a complex and full-time job best left to specialists. DO NOT do IT person’s job yourself.
- Trust and freedom coupled with unobtrusive, yet comprehensive governance is the best approach.
Who should be the Global Administrator?
The generic recommendation is – two to three responsible and trusted persons should be Global Admins. I will go one step further and say that CIO and CEO (or some other CXO) should have the Global Admin rights – to balance the responsibility and accountability. This is something your organizational governance policies should decide.
As a business leader, you may not understand the technical aspects of all this. But trust me, it is in your interest to understand the crux of the privilege you get as a technical administrator because you have the vicarious responsibility for the entire organization on your shoulders.
Small business owners want to see employees OneDrive files
In my experience, owners, founders, CEOs, or proprietors of a growing business, which is still small, are worried about what their employees are doing. They come from traditional on-premises, closed-network kind of environments where there is strict control over what staff can do. They most certainly want to see their staffs OneDrive files.
For such scenarios, the IT professionals handling the cloud migration should proactively offer the CEOs access to their staff OneDrives. This will help them have peace of mind and sense of control and will help the IT team move to cloud without resistance.
As the company grows, it is increasingly difficult for anyone (IT or non-IT) to strictly monitor what each employee is doing. That is the time you need to stop wasting time micro-managing things and utilize automated systems which will find patterns of misuse.
How to find and prevent leakage of data automatically?
This is a broad and complex topic. But for this discussion, the concept is called Data Loss Protection. Without any manual intervention, you define what the sensitive data looks like and create rules to block that from leaking outside the organization. It could be credit card numbers, employee salaries, customer ids and so on. For details of how to do this on Microsoft 365 platform, read this.
Why does IT need to see other employees OneDrive files?
Here are some common scenarios:
When someone leaves the company…
A routine scenario. New person is going to join. IT can then reassign the old files to the new staff and maintain business continuity.
Manager must have access to files of their team…
This can be a legal or business need in many cases. In many cases, this can mean that files are like a shared drive rather than personal storage. Consider creating a Team for these use cases. Managing a Team based storage is much simpler than managing multiple OneDrive accounts with complicated sharing.
Investigation into some incident
Complaints against a specific employee, legal investigation, compliance breach, data leakage, etc. – there can be many situations where the behavior of one or more staff members is being investigated. Obviously, IT (and the investigation team) needs access to all the data – not just OneDrive files.
Archival, Retention and Compliance
Depending upon the country and industry you are in, there will always be regulatory and compliance related rules you have to follow for managing archival of mails, chats and files. OneDrive is no exception. The archival system is built-in to Microsoft 365 and you can customize it as per local regulations. Here are more details about OneDrive governance. Therefore, the need to see other persons OneDrive files is often statutory.
Learn more about OneDrive
Here is my Online Book for OneDrive. This is a list of all articles I have written and will write about OneDrive.
You can also watch my 15 min webinar on OneDrive Efficiency
***
50 Responses
Excellent article. An article about file encryption and rights management would be a very good follow-up.
Thanks Raj. Working on the Rights Management article. Coming up soon…
Pretty interesting read, we actually experienced an issue at our work where a former employee somehow deleted a pretty impressive amount of data from our OneDrive. We now backup our data in AvePoint’s solution which can recover deleted OneDrive files.
Backup solutions will add to the cost.
Deleted files are available for 93 days. During this time, if there was an abnormal volume of deletion, IT should have received an automatic alert from Office 365 security alert system. Check with IT if such an alert was generated. If not, create relevant policies in CASB for alerting IT team of abnormal file copying / deletion.
How can I quickly tell if I have “OneDrive for Business” or “OneDrive Personal”?
(Why does the article mention so many topics… and then never explain how you can even check what you have???)
For Onedrive to work, you have to login. That is is either personal or corporate.
Nice article. Do you know if Global Administrators can also read password protected OneNote sections? I tried googling for answer but couldn’t find anything relevant.
Admin cannot read any password protected stuff.. For that matter.. Nobody else can. But there are many password breakers available freely.
If you want confidential stuff in onedrive, why not use personal version?
How do CEOs and CFOs keep their confidential data? It will be dangerous if admin can access that.
Good question. They don’t understand the risks fully. Large companies have done kind of role based access control with a approval process. They also have insider risk management systems. But otherwise it is a dismal state. I am not saying at IT Admins are misusing the system. But they know that they can. Secondly, all hackers eventually want to break in as admin…
As a business owner and because of the current set up we have right, it is important to check to our employees doing while away on the office desk and working on their comfort OneDrive can allow us to check or share all of the business files their been working on.
Yes. This is more of a governance issue rather than storage location issue.
The same need exists even when people were working from physical offices using internal networks and local drives.
Can the administrator delete the files in the onedrive?
Not just with Onedrive, but in general in IT, the admin is capable of almost any activity that a user can do. It is not as scary as it sounds. Most organizations have checks and balances in place to prevent misuse and establish accountability.
Great article. A quick question in case you know the answer: if I use Outlook on my pc with my business account of office 365 and I put other email addresses on it (personal ones) will the company be able to see my personal emails? It is useful to have all the email addresses in the same program but the license is from the business’ email. Thank you
No. In this case the company will not see personal emails. Same applies to mobile Outlook as well.
What is the best way to audit what Global Admins have given themselves access to?
This is done using Identity Governance of Azure Active Directory. https://docs.microsoft.com/en-us/azure/active-directory/governance/identity-governance-overview In practice, this requires additional license for Azure AD Plan 2. In my experience, majority of customers do not subscribed to the plan. In the absence of this governance, there is no audit!
I am using a Microsoft surface that is owned by the company and have my OneDrive for business sync’d to the desktop. If I was to sync my personal OneDrive to the same device would my company have access to this?
Thanks
If you sync personal OneDrive to a company provided laptop, by default, the files from your personal OneDrive are a part of your local drive.
Therefore, in theory, your company cannot see it as a part of the corporate OneDrive for Business.
Having said that, technically, it is possible for Admins to remotely control laptops.
we’d love to use it in our family, but there are some concerns whether if I share a Family Subscription (up to six included, I think), then the parent will be able to see everyone’s files.
I have not yet seen a clear statement that this is NOT the case. Does that exist anywhere?
I have a question, one new laptop was registered with one employee’s email as admin or primary user then gave to the other employee to use, the windows user name is not changed, but the password got changed. can the first employee be able to see the second one’s files?
If the login username is same, but password has changed, the first employee cannot see the files of second employee.
If first employee has admin access and created a separate local user for second employee, then first one can see the second user files.
To be clear, IT Admins can potentially access any files on a work computer. If you want files kept private you should consider the following options:
1) Use personal OneDrive and not sync the files to your local computer (ie. just use the OneDrive website).
2) Use personal OneDrive syncing folders as desired, but putting your private files in the OneDrive Personal Vault (only available in normal OneDrive (not business version))
3) Password protect your personal files (Personal OneDrive or Business OneDrive) from within the application (eg. excel password protection) or by zipping with password protection.
Make sure the files you consider personal are actually yours and not belonging to the business (ie. work files). Work policies will probably dictate that work files must be stored within your workplace’s OneDrive for Business.
Hi, I think in my co several might have access to either one or corporate OneDrive.
If any of the staff has been using it to store their personal files photos, videos, etc without realizing that it is in fact a pool drive.
And I or any other admin deleted them without wasting time explaining to everyone. Will they know who deleted their files?
TIA
If it is personal OneDrive and the device is controlled by your company IT team and you have synched data locally, then they potentially can see / delete.
Recovery from OneDrive recycle bin is possible till 90 days.
I received an email from Microsoft OneDrive with all my pictures on the OneDive. Since I’m not subscribed to OneDrive what gives Microsoft the right to show my photos and videos on the web. I will notify the FCC for invasion of privacy.
I cannot respond to your issue. You should take this up with Microsoft.
If i created by accident a file with private content and then deleted it, also from recycle will administrator have acess to this file or to restore this file?
Yes. For 90 days.
Hi if someone can download files from one drive office account to a personal laptop, by logging one drive into personal laptop can it team find this out in which system or mac address files being downloaded ?
If you own the laptop, and use it to login to corporate systems, personal data cannot be seen by the IT team.
However, each company has its own IT policies which may override.
It is best to ask the IT team which policies are currently in place.
Hi if someone can download files from one drive office account to a personal laptop, by logging one drive into personal laptop can it team find this out in which system or mac address files being downloaded ?
If you own the laptop, and use it to login to corporate systems, personal data cannot be seen by the IT team.
However, each company has its own IT policies which may override.
It is best to ask the IT team which policies are currently in place.
Hi if someone can download files from one drive office account to a personal laptop, by logging one drive into personal laptop can it team find this out in which system or mac address files being downloaded ?
If you own the laptop, and use it to login to corporate systems, personal data cannot be seen by the IT team.
However, each company has its own IT policies which may override.
It is best to ask the IT team which policies are currently in place.
Hi if someone can download files from one drive office account to a personal laptop, by logging one drive into personal laptop can it team find this out in which system or mac address files being downloaded ?
If you own the laptop, and use it to login to corporate systems, personal data cannot be seen by the IT team.
However, each company has its own IT policies which may override.
It is best to ask the IT team which policies are currently in place.
I have received 365 access login and password from my organization and I am using that access on my private laptop for personal use. Can the organization see/retrieve word, excel and other files if these are stored locally or in private google drive?
If the answer is no, what about automatic backups that could be setup by the organization IT and then all the word, excel files would be ‘backed up’ somwhere in the company cloud without me even knowing it? thanks..
When you own the device (laptop) and use it for official purpose, IT has visibility to only the corporate data – which you generate using Office 365.
Your local and personal data in other accounts will not be visible to them. When you login to corporate accounts, some policies get applied.
You can find out from your IT team exactly what policies are applied. Usually, these policies will not cover local and personal data.
Hi
At my job we work with share drive and we have One Drive. Is it normal to see my colleagues uploads into the share drive in my One Drive icon on the laptop desktop? I mean the small cloud just next to the clock. When we click, we see upload of the files into One Drive. Mine I assume is normal to see, but from my colleagues? Thats my question.
Thank you
Is everyone using the same email id to login to OneDrive? In that case, you are using it like a shared drive.
So it is normal for you to see files uploaded by your colleagues.
Hi, if I password protect an Excel file in my local drive and I upload it to SharePoint, can the Global Admin open and view the file bypassing the password, or can they unencrypt the password?
Also, if I download a file that was created in SharePoint and I then add a password and upload that file to SharePoint and replace the original, does SharePoint store the original file as a pervious version without the password? If so, how long is that file stored and can the Global Admin see/access that file?
Thank you!
If you put a password, others cannot see the file.
But breaking passwords is very easy nowadays. Use with care.
Second scenario – yes. Previous version will be there in recycle bin for 90 days.
Admins have their own Recycle Bin – for additional 90 days.
If you have shared a file or folder with someone, they will be able to view and potentially edit the file or folder. Make sure to only share files with people you trust.
Yes you are right. But there is nothing to worry. Even if some deletes, there is a recycle bin for 90 days.
If someone edits, there are upto 500 versions per file.
If you have given someone permission to view or edit a file, they will be able to access it. Make sure to review the permissions you have granted to others and adjust them as necessary.
LefeWare Solutions
Thanks. Will check it out.
I am curious about the same thing. This implies that OneDrive personal does not have a method by which the account manager can see your files, but it doesnt specifically come out and say that.
For example, if a family of three is sharing an Office 365 Family version, can the parents opt to see their child’s one drive?
To my knowledge, no.