Here is the truth. The beloved term “best practices” is almost meaningless in a system as complex and flexible as Microsoft 365. The services of Microsoft 365 can be configured in radically different ways to limit or expand their reach into the world, and you have to determine what best represents your organization's way of working.
The default settings for many things in Microsoft 365 are designed for ease of use, not necessarily for the most secure or controlled implementation. Microsoft configures the features of SharePoint and OneDrive to make creation and sharing as easy as possible. Any user can create a site or team, even though most administrators would prefer those options to be limited. By default, anonymous external links to content anywhere in SharePoint stay active forever, to make it easier for users to share content with external users.
These loose configurations allow people to get their work done with little adjustment, and trying to tighten up settings later can cause a lot of confusion and irritation for users. These may not have been the “best practices” for a lot of organizations and their security needs, but they did give the users the easiest path forward when they started using Microsoft 365.
The moral of the story is… it isn’t always the stuff that doesn’t work that you need to spend your time on. Spend a little time on things that do work that you have never examined in detail.
I am going to point out some very basic settings that many customers neglect to review when their Microsoft tenant is new. These are the features around sharing files, internally and externally, and how they can be configured for different use cases. I have provided links to information for reviewing those settings, and you should become familiar with the options that are available to meet your requirements.
None of these links will necessarily give you the “best” configuration for these features, but they will give you a foundation in the questions you need to be asking. The best configuration is the one that serves your organizational needs. Microsoft has chosen some defaults that reduce the friction for users to get work done, and while that may be great for the individual users, it may not be for the organization as a whole. Being able to share documents easily with other organizations is a great feature, but if you can’t share documents because of privacy or regulations, you have to adjust for that separately.
Users can share files with others, and customers can locate and edit the files you shared with them. It is only after you examine who has access and how the information is shared with them that you may realize the settings grant access to too many people, or too much access to unnamed, non-authenticated users through an anonymous link.
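As an added example (not from the original post), here is a SharePoint Online PowerShell audit that reads the tenant-wide sharing settings discussed above and flags the permissive defaults: anonymous links that never expire, anonymous links that allow editing, a default link type of "Anyone", and guests being allowed to re-share. It assumes the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account; `<tenant>` is a placeholder for your tenant name.

```powershell
# Added audit example, not part of the original post. Assumes the
# Microsoft.Online.SharePoint.PowerShell module is installed and that
# you hold the SharePoint administrator role; replace <tenant>.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$t = Get-SPOTenant
$findings = @()

# Anonymous ("Anyone") links with no expiry: -1 means they never expire.
if ($t.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
    $t.RequireAnonymousLinksExpireInDays -lt 1) {
    $findings += "Anyone links are enabled and never expire."
}
# Anyone links that grant Edit rather than View.
if ($t.FileAnonymousLinkType -eq 'Edit' -or $t.FolderAnonymousLinkType -eq 'Edit') {
    $findings += "Anyone links may grant Edit instead of View."
}
# New share links defaulting to an anonymous link.
if ($t.DefaultSharingLinkType -eq 'AnonymousAccess') {
    $findings += "Default sharing link type is an Anyone link."
}
# Guests allowed to forward access to people you never invited.
if (-not $t.PreventExternalUsersFromResharing) {
    $findings += "External users are allowed to re-share content."
}

if ($findings.Count -eq 0) { "No risky tenant-wide sharing defaults found." }
else { $findings | ForEach-Object { "FINDING: $_" } }

# Sites that still permit external sharing, for a per-site review.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability

# Tightened values beside the defaults checked above. These are illustrative;
# agree the numbers with the business before running them.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
#               -RequireAnonymousLinksExpireInDays 30 `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View `
#               -DefaultSharingLinkType Internal `
#               -PreventExternalUsersFromResharing $true
```

Per-site sharing can be tighter than the tenant setting but never looser, so the tenant values are the ceiling to review first.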
Much of what we do here at Pait Group is helping customers tailor their environment to those needs. Microsoft 365 can be used as a platform that meets HIPAA, GDPR, or ISO requirements, as well as many others, but none of them are achieved just by using Microsoft 365. The tools are available to conform to the rules of the certification, but your implementation is the key to compliance.
I hope this gives you a place to start with getting the basic configurations under control. Let us know if you need help with your next step!