1. Start from least privilege
The rule of thumb: give a role the minimum access it needs, then add more only when there's a reason. It's far easier to grant access later than to find out, after an incident, that a new hire's account could open every contract and payroll file. Two habits make this work in Microsoft 365: grant access through groups, not to individuals, and keep shared files in team SharePoint sites, not personal OneDrives.
2. Organize people with groups
Build a group per team—Sales, Finance, HR, Leadership—and use it everywhere you grant access. You have two flavors:
- Microsoft 365 Groups back a Team and its SharePoint site; membership in the group is access to that team's files and chat.
- Security groups are for granting access to other resources and for targeting Conditional Access policies.
Manage them at admin.microsoft.com → Teams & groups → Active teams & groups (or in Entra). The payoff: access management becomes "add or remove someone from the group," so onboarding and offboarding are one step and nobody slips through.
3. Scope files by team in SharePoint & Teams
This is where most small-business access control actually happens. Each Team has a SharePoint site behind it that holds its files, and only the team's group members can reach it. Create one Team per function—Sales, Finance, HR—rather than dumping everything into one "Company" site.
Within a site, SharePoint permission levels run from most to least powerful:
- Owner / Full Control — manage the site and its members (keep this to one or two people)
- Member / Edit — add and edit files (most of the team)
- Visitor / Read — view only
Example: the Finance site has only the finance group as Members and the owner as Owner. Sales staff have no path to it—not because a file was marked "private," but because they aren't in the group. For an extra-sensitive folder or library inside a shared site, you can break inheritance and grant a narrower group, but use that sparingly—broad, group-based site permissions are easier to keep correct than a maze of per-file exceptions.
4. Control external sharing
RBAC inside the company means little if a file can be shared to anyone with a link. Set sensible defaults at admin.microsoft.com → SharePoint admin center → Policies → Sharing:
- Set the organization-wide level to "Existing guests" or "New and existing guests", not "Anyone," and set the default link type to "Specific people."
- For sensitive sites (Finance, HR), set per-site sharing to "Only people in your organization."
- Turn on expiration for guest access so external shares don't live forever.
5. Protect sensitive files with labels
For your most sensitive documents, sensitivity labels (in Microsoft Purview, included with Business Premium) let you tag and even encrypt files—so a "Confidential" document stays protected and access-controlled wherever it travels, even if it leaves the site. Start with two or three labels (e.g., Public, Internal, Confidential) at Microsoft Purview → Information protection → Labels and publish them to your users.
6. Least-privilege admin roles
RBAC applies to your admins too—and this is where small businesses most often over-grant. Not everyone who helps with IT needs to be a Global Administrator (who can do anything). Microsoft has dozens of scoped built-in roles—use them:
- Helpdesk Administrator — reset passwords for non-admins
- User Administrator, Exchange Administrator, SharePoint Administrator — manage just their area
Assign roles at admin.microsoft.com → Roles (or in Entra), keep Global Admins to four or fewer, and require phishing-resistant MFA for all of them. On higher tiers (Entra ID P2), Privileged Identity Management (PIM) lets admins activate elevated rights only when needed, for a limited time.
7. Offboard cleanly
The flip side of good access control is removing it fast. When someone leaves: block sign-in immediately (this cuts access while keeping data), remove them from all groups (which revokes the access those groups granted), reset their password, revoke their sessions, and hand their OneDrive over to a manager. Because shared files live in team SharePoint sites—owned by the org, not the person—nothing critical walks out the door.
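The offboarding steps above as one Microsoft Graph PowerShell runbook. This is an added example, not code from the original article; it assumes the Microsoft.Graph module is installed, that the signed-in admin holds a role allowed to disable users and reset passwords (User Administrator is enough for non-admin accounts), and takes a placeholder user principal name as its only input.

```powershell
# Added example, not code from the original article. Assumes the Microsoft.Graph module
# is installed and the signed-in admin holds a role that may disable users and reset
# passwords (User Administrator suffices for non-admin accounts).
param(
    [Parameter(Mandatory)] [string]$UserPrincipalName   # e.g. leaver@example.com (placeholder)
)

# Delegated scopes for the calls below; the admin consents on first use.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Group.ReadWrite.All', 'Directory.AccessAsUser.All' -NoWelcome

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, DisplayName, UserPrincipalName

# Step 1: block sign-in. The mailbox and OneDrive stay intact; new sign-ins are refused.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# Step 2: leave every group. Because access is granted through groups, this revokes
# Teams, SharePoint and app access in one pass.
$groups = Get-MgUserMemberOf -UserId $user.Id -All |
    Where-Object { $_.AdditionalProperties.'@odata.type' -eq '#microsoft.graph.group' }
foreach ($g in $groups) {
    $name = $g.AdditionalProperties.displayName
    try {
        Remove-MgGroupMemberByRef -GroupId $g.Id -DirectoryObjectId $user.Id -ErrorAction Stop
        Write-Host "Removed from group: $name"
    } catch {
        # Dynamic-membership groups re-evaluate on their own, and mail-enabled security or
        # distribution groups are managed in Exchange, so removal can fail here; record it.
        Write-Warning "Could not remove from '$name': $($_.Exception.Message)"
    }
}

# Step 3: reset the password to a random value nobody knows, in case it was shared or saved.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = [Convert]::ToBase64String($bytes)
    ForceChangePasswordNextSignIn = $true
}

# Step 4: revoke refresh tokens so open Teams/Outlook/mobile sessions stop once their
# short-lived access tokens expire. Blocking sign-in alone does not end existing sessions.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# Step 5: OneDrive handover is a SharePoint admin action, not a Graph one. Do it in the
# SharePoint admin center, or with Set-SPOSite -Owner from the SharePoint Online module.
Write-Host "Offboarded $($user.UserPrincipalName); hand the OneDrive to the manager next."
```

Run it once per leaver; the warnings it prints are the groups you still have to handle in Exchange or that will update themselves.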
Your Microsoft 365 access checklist
- Access granted through groups, not named individuals
- Shared files kept in team SharePoint sites, not personal OneDrive
- One Team/site per function, with right-sized Owner/Member/Visitor roles
- Per-file permission exceptions kept to a minimum
- External sharing defaults tightened (guests only, specific-people links, expiration)
- Sensitivity labels protecting your most confidential documents
- Admin access uses least-privilege roles; Global Admins kept to four or fewer
- Offboarding blocks sign-in and removes group membership
Microsoft moves and renames these settings from time to time—the setting names given above are stable search terms. Running Google too? See Role-Based Access Control in Google Workspace.