This article is aimed at supporting Local Administrators (LAs) with controlling user access to both SharePoint and OneDrive.
Microsoft provide a standard grace period for these applications, meaning even when toggled off in a user policy via the NHSmail portal, there will be a period in which users can continue to access and use both applications.
This article provides guidance on how Local Administrators (LAs) can take additional steps to restrict access appropriate.
A OneDrive instance is automatically created when an O365 licence is applied to a user and as such this feature cannot be fully disabled for a user as this is tied directly to Teams access for users.
This is a limitation of the Microsoft product itself rather than something which is specific to the NHSmail shared tenant and cannot currently be resolved.
Disabling application access via user policies:
Step 1: Login to the NHSmail portal, select Admin> User Policy Management and select the policy you wish to disable
Step 2: Click SharePoint (includes OneDrive toggle) to off
Step 3: This action has disabled SharePoint/OneDrive for all the users within that policy
It is expected behaviour that OneDrive/SharePoint access will continue for a period (defined by Microsoft) after the toggles are turned off by an LA.
If you wish to prevent further access during the grace period with Microsoft, please follow the guidance below:
Removing access from SharePoint Site collections:
Step 1: Log in to your Office 365 account and navigate to the SharePoint site that requires management. Select Setting via the cog icon in the top right-hand corner of the window
Step 2: Select Site permissions to continue to the management window
Step 3: Select members or visitors based on the level of permission provided to the user you wish to remove.
Warning: removing an owner may cause access issues and result in being locked out of the SharePoint site.
Step 4: Select the individual users to remove from the SharePoint site, or, select all users by selecting the multi-select button
Step 5: Select Actions and then Remove Users from Group
Step 6: If prompted, click OK
Step 7: The user(s) will be removed
For Teams SharePoint sites, access can easily be revoked by removing the user from the Team. This can be done via the NHSmail Portal or directly in the Teams application. Only Team owners can remove members.
OneDrive Access:
Access to the OneDrive application cannot be further restricted within the Microsoft grace period. Local Administrators (LAs) can delete the contents of a user’s OneDrive if appropriate.
Please see the guidance on how to delete a user’s data on OneDrive for further information. Please read the important considerations when looking to complete this action and ensure it complies with your local organisation data retention policies.
Following the disablement of OneDrive, users will still be able to:
- Share files directly in Teams one to one chats and across Teams Channels
- Access links (URLs) to OneDrive content previously shared with them
