Idecsi Blog

Securing AI Agents in Microsoft 365: Best Practices for 2026

nathan.colombani@idecsi.com (Nathan Colombani) — Wed, 27 May 2026 12:04:38 GMT

In February 2026, 1 organizationsresearchers documented more than 50 real-world prompt injection incidents across 3 in 14 different sectors. In nearly every case, the AI agent had not been compromised through a sophisticated technical exploit. It had simply done what it was designed to do, but on data it should never have accessed, or by following instructions hidden inside a routine document.

Data Exposure in Microsoft 365: Understanding the Risks and Taking Back Control

nathan.colombani@idecsi.com (Nathan Colombani) — Thu, 07 May 2026 08:23:12 GMT

Around 80% of data breaches in organizations do not originate from sophisticated external attacks. They stem from internal errors: a forgotten share, an access right never revoked, a Teams group left in public mode. In Microsoft 365 environments, where Teams, SharePoint, OneDrive and Outlook multiply the channels through which data can be shared, this reality takes on a new scale. With the arrival of Copilot, it becomes urgent.

What this article covers:

Why Microsft 365 multiplies data exposure risks
The 4 situations that create data exposure in M365
Copilot as a risk amplifier : why AI magnifies existing exposure
What native microsoft tools do not cover
How to reduce data exposure by involving users

Copilot Cowork in Microsoft 365: What CIOs Need to Know

nathan.colombani@idecsi.com (Nathan Colombani) — Tue, 28 Apr 2026 08:46:25 GMT

On March 31, 2026, Microsoft made Copilot Cowork available through its Frontier program. The release marks a genuine shift in how Microsoft positions Copilot : no longer a conversational assistant that drafts emails and summarizes documents, but an execution agent that plans, acts, and delivers work across the entire Microsoft 365 environment. For CIOs and IT administrators, that shift raises concrete questions about technical requirements, how to enable it, and what it means for data governance in your tenant.

Microsoft 365 External Sharing: Best Practices Guide (2026)

caroline.bourgoin@idecsi.com (Caroline Bourgoin) — Tue, 21 Apr 2026 14:41:19 GMT

Microsoft 365 External Sharing: Best Practices Guide (2026)

External sharing in Microsoft 365 is the engine of modern collaboration. It allows employees to work seamlessly with partners, clients, and vendors without leaving their work environment.

But that ease of use can quickly become a serious risk if left ungoverned. The accumulation of access links and external guests creates an attack surface that is often invisible to IT teams.

One figure puts this into perspective: at one of our clients (roughly 3,000 users), we identified more than 35,330 active anonymous links on OneDrive for Business alone. Each one of those links is a door potentially left open to your data.

Here is how to secure external sharing without blocking productivity.

2026 update: This guide incorporates the latest changes to SharePoint and OneDrive sharing options, as well as the standardization of shared channels (Teams Connect) for secure B2B collaboration.

What this article covers:

Understanding the Two Types of External Sharing : Guest vs Links
External Sharing by Tool : key differences
Microsoft 365 external sharing best practices for 2026
Getting a unified view : from IT Team to End Users

Understanding the Two Types of External Sharing: Guests vs. Links

Before diving into tools and controls, it is critical to distinguish between the two core mechanisms for external sharing in Microsoft 365.

1. Authenticated Guest Users (B2B)

The external user is invited via their professional email address. A "Guest" account is created in your Microsoft Entra ID directory (formerly Azure AD).

Advantage: Full traceability. You know exactly who accesses what. Access can be centrally revoked and enforced with multi-factor authentication (MFA).
Recommended use: Long-term collaboration, project-based work, access to Teams or SharePoint sites.

2. Sharing Links in Microsoft 365

Microsoft 365 offers four types of sharing links, ranked from most to least secure.

"Specific People" - Recommended Default

Only explicitly designated email addresses can open the link
Requires Microsoft 365 authentication
The link remains valid even if forwarded, but only authorized recipients can open it
Recommended use : B2B collaboration with identified partners

"People with Existing Access"

This link modifies no permissions whatsoever
It simply helps people who already have rights on the file access it more easily (site members, team members, etc.)
Recommended use: Quick internal sharing without extending permissions

"People in Your Organization"

Accessible to anyone with an account in your Microsoft 365 tenant
Does not work for external users, even guests
Watch out: Can create compliance issues if the link circulates widely internally (e.g., HR, R&D, or Finance files)
Recommended use: General documentation, non-sensitive resources for broad internal distribution

"Anyone with the Link" (Anonymous Links) — Least Secure

No authentication required by default
Admin-configurable protections:

Mandatory expiration (e.g., 7, 15, or 30 days)
Password protection (adds a lightweight authentication layer)
Download blocking (view-only mode)

Zero traceability: No way to know who viewed the file — it does not appear in standard audit logs
Recommended use only for: Public, non-sensitive documents that need very broad distribution with no friction (e.g., cafeteria menu, press release, event registration form)

Security reminder: Any document classified as Confidential or containing personally identifiable information (PII) subject to CCPA, HIPAA, or other US privacy regulations must never be shared via an anonymous link.

External Sharing by Tool: Key Differences

Outlook

Classic email attachments are giving way to cloud links. When a user attaches a file from OneDrive or SharePoint, Outlook generates a sharing link.

Watch out: The default link type in Outlook is not necessarily anonymous. It depends on the tenant-level configuration set by your admin.
Reality on the ground: Users often forget to check permissions via "Manage Access" before hitting send.
Recommendation: Configure your tenant so the default link type is "Specific People" to limit accidental exposure.

OneDrive

OneDrive is each user's personal workspace — and it is often where the largest volume of authorized shadow IT accumulates. The sharing interface offers granular security options that should be actively used:

Link expiration: Enforceable by IT for anonymous links
Password protection: An extra layer for "Anyone" links
Download blocking: Enables review access without exposing the source file

Admins can enforce global restrictions — for example, disabling "Anyone" links on OneDrive while leaving them available on SharePoint.

SharePoint

SharePoint structures team-level collaboration. External sharing works at two levels:

Site level: Guests are added to the "Visitors" (read-only) or "Members" (edit) group. The external user gains access to all content on the site, based on the permission inheritance in place.
File/folder level: Granular sharing via links, identical to OneDrive.

Governance risk: Without dedicated tooling, it is extremely difficult for a site owner to get a consolidated view of who accesses what — with a mix of site members and unique sharing links all in play.

Microsoft Teams

Teams has become the central hub for external access.

Guest Access: The classic method for adding an external member to a team. The guest can access all channels (except private ones), associated SharePoint files, and chat.

Shared Channels (Teams Connect): This advanced B2B collaboration feature lets external users from other Microsoft 365 organizations participate in a specific channel only, without gaining access to the rest of the team.

Technical prerequisites:

Requires a Microsoft 365 Business Standard, Business Premium, E3, E5, or higher license
Requires prior admin configuration (feature must be enabled at the tenant level)
Requires a B2B sharing agreement (Microsoft Entra B2B Direct Connect) between both organizations
Limited to 50 external members per shared channel

Unlike classic Guest Access, Shared Channels create a dedicated SharePoint site for that channel only, independent of the main team site.

Storage architecture by Teams context:

Files in 1:1 or group chats: Stored in the OneDrive of the user who shared the file. If deleted from the source OneDrive, the file becomes inaccessible in the chat.
Standard channel files: Stored in the SharePoint document library associated with the Teams site. All team members with channel access can reach these files via SharePoint.
Shared channel files: Stored in a dedicated SharePoint site automatically created for that shared channel. This site is separate from the main team's SharePoint site, enabling granular permission control and better data isolation for external collaborators.

Governance impact: This multi-silo architecture complicates backup, DLP, and retention strategies. Organizations should inventory dedicated channel sites via PowerShell to ensure full compliance policy coverage — particularly for HIPAA, CMMC, or other regulated data environments.

Microsoft 365 External Sharing Best Practices for 2026

Securing external sharing does not mean blocking it — it means governing it. Here are the priority recommendations to roll out across your organization.

1. Keep Anonymous Links the Exception, Not the Rule

The "Anyone with the link" option must be the exception.

Permitted use: Public, non-sensitive documents or content for very broad audiences (press releases, generic documentation, event forms)
Golden rule: A confidential document should never be shared as an anonymous link
IT action: Technically enforce a short expiration (e.g., 30 days) on all anonymous links and restrict default permissions to read-only

2. Default to "Specific People" Links

For any B2B collaboration:

Use the "Specific People" option. Only the designated email address will be able to open the file, even if the email is forwarded.
Apply the principle of least privilege: grant edit rights only when necessary. View-only mode is often enough.

3. Make Access Reviews a Recurring Process

A legitimate share at the start of a project becomes a security liability once the project ends. Data security depends on lifecycle management.

Quarterly cleanup: Encourage data owners to review their active shares on a regular basis
Visual cues: Watch for the "This site has external guests" indicator in Teams, and use the "Shared by you" view in OneDrive
Compliance: These reviews are essential to meet the access control and third-party management requirements of HIPAA, CCPA, NIST CSF, and CMMC frameworks

Getting a Unified View : From IT Team to End Users

For IT and Security Teams

The IDECSI platform delivers a clear, consolidated view of all external access and sharing across Microsoft 365:

Full visibility through detailed reports on access rights, permissions, and shares
Identification of data exposure risks — including anonymous links on classified files (Confidential, Restricted, etc.)
Mapping of all external access across SharePoint, Teams, Microsoft 365 Groups, and OneDrive — whether managed at the site level or the tenant level
Automated access reviews for external users, without requiring Microsoft Entra ID P2 or SAM licenses

For End Users

Despite Microsoft's ongoing improvements, the native Microsoft 365 interface remains fragmented. Users still lack a single console to see all their active shares across OneDrive, SharePoint, and Teams. That visibility gap makes it nearly impossible to hold employees accountable for their own sharing behavior.

The solution: equip employees with a tool like MyDataSecurity.

MyDataSecurity acts as a personal security dashboard for every user:

Centralized view: All access in one place — guests, anonymous links, and internal shares
Risk detection: Instant identification of stale shares, anonymous links on sensitive files, or inactive guests
One-click remediation: Users can fix, extend, or revoke access on their own, without opening a support ticket

By giving data owners direct visibility into their own sharing activity, every employee becomes an active participant in the organization's security posture. That is the shift from reactive IT control to shared governance.

Conclusion: From Restriction to Shared Responsibility

Securing external sharing no longer happens exclusively in the Microsoft 365 admin center. Technical policies — forced link expiration, domain restrictions, MFA — are the foundation of your defense, but they are not enough to keep pace with the volume and velocity of today's collaboration.

In 2026, the challenge for CIOs and CISOs is moving from a model of enforced control to one of shared governance. Data protection does not have to slow productivity — if it is made understandable for the people who create and share the data. By equipping users to see and clean up their own access, you dramatically reduce the security debt in your tenant without adding load to the IT team.

The goal is clear: keep business collaboration fluid while ensuring that every active external link is legitimate, secured, and necessary.

Ready to assess your organization's current Microsoft 365 exposure?

See how MyDataSecurity enables you to audit and remediate your collaborative environment — directly involving data owners in the process.

OneDrive for Business Security: 3 Key Areas to Watch

Cynthia Baux — Mon, 20 Apr 2026 15:07:15 GMT

OneDrive for Business Security: 3 Key Areas to Watch

As collaboration tools have become central to daily work, OneDrive for Business stands out for its real-time sync, automatic versioning, and multi-device accessibility. It drives productivity and seamless teamwork across the Microsoft 365 ecosystem.

But managing data stored and shared in OneDrive is a real governance challenge for organizations. Confidentiality, regulatory compliance, and information security all depend on it. Understanding how OneDrive works is essential to controlling access over time, preventing misconfiguration, and keeping storage costs in check.

This article covers three critical areas for stronger OneDrive for Business security: sharing and access management, sensitive file exposure, and storage quotas.

Microsoft 365 Version History: Storage Management Guide

nathan.colombani@idecsi.com (Nathan Colombani) — Mon, 20 Apr 2026 13:17:41 GMT

Managing Version History in Microsoft 365: What It Costs and How to Fix It

Microsoft 365 version history lets you track changes to SharePoint, OneDrive, and Teams files, keeping a full record of document edits for recovery and audit purposes. But this feature has a direct and often underestimated impact on your storage footprint. For organizations running large collaborative environments, unchecked versioning is one of the leading drivers of storage cost overruns.

This guide covers how file versioning works, what it means for your M365 storage quota, how to configure it correctly in SharePoint, and how to give users the tools to clean up version bloat themselves.

What's in this article:

How does file versioning work in Microsoft 365?
How version history affects M365 storage costs
Configuring versioning in SharePoint to control storage
MyDataManagement: identify and clean up large versioned files at scale

How Does File Versioning Work in Microsoft 365?

File versioning maintains a detailed history of every change made to a document. Each time a file is saved, a new version is created. This can happen manually when a user saves the document, or automatically via AutoSave (triggered roughly every ten minutes for Office files).

There are two critical behaviors to understand:

Each version counts against your SharePoint site storage quota. Even a minor edit, such as fixing a typo, generates a new version that occupies storage space. If a single version is deleted, it is gone permanently. Deleting the entire file, however, sends all its versions to the Recycle Bin first.

When a retention policy is active, every version is preserved in the preservation hold library, regardless of manual deletion. Two definitions matter here:

A retention policy is a rule configured by a SharePoint admin to keep documents and their versions for a defined period, typically for compliance, audit, or eDiscovery purposes.

The preservation hold library is a dedicated storage space where versions are retained even after users delete them. All versions, including minor edits, are kept there for the full retention period. This is essential for eDiscovery, HIPAA compliance workflows, and data recovery, but it can consume significant storage quietly.

How Version History Drives Up Your Microsoft 365 Storage Costs

Microsoft 365 version history storage management is a real cost issue, not a theoretical one. Every modification adds to your used storage quota. The impact is most visible on large collaborative files: PowerPoint decks, Excel workbooks, and Word documents edited by multiple users daily.

Example : a 100 MB PowerPoint with 100 saved versions can reach 10 GB of total storage consumption.

By default, Microsoft 365 stores up to 500 versions per file. In a co-authoring environment with AutoSave enabled, that limit is reached faster than most admins expect.

Each user typically gets 1 TB of OneDrive storage included in their M365 subscription. Once that quota is exceeded, additional storage must be purchased. Pricing currently runs approximately $0.20 to $0.30 per GB per month. [VERIFY current Microsoft pricing at learn.microsoft.com]

Example : 1 TB of additional storage runs roughly $200 per month. Multiply that across dozens of sites and hundreds of heavy users, and storage costs become a significant line item.

The real issue is visibility : most users have no idea how many versions their files are generating. Without the right tooling, this remains invisible to both the user and the IT team until the storage bill arrives.

Configuring Version History in SharePoint to Reduce Storage

SharePoint offers advanced versioning controls that give admins meaningful levers to manage storage at scale.

The default setting is 500 major versions per file. Admins can adjust this between 100 and 10,000 versions, or set it to a minimum of 1 version via API (not recommended for production use).

Microsoft now offers Intelligent Versioning as the recommended setting. This feature uses a time-based algorithm to automatically thin out older, less critical versions while preserving versions at key timestamps. The logic : the recovery value of a version decreases as it ages, so frequent recent saves are worth keeping, while old minor edits are not.

Admins can configure version limits at three levels : organization-wide (applies to all new libraries and OneDrive accounts), site-level (overrides the org default for a specific site), and library-level (granular control per document library). This inheritance model gives compliance teams the ability to apply stricter retention on legal or HR sites while using lighter limits elsewhere.

Best practices for storage control :

Set a quota cap per site or OneDrive account (100 GB is a reasonable starting point for most teams) to prevent runaway storage before it compounds. Enable automatic version expiration based on age and activity, not just version count. Schedule periodic cleanup campaigns targeting redundant and inactive versions. Configure Intelligent Versioning on new libraries now, and plan a trim job for existing libraries.

For organizations subject to HIPAA, CMMC, or SEC recordkeeping rules, retention policies must be factored into any versioning cleanup strategy. Intelligent Versioning does not override active retention holds : preservation hold libraries continue storing versions for the full policy period. Coordinate with your compliance or legal team before trimming existing versions on regulated content.

MyDataManagement: Clean Up Version Bloat Without Burdening IT

MyDataManagement is IDECSI's solution for optimizing Microsoft 365 storage. It gives each user a personal dashboard that highlights the data they own that is consuming the most space, including files with redundant and oversized version histories.

Rather than relying solely on admin-side configuration, MyDataManagement puts the cleanup action directly in the hands of data owners. Users see their own flagged items, such as files unused for a defined period, large versioned files, and inactive storage spaces, and can act on them in a few clicks.

This approach matters because the people who created the files are best positioned to judge whether old versions are still needed. Giving them a simple, intuitive interface to act removes the bottleneck from IT and drives real storage reduction at scale.

For organizations preparing a Microsoft 365 Copilot deployment, this is directly relevant. Copilot surfaces content based on what users have access to. Bloated, stale version histories inflate the volume of data Copilot indexes, which affects both performance and data governance. Cleaning up versions before rollout is a concrete step toward a tighter, better-governed tenant.

Key capabilities:

Attention flags that surface the most impactful files first. One-click version cleanup for data owners, without requiring IT involvement. Scheduled cleanup campaigns with measurable storage gains tracked in real time. Ongoing digital sobriety: 85% of employees are willing to adopt responsible data habits when given the right tools.

The conclusion for CIOs and IT admins is straightforward: Microsoft 365 version history storage management cannot rely on admin configuration alone. Configuration controls what accumulates going forward. User-level cleanup tools address what already exists and build sustainable habits over time.

MyDataManagement by IDECSI gives you both levers in a single, plug-and-play platform.

FAQ

Q1: What is Microsoft 365 version history and why does it affect storage?

A1: Microsoft 365 version history is a feature that saves a copy of a file each time it is modified, allowing users to restore previous versions. Each saved version counts as a full copy against your SharePoint or OneDrive storage quota. In active collaborative environments, a single file can accumulate hundreds of versions, driving up storage consumption significantly without any visible warning to users or admins.

Q2: How do I reduce storage used by version history in SharePoint?

A2: To reduce storage used by Microsoft 365 version history, start by enabling Intelligent Versioning in the SharePoint Admin Center, which automatically trims older, lower-value versions. Then set organization-level version limits (the default of 500 is often too high for large files). For existing libraries, run a trim job via PowerShell. For sustained results, give data owners a cleanup tool so they can remove redundant versions from their own files without IT involvement.

Q3: What's the difference between Automatic and Manual versioning settings in SharePoint?

A3: Automatic versioning uses a Microsoft algorithm to thin out versions as they age, keeping recent saves more densely while gradually removing older ones. Manual versioning lets admins set a fixed count limit, a time-based expiration, or both. Microsoft recommends Automatic for most organizations as the better balance between recoverability and storage efficiency. Manual settings are better suited for compliance-heavy environments where specific retention windows are required by policy.

Q4: Does Microsoft 365 version history need to comply with HIPAA or NIST data governance requirements?

A4: Microsoft 365 version history settings interact directly with retention policies, which are often required under HIPAA, CMMC, and NIST SP 800-53 data governance frameworks. When a retention policy or eDiscovery hold is active, versions are preserved in a preservation hold library regardless of versioning cleanup settings. Organizations in regulated industries should align their versioning configuration with their data retention schedule and verify settings with their compliance team before trimming existing versions.

Q5: What's the best way to manage version history storage in Microsoft 365 at scale?

A5: The most effective approach to Microsoft 365 version history storage management combines admin-side controls (Intelligent Versioning, site and library limits) with user-level cleanup tools. Admin settings govern what accumulates going forward; user dashboards address existing bloat and build long-term habits. Platforms like IDECSI MyDataManagement surface large versioned files directly to data owners, enabling cleanup without IT bottlenecks and generating measurable storage savings across the tenant.

Microsoft Copilot Licensing Guide for CIOs (2026)

nathan.colombani@idecsi.com (Nathan Colombani) — Mon, 20 Apr 2026 12:29:33 GMT

For a CIO or IT procurement lead,deploying Microsoft Copilot represents a meaningful budget decision.

Microsoft 365 Copilot: Enterprise Guide (2026)

alexandra.gortinski@idecsi.com (Alexandra) — Tue, 03 Feb 2026 07:08:27 GMT

Copilot represents the biggest change in enterprise productivity since Microsoft invented Office. But it poses a real challenge for IT security and governance.

Security CheckUp: Simplifying risk review in M365

Cynthia Baux — Tue, 14 Oct 2025 09:32:26 GMT

How to prepare your tenant to M365 Copilot

nathan.colombani@idecsi.com (Nathan Colombani) — Wed, 28 May 2025 14:18:48 GMT