File sharing in Microsoft Teams happens across three different storage backends: SharePoint for Channel files, OneDrive for Chat files, and personal OneDrive for direct shares. Specifically, this guide covers the differences, sharing methods, permissions inheritance, and the most common pitfalls. Furthermore, every recommendation comes from what Wintive observed across 60+ Microsoft 365 tenants.
💡 Why file sharing in Teams matters
File sharing inside Teams looks deceptively simple. However, the same drag-and-drop action sends a file to three completely different places depending on context. As a result, files end up scattered across SharePoint, OneDrive, and chat threads with no clear pattern.
Beyond the storage scattering, sharing decisions also drive compliance posture. Notably, who can access a file, whether it can be downloaded, and how long it persists all depend on which Teams feature you used to share. Therefore, understanding the three storage backends and their sharing rules is a prerequisite for any HIPAA, SOC 2, or CCPA audit at an SMB.
🛡️ Free: M365 Audit Checklist
19-page PDF with 50 hands-on checks covering Entra ID, Exchange Online, SharePoint, Teams, Intune, license waste, and audit logging. PowerShell commands included. Built from 60+ real tenant audits at Wintive.
📂 Three places files live in Teams
Every file uploaded to Teams lands in one of three storage backends. Specifically, Channel files go to a dedicated SharePoint document library, Chat files go to the sender OneDrive, and personal shares come from the user OneDrive. The matrix below summarizes the differences.
The most common mistake is using Chat files for documents that the whole team needs. Notably, when the sender leaves the company, those files can become orphans unless ownership is transferred. As a result, knowledge gets lost during turnover — an avoidable loss with the right sharing pattern from day one.
Channel files, in contrast, survive any individual user departure. Indeed, they sit in a SharePoint site that belongs to the Microsoft 365 Group behind the Team. Therefore, default to Channel files for any document that more than one person might need a year from now. Reserve Chat files for transient screenshots and quick drafts.
📤 File sharing methods and journey
Teams file sharing follows a five-step journey for every share, from upload to recipient access. Specifically, choosing the scope at step 2 is the most consequential decision — it sets the access boundary for the file lifetime.
Link sharing types
Teams offers four link types in 2026, each with different access rules. Specifically, People in your organization grants access to anyone in your tenant who has the link. In contrast, People with existing access generates a link without granting new permissions, useful for re-sharing. Furthermore, Specific people requires named recipients and is the most restrictive option. Notably, Anyone with the link creates a public link that bypasses tenant authentication.
For most SMB workloads, default to Specific people. Indeed, this is the only option that creates an audit trail tied to recipient identity. As a result, you can prove who accessed what during compliance reviews. Reserve Anyone exclusively for marketing assets or public documentation.
External sharing controls
External sharing combines three layers of policy. Specifically, the SharePoint admin sets the tenant maximum (Anyone, New and existing guests, Existing guests, Only people in your organization). Furthermore, each SharePoint site (one per Team) can restrict further but not exceed the tenant limit. Importantly, individual files can be locked down even tighter via specific-people links.
For SMB tenants handling regulated data, the right baseline is New and existing guests at tenant level. Indeed, this allows controlled external collaboration without exposing data via anonymous links. Therefore, set this baseline tenant-wide, then loosen at site level for specific public-facing Teams (marketing, HR job postings).
🔐 Permissions inheritance model
File permissions in Teams inherit from a four-level hierarchy. Specifically, tenant policy sets the maximum, then SharePoint site (= Team) inherits, then channel folders inherit from the site, then individual files inherit from their folder. The table below maps each level.
| Level | What it controls | Who configures |
|---|---|---|
| 1. Tenant policy | Maximum external sharing scope, allow / block domain lists | SharePoint admin (M365 admin center) |
| 2. SharePoint site (Team) | Site-level external sharing, default sharing link type | Team owner or SharePoint admin |
| 3. Channel folder | Standard channels inherit; private channels create separate site | Channel owner |
| 4. File / folder | Specific recipient permissions, expiration, password | Any user with edit rights |
| 5. Sensitivity label | Overrides everything above when applied | User or auto-policy |
Sensitivity labels are the override layer that catches mistakes. Notably, a Confidential label can block external sharing even when the tenant policy allows it. Therefore, deploy sensitivity labels as the first line of defense, then rely on the inheritance hierarchy for normal traffic.
🚨 Why file sharing fails — root cause analysis
Across 60+ tenant audits, file sharing incidents trace back to six categories. Specifically, permissions and external sharing alone account for ~60% of cases. The fishbone below maps the full landscape.
The top branch (Permissions) catches issues like inherited-not-custom permissions, missing guest grants, and stale ACLs after team membership changes. Specifically, when a guest is removed from a Team, their existing file shares can persist via direct link. Therefore, periodic guest access reviews are a must-have control.
The bottom branches (User training, Naming) come from human factors. Indeed, training users to choose Channel files over Chat for team docs prevents 80% of orphan files. Furthermore, applying a tenant-wide naming convention via SharePoint metadata makes search reliable. As a result, user education plus structural defaults beat reactive cleanup every time.
💻 Configure file sharing policy with PowerShell
Tenant-wide file sharing policy is set via the SharePoint Online module. Specifically, the script below configures a hardened baseline appropriate for a typical SMB tenant: external sharing for guests only, default link type set to specific people, and link expiration enforced.
# PowerShell: harden Teams file sharing baseline
# Prerequisites: Microsoft.Online.SharePoint.PowerShell module
Connect-SPOService -Url 'https://yourtenant-admin.sharepoint.com'
# 1. Tenant-wide external sharing baseline
Set-SPOTenant `
-SharingCapability ExternalUserSharingOnly `
-DefaultSharingLinkType Direct `
-PreventExternalUsersFromResharing $true `
-RequireAcceptingAccountMatchInvitedAccount $true
# 2. Default link permission and expiration
Set-SPOTenant `
-DefaultLinkPermission View `
-RequireAnonymousLinksExpireInDays 30 `
-ExternalUserExpirationRequired $true `
-ExternalUserExpireInDays 90
# 3. Block download for sensitive sites (per-site config)
$sensitiveSite = 'https://yourtenant.sharepoint.com/sites/finance'
Set-SPOSite -Identity $sensitiveSite `
-BlockDownloadOfAllFilesOnUnmanagedDevices $true
# 4. Enable Conditional Access for unmanaged devices (tenant)
Set-SPOTenant `
-ConditionalAccessPolicy AllowLimitedAccess
# 5. Verify
Get-SPOTenant | Format-List SharingCapability, DefaultSharingLinkType, `
DefaultLinkPermission, RequireAnonymousLinksExpireInDays, `
ExternalUserExpireInDaysThree settings matter most for SMB compliance. Specifically, SharingCapability=ExternalUserSharingOnly blocks anonymous public links, RequireAnonymousLinksExpireInDays=30 caps remaining anonymous shares to 30 days, and ExternalUserExpireInDays=90 auto-revokes guest access after 90 days. As a result, these three settings prevent the most common audit findings.
✅ Best practices for SMBs
Six practices cover most file sharing wins. Notably, each row below has prevented a real incident at a Wintive client.
| Practice | What to do | Why it matters |
|---|---|---|
| Default to Channel files | Train users to upload team docs in Channel Files tab. | Survives sender departure, indexed by Search. |
| Specific-people links by default | Set DefaultSharingLinkType=Direct at tenant level. | Forces named-recipient audit trail. |
| Block anonymous links | SharingCapability=ExternalUserSharingOnly. | Blocks the most common data exfiltration path. |
| Enable sensitivity labels | Auto-apply Confidential to docs containing PII / financial data. | Overrides accidental public sharing. |
| Quarterly guest access review | Use Entra ID Access Reviews for all M365 Group guests. | Catches stale guest permissions automatically. |
| Enforce 90-day external expiration | ExternalUserExpireInDays=90 at tenant level. | Auto-revokes inactive guests, no manual cleanup. |
Of these six practices, blocking anonymous links is the highest-impact win. Indeed, in 80% of file leak incidents Wintive investigates, an anonymous “Anyone with the link” share was the root cause. Therefore, fix this first during any tenant audit.
🔧 Troubleshoot common issues
When a user reports a sharing problem, four quick checks resolve most cases. Specifically, verify tenant policy, check the file location, inspect existing permissions, and review recent audit log entries. The script below covers the Wintive triage workflow.
# PowerShell: file sharing triage in Teams / SharePoint / OneDrive
# Prerequisites: SharePoint Online + Microsoft.Graph modules
$reportingUser = 'alice@example.com'
$fileUrl = 'https://tenant.sharepoint.com/sites/marketing/Shared Documents/Q4-plan.docx'
# 1. Tenant sharing policy
Get-SPOTenant | Format-List SharingCapability, DefaultSharingLinkType, `
PreventExternalUsersFromResharing, ExternalUserExpireInDays
# 2. Site-level sharing policy
Get-SPOSite -Identity (Split-Path $fileUrl -Parent | Split-Path -Parent) | `
Format-List SharingCapability, DefaultSharingLinkType
# 3. Permissions on the specific file (via Graph)
Connect-MgGraph -Scopes 'Files.Read.All','Sites.Read.All'
$driveItem = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/v1.0/users/$reportingUser/drive/root:/Q4-plan.docx"
$permissions = Invoke-MgGraphRequest -Method GET `
-Uri "https://graph.microsoft.com/v1.0/drives/$($driveItem.parentReference.driveId)/items/$($driveItem.id)/permissions"
$permissions.value | Format-Table id, @{Name='Type';Expression={$_.link.scope}}, `
@{Name='GrantedTo';Expression={$_.grantedTo.user.email}}
# 4. Recent audit log entries for the file
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
-ObjectIds $fileUrl | Format-Table CreationDate, UserIds, Operations, RecordTypeIf the user cannot share externally despite the policy allowing it, check the Sensitivity label first. Specifically, a Confidential or Highly Confidential label blocks external sharing regardless of tenant or site policy. Therefore, always look at the file metadata before chasing tenant configuration bugs.
❓ Frequently asked questions
Where are files in Microsoft Teams actually stored?
Files in Microsoft Teams live in three different storage backends. Channel files go to the SharePoint document library of the Microsoft 365 Group behind the Team. Chat files are uploaded to the sender personal OneDrive in a folder called Microsoft Teams Chat Files. OneDrive personal shares stay in the user OneDrive root. Therefore, the Teams interface is just a unified view over SharePoint and OneDrive.
Can I share Teams files with external guests?
Yes, when tenant policy allows it. Specifically, the SharePoint admin sets SharingCapability at tenant level (Anyone, ExternalUserSharingOnly, ExistingExternalUserSharingOnly, or Disabled). For SMB compliance, the recommended baseline is ExternalUserSharingOnly, which permits sharing with named guests but blocks anonymous links. Furthermore, individual sites and files can restrict further but cannot exceed the tenant ceiling.
What happens to Chat files when the sender leaves the company?
Chat files become orphaned unless ownership is transferred. Specifically, the files sit in the sender OneDrive, so when the user account is deleted, OneDrive enters a 30-day retention period before permanent deletion. Therefore, set the OneDrive retention policy to 90 to 365 days for departing users, then have IT transfer ownership of important files to the manager. As a result, no data is lost during turnover.
How do I prevent accidental anonymous file sharing?
Three settings cover most accidents. First, set SharingCapability=ExternalUserSharingOnly at tenant level to block all anonymous links. Second, set DefaultSharingLinkType=Direct so the share dialog defaults to specific people instead of company-wide. Third, deploy sensitivity labels with auto-apply rules for PII and financial data. As a result, even if a user picks the wrong scope, the label overrides and blocks external sharing.
How do retention policies affect Teams files?
Microsoft Purview retention policies apply to Teams files based on where they live. Specifically, Channel files inherit the SharePoint site retention label, while Chat files follow the OneDrive retention policy. Notably, deletion via the Teams interface is soft for 93 days unless a retention policy locks the file. Therefore, configure retention policies at the Microsoft 365 Group level for predictable behavior across the tenant.
What is the difference between Channel files and the SharePoint document library?
They are the same storage. Specifically, Teams Channel files are a curated view of a folder inside the Team SharePoint document library. Furthermore, every Team gets a dedicated SharePoint site with one library called Documents, and each channel is a folder inside it. As a result, you can edit files via Teams, SharePoint, OneDrive sync, or even via Graph API and the changes propagate everywhere in real time.
Can I bulk-update file sharing permissions across all Teams sites?
Yes, via PowerShell or Microsoft Graph. Specifically, the SharePoint Online module exposes Set-SPOTenant for tenant-wide settings and Set-SPOSite for per-site overrides. In production, we typically run a weekly script that audits all sites against a baseline and reports drift. Therefore, bulk updates are safe to schedule but should always be tested on a pilot site before tenant-wide rollout.
How do sensitivity labels override file sharing settings?
Sensitivity labels enforce settings at file level that override site and tenant policy. Specifically, a Confidential label can block external sharing even when SharingCapability is set to Anyone. Furthermore, labels can encrypt files and apply Rights Management restrictions that follow the file even outside the tenant. As a result, deploy sensitivity labels with auto-apply rules as the first line of defense for sensitive content.
🔗 Related Microsoft Teams guides
This tutorial covered one focused Microsoft Teams workflow. For a complete picture of how your full Microsoft 365 environment — collaboration, identity, and security — performs against best practices:
🔍 Want a complete audit of your Microsoft 365 tenant?
The M365 Instant Audit scans your M365 environment in under 10 minutes: license waste, security posture, MFA coverage, compliance gaps, license rightsizing opportunities. Full PDF report with prioritized recommendations delivered instantly.
