"It seems that the materials I uploaded to the channel were visible to people outside the team..." In November 2025, it was announced that Meiji Gakuin University's Teams settings made student performance information visible to members outside the team. Mistakes in setting file sharing permissions like this are troubles that can happen to anyone, regardless of whether they work at a company or school.
In this article, we will explain step-by-step how file sharing works in Microsoft Teams as of March 2026 and how to correctly set access permissions to prevent unintentional information leaks.
Where are Teams files saved?
The first thing you should know is that the files you upload to Teams are not actually saved in Teams.
Behind the scenes, files posted to a channel are automatically saved to a document library in SharePoint Online, a file management service provided by Microsoft. On the other hand, files sent in one-on-one or group chats are saved to OneDrive for Business.
In other words, what determines the "visible range" of files in Teams is SharePoint and OneDrive access privileges. Here are some pitfalls that you might not notice if you only look at Teams.
Microsoft official documentation also provides a detailed explanation of how Teams and SharePoint work together.
5 common permission setting mistakes
Are you making these mistakes when sharing files with Teams? The following five are common patterns that have actually led to information leaks.
Mistake 1: Team is set to "public"
There are two types of teams in Teams: "Private" and "Public". Setting it to public allows anyone in your organization to join the team and see all files in the channel.
When creating a team, in many organizations the default setting is "private," but depending on the administrator's settings, the default setting may be public. If your team handles "confidential" level material, make sure it's set to private.
Mistake 2: The scope of the shared link is "everyone in the organization"
When you share a file with someone, Teams issues a sharing link. This link has four stages:
- Specific users: Only people with specified email addresses can access (most secure)
- People in your organization with the link: Anyone in your organization with the link can access it
- People with link: People outside your organization can access if they have the link
- Users with existing permissions: Only those who already have permissions
If the default is "users within the organization who know the link", the file will be unintentionally visible to people outside the department. Be sure to select "Specific User" for sensitive files.
Mistake 3: Access rights remain for the person who retired or transferred
Even after a team member leaves or is transferred, there are cases where access rights on the SharePoint side remain. Even if you remove a member from Teams, the permissions granted to individual files and folders will not be automatically removed.
Mistake 4: The file sent via chat is set to "editable"
Files sent via chat may have "editable" permissions granted to the recipient. If you just want to show it, change it to "Displayable". If you make it visible, you can also restrict downloads.
Mistake 5: Guests (external users) have access to the entire team's files
When you invite an account to your team as a guest, they may have access to files from all channels in that team. It's safe to create a dedicated team or private channel for sharing with external members.
You can do it now! Steps to check and correct permissions
If you think that your team might be in danger, please follow the steps below.
Step 1: Check your team's privacy settings
- Open Teams and click “…” (three-dot menu) to the right of the target team name
- Select "Manage Team"
- Open the Settings tab
- Check if "Privacy" is set to "Private"
- If it is set to "Public", change it to "Private"
However, this setting cannot be changed unless you are the owner of the team. If you are not the owner, ask the owner or IT administrator.
Step 2: Check file access permissions in SharePoint
- Open the channel's Files tab
- Click "Open in SharePoint" in the top right corner
- Right-click the file you want to check and select "Manage Permissions"
- See who has what level of permissions in the Direct Access and Link sections
- If there are unnecessary permissions, click "×" to delete them
Step 3: Change default settings for shared links
If you are an IT administrator for your organization, you can change the default for shared links to "Specific users" from the Microsoft 365 admin center.
- Access SharePoint Admin Center
- Select "Policy" → "Sharing"
- Select "Specific users (users in your organization only)" in "Link files and folders"
- Click Save
If you are a regular user, get into the habit of manually checking the scope of the link every time you share a file.
5 rules to remember to prevent information leaks
After checking the settings, we have summarized 5 points to keep in mind during future operations.
Rule 1: Before sharing a file, think about who you want to show it to
Before you press the share button, please think for 5 seconds, "Who should see this file?" When in doubt, the golden rule is to share with "specific users".
Rule 2: Store sensitive files in private channels
Files in a regular channel (standard channel) are visible to everyone on the team, but files in a private channel are only accessible to members of that channel. Use private channels for personnel information, accounting data, contracts, etc.
Rule 3: Regularly inventory members and access rights
Check the list of team members and SharePoint access privileges once a quarter. The purpose is to check whether the authority of the retired person or transferee remains.
Rule 4: Guests (external users) must be placed in a dedicated team
When inviting business partners or freelancers as guests, it is best to create a separate "project team" for them, rather than including them in a team containing internal information.
Rule 5: Take advantage of download limits
For files that you only want to show but do not want to give a copy of, give them "Viewable" permission. Downloads of files that are set to be viewable are automatically restricted (LANSCOPE Explanation).
For IT administrators: 3 policies to set across your organization
There are limits to individual attention alone. We will introduce policies that IT administrators should set to reduce the risk of information leakage in Teams as an organization.
1. Limit external sharing defaults
In the SharePoint admin center, you can restrict external sharing to existing guests only or users in your organization only. It is safe to implement mitigations individually for each site (team) as necessary.
2. Utilize sensitivity labels (sensitivity labels)
By using Sensitivity Labels, a compliance feature of Microsoft 365, you can assign labels such as "confidential" and "top secret" to files, and automatically restrict access and downloads according to the label.
3. Set up audit log alerts
By setting alerts for external file sharing and downloads in Microsoft Purview (formerly Microsoft 365 Compliance Center), you can detect abnormal access early.
FAQ
Can files uploaded to a channel be seen by people other than team members?
If the team is set to "public", anyone in the organization can join the team and have access to the files. Additionally, if a shared link for a file is issued by a user within the organization who has the link, it can be accessed by anyone other than team members. You can prevent sharing links by making your team "private" and selecting "specific users".
What happens to the files when I change a public team to private?
Even if you change a team's settings from "public" to "private," existing files and chat content will remain intact. However, after making the change, it will beaccessible only to members of your team. Changes can only be made by the team owner.
Can I change the permissions of a file sent via Teams chat later?
Yes, you can change it. You can change the permissions by hovering over the file you've already sent in chat, selecting "Open in SharePoint" from the "..." menu, and then selecting "Manage Permissions". It is also possible to change from "editable" to "viewable".
What range of files can guests (external users) access?
Guests can access all standard channel files in the teams they are invited to. However, you cannot access files in private channels. We recommend keeping information shared with external members separate from dedicated teams or private channels.
What should I do first if I notice a mistake in the permission settings?
First, open "Manage Permissions" for the file in SharePoint and delete unnecessary permissions. Next, make sure your team's privacy settings are set to private. If the impact is large, report it to your IT administrator and ask them to check the access logs.
References
- Manage settings and permissions when SharePoint and Teams are integrated — Microsoft Learn
- Set up secure file and document sharing and collaboration with Teams in Microsoft 365 — Microsoft Learn
- Inappropriate handling of personal information due to incorrect settings of Microsoft Teams (apology) — Meiji Gakuin University, 2025
- How to share and collaborate on Teams files! What to do when you can't do it — LANSCOPE
- What are the security risks of Teams? Explanation of expected risks and countermeasures — AvePoint Japan
