Additional privacy measures for Microsoft 365

April 12, 2022

Dear Members of the Harvard Community,

Microsoft 365’s privacy settings allow users of SharePoint, OneDrive, and Teams to specify and manage exactly who can access a file or folder, enabling Harvard staff, faculty, and students to securely collaborate within the University’s Microsoft 365 environment.

Recently, the University learned that some Microsoft 365 site owners have improperly applied privacy settings, enabling others within the Harvard community to access information that was not intended for them. Harvard University Information Technology (HUIT) has taken steps to address the potential for confidential information to be accessed by unauthorized individuals, including:

  • Setting all publicly accessible Microsoft 365 sites to private, with limited exceptions, and continuing to work, including with Microsoft, to identify and remediate potential issues going forward.
  • Restricting the creation of publicly accessible Microsoft 365 sites and requiring administrative approval for new requests.
  • Identifying unauthorized access to confidential information and taking appropriate steps.

We recognize these actions may cause disruption to the work of some community members. We regret the inconvenience and appreciate your understanding as we implement these measures to protect the University’s data.

We all have a role to play in protecting Harvard’s data. Always take steps to send, share, and store data securely:

  • Know if your data is confidential: Review the Administrative and Research data classification tables for examples of confidential information. Your role or department may have specific policies you must comply with depending on the types of confidential information you handle. Talk to your manager to understand requirements or contact for guidance.
  • Use an approved tool: If your data is medium- (level 3) or high-risk (level 4), use a tool that is approved to send, share, or store that level of information.
  • Check your privacy settings: Make sure your SharePoint, Teams, OneDrive, and Google Drive sites, files, and folders can only be accessed by those who are authorized to do so. Learn how to review your privacy settings for SharePoint and Teams, OneDrive, and Google Drive.

If you need help, contact the HUIT Service Desk or your School's local IT support. Any unauthorized access to confidential information should be reported to in accordance with Harvard policy.

Thank you for helping to ensure that the University’s data is safe and secure.


Klara Jelinkova
Vice President and University Chief Information Officer