
As of 11/20/2023, any Office 365 Group, Team or SharePoint site that has visibility set to Public will be changed to Private due to the risk of accidental exposure of confidential data and other unintended consequences (e.g., unauthorized data modification).

If you would like assistance with using Office 365 for secure document storage and collaboration, please consult with your departmental IT or help.unc.edu to review the use case and your responsibilities for managing appropriate access controls.

What is the difference between Private and Public Visibility?

With Private visibility, an Owner must approve access to the resources within the Team/Group/SharePoint (e.g., adding an individual to the Members list or sharing link).

With Public visibility, anyone with a UNC Onyen can view or modify any content within the Team/Group/SharePoint without direct approval of Owners/Members.  Features such as enterprise search and recommended files make it much easier for individuals to unintentionally find data for which they may not have a need-to-know.

University Sensitive Information should never be stored on a Team/Group/Site with Public visibility.

See the following Microsoft documentation for further detail on the Visibility setting:

What if I need an exception?

After considering the recommended alternatives referenced below, if you believe your case requires Public visibility, contact 919-962-HELP or help.unc.edu.

Include the following:

  1. Your site name 
  2. How you are certain there is no highly confidential data in your Teams or SharePoint site
  3. Why you believe your site will not contain such data in the future 
  4. The following attestation is required

The site needs to be Public for the following reason <explanation goes here>. I understand the risk of owning a Public site and attest that the site does not contain confidential data and will not contain such data in the future. I acknowledge my responsibility to ensure no confidential data is stored or processed and promptly report any possible information security incident as described in the UNC Information Security Incident Management Standard (see https://policies.unc.edu/TDClient/2833/Portal/KB/ArticleDet?ID=131242).

All exceptions will be reviewed by the CISO or their delegate.

Guidance for exceptions

It is vital to closely monitor content in a Group/Site/Team with Public Visibility and clearly communicate to all members/visitors that the visibility is Public to UNC.  Consider the following:

  • Owners must moderate posted content and report any exposure of sensitive or confidential information (see https://policies.unc.edu/TDClient/2833/Portal/KB/ArticleDet?ID=131242)
  • Add visible warnings for users: “All content is Public to everyone at UNC – Do not post confidential information”
    • Teams: Pinned Post Announcement
    • Edit the Description to include “PUBLIC to UNC” so it is visible when joining
    • Group periodic email reminder not to post confidential information

What are some safer alternatives?

  • Set your team to private and use the share link on specific files or folders that you want everyone to be able to view or edit
  • UNC WordPress has an option to set a page to require onyen authentication (note that this does not apply to any file attachments, images or other content that is embedded/linked on the page; those elements are stored in the public directory)
  • People can still request to join a private team if you place the team link somewhere they can find it (e.g., a UNC WordPress page protected by onyen authentication).  You can then accept or deny the request once the link is clicked.
  • Qualtrics and Microsoft Forms via office.unc.edu are some ways to allow authenticated users to provide information while keeping responses confidential to a private group/team.  Remember you should always check with datagov.unc.edu before implementing a data collection activity that may include Tier 2 or 3.
  • ITS can assist with bulk add/remove team member options to make access management easier.  Just put in a request and provide the team name and a csv of onyens or, for guests external to UNC, their preferred email.
  • Consider Group Chat if you’d like to have a simple way for people to contact a core group.  You can start a chat with <team>@office.unc.edu and it will populate all of the individual members of the group.  Additional people (or groups) can be added to support many-to-many discussions without having one large “public” forum.