External Sharing: OneDrive
Today I’m going to dig into sharing in OneDrive for Microsoft 365. This topic comes up often because, while sharing seems straightforward on the surface, there are many layers. OneDrive sharing isn’t just about the settings in OneDrive; it’s driven by options all over your Microsoft 365 tenant. While I’m not going to dive into all of the options, I do want to discuss some settings you might not be aware of.
Microsoft settings apply from the top down. In other words, your highest level (Tenant level) has to be as permissive as you need your lowest level (Files and Folders) to be. If you’ve worked with Microsoft permissions before, this model should make sense, but if you haven’t, it can seem a little backwards. Even if you have, though, it can be confusing how Azure Active Directory fits in.
With every company having vastly different needs, there’s no one-size-fits-all way to set up sharing, so we’ll just go over some basics. We are going to cover settings in Azure Active Directory, the Microsoft 365 admin center and the SharePoint admin center, as well as restricting an individual user’s OneDrive settings.
First, let’s go over the basic differences between internal sharing and guest sharing. Internal sharing is the most straightforward. Internal users can share documents with other internal users, as this is how we collaborate. There is no way to turn off all internal sharing at the Tenant/AAD level. Guest sharing is similar to internal sharing from a user perspective, but administrators have a lot more control over the who, what, when, and where: they can block or allow specific domains, set global guest rights, or block external guests altogether.
*Some internal sharing may be barred at the individual or group level.
Azure Active Directory
Guest invite settings
- Admins and users in the guest inviter role can invite – allows giving a subset group permissions to add guests, even when “Members can invite” is set to “No”
- Members can invite – allows non-administrators to invite new guests
- Guests can invite – allows guests to invite other guests
- Enable Email One-Time Passcode for guests (Preview) – creates a one-time passcode for guests who don’t have an existing account; the guest stays logged in for 24 hours
- Enable guest self-service sign up via user flows (Preview) – allows enabling self-service sign up for guests via user flows associated with applications in your directory
- Allow invitations to be sent to any domain – no restrictions on domains, including personal domains like Gmail and Hotmail
- Deny invitations to the specified domains – some restrictions, list any domains you don’t want invited
- Allow invitations only to the specified domains – only domains that are listed can be invited
Microsoft 365 Admin
Microsoft recommends using the SharePoint admin center to manage both SharePoint and OneDrive sharing options. This is important for a number of reasons: we want to follow Microsoft’s recommended practices as much as possible, the SharePoint admin center has more options, and using it means you have the same settings across SharePoint and OneDrive for certain things.
More external sharing settings:
- Limit external sharing by domain – if you select this option you will only be able to share with domains you manually add
- Allow only users in specific security groups to share externally – if you select this option only the people in the groups you add will be able to share
- Guests must sign in using the same account to which sharing invitations are sent – guests can’t use a different account to sign in (by default they can)
- Allow guests to share items they don’t own – allows guests to share items that are owned by others
- People who use a verification code must reauthenticate after this many days: xx – sets the number of days after which guests must reauthenticate
Choose the type of link that’s selected by default when users share files and folders in SharePoint and OneDrive
- Specific people – default link lets user add external email address, requires verifying identity before accessing file or folder
- Only people in your organization – creates link that allows anyone within your organization access
- Anyone with the link – anyone, internal or external can access the link
- Advanced settings
  - Set the number of days after which the link will expire
  - Change default link permissions for files and folders
*If using file requests, you must have “view and edit” on files and “view, edit, upload” for folders set
Choose the permission that’s selected by default for sharing links
- View – sets the default link to view only
- Edit – sets the default link to edit
Specific User’s OneDrive Settings
You can change a specific user’s OneDrive sharing settings through the Microsoft admin center. I put this in its own category because it’s not a global setting; we are only able to change the settings for an individual user.
- Checkbox option: Let people outside your organization access your site – selecting this enables this user’s site to share externally
- Allow sharing to authenticated guest users with invitations – allow external users who accept sharing invitations and sign in as authenticated users
- Allow sharing with anonymous guest links and authenticated users – allow sharing with all external users and by using anonymous access links
- Only allow sharing with existing guest users in the directory – allow sharing with external users already in the directory
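The top-down rule and the domain lists described above can be modelled as a small policy check. This is an added example, not Microsoft's code or part of the original post; the level names, the `evaluate_share` function, and the rule that the Azure AD list is checked only for new invitations are simplifying assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """Sharing levels, least to most permissive (names are illustrative)."""
    ORG_ONLY = 0          # external sharing off
    EXISTING_GUESTS = 1   # only guests already in the directory
    NEW_AND_EXISTING = 2  # authenticated guests with invitations
    ANYONE = 3            # anonymous links plus authenticated guests


@dataclass(frozen=True)
class DomainPolicy:
    mode: str = "any"     # "any", "deny" (block listed) or "allow" (only listed)
    domains: frozenset = frozenset()  # lowercase domain names

    def permits(self, email: str) -> bool:
        domain = email.rsplit("@", 1)[-1].lower()
        if self.mode == "allow":
            return domain in self.domains
        return not (self.mode == "deny" and domain in self.domains)


def evaluate_share(tenant, onedrive, aad, spo, recipient: Optional[str],
                   directory_guests=frozenset()):
    """Return (allowed, reason); recipient=None means an 'Anyone with the link' share."""
    # Top-down rule: a user's OneDrive can never exceed the tenant-level setting.
    level = min(tenant, onedrive)
    if level == Level.ORG_ONLY:
        return False, "external sharing is off at the tenant or OneDrive level"
    if recipient is None:
        ok = level == Level.ANYONE
        return ok, "anonymous link allowed" if ok else "anonymous links need the Anyone level"
    recipient = recipient.lower()
    if not spo.permits(recipient):
        return False, "domain blocked by the SharePoint sharing restriction"
    if recipient in directory_guests:
        return True, "existing guest"
    if level == Level.EXISTING_GUESTS:
        return False, "only existing guests may be shared with"
    if not aad.permits(recipient):  # assumption: checked only for new invitations
        return False, "domain blocked by the Azure AD invitation restriction"
    return True, "new guest invited"


if __name__ == "__main__":
    # Constructed sample: permissive OneDrive under a stricter tenant.
    print(evaluate_share(Level.EXISTING_GUESTS, Level.ANYONE, DomainPolicy(),
                         DomainPolicy(), "pat@partner.example"))
```

A permissive setting on one user's OneDrive has no effect when the tenant level above it is stricter, which is why a review of sharing exposure starts at the tenant.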
Microsoft has made sharing your files and folders so easy that we often forget about training! It’s straightforward: you click share and then type in an email, boom, done… but not really. Having procedural differences between internal and external sharing will help not only standardization but also ease of use, because there is a process in place. So, while changing the configuration on the back end is a great start, we can’t replace the value of our people!
Discussions about what needs to be shared and how it needs to be shared should happen before external sharing does. Once a plan is created, stating the who, why, where, and when of how you want to share externally, it’s time to show off all of your hard work by ‘sharing’ your plan. Make sure you cover things like what items should or shouldn’t be shared!
Having a few recorded trainings on the basics of how to share, stored in a Teams tab or on your SharePoint intranet, will help everyone quickly reference them! The number of trouble tickets you will save is well worth the time!