You can't spell SharePoint without 'Share'. Sharing is a core concept within the modern workplace, and it is powered by SharePoint and OneDrive, but there are complexities underneath the covers that you need to know about.
Collaboration lives at the core of a workplace and collaboration is built around effective sharing. Getting content securely to the right people at the right time keeps a company moving. But do you really know everything that is out there? Who has access to the content? Is the content still secure?
Learn more about what you can do as a user to share your content, what happens after it has been shared, and how to control content sharing as an administrator.
3. Types of sharing
What really happens
Sharing management
What’s next
Everything you need to know about sharing files in SharePoint & OneDrive
SharePoint Fest Seattle 2019
#SPFestSea
4. Let’s talk security
3 things make up SharePoint Security
Permission Level
• Full Control
• Edit
• Contribute
• Read
• View Only
• Approve
• Design
• Create your own!
SharePoint Object
• Site Collection
• Site
• Library, List
• Item, Document, Folder
User or Group
5. Security is based on inheritance
[Diagram: the hierarchy Site Collection > Site > Library, List > Item, Document, Folder, shown twice, labelled Unbroken Inheritance and Broken Inheritance]
7. Sharing administration vs End User sharing
Admins plan and set sharing configuration
End users share content
Internal users
External users
8. Authenticated or Anonymous
Someone from outside your Office 365 subscription who has been granted access to a site, file, or folder
Authenticated with Microsoft account
• Spreads across workloads
• Added to Azure AD as Guest
• Groups, Teams, SharePoint, OneDrive, Yammer, etc
Anonymous
• Can’t be shared sites
• IP tracked
9. Types of sharing via End User
Specific People
People with existing access
People in the organization
Anyone
10. Specific people
A non-transferrable, revocable secret key, only grants access to the specific recipient
Won’t work if forwarded to others
Existing users get access via their account
New external users prove email ownership via simple one-time passcode
Internal users granted access directly with inheritance broken
11. People with existing access
Send link without sharing
Does not change permissions
Cannot be set as default link type
Users have access and receive a link via email
Gets direct link to file
12. People in my organization
A transferrable, revocable secret key, only grants access to internal users
Can be forwarded to others
Access can be revoked anytime
Users need link to gain access
Requires sign-in to an account in my organization
Members (non-guests) in Azure AD
13. Anyone (Anonymous)
A transferrable, revocable secret key
Can be forwarded to others
Access can be revoked anytime
Users need link to gain access
Guarantees users can open, anywhere, without signing in
14. Sharing from everywhere
Modern sharing UI is unified across platforms
OneDrive Mobile App
Office Mac
File Explorer with OneDrive sync
Mac Finder
SharePoint
OneDrive
Office Online
Office Desktop
16. What happens when you share with links?
Share via Link
Inheritance broken on file
New SP Group created and added to file's Access Control List (ACL)
Users put into SP Group when shared or link clicked
Entry added to Sharing Links SP List
17. Specific people – Share externally securely
Passcode required via secondary email
Must use the email address the link was sent to in order to verify
Auditable through “SecureLink” actions
Get-SPOExternalUser will not return them
• Must use Get-SPOUser
User shares file or folder to user not in directory
Guest receives passcode and is not required to log in with MS account
18. Sharing sites vs content
Sharing sites requires Microsoft account login
Utilizes access requests
Adds user as guest to Azure AD after login
Get-SPOExternalUser returns guest accounts
Once in Azure AD -> will appear in people picker
Adds user to site SP group
19. Classic sharing UI
“Invite people” is like sharing with specific people
“Get a link” gives you organization links and anonymous
20. Sharing in Office 365 Groups
Modern SharePoint team sites are powered by Office 365 Groups – Including MS Teams!
Feature | Guest user allowed?
Create a group | No
Add/remove group members | No
Delete a group | No
Join a group | Yes, by invitation
Start a conversation | Yes
Reply to a conversation | Yes
Search for a conversation | Yes
@mention a person in the group | No
Pin/Favorite a group | No
Delete a conversation | Yes
"Like" messages | No
Manage meetings | No
View group calendar | No
Modify calendar events | No
Add a group calendar to a personal calendar | No
View and edit group files | Yes, if enabled by tenant admin
Access the group OneNote notebook | Yes, via link from group member
Browse groups | No
Security model is different
1 Azure AD group powers 2 permission levels – Owner & Member
Permissions cross workloads
Add users (share) to the Group vs content in SharePoint
Unique external sharing administration
Guests cannot be an owner
Modern Communication sites do NOT utilize Office 365 Groups
24. External sharing administration
Sharing configured via SharePoint AND/OR OneDrive admin centers
Configured per tenant
Ability to configure sharing per site collection
• Every OneDrive is a site collection
Office 365 Group sharing best managed through PowerShell
25. External sharing administration
Sharing for OneDrive can be MORE restrictive but not LESS restrictive than SPO
If sharing is turned off globally in SPO, any shared links will stop working
Sharing Options
No external sharing
Only existing external users (sign-in required)
New and existing external users (sign-in required)
Anyone, including anonymous users (on by default)
Your SharePoint Online sharing settings determine which OneDrive sharing settings are available
Setting Sharing in OneDrive Admin Center affects SPO
26. Set external sharing settings
Default link type
Direct links
Only users who have specific permission
Internal Links
Only users within your organization
Sharable access links
Anyone with a link (anonymous)
Default link permission
View or Edit
The following settings apply to both SPO and OneDrive
Anonymous access link permission
Separate for Files & Folders
View, Edit & Upload
View Only for
Anonymous access link expiration
Up to 2 years / 730 days
27. Set external sharing settings
Limited external sharing by user
Only certain users in security group can share with
External users
External users + anonymous
Other
External sharing policy URL (new)
Must accept using same account
Let external users share items they don’t own
Require recipients to prove account ownership (days)
Not anonymous
The following settings apply to both SPO and OneDrive
OneDrive email notifications
Other users share again
External users accept
Anonymous link created or changed
28. External sharing administration
Classic admin center includes certain things
• Only users in selected security groups shared with external users
• Use shorter links when sharing files and folders
• Require recipients to continually prove account ownership
29. Domain allow/block
Ability to whitelist or blacklist domains for SharePoint & OneDrive
• Tenant or site collection level
• Recommend blacklist
Office 365 Group external sharing does not respect the SharePoint configuration
Configure Azure AD allow/block list
https://go.microsoft.com/fwlink/p/?linkid=857710
31. Site collection advanced sharing
Per site collection sharing via admin centers
Non O365 group backed sites only in classic admin
32. Site collection advanced sharing
PowerShell to set site specific sharing with Set-SPOSite
General
• -SharingCapability
• -DefaultSharingLinkType
• -DefaultLinkPermission
Anonymous
• -OverrideTenantAnonymousLinkExpirationPolicy
• -AnonymousLinkExpirationInDays
Domain restrictions
• -SharingDomainRestrictionMode
• -SharingAllowedDomainList
• -SharingBlockedDomainList
Other
• -ShowPeoplePickerSuggestionsForGuestUsers
• -DisableCompanyWideSharingLinks
• -DisableSharingForNonOwners
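A sketch of how the Set-SPOSite parameters listed above fit together, followed by an audit loop for site collections that still allow Anyone links. This is an added example, not from the original deck; the tenant name, site URL and partner domains are placeholders, and it assumes the SharePoint Online Management Shell is installed.

```powershell
# Added example. Tenant, site URL and domains are placeholders (assumptions).
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$siteUrl = 'https://contoso.sharepoint.com/sites/partner-extranet'

# General + domain restrictions, applied to one site collection.
$settings = @{
    Identity                     = $siteUrl
    SharingCapability            = 'ExternalUserSharingOnly'  # authenticated guests, no Anyone links
    DefaultSharingLinkType       = 'Internal'                 # "People in the organization" by default
    DefaultLinkPermission        = 'View'
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'partner1.example partner2.example'  # space-separated
}
Set-SPOSite @settings

# Other: restrict sharing to site owners (issued as its own call).
Set-SPOSite -Identity $siteUrl -DisableSharingForNonOwners

# Read the values back to confirm what is now in effect.
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, SharingCapability, DefaultSharingLinkType,
                  DefaultLinkPermission, SharingDomainRestrictionMode,
                  SharingAllowedDomainList

# Audit: every site collection where Anyone (anonymous) links are still allowed,
# with the link expiration that applies to it.
$anonymousSites = foreach ($site in Get-SPOSite -Limit All) {
    # Re-query by identity so the full property set is populated.
    $detail = Get-SPOSite -Identity $site.Url
    if ($detail.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        [pscustomobject]@{
            Url                      = $detail.Url
            DefaultSharingLinkType   = $detail.DefaultSharingLinkType
            OverridesTenantExpiry    = $detail.OverrideTenantAnonymousLinkExpirationPolicy
            AnonymousLinkExpiryDays  = $detail.AnonymousLinkExpirationInDays
        }
    }
}
$anonymousSites | Sort-Object Url | Format-Table -AutoSize
```

Add `-IncludePersonalSite $true` to the `Get-SPOSite -Limit All` call to include OneDrive site collections in the audit.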
33. Site collection advanced sharing
Access requests still can be set and utilized
Default access requests set to site owners SharePoint group
• Can update email + message
Control ability of members to share
Allow members to add to default members group
• Allows members to share site
35. Sharing tidbits
If external sharing is enabled -> Office 365 group powered sites will be enabled with the same
Access requests list generated after access request submitted
• Access%20Requests/pendingreq.aspx
Hidden SharePoint List handles link management
Use content search for reporting
External sharing changes for My Site site collection apply to existing and new OneDrives
Utilize SharePoint Online as an extranet
Be aware of migration to SharePoint Online with Delve and permission exposure
Work with the business to understand sharing requirements, don’t just lock down
36. Help Contribute & Stay Informed!
Microsoft Tech Community
https://techcommunity.microsoft.com
Microsoft 365 Roadmap
https://fasttrack.microsoft.com/roadmap
Office Blogs
https://blogs.office.com/
Office 365 Admin Center – Message Center
https://portal.office.com/AdminPortal
Office 365 for IT Pros
http://exchangeserverpro.com/ebooks/office-365-for-it-pros
39. Everything you need to know about sharing files in SharePoint & OneDrive
SharePoint Fest Seattle 2018
#SPFestSeattle
Editor's Notes
*NEED TO TEST if external users who were granted access will work
Default sharing logic
Create links
Show manage access
Manage access through sharing
Revoking access
Send via email
Previously, when securely sharing with users who were not in the organization's directory, these users were sent an invitation and had to log in using a Microsoft Account or a Work or School Account. They were then added to the directory as guests and given permissions to the file or folder.
https://docs.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release?redirectSourcePath=%252farticle%252fcc78357c-6d48-499c-9cc7-dae447d0d391
Passcode
Share site
Share o365 group
******This whole section needs to be reworked I think – order of content, etc. with Teams, Office 365 Groups, etc.
DG
We talked about the end user experiences, but now we need to talk about how to configure it
Guest access to Microsoft Teams can be managed through four different levels of authorization:
Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD business-to-business (B2B) platform. Controls the guest experience at the directory, tenant, and application level.
Microsoft Teams: Controls Microsoft Teams only.
Office 365 Groups: Controls the guest experience in Office 365 Groups and Microsoft Teams.
SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams.
Examples:
Don’t allow guest users in Teams
Enable guest access in AAD, Teams and Groups but disable on selective Teams containing sensitive/confidential information.
Specify specific settings for individual SPO sites, including those connected to Teams and Groups.
DG
There are services that have anonymous external sharing that isn’t controlled by AAD - Forms, Sway, Power BI
But the governance you have for sharing should apply to these services as well
SPO sharing is king
If you turn off external sharing for SharePoint Online in your organization, you can't turn it on for OneDrive. If you limit external sharing in SharePoint Online, to only authenticated users, then that will be the only kind of external sharing you can allow in OneDrive. If you allow anonymous access links for SharePoint Online, you can limit external sharing in OneDrive to authenticated users or turn it off entirely.
the external users have already accepted sharing invitations
Invitations to view files can be redeemed only once. After an invitation has been accepted, it can't be shared or used by others to gain access.
Anonymous access links can be forwarded to other people, who can also view or edit the shared items without signing in.
All of these settings show up in both admin centers
The settings you change in the OneDrive admin center sync with your settings in the SharePoint admin center.
Anonymous option is only available if your external sharing setting for SharePoint is set to Anyone, including anonymous users.