Mastering External Sharing in OneDrive for Business and SharePoint Online for Admins
External sharing is one of the core values of cloud collaboration platforms, and the ability to manage that sharing is one of the best things the cloud has going for it. For businesses that rely on file servers, most external sharing must be done via email, which is very difficult to regulate, especially on an enterprise-wide scale.
While we often discuss the value of permissions–ensuring that, post-migration, your users have access to the files that they need–it’s equally necessary to understand with whom users are sharing that content with. When it comes to external sharing, discretion and organization are key. Failing to uphold these principles can result in–accidentally or not–files and folders containing sensitive information reaching individuals who should not be able to view or make changes to that information.
Cloud collaboration platforms are aware of this and, as such, provide both users and administrators with myriad different ways to manage the sharing of content. Understanding and making proper use of these features can make all the difference when it comes to major issues like compliance.
Of all the major cloud storage solutions, OneDrive and SharePoint Online have perhaps the most robust suite of tools for this, giving users many ways to dictate how they are sharing their files, and offering admins an equally diverse range of ways to limit how users and teams can share individual files, folders, and sites with external users.
Understanding Types of External Users
For organizations that work with a large number of vendors, customers, or clients, external sharing will likely be necessary at one time or another. As such, ensuring that that content is shared properly can be crucial to security for both organization and the external user to whom that content is supposed to go. In many cases these documents might contain sensitive information about the vendor or customer–including personally identifiable information and further information around payment and the like–and about the organization with whom the user is associated. As such, it’s important for users to understand their options for sharing in OneDrive or SharePoint Online, as not to jeopardize the safety of either side’s information.
On the most basic level, there are a number of types of external users with whom content can be shared. Admins can dictate which of these types are allowed and which are forbidden, and can make changes based on specialized situations so that content is kept secure while sharing remains flexible for different circumstances.
The major settings for an Office 365 Admin for this scenario are:
- No External Sharing: Files, folders, and sites can only be shared with individuals who have accounts in your organization’s OneDrive, SharePoint Online, or Office 365 subscription.
- Sharing Limited to External Users in Your Directory: Files, folders, and sites can only be shared with external users who are in your directory, have been imported from a different Office 365 directory, or have accepted sharing invitations, and have thus been added to your directory. Many admins find it incredibly useful to allow sharing only with the external users that already exist in your organization’s directory, as this makes it easy to verify the security and intent of those with whom content is being shared.
- Sharing With All Authenticated Users: Files, folders, and sites can be shared with any external user who has a Microsoft account or belongs to another Office 365/OneDrive/SharePoint Online subscription through school or work. While these users will not have to log in to that account to see the content being shared, they will be sent a one-time authentication code which they will need to use to view the shared content.
- Sharing With Anonymous Users: Files and folders can be shared with any external user–verified or not–who receives the sharing link. This is by far the broadest and least secure setting for external sharing, though there are still ways to limit what users who receive the link can do with the content being shared. Still, it’s important to keep in mind that links can be passed around by those with whom they were shared, and that that link–and the actions permitted by it–are active until specifically disabled. Sites cannot be shared with anonymous users via link.
For most organizations, it is likely that users and admins will encounter a scenario that seems to demand each of these settings at one point or another. It’s still vital, however, that those in charge of external sharing protocols recognize in what cases each is appropriate, and do their best to implement the proper restrictions for each case.
On a case by case basis, users can be given the ability to share a number of different kinds of links. While internal sharing will most often–rightfully–rely on internal links, which are only accessible to users within your domain, it’s also possible to distribute two other times of links:
- Shareable Links: These are the broadest option. Anyone, internal or external, can open the link.
- Direct Links: When these links are created, users must specify the emails to which the link is going. As such, anyone who is not specifically invited to the document being shared will not be able to use the link.
In addition to the aforementioned settings, it’s possible to address extra sharing criteria. For instance, it’s possible to block sharing with all users from specific domains, even if they’re part of your directory, such as a competitor. It’s further possible to restrict external users (as long as they’re not anonymous) from sharing items that have been shared with them, and set expiration dates on the links that are shared with these users, so they don’t have access to your content in perpetuity. Finally–and often most helpfully–it’s possible to, with the check of a box, ensure that you can see which users take action on or view a file that’s been shared with them. If your Office 365 environment includes both SPO and OneDrive, the sharing options for files stored in each can be amended independently, as illustrated in the above image.
While it’s ideal that sharing with anonymous users happens rarely or never at all, should the necessity arise, it’s equally crucial for users and admins to understand how to limit the actions an external user can take on the content they’ve been sent.
Understanding the Actions That External Users Can Take
On top of dictating what types of external users your organization shares with, admins are also able to prescribe how those users can interact with the file, folder, or site to which they’ve received access. Taking precautions here is just as important as when deciding with whom content can be shared because an external user having undo privilege with your content can jeopardize security at worst, and at best cause organizational chaos if certain files are improperly altered.
These actions are fairly flexible, but the main options are:
- Read/View Only: The user who receives the file, folder, or site can simply read it. This comes in handy when sharing things like contracts or providing background information to an external user via a guidelines or basic info folder. External users who receive content at this setting cannot make alterations.
- Edit: Users who receive a given file, folder, or site have the ability to make changes. In these scenarios, it’s very important to make sure you can see user activity within the content, so that recently made changes are easily identifiable and traceable to a given external user. For organizations who are collaborating on content with a vendor or customer, this option can be extremely helpful, as it extends the collaborative capabilities of your OneDrive, or SPO environment to the external user, and lets you have an ongoing real-time dialogue around the content in question.
How Does Sharing Differ in OneDrive vs. SharePoint Online?
While many users are used to using OneDrive and SharePoint Online in concert, it’s important to note that sharing is not the same in both environments (which is one of the key reasons that external sharing settings in each can be dictated independently).
SharePoint Online has the benefit of allowing admins to assign external sharing settings on a site by site basis, so that the ability of users to share with those outside the organization is ultimately tethered to what sites they have access to, what site the content in question is stored in, and what the settings of that individual site are.
OneDrive on the other hand takes more of an “all or nothing approach,” meaning that if one individual needs the settings on OneDrive to allow sharing with anonymous users, all other people who have access to that OneDrive environment will be able to share anonymously. In OneDrive, sharing permissions cannot be dictated on an individual level. Rather, the assigned setting will initially be “global,” and then an admin will have to go through—user by user—to disable their sharing capabilities.
What many organizations will do in these situations is create a new SPO site of which that user who requires such broad external sharing is the only member. That way, those anonymous user sharing permissions can be assigned to that site and that site alone. Albeit an imperfect solution, it maintains security and makes it easier on admins to keep track of sharing behaviors.
It is possible to change these settings after a link has been sent, simply by going in to the sharing settings in your SPO or OneDrive. Likewise, it is possible to remove external users–individually or by type–at any point in the sharing process. These changes will take place immediately upon refresh, and making use of them in the face of suspicious behavior or when it’s simply not necessary for an external user to have access to the content anymore can be extremely important to maintaining security and compliance. The flexibility and manageability of secure external sharing links in OneDrive and SharePoint Online provide one of the simplest and most powerful solutions for external sharing.
It’s essential to keep an eye on what you’ve shared, and what permissions on that content you’ve granted. In short, sharing can’t just be a “set it and forget it” situation. Admins having an ongoing sense of what their users have shared, and when it might be time to end the sharing of that file, folder, or site ensures that sensitive information isn’t improperly accessed or changed, and that collaboration is limited to the scenario and time frame that it’s appropriate.
Proper External Sharing is Vital for Security
It should go without saying that keeping a close watch on the aforementioned settings is an absolute necessity, and can have major ramifications within your organization, especially with regards to content safety and overall compliance. Understanding how different content is being shared by different users can make a major difference when it comes to protecting sensitive information; and the more vigilant and attuned admins are to their options, the more likely they are to notice suspicious sharing behaviors that could potentially jeopardize their organization.
OneDrive and SharePoint Online make it easier than ever for users to share, and for admins to control how sharing is conducted. With the myriad choices at their disposal, all members of a business are empowered to work with important external users without unnecessary or damaging missteps.
Collaboration and sharing are a major facet of cloud storage solutions, and Microsoft understands how these needs go hand in hand with security and compliance. This relationship is clearly and comprehensively reflected in the external sharing options in both the OneDrive and SharePoint Online platforms. The end result? Users and admins can work together to make certain that what needs to be shared is shared properly, and what shouldn’t be shared remains secure.
If you ask us, it’s a pretty winning combination.