Understanding the Nuances of External Sharing for OneDrive in Business and Sharepoint

 

Did your eyes just glaze over a little bit at the title? Me too. Although I work in IT and have for many, many years – when it comes down to the nitty-gritty, backend of the everyday software products that we all use in business daily – I tend to lose focus quickly. But that is kind of the problem with all of us – isn’t it? We are so fast-paced, hurried, and trying our best to get done what needs to get done – that we may inadvertently share a file that was NOT intended for THAT person. This is where external sharing policies are critical within an organization. There is always the option of attaching it to an email and sending – but that narrows the opportunity for a ‘mistake’ share of valuable information that you did not want to share.

When it comes to OneDrive and Sharepoint, there are all kinds of rules and policies that we, as your IT administrators, can put into place to ensure that files that are shared internally AND more importantly externally are only being seen by the people that are meant to see them. What you may not know is that there are nuances between the two.

So, why does that matter? Well – if you do not have the right policies in place or they are applied improperly- that ‘oopsie’ may just happen. And that mistake could mean big problems. What if the file that is shared contains sensitive data such as company-specific financial identifiers or even those tied to people within your company? What if the information shared is about a competitor? It can get pretty dicey, pretty fast. This is why it is important to understand sharing options in OneDrive Business and Sharepoint so as to not jeopardize the safety of either side’s information. Also having an understanding of where your information/files/documents are located and what each type is used for is helpful for understanding how they should be treated.

In its simplest forms:

  • Onedrive is akin to a personal online filing cabinet. This is where you store information in a central location.
  • Sharepoint is a collaboration tool where members of your team can work on information together. It is a ‘collective’ of information.

Here are where nuances come into playOneDrive takes an ‘all or nothing’ approach to file sharing when it comes to an organization. So, for example – your marketing team needs to have the ability to share with anonymous users outside of your network –  well than everyone within your organization must have the same settings to start with. Permissions are set at a global level and then an admin will need to go in and adjust each user’s sharing capabilities user by user.

Sharepoint Online allows admins to assign external share settings on a site-by-site basis. This added level of granularity ties those outside your organization to what sites they have access to, what site the content in question is stored in, and what the settings of that individual site are.

For all Office 365 products – there are several sharing options that can be instituted. (See below).

  • No External Sharing – sharing can only be shared within your own organization
  • Sharing Limited to External Users in your Directory– sharing can only happen if the external user is within your directory or has accepted an invitation of sharing. This makes it easy to verify the security and intent of those with whom the content is being shared.
  • Sharing with All Authenticated Users – sharing can happen with any external user who has a Microsoft account or belongs to another Office 365/OneDrive/SharePoint Online subscription through school or work. While these users will not have to log in to that account to see the content being shared, they will be sent a one-time authentication code which they will need to use to view the shared content.
  • Sharing with Anonymous Users – sharing can happen with any external user (verified or not) who receives the sharing link. This is by far the broadest and least secure setting for external sharing, though there are still ways to limit what users who receive the link can do with the content being shared. Still, it’s important to keep in mind that links can be passed around by those with whom they were shared, and that that link–and the actions permitted by it–are active until specifically disabled. Sites cannot be shared with anonymous users via link.

** It is also important to note (and pretty nifty) that you can block sharing with all users from specific domains (competitors) and you can set expiration dates as well as turn on a feature that allows you to see all of the actions the recipient takes with the file shared with them (as long as not anonymous).

You can also further limit to Read/View only or give them the ability to edit (in the edit scenario it’s very important to make sure you can see user activity within the content so that recently made changes are easily identifiable and traceable to a given external user.)

TLDR – It is essential to understand what you are sharing, who is sharing, how you are sharing, and who you are sharing it with. It is dynamic so make sure your IT administrator knows what you need to achieve while also keeping your organization’s information safe. It’s important for your organization to understand what you have shared and who has access and if it is time to end the sharing.

–  written by Jennifer Gilligan

*reference material: