Forum Discussion
Allow creation of guest links for specific users only
I would expand on that. The setting does have to be set at the global level yes, but then its also set at the individual site collections (Sharepoint site collections, meaning I can have the global setting on, while having other site collections disabled).
Also I believe each users OneDrive is its own site collection, even though somehow the settings for User's guest links, is one setting for all users's OneDrive??
I hope this feature becomese available soon, to where we can control guest links for only specific users, not all users or no users...
thx
- VasilMichevMar 07, 2017MVP
If we are talking about ODFB here, it should indeed be possible as you can now control the sharing options per SC. However, the "allow guests" setting is "less restrictive", and the per-SC permissions can only be "more restrictive". Thus you take to do it the other way around - configure ExternalUserAndGuestSharing at the Global level and then switch Guest sharing off for everyone apart the user(s) you want to be able to use this.
That's assuming you only want to give them permissions to share files in their own ODFB.
- Robert LienMar 07, 2017Brass Contributor
I don't particularly like this solution, as I am having to then remember to turn off guest-sharing for each new person that is created, which can be easy to forget. But I suppose it is a method it could work, since a regular user would not be able to connect to PowerShell to turn it back on, unless there is another way for that to happen, because as Salvatore points out, a user would be a SCA of his/her own ODFB SC.
- StephenRiceMar 13, 2017Microsoft
Hi all,
As you may know, we have a feature coming out soon that will allow admins to specify which security groups are allowed to share externally. This feature will restrict only those users in the specified SG's from sharing both externally and anonymous (if enabled). Now, that doesn't sound like it would be useful in this case, but we also have some work planned to separate out the "anonymous" and "authenticated external" setting.
This would mean you could set something like:
- Security group A and B can share with authenticated external users
- Only security Group B can share via anonymous links
Would that satisfy your requirement? Also, usual disclaimer: This is all still under design and nothing is committed or planned just yet. So stay tuned :)
Stephen Rice
OneDrive Program Manager II
- Salvatore BiscariMar 07, 2017Silver Contributor
Hi Vasil.
Interesting perspective, as usual!
I have tested it and it appears to work.
A couple of questions:
- As a GA I have indeed been able to set by PS the sharing capability of an user ODFB SC. I was surprised about this... Shouldn't I be an SCA?
- The user, being the SCA of his/her ODFB SC, should in theory be able to change again the sharing capability setting. But how, provided that he/she can't login in PS as a GA?
- VasilMichevMar 07, 2017MVP
Salvatore Biscari I dont think PowerShell respects the SCA settings, the GA/SPO Admin permissions you need to run PowerShell superseed those I guess. jcgonzalezmartin is the authority on SharePoint, he might be able to give more insight :)
As for the owner being able to revert them, in theory this is indeed the case, if he is able to access the relevant settings. Pretty much the same issue we had with the owner of the ODFB site being able to remove IRM protection.