Forum Discussion

GI472's avatar
GI472
Brass Contributor
Sep 28, 2023

Where are these externally shared files?

Hi all,

Apologies in advance for the specifics of the question!

We currently set our OneDrive sharing policy to make links for files and folders accessible for 30 days, view-only by default, and the recipient must re-authenticate every 24 hours.

I have noticed that I have around 120,000 file shares showing in Defender (in one of the helpful cards that I now can't find).

The top 10 on this card and the overwhelming majority of file shares listed are from now-left users, who shared data prior to us setting up the above policy.

I have found Microsoft guidance on how to find and govern stale externally shared files:

  1. In the Microsoft 365 Defender portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.

  2. Select and apply the policy template Stale externally shared files.

  3. Customize the filter Last modified to match your organization's policy.

  4. Optional: Set Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example:

    • Google Workspace: Make the file private and notify the last file editor

    • Box: Notify the last file editor

    • SharePoint online: Make the file private and send a policy-match digest to the file owner

  5. Create the file policy.

Source: Information protection policies - Microsoft Defender for Cloud Apps | Microsoft Learn

I ran a search and found a user who left 2 years ago and who had around 1,000 files shared as External, Public, or Public (Internet) for which he was the file owner.

However, when I exported the list of these discovered files for the long-since-left user, I found that under Collaborators there were staff who joined well after he left.

I also cannot find those files in OneDrive or our file management system.

My questions are:

1. Does the MCAS file search find actual files that are current in our environment or does this show a historic series of snapshots?

2. Why are recent joiners shown as collaborators on documents and folders for someone who left so long ago?

3. How can I actually find the files the search tells me it found?

4. If I set up a governance action to remove external users from the file share, will this actually work?

5. If I want to test, can I create an admin quarantine site/location on SharePoint and use the option to 'Put in admin quarantine'? If so, what will happen and what are the possible implications/ramifications?

 

Any help, guidance, or advice is greatly appreciated!
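A worked example, added here by the editor and not part of GI472's post or of Microsoft's guidance: once the file list has been exported from the Cloud Apps portal as CSV, this script applies the same "Last modified" staleness rule that the Stale externally shared files template uses, keeps only files shared as External, Public or Public (Internet), marks which of them belong to departed owners (nobody is left to act on a policy-match digest for those), and lists the collaborators whose domain is outside the tenant, which is what you need to know before choosing a governance action such as removing external users. It also builds the request body for the Defender for Cloud Apps Files API (POST /api/v1/files/) that narrows the same search server-side and returns each file's URL. The CSV column names, the rows, the tenant domains and the departed-user list are constructed sample data; the Files API field names and sharing codes are assumptions taken from the API reference and should be checked against the current docs before use.

```python
"""Triage an exported Defender for Cloud Apps file list for stale external
shares left behind by departed users.

Editor's example for this thread, not code from the original post or from
Microsoft. Column names, rows, tenant domains and the departed-user list are
constructed sample data; adjust them to your own export.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of a file export. The column names are assumptions,
# not the product's schema: map your real headers onto these.
SAMPLE_EXPORT_CSV = """\
name,owner,sharing,collaborators,last_modified,url
Q3 board pack.xlsx,j.smith@contoso.com,External,"a.lee@contoso.com;partner@fabrikam.com",2021-03-14T09:12:00Z,https://contoso-my.sharepoint.com/personal/j_smith_contoso_com/Documents/Q3%20board%20pack.xlsx
Offsite photos,j.smith@contoso.com,Public (Internet),"",2020-11-02T16:40:00Z,https://contoso-my.sharepoint.com/personal/j_smith_contoso_com/Documents/Offsite%20photos
Roadmap.docx,k.ng@contoso.com,Internal,"a.lee@contoso.com",2023-09-01T08:00:00Z,https://contoso.sharepoint.com/sites/product/Roadmap.docx
Old pricing.xlsx,k.ng@contoso.com,External,"buyer@fabrikam.com",2023-01-10T10:00:00Z,https://contoso.sharepoint.com/sites/sales/Old%20pricing.xlsx
Vendor SOW.pdf,k.ng@contoso.com,External,"legal@tailspintoys.com",2023-09-20T12:30:00Z,https://contoso.sharepoint.com/sites/procurement/Vendor%20SOW.pdf
"""

TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}  # constructed
DEPARTED_USERS = {"j.smith@contoso.com"}  # constructed, e.g. from an HR leavers feed
EXTERNAL_SHARING_LEVELS = {"External", "Public", "Public (Internet)"}
AS_OF = datetime(2023, 9, 28, tzinfo=timezone.utc)  # the thread's date, used as "now"


@dataclass(frozen=True)
class Finding:
    name: str
    url: str
    owner: str
    sharing: str
    age_days: int
    external_collaborators: tuple[str, ...]
    owner_departed: bool


def is_external(address: str) -> bool:
    """An address is external when its domain is not one of the tenant's."""
    return "@" in address and address.rsplit("@", 1)[1].lower() not in TENANT_DOMAINS


def triage(csv_text: str, *, now: datetime, stale_days: int = 90) -> list[Finding]:
    """Return the externally shared files not modified in stale_days, worst first.

    Ordering: files whose owner has left come first, then oldest first, so the
    top of the list is what a governance action or admin quarantine should hit.
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["sharing"] not in EXTERNAL_SHARING_LEVELS:
            continue  # Private/Internal shares are outside this policy's scope
        modified = datetime.fromisoformat(row["last_modified"].replace("Z", "+00:00"))
        age = (now - modified).days
        if age < stale_days:
            continue  # recently touched: the template's Last modified filter excludes it
        collaborators = [c.strip() for c in row["collaborators"].split(";") if c.strip()]
        findings.append(Finding(
            name=row["name"],
            url=row["url"],
            owner=row["owner"],
            sharing=row["sharing"],
            age_days=age,
            external_collaborators=tuple(c for c in collaborators if is_external(c)),
            owner_departed=row["owner"].lower() in DEPARTED_USERS,
        ))
    findings.sort(key=lambda f: (not f.owner_departed, -f.age_days))
    return findings


def files_api_filter(owner: str, stale_days: int) -> dict:
    """Request body for POST /api/v1/files/ that narrows the search the same way.

    Assumption: field names and sharing codes follow the Defender for Cloud Apps
    Files API reference (2 = External, 3 = Public, 4 = Public (Internet));
    the shape of the owner.entity value in particular should be verified.
    """
    return {
        "filters": {
            "owner.entity": {"eq": owner},
            "sharing": {"eq": [2, 3, 4]},
            "modifiedDate": {"lte_ndays": stale_days},
        },
        "limit": 100,
    }


if __name__ == "__main__":
    for f in triage(SAMPLE_EXPORT_CSV, now=AS_OF):
        flag = "DEPARTED OWNER" if f.owner_departed else ""
        print(f"{f.age_days:5d}d  {f.sharing:17}  {f.owner:22}  {f.name:20}  {flag}")
        for c in f.external_collaborators:
            print(f"        external collaborator: {c}")
        print(f"        {f.url}")
```

The URL column is the part that answers "how can I actually find the files": the export lists the SharePoint or OneDrive path, and a departed user's OneDrive is usually only reachable by a SharePoint admin (or the delegated manager) until retention removes it, which is why it does not show in the normal file management view.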

  • LeonPavesic's avatar
    LeonPavesic
    Silver Contributor

    Hi GI472,

    1. Does the MCAS file search find actual files that are current in our environment or does this show a historic series of snapshots?

    The MCAS file search finds actual files that are current in your environment. It also shows a historic series of snapshots, but these snapshots are only shown for files that have been shared externally.

    2. Why are recent joiners shown as collaborators on documents and folders for someone who left so long ago?

    There are a few possible reasons why recent joiners are shown as collaborators on documents and folders for someone who left so long ago:

    • The recent joiners may have been added as collaborators to the files by the previous owner.
    • The recent joiners may have gained access to the files through a group or team that the previous owner was a member of.
    • The recent joiners may have gained access to the files through a sharing link that was created by the previous owner.

    3. How can I actually find the files the search tells me it found?

    There are a few ways to find the files that the MCAS file search tells you it found:

    • You can use the MCAS portal to filter the search results by file owner, collaborator, or other criteria.
    • You can use the MCAS portal to export the search results to a CSV file.
    • You can use the MCAS PowerShell module to search for files and export the results to a CSV file.

    4. If I set up a governance action to remove external users from the file share, will this actually work?

    Yes, setting up a governance action to remove external users from the file share will actually work. However, it is important to note that this action will only remove external users who have been added to the file share directly. It will not remove external users who have gained access to the file share through a group or team.

    5. If I want to test, can I create an admin quarantine site/location on SharePoint and use the option to 'Put in admin quarantine'? If so, what will happen and what are the possible implications/ramifications?

    Yes, you can create an admin quarantine site/location on SharePoint and use the option to 'Put in admin quarantine'. This will move the file to the quarantine site, where it will be held for a period of time before it is deleted.

    The possible implications/ramifications of putting a file in admin quarantine are:

    • Users will not be able to access the file while it is in quarantine.
    • The file may be deleted after a period of time.
    • The file may be restored to its original location if it is needed.

    Recommendations

    I recommend that you do the following:

    1. Use the MCAS portal to filter the search results by file owner and collaborator. This will help you to identify the files that were shared by the now-left user.
    2. Export the search results to a CSV file. This will give you a record of the files that were shared.
    3. Use the MCAS PowerShell module to search for the files and export the results to a CSV file. This will give you a more detailed list of the files, including their location and permissions.
    4. Review the list of files to identify any that are sensitive or that should not be shared externally.
    5. Remove external users from the files that should not be shared externally.
    6. Consider creating an admin quarantine site/location on SharePoint and using the option to 'Put in admin quarantine' on the files that you are unsure about.

    You should also review your sharing policies to ensure that they are adequate and that they are being enforced.

    Please click Mark as Best Response & Like if my post helped you to solve your issue.
    This will help others to find the correct solution easily. It also closes the item.


    If the post was useful in other ways, please consider giving it Like.


    Kindest regards,


    Leon Pavesic
    (LinkedIn)

    • GI472's avatar
      GI472
      Brass Contributor
      Hi Leon,

      Thank you so much for your help.

      I've already done steps 1 and 2.

      Do you know where I can find the guidance as to how to use the MCAS PowerShell module? This was done previously by our engineer, so I haven't used it before.

      Also, if I put the file in admin quarantine, will the user be notified? And do you know what the 'period of time' is before the files may be deleted?

      Is there a way to audit how the external user gained access, e.g., through joining a group or team?
