Hello Community, Cross-posting here from another forum to ensure visibility: https://social.technet.microsoft.com/Forums/Sharepoint/en-US/a6eac395-1fc6-4ab7-be7d-29ade66f78c1/sharing-a-document-to-guest-exposes-team-membership?forum=onlineservicessharepoint Essentially, it appears that giving guest access to a SharePoint document by way of the Share command gives this guest access to my directory data even though they technically do not have sufficient rights/permissions to Share the document in the first place. I am wanting to, of course, protect my organization's data as much as possible from external sources. Is there an obvious setting somewhere that turns off the Share functionality if the user does not have access/permission to do so? Thank you for any assistance you can lend!

Hi Michael, If you invite a guest user to a SharePoint site, they should only be able to see other guest users in that site collection. If your guest users are seeing users from outside the site collection, please let me know. Thanks, Stephen Rice OneDrive Program Manager II

Hi Stephen, thank you for your reply. Unfortunately this does appear to be what's happening. These are the steps as best as I can reproduce them: Sign in as a domain user that has permissions to a SharePoint folder, and share this folder specifically to an external guest user that is not registered on the domain. As the external user, check your email to get the link to the folder. Click on the link and follow the process to authenticate with the code. Upon entering the code from previous step and authenticating as the external guest user, note that the Share button is available in the top left. Click it to open the share dialog. From the Audience drop down ensure Specific People is selected. Start typing email addresses of users in the domain as well as the email addresses of other guest users that this has been shared with. In my case they consistently appear as if the external user is a member of the domain, which should not be allowed as they are gaining unauthorized data (membership) of the domain. In addition to members of the domain, they are able to poll what appears to be service accounts, with SharePoint App being an example. In my estimation, the external guest user should not see the Share functionality to begin with by default. This should only be a feature that is allowed for domain members only (again, by default). At a minimum a guest user should not be able to simply type a few characters within a field and do a poll on my domain membership as that is technically unauthorized activity and they are gaining access to unauthorized data. Additionally, it doesn't take much from there to create an automated bot of some sort to perform the lookups in an automated fashion, essentially pulling my directory contents for whatever uses they like, nefarious or otherwise. Please let me know if I have something misunderstood, if I am overlooking an obvious setting, and/or if you have any further questions around this. Thank you, Michael

Thanks for elaborating Michael. Let me investigate further with the team and I'll get back to you. Thanks! Stephen Rice OneDrive Program Manager II

Awesome, thank you Stephen. FWIW I have been exploring this a little more as I do believe there is some confusion on my part with Site Collections vs. domains. Additionally, there seems to be different behavior with sharing a document vs. sharing a folder. Sharing a document works better from a security perspective than sharing a folder. With a document, a guest user can see the parent folder, but when they visit that parent folder they see the document and no other information. Perfect. Sharing the folder, however, I as an external guest user can see the full membership of that folder in the top right. This again seems like unnecessary (default) information for a guest user. Additionally, the guest user can see all recent activity for a document, but not who did it. That tells me that some effort is made somewhere to conceal identity information (good thing) but now there is at a minimum inconsistent behavior as all members who are in the group are in plain sight anyways (bad thing). Finally, I did manage to create several new users who were not in the site collection. As a domain member I was able to query them in the Share feature. As a guest I was not. I was able to add the non-site domain user's email but their name did not resolve like site domain users. So, this appears to be working as you have stated. However, I was also able to query other guest users of both folder and document, which I feel is a concern. If I am invited to view an external document somewhere, it is not my expectation that other guest users can pull my information without my consent and/or awareness. Additionally, being able to query *any* member -- regardless of whether they are domain or guest -- as an external guest is a security concern. Consider that: There are no terms of use presented to the guest user (that I can see -- feel free to correct me if I am wrong here) so they are essentially free to use the data as they wish. This behavior works on any SharePoint online account that has sharing enabled so if this guest user has access to other SharePoint online accounts, the same behavior applies and they can harvest information from these other accounts and connect the dots as they may. This is, of course, a compounded concern if this user is part of a coordinated set of other users who are performing similar operations.

Hi Michael DeMond, The model for ODB/SPO is that permissions/discovery occurs at the site collection level. We allow users to see other people in the site to enable easy collaboration. There's certainly a balance here though. Also, the list of people you are seeing in the upper right is actually the membership of the site, not the permission of the folder (I believe at least, depending on which list of faces you are seeing :) ). If you have any other concerns, feel free to submit a Design Change Request to the team. Thanks! Stephen Rice OneDrive Program Manager II

Sharing a Document to Guest Exposes Organization Membership/Information

12 Replies

StephenRice
Microsoft
Mar 26, 2018
Hi Michael,

If you invite a guest user to a SharePoint site, they should only be able to see other guest users in that site collection. If your guest users are seeing users from outside the site collection, please let me know. Thanks,

Stephen Rice

OneDrive Program Manager II
- Michael DeMond
  Copper Contributor
  Mar 26, 2018
  Hi Stephen, thank you for your reply. Unfortunately this does appear to be what's happening. These are the steps as best as I can reproduce them:
  
  Sign in as a domain user that has permissions to a SharePoint folder, and share this folder specifically to an external guest user that is not registered on the domain.
  
  As the external user, check your email to get the link to the folder. Click on the link and follow the process to authenticate with the code.
  
  Upon entering the code from previous step and authenticating as the external guest user, note that the Share button is available in the top left. Click it to open the share dialog.
  
  From the Audience drop down ensure Specific People is selected.
  
  Start typing email addresses of users in the domain as well as the email addresses of other guest users that this has been shared with. In my case they consistently appear as if the external user is a member of the domain, which should not be allowed as they are gaining unauthorized data (membership) of the domain. In addition to members of the domain, they are able to poll what appears to be service accounts, with SharePoint App being an example.
  
  In my estimation, the external guest user should not see the Share functionality to begin with by default. This should only be a feature that is allowed for domain members only (again, by default). At a minimum a guest user should not be able to simply type a few characters within a field and do a poll on my domain membership as that is technically unauthorized activity and they are gaining access to unauthorized data. Additionally, it doesn't take much from there to create an automated bot of some sort to perform the lookups in an automated fashion, essentially pulling my directory contents for whatever uses they like, nefarious or otherwise.
  
  Please let me know if I have something misunderstood, if I am overlooking an obvious setting, and/or if you have any further questions around this.
  
  Thank you,
  
  Michael
  - StephenRice
    Microsoft
    Mar 26, 2018
    Thanks for elaborating Michael. Let me investigate further with the team and I'll get back to you. Thanks!
    
    Stephen Rice
    
    OneDrive Program Manager II

Forum Discussion

Sharing a Document to Guest Exposes Organization Membership/Information

12 Replies

Resources