Introducing a new secure external sharing experience
Published Oct 02 2017 11:00 AM 314K Views
Microsoft

At Ignite we announced a major improvement to the way secure external sharing of files and folders works in both OneDrive and SharePoint in Office 365 and we wanted to share what this means for users and IT administrators alike. Based on your feedback, we have focused our updates on two key areas: ensuring intended recipients get access 100% of the time, and continual reverification of identity. 

 

These updates will begin rolling out to First Release tenants on October 9, 2017.  

 

Ensuring intended recipients get access 100% of the time: Identity verification 

Office 365 makes it easy to share files and folders by creating a shareable link. Recipients can click the link and immediately access the file without going through any additional process. You can already create links that work for anyone, and links that work only for people inside your organization.

Sometimes you need to share with additional security and require that people with the link prove that they are the intended recipients. Office 365 also makes this easy by letting you send links that work only for specific people.

 

[Image: ExternalSharing2.gif]

 

Now, when you send a secure link to recipients outside your organization, each recipient is emailed a time-limited, single-use verification code when they open the link. By entering the code, the user proves control of the email account the secure link was sent to. Note what is being verified: control of that mailbox at that moment, not the identity of a particular person. Anyone who can read mail sent to the address can obtain the code; if the address is a distribution list, every member receives it.

 

[Image: 2.png]

 

Secure links allow external recipients to access files and folders securely without requiring them to create or maintain a Microsoft account. Email-based verification codes are a simple and effective way to provide secure access, familiar to users who access secure internet sites that verify identity by sending a code by email or text message.

 

Continual reverification of identity

Now, IT administrators can specify how often external recipients must request a new code and re-verify their email address. This governance control limits how long access can outlive the mailbox: if an external recipient's employment status changes, or anything else causes them to lose access to their email account, they can no longer receive a code, and their access to your organization's files and folders lapses at the next re-verification.
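The flow the two sections above describe, as an added example rather than code from the original post or from Microsoft: a small Python model of email attestation for a link shared with specific people. The post only states the user-visible properties (time-limited, single-use code; periodic re-verification), so the 8-digit code, the 15-minute code lifetime, the five-guess budget and the 30-day default are all assumptions, as are the class and function names. The model stores only a hash bound to the link and the invited address, refuses to issue codes to addresses that were never invited, and shows why a code addressed to a distribution list reaches every member of the list.

```python
# Added example (not Microsoft's implementation): a minimal model of the
# e-mail attestation described above. Assumed behaviour:
#   - a code is bound to one link and one invited address,
#   - it is short-lived and works once, with a small guess budget,
#   - a successful attestation lasts reauth_days, then a new code is needed,
#   - only a hash of the code is stored server-side.
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

CODE_TTL_SECONDS = 15 * 60   # assumed; the post only says "time-limited"
MAX_ATTEMPTS = 5             # assumed guess budget per issued code
DAY = 86400


@dataclass
class PendingCode:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class AttestationService:
    reauth_days: int = 30                            # admin setting; 30 is assumed
    shares: dict = field(default_factory=dict)       # link_id -> {invited addresses}
    pending: dict = field(default_factory=dict)      # (link_id, email) -> PendingCode
    attested: dict = field(default_factory=dict)     # (link_id, email) -> verified_at
    outbox: list = field(default_factory=list)       # (to, code): stands in for e-mail

    @staticmethod
    def _hash(link_id: str, email: str, code: str) -> bytes:
        # Bind the code to the link and the address so a code issued for one
        # share cannot be replayed against another.
        return hashlib.sha256(f"{link_id}|{email}|{code}".encode()).digest()

    def share(self, link_id: str, *emails: str) -> None:
        """Share link_id with specific people (addresses are normalised)."""
        self.shares.setdefault(link_id, set()).update(e.strip().lower() for e in emails)

    def request_code(self, link_id: str, email: str, now: float) -> bool:
        """Called when a recipient opens the link. Returns False if the
        address was never invited; no code is sent in that case."""
        email = email.strip().lower()
        if email not in self.shares.get(link_id, set()):
            return False
        code = f"{secrets.randbelow(10 ** 8):08d}"
        self.pending[(link_id, email)] = PendingCode(
            self._hash(link_id, email, code), now + CODE_TTL_SECONDS)
        # The code goes to the invited address as-is. If that address is a
        # distribution list, every member receives it: the check proves
        # access to the mailbox, not the identity of the person clicking.
        self.outbox.append((email, code))
        return True

    def verify(self, link_id: str, email: str, code: str, now: float) -> bool:
        """Check a submitted code: expired, unknown or over-tried codes fail."""
        key = (link_id, email.strip().lower())
        p = self.pending.get(key)
        if p is None or now > p.expires_at:
            self.pending.pop(key, None)              # expired or never issued
            return False
        p.attempts += 1
        ok = hmac.compare_digest(p.code_hash, self._hash(link_id, key[1], code))
        if ok or p.attempts >= MAX_ATTEMPTS:
            self.pending.pop(key)                    # single use / budget spent
        if ok:
            self.attested[key] = now
        return ok

    def can_open(self, link_id: str, email: str, now: float) -> bool:
        """True while a past attestation is inside the re-verification period."""
        key = (link_id, email.strip().lower())
        verified_at = self.attested.get(key)
        if verified_at is None:
            return False
        if now - verified_at > self.reauth_days * DAY:
            del self.attested[key]                   # a new code is required
            return False
        return True
```

Drive it with constructed addresses: share(), then request_code() when the recipient opens the link, verify() with the code taken from outbox, and can_open() on later visits; once reauth_days have passed, can_open() returns False and the recipient has to request a fresh code, which is exactly the point at which a lost mailbox stops granting access.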

 

[Image: 3.png]

 

To enable this setting, go to the sharing section in the SharePoint admin center and turn on "Require recipients to continually prove account ownership when they access shared items".

IT professionals will recognize that secure links give external recipients access using the same approach adopted by many financial institutions: email-based verification codes and re-verification periods. This familiar approach is easier to manage and more secure than competing solutions that require an external recipient to create a user account, because such accounts may persist after the user leaves their employer and no longer owns that email address, leaving a dangerous security hole.

 

Getting started

These features start rolling out on October 9, 2017, to First Release customers and will roll out to all customers by the end of January 2018.

 

For additional information on the new external sharing experience in OneDrive for Business and SharePoint Online, read the New Sharing Features in First Release help article. 

219 Comments
Brass Contributor

Thanks for the reply @Stephen Rice

I tried with a new email address just now. I received the sharing email. When I clicked the link, I was not prompted for a one-time code. This is a brand new email address. Not sure why we are not prompted for a one-time code.

Thanks

 

Steel Contributor

Where do I manage the number of days before the verification expires? I cannot see this in either the old or the new SharePoint Admin UI.

Microsoft

Hi @kiran bellala,

 

That's very bizarre. Can you send me a PM so we can debug further?

 

@Philine von Guretzky,

 

You can manage the verification with this setting in classic SP Admin:

 

[Image: prove ownership.png]

Brass Contributor

Hi @Stephen Rice

We turned on "Require recipients to continually prove account ownership when they access shared items" and secure sharing is working now. Thank you.

It was turned off earlier. What is interesting is that we did not turn this on for the development tenant.

But the dev tenant is under First Release. Maybe the dev tenant got the features and, when prod rollouts started to happen, this was a necessary setting to get secure sharing. Thank you for your response.

 

 

Microsoft

@kiran bellala,

 

Glad to hear that it's working now! If you have any other issues, let us know!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

How can I copy and paste multiple external email addresses into the send link box? Tab, comma, etc. don't help. Error: recipient isn't valid.

Brass Contributor

We are nearing a year since OTP links became a feature. I think it's a great solution for short-term/one-time shares. However, our biggest user complaints are as follows:

 

1. Usage/permissions reporting is a problem, especially in scenarios where you have external users with MS accounts (from the previous way of sharing externally) and OTP links.

2. Users still want the ability to share library folders by sending a link which requires an invitation to create an account for access; this is particularly helpful for longer-term access requests.

Microsoft

Hi @Jaymz Yates,

 

Thanks for passing along your feedback! On (1), we're continuing to invest in this area with the new link open receipts feature that is rolling out now (letting you know the first time someone clicks on shareable links) and the new sharing report feature that we announced earlier this year and plan to deliver in the coming months!

 

On (2), definitely submit this to onedrive.uservoice.com to help the team prioritize this work amongst everything else.

 

Thanks!

 

Stephen Rice

OneDrive Program Manager II

Iron Contributor
Like this new process, but we have a constant problem with the verification codes always getting sent to users' Junk Email folders. This happens even for "external" users that are also Office 365 users (in other tenants) or Outlook.com users. Can there be something done with these verification emails so that they are properly whitelisted across Microsoft's systems? It's very confusing for users that they are able to successfully receive the Sharing Invitation, then request the code, and then it appears nothing happens, only to later find it in their Junk Email. Why can the initial email get through, but the code can't? Can these codes get generated and sent impersonating the original user that sent the sharing request instead of the generic no-reply@sharepointonline.com address? This would likely help the problem and also assist users in recognizing that this was the same workflow underway.
Microsoft

Hi @Ed Sparks,

 

The team is continuing to investigate why mails sent from the service are being marked as spam. Unfortunately, we cannot send the verification codes as the user as we can only use the sender's mailbox when they are the active user. While we strive to send mails in this way as much as possible (for the reasons you describe), service generated notifications must use the generic no-reply address instead. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Iron Contributor

Thanks for the quick reply @Stephen Rice

Really love the new workflow and the reduction in proliferation of Guest Accounts, so definitely hoping the junk email issue is resolved soon.

Do they have a handle on the root cause?  Looks to have been early-on SPF issues, but imagine there's more at play?


 

Microsoft

Hi @Ed Sparks,

 

There are a few different factors that are playing into this, some of which we have addressed and some that are on-going. You should continue to see improvement here. I'm glad you're loving the new experience! Thanks!

 

Stephen Rice

OneDrive Program Manager II

Steel Contributor

There seems to be a bug when an external user is invited and his UPN is not equal to his default email address.

 

A document is shared with upn@company.com in another (O365 ADFS) tenant; he clicks the link in the email.

He logs in using upn@company.com and confirms his email (he is tech-savvy and enters upn@company.com, not firstname.lastname@company.com).

He receives a code and enters the code.

 

After confirming that the code is correct, a message appears that he (upn@company.com) is on the list but he should login using firstname.lastname@company.com first (which is not possible since alternate login is disabled). 

 

After confirming the troubling message, the document is opened anyway.

 

[Image: secure link.png]

 

Steel Contributor

It’s been a year, and is it just me who finds the two different sharing methods (OneDrive/SharePoint sharing vs. Azure B2B sharing) confusing, both for us as admins and for users?

 

I personally prefer Azure B2B, especially since this is the method used when inviting guests to Teams.

Microsoft

Thanks for your feedback @Jonas Back! As announced at Ignite, our goal is to bring you the best of both worlds. Coming early next year, end users who see the one time passcode experience will have accounts created in the directory via Azure B2B. Thanks for your feedback!

 

Stephen Rice

OneDrive Program Manager II

Deleted
Not applicable

@Stephen Rice We have an Azure AD conditional access policy that is scoped to "All guest users" to require non-employees/guests to confirm a "terms of use" term (ie. legal documentation) before gaining access to any resource in our tenant.  Ad-hoc external recipients circumvent this access policy and as a result, guests that gain access to SharePoint files and documents using this method are not presented the opportunity to review/agree to the terms of use.

Iron Contributor

The one time code seems like a great solution for many scenarios; however is there not a way to still allow the user to create an #EXT AAD account if they choose to do so?  

Microsoft

Hi @Jeff Harlow,

 

There is no way to do this but we are working on integration with Azure B2B which will give you the best of both worlds. Users will get the same one time passcode experience but they will get the AAD account backing it as well. We announced this at Ignite 2018 and should have more details coming soon. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Bronze Contributor

I tried sharing from OneDrive via the Share With Specific User to an external user. After they entered the access code they get an Access Denied message. It turns out the user's email address is part of another O365 Tenant. Sharing via an anonymous link they can access just fine.

 

Trying to get non-technical users to use In Private Browsing (appears to be only work around) is not an ideal solution between my non-technical users and external non-technical users. Is there a fix for this? Or is this something that will be fixed soon?

Microsoft

Hi @Cary Siemers ,

 

When they get access denied, does the message tell the user which account they are signed in with? Chances are they are signed in with an account that is different from the one that was shared with. Incognito or signing out are the only options at the moment unfortunately. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Iron Contributor

We are experiencing the same behaviour as @Cary Siemers now across all our tenants too!

It appears this new behaviour described by @Stephen Rice has possibly been rolled out in a broken state. We can consistently recreate this failure with any new user on their first invite.

 

We've opened a ticket on this with no response yet.


If any of our users share with the Specific User to another user with a work or school account in another tenant and that user is already logged into their browser, they are doomed to have a broken link forever.

 

They receive the invite email, click the link, get the email verification code and then after entering get another screen telling them to "login to get access immediately" but with only a Next button.  As soon as they click Next they receive access denied, and no order of logging in our out of SharePoint or clearing cookies will solve the issue.

 

We do notice the #EXT# account is added into their sending tenant.

 

If the original user then sends a new invite on the exact same document or folder with the Specific User and now picks the user that was auto-added as an #EXT# user, then the complete process works normally.

 

This is a terrible experience for users and we're getting widespread complaints on what used to work well.

 

It seems that whatever is happening in the back end between this verification code (and whatever method that uses to access the sharing) and the #EXT# user getting added completely breaks the permissions on the original file/library/site.

Microsoft

@Ed Sparks, that's definitely not expected. Let me flag this with the team and we'll see if something is going on. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Iron Contributor

To confirm, in every case the receiving user is NOT logged into the wrong account.


We have recreated this behaviour on users that are just logged into their browser session directly, and with users who are hybrid or Azure AD joined using the integrated authentication in Edge.

 

Hoping this can get tracked down quickly on the back-end, and thanks for always responding @Stephen Rice 

Bronze Contributor

@Stephen Rice 

The message says:

Access Denied

externalperson_domain.com#ext#@mytenant.onmicrosoft.com does not have permissions to access this resource.

The "externalperson_domain" is the email address I shared to and it is part of an O365 tenant.
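An added helper, not code from the thread, for reading access-denied messages of the form quoted above: Azure AD builds a guest's UPN by replacing the "@" of the invited address with "_" and appending "#EXT#@" plus the inviting tenant's domain, which is the shape shown in the message. The decoder below recovers the invited address from such a UPN and compares it with the address that was actually shared with, so an admin can see at a glance whether the guest object and the invitation refer to the same mailbox (the UPN-versus-email mismatch reported earlier in the thread). The function names are mine; the "split on the last underscore" rule is an assumption that relies on DNS labels never containing underscores, so underscores in the local part of the address survive the round trip.

```python
# Added example (not from the original thread): decode an Azure AD guest UPN
# of the form <local>_<domain>#EXT#@<inviting tenant> back to the invited
# e-mail address and compare it with the address a link was shared with.
import re

# "#EXT#" appears upper- or lower-case in UI messages; match both.
_GUEST_UPN = re.compile(r"^(?P<mangled>.+?)#EXT#@(?P<home>[^@]+)$", re.IGNORECASE)


def guest_upn_to_email(upn: str):
    """Return the invited address encoded in a guest UPN, or None if the
    string is not a guest UPN (e.g. a member UPN like alice@contoso.com)."""
    m = _GUEST_UPN.match(upn.strip())
    if not m:
        return None
    mangled = m.group("mangled")
    if "_" not in mangled:
        return None
    # Assumption: the last '_' is the replaced '@'. Hostnames cannot contain
    # '_', so any earlier underscores belong to the local part.
    local, domain = mangled.rsplit("_", 1)
    if not local or "." not in domain:
        return None
    return f"{local}@{domain}".lower()


def email_matches_guest(invited_email: str, upn: str) -> bool:
    """True when the guest UPN was minted for exactly the invited address."""
    recovered = guest_upn_to_email(upn)
    return recovered is not None and recovered == invited_email.strip().lower()
```

Feed it the UPN from the "does not have permissions" page and the address typed into the Share dialog; a False result means the signed-in guest is not the mailbox the link was issued to, which is the condition under which the thread reports the one-time code succeeding and the document still being denied.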

Iron Contributor

@Stephen Rice 

We're getting two different variations of the resulting problem.

 

The first time the user is going through the workflow they get the error the same as @Cary Siemers posted above.

If they logout of their account, and then click through the link in their email again, they are presented with a single screen with the following text:


Sharing Link Validation
You've received a secure link to:

<filename>
Sign in to <tenant shared to email address> and we'll give you access immediately.

Next

 

As soon as they click Next, and follow their normal account logon process they receive the regular SharePoint denied UI:

 

You need permission to access this site.

I'd like access, please.

 

Microsoft

Hi @Ed Sparks ,

 

Can you get a Fiddler trace of the flow you describe above? This will help us narrow down exactly where the error is occurring. Feel free to reach out via Direct Message so we can work through this as well. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Iron Contributor

Sure @Stephen Rice 
Have sent you a DM

Copper Contributor

Is there, or will there be a feature where links that are shared with specific people can be set to expire? 

 

I'd like to invite customers to certain files for just a short period of time and don't want the hassle to remove the rights previously given to them.

 

As far as I see, only sharable links to anyone can be setup with an expiration date.

Microsoft

Hi @veryferrygood69 ,

 

This is absolutely something we want to build as well. Right now we are working on another feature: Expiring external access, which expires a single external user's access (by policy) at the site level (so you lose access to everything on the site at once). More to share on this soon!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

I don't see this new experience described. Has it been replaced? We are having issues where external user does not have a Microsoft account already but there is no link for them to direct an account. This used to exist before but it's now gone. What does Microsoft expect the person to do??

 

When we share a file with an external user with no existing Microsoft account, they see:
1. Microsoft Sign in window where user can enter an email, click 'Can't access your account?' or 'Sign-in options' and a Next button.

2. If they click 'Can't access your account?', you can enter your User ID but it says 'The user ID you entered does not exist....". 

 

There is NO option to create a Microsoft account anywhere in this sign in page. Are we missing something?

Thanks

SZhang

Microsoft

Hi @szhang_,

 

This feature is rolled out so it sounds like there is something else going on here. How are you sharing with the external user? If you click Share -> Specific People, the user should go through a one-time-passcode flow that lets them verify their identity without creating a Microsoft account. If you are not seeing that, can you post screenshots or details of what you are seeing today? Thanks!

 

Stephen Rice

OneDrive Program Manager II

Microsoft

Hi @szhang_,

 

Is your organization perchance enrolled in the SharePoint and OneDrive integration with Azure AD B2B Preview?

 

-Euge

 

Eugene Lin

OneDrive Principal Program Manager

Copper Contributor

Hello guys,

We have an issue with verification codes. When someone shares a file with a distribution list, it sends a link to the shared file, but when someone opens the link, everyone on the DL receives a verification code. How can we prevent this? It should only send that code to the person who clicked on the shared link.

 

Thank you

Microsoft

Hi @Fadel1835,

 

The secure sharing flow works by ensuring that only the e-mail address that was shared with can access the item. In your scenario above, the product is actually working as intended: the link is only allowed to work for the DL and so we require you to prove you have access to that e-mail address during verification time. Unfortunately the DL itself is transparent to us (i.e. we can't pick out individual users from the DL). I'll pass this feedback along to the rest of the team though. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

I am having issues similar to some previously described, but not able to get a workable solution yet. I'm sharing documents with external specific people, and the sharing process works fine with a link sent, and verification code process done, access gained.

There is no time limit set for the links, and initial access is fine; however, if the email link is clicked again later (about a week), it asks for verification again, and if the URL is visited, an error message is received: 'That didn't work. We're sorry but user@email can't be found in the blah blah directory.'

When clicking on 'Manage Access' for the files in question, they are still shared with the users. Surely users don't need to go through the verification process repeatedly? Isn't this the whole point of being able to de-select 'Require recipients to continually prove account ownership when they access shared items'?

 

 

 

Brass Contributor

Hi @Stephen Rice 

I understand that SharePoint is "Evergreen" so I'm trying to understand if functionality has changed or I'm just wrong.

 

When someone shares a document/folder with an external user, the external user receives a one time code. As expected. Do these external users ever get added to the guest section in our AD? 

 

In the old classic SharePoint sites (STS#0), it used to sometimes add the people to Azure AD guests. We thought it was related to if the external account was a 365 license account in another tenant.

 

In the modern SharePoint Sites (STS#3)/Groups, when we share with these users they never get added to Azure AD guests. Is this expected? Is there a different procedure to go through to ensure the users are added to AD as guest users? 

Microsoft

Hi @Paul Matthews ,

 

When someone shares a document/folder with an external user, the external user receives a one time code. As expected. Do these external users ever get added to the guest section in our AD? 

They do in some cases, primarily when they have an O365 account already. It also happens every time when the new Azure B2B preview is enabled.

 

In the old classic SharePoint sites (STS#0), it used to sometimes add the people to Azure AD guests. We thought it was related to if the external account was a 365 license account in another tenant.

In these cases, I believe it always created an account. 

 

In the modern SharePoint Sites (STS#3)/Groups, when we share with these users they never get added to Azure AD guests. Is this expected? Is there a different procedure to go through to ensure the users are added to AD as guest users? 

If you share a file/folder, there are some cases where they get added to Azure AD (based on if they have an account) but otherwise they do not. If you enable the new Azure B2B preview, guest users will always be created. 

 

Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Brass Contributor

Maybe I missed it somewhere, but when using Outlook (send attachment as link), the verification code process is not used?

Microsoft

Hi @Stefaan De Vreese,

 

What version of Outlook are you using? 

 

Stephen Rice

Senior OneDrive Program Manager

Brass Contributor

@Stephen Rice I'm using the latest O365 version of Outlook. When I share a document via OneDrive online, I get the verification code mails. But when I send a OneDrive document via Outlook, as a link, the end user is immediately redirected to the document in Word Online, without any verification code needed.

 

and one of my customers only uses exchange onprem, and is getting an error in this situation. So that made me think that the verification process is different when starting from outlook instead of the OneDrive online environment.

Microsoft

Hi @Stefaan De Vreese

 

I just double checked with the team and yes, this is expected for the moment. If you share externally starting in Outlook desktop, you will see the old external sharing experience which does not use One Time Passcode. This is something the team is working on though and we're looking to improve in the future. Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

Copper Contributor

Everyone our organization sends the shareable link to gets the code in their spam folder. We have to tell everyone to look there for their code. A bit frustrating!!!

 

 

Microsoft

Hi @Sparkspnt,

 

Sorry to hear you're having that experience! The team is actively working on improving this now. In the meantime though, if you enable the new Azure B2B Integration (learn more here!), the mails should come through a different system mailbox and not be spammed. Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

Copper Contributor

If we enable the "SharePoint and OneDrive integration with Azure AD B2B (Preview)", will we need to re-share any existing shared files? The documentation for this feature indicates that if we opt out of this preview we will need to re-share the files, but does not mention anything about re-sharing existing shared files when we opt in. Thank you.

Microsoft

Hi @Ed Kelly,

 

No need to re-share when you opt-in, all existing shares will continue to work as they have before. Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

Copper Contributor

If we have a conditional access policy in place that requires MFA for browser access to SharePoint, OneDrive, Teams on an "unmanaged" computer (Exclude - Device State - Device marked as compliant), do we need to Exclude "All guests and external users (Preview)" from the conditional access policy? How will this conditional access policy impact this secure external sharing option? What about the new Azure AD B2B (preview)? I need to understand the user impact for existing and new external sharing when a conditional access policy as described in this post is implemented. Thank you.

Microsoft

Hi @Ed Kelly ,

 

This isn't quite in my area of expertise but I've asked the experts and their response is below:

 

"Without the B2B integration, by default external users don't have that policy applied to them, but this can be controlled via Set-SPOTenant -ApplyAppEnforcedRestrictionsToAdHocRecipients.

More info here: https://docs.microsoft.com/en-us/sharepoint/control-access-from-unmanaged-devices

With the B2B integration enabled, I do believe you'd need to select the option to Exclude guests, otherwise they would be included in the policy and be blocked, as they'd almost certainly not be on a managed device."

 

Hope that helps!


Stephen Rice

Senior Program Manager, OneDrive

Copper Contributor

Hello Stephen,

Can you help with the following, or point us in the right direction?

 

We have an O365 tenant since a few months.

Since having this tenant, when an external party (they themselves have a different O365 tenant) shares a document with us (shared with specific people via mail address), our user that receives the email about a document being shared with him, is asked to verify his identity by providing credentials for his O365 tenant account.

 

However, we want to receive a one time password via mail, as before we had a tenant, and not validate with O365 credentials.  (For specific security reasons, we don’t allow the majority of our users to login to O365)

 

Is this something either we or the 3rd party can configure in our tenant?

Workaround?

 

Thanks for your feedback!

Iron Contributor

@hwelvaar this change must have happened because your users became part of their tenant (Azure AD B2B). I would suggest looking into the foreign Azure AD and checking for guests. The people affected will be registered as guests. SharePoint will switch from SharePoint PIN sharing to Azure AD B2B if the account is registered as a guest. This will happen if the users are part of an Office 365 Group (or MS Team). Groups rely on AAD B2B and will register guests in your tenant. You can prevent (end-)users from registering guests through AAD configuration, but this will limit Groups guest membership and other services could also be impacted (AIP, ...). To get back to PIN sharing they could delete the guest accounts in their directory, but this should be tested to see if and where they will lose access based on, for example, group membership.

 

What is the reason you don't want them to use their AAD account? Conditional access rules?

 

Ciao Marco

Version history
Last update:
‎Jun 25 2020 11:11 AM
Updated by: