Home
Microsoft

Introducing a new secure external sharing experience

At Ignite we announced a major improvement to the way secure external sharing of files and folders works in both OneDrive and SharePoint in Office 365 and we wanted to share what this means for users and IT administrators alike. Based on your feedback, we have focused our updates on two key areas: ensuring intended recipients get access 100% of the time, and continual reverification of identity. 

 

These updates will begin rolling out to First Release tenants on October 9, 2017.  

 

Ensuring intended recipients get access 100% of the time: Identity verification 

Office 365 makes it easy to share files and folders by creating a shareable link. Recipients can click the link and immediately access the file without having to go through any additional process. You can already create links that can be used by anyone, and links that are internally shareable within people in your organization.  

Sometimes you need to share with additional security and require that people with the link prove that they are intended recipients. Office 365 also makes it easy to do this by allowing you to send links that work only for specific people 

 

 ExternalSharing2.gif

 

Now, when sending secure links to recipients outside of your organization, those recipients will be sent an email message with a time-limited, single-use verification code when they open the link. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.

 

2.png

 

Secure links allow external recipients to access files and folders securely without requiring them to create or maintain a Microsoft account. Email-based verification codes are a simple and effective way to provide secure access, familiar to users who access secure internet sites that verify identity by sending a code by email or text message.

 

Continual reverification of identity

Now, IT administrators can specify how often external recipients must get a new code and re-verify their email address. This governance control protects your organization’s files and folders from situations where an external recipient’s employment status changes, or any other situation which can cause them to lose access to their email account.

 

3.png

 

To enable this setting, go to the sharing section in the SharePoint admin center.

IT professionals will recognize secure links provide access to external recipients using the same standard adopted by many financial institutions: email-based verification codes and reverification periods. This familiar approach is easier to manage and more secure than competing solutions that require an external recipient to create user accounts that may persist even after the user leaves their current employer and no longer owns that email, creating a very dangerous security hole.

 

Getting started

These features start rolling out on October 9, 2017 to First Release customers and will roll out to all customers by the end of the year. For additional information on the new external sharing experience in OneDrive for Business and SharePoint Online, read the New Sharing Features in First Release help article. 

17 Comments
Senior Member

When one shares a public link in OneDrive, the file is only available, and editable online. 

A guest reader,  or even guest contributor, cannot download a file. In some case, you may need to download a file

Can tell if someday this option will be available in future? 

 

 

Contributor

But if I shared a file (and made it editable) to an external user, if they have no Microsoft Account, they can't edit it online I correct? I thought MS stated last month that you could share with external users and they did not need a login. It would send a "code" to their email and that's all they needed. I suppose they would need Word, etc. online to make use of this though right?

 

From MS below:

If your OneDrive and SharePoint Online external sharing settings are set to allow sharing with new external users, new external users (that have a file or folder securely shared with them) will be able to access the content without needing an Office 365 account or a Microsoft account. Instead, recipients who are outside of your organization will be sent an email message with a time-limited, single-use verification code when they access the file or folder. By entering the verification code, the user proves ownership of the email account to which the secure link was sent. Securely sharing a file or folder is the process of sharing in a way where recipients must prove that they're intended recipients that the original sharer specified. End-users can do this in the same way that they already do. (by changing the link settings to only work for specific people in the Share dialog) We're also introducing a new admin control which will allow you to specify how often external recipients must re-verify their email address and enter a new code. This protects your organization from cases where an external recipient’s employment status changes.

Contributor

I just saw the thread above that this feature has not rolled out yet. But again, the external user would still need an MS account to edit the document no?

Microsoft

@Genevieve Georges when a recipient opens a link that works for anyone, the can use the Download command to download the file.

 

download command.png

Microsoft

@Mark Uvanni when you share a document (with an edit link) with an external user who doesn't have a Microsoft account, they will be able to edit it in Office Online 100% of the time. There is no requirement on the recipient beyond having a working browser and an Internet connection.

 

This is true for both links that work for anyone and links that work for specific people. For the latter, the recipient will receive a one-time code at their email address to verify that they are the intended recipient.

 

So many great announcements made at MS Ignite, and now this terrific blog post, too! Thanks @Stephen Rose...I can't wait to try these out on our tenant! 

Frequent Visitor

What prevents the link to the original shared item being forwarded to multiple users once the code has been used?

Senior Member

Hello again 

I tried once more, but it's still not working on my side. Guest contibutor cannot download file (I tested with ppt and word files

Maybe a license issue? Or bse I'm not using Win10/Office 2016????

Anyway, it''s already good to know it's on the way. 

Rgds

Genevieve

 

 

 

Microsoft

Genevieve

 

These updates will begin rolling out to First Release tenants on October 9, 2017.  Then to standard tenants after that. It can take 30-90 days for features to show up once released so expect between Nov and Jan for non-First Release customers.

Microsoft

@Paul Turner, the link actually knows what email addresses are and aren't valid. So if I share with Eugene@contoso.com and he forwards the link to you, there verification code will go to Eugene still, not your email. Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Frequent Visitor

Thanks @Stephen Rice

 

So if I have received both the link and the code, validated my email address using the code I have continuous access to that resource until I need to validate my email address again? How is access to others prevented if the link is still forwarded?

Microsoft

@Paul Turner, if the link is forwarded, it will act just like if you attempted to open the link on a new computer: it will send you another verification code and ask you to verify your identity again. The link will not let anyone other than the users with whom the link was originally shared with access the document. 

 

Stephen Rice

Frequent Visitor

I see, so does it rely on a cookie to verify the identity?

Microsoft

@Paul Turner, yes, it drops a cookie in your browser. 

 

Stephen Rice

OneDrive Program Manager II

Senior Member

Can we use this security code to share out entire sites, or just files and folders?

Quick question @Stephen Rose @Eugene Lin

What does this mean for existing external sharing?

Is this a new method or one replacing the "old one"? 

 

Is the experience different if the intended recipient (external) is part of an Office 365 tenant?

 

Thanks!

@Jesse Ontiveros This feature is only for files and folders.

 

@Benjamin Niaulin This replaces the recipient experience when securely sharing files and folders with new users outside of your organization. When you share to an existing user that exists in your organization's directory then they do not go through this experience.