Introducing a new secure external sharing experience
Published Oct 02 2017 11:00 AM 322K Views
Microsoft

At Ignite we announced a major improvement to the way secure external sharing of files and folders works in both OneDrive and SharePoint in Office 365 and we wanted to share what this means for users and IT administrators alike. Based on your feedback, we have focused our updates on two key areas: ensuring intended recipients get access 100% of the time, and continual reverification of identity. 

 

These updates will begin rolling out to First Release tenants on October 9, 2017.  

 

Ensuring intended recipients get access 100% of the time: Identity verification 

Office 365 makes it easy to share files and folders by creating a shareable link. Recipients can click the link and immediately access the file without having to go through any additional process. You can already create links that can be used by anyone, and links that work only for people inside your organization.

Sometimes you need to share with additional security and require that people with the link prove that they are the intended recipients. Office 365 also makes it easy to do this by allowing you to send links that work only for specific people.

 

 ExternalSharing2.gif

 

Now, when sending secure links to recipients outside of your organization, those recipients will be sent an email message with a time-limited, single-use verification code when they open the link. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.

 

2.png

 

Secure links allow external recipients to access files and folders securely without requiring them to create or maintain a Microsoft account. Email-based verification codes are a simple and effective way to provide secure access, familiar to users who access secure internet sites that verify identity by sending a code by email or text message.

 

Continual reverification of identity

Now, IT administrators can specify how often external recipients must get a new code and re-verify their email address. This governance control protects your organization’s files and folders from situations where an external recipient’s employment status changes, or any other situation which can cause them to lose access to their email account.

 

3.png

 

To enable this setting, go to the sharing section in the SharePoint admin center.

IT professionals will recognize that secure links provide access to external recipients using the same standard adopted by many financial institutions: email-based verification codes and reverification periods. This familiar approach is easier to manage and more secure than competing solutions that require an external recipient to create a user account, because such accounts may persist even after the user leaves their current employer and no longer owns that email address, creating a very dangerous security hole.

 

Getting started

These features start rolling out on October 9, 2017, to First Release customers and will roll out to all customers by the end of January 2018.

 

For additional information on the new external sharing experience in OneDrive for Business and SharePoint Online, read the New Sharing Features in First Release help article. 

219 Comments
Microsoft

Hi @hwelvaar,

 

Unfortunately I don't have a good answer for you from our side as we don't really own authentication (and much of our recent work in this area has been to take advantage of the Azure B2B platform which handles all that auth for us!). I'd recommend heading over to the Azure community and seeing if they have more guidance here. Thanks!


Stephen Rice

Senior Program Manager, OneDrive

Steel Contributor

Hi, I'm a little bit confused about the OTP preview.

 

I've activated the OTP preview and configured the SharePoint/Onedrive integration with B2B.

 

Now if, from SharePoint, I share a folder with an external user having a Microsoft account that does not exist in my AAD external accounts, it will send a One-Time Passcode to the user and it will not add the user in my AAD as an external user. So basically this user, having a Microsoft account, will always need to use a One-Time Passcode to access the folder (unless the IT department first invites the external user from AAD).

 

Is this the expected behavior?

 

Thanks!

Microsoft

Hi @Martin-Coupal,

 

That does not sound expected. In order to enable the preview, there is a switch to flip on both the SharePoint side of things as well as on the AAD side. You can see the exact commands at article aka.ms/spo-b2b-integration. Can you confirm you've got both flipped and are still seeing the old behavior? Thanks!


Stephen Rice

Senior Program Manager, OneDrive

Steel Contributor

Hi Stephen,

I did execute the following commands:

Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true

One question: when I execute Get-SPOTenant, I do not see the SyncAadB2BManagementPolicy property. Is this normal?

Microsoft

Hi Martin,

 

Those are the correct commands but you also need to enable this from AAD. You can read more here: https://docs.microsoft.com/en-us/azure/active-directory/b2b/one-time-passcode The instructions are: 

 

To opt in to the Azure AD passcode authentication preview

  1. Sign in to the Azure portal as an Azure AD global administrator.
  2. In the navigation pane, select Azure Active Directory.
  3. Under Manage, select Organizational Relationships.
  4. Select Settings.
  5. Under Enable Email One-Time Passcode for guests (Preview), select Yes.
  6. Click Save.

Hope that helps!

 

Stephen Rice

Steel Contributor

Hi Stephen, this was also done.

Microsoft

Hi @Martin-Coupal,

 

Thanks for confirming! One last thought before we go deeper, do you know when you last updated the SharePoint Online Management Shell? I wonder if you have a version that worked for the first PowerShell property but not the second (which is why it didn't resolve for you). Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

Steel Contributor

Hi @Stephen Rice 

Here are my PowerShell module versions:

 

AzureADPreview : 2.0.2.85

Microsoft.Online.SharePoint.PowerShell 16.0.19814.12000

 

Martin.

Steel Contributor

Hi @Stephen Rice ,

 

I've tried it in another tenant, but same behavior.

 

Here are the steps I'm following:

1) Enable Email One-Time Passcode for guests (Preview) in Azure AD UI

2) Run Set-SPOTenant -EnableAzureADB2BIntegration $true  and Set-SPOTenant -SyncAadB2BManagementPolicy $true

- Note: As I said, I can get the EnableAzureADB2BIntegration value from Get-Tenant to validate it is true, however, I don't know how to get the SyncAadB2BManagementPolicy to validate (Not available from Get-Tenant)

3) Go into an existing SP site where I can invite new or existing users (Site Collection external sharing option)

4) Share a link to an external user with an outlook.com account that does not already exist in the Azure AD tenant that sent the sharing link

5) The link is sent to the user, who is logged in to Outlook.com in the browser. When accessing the link, it requires a validation code that is sent to the user's mailbox. The user enters the code and accesses the shared folder

6) User is not added in Azure AD as a guest user.

 

Anything I'm missing?

 

Thanks,

 

Martin
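As an added example (not from the post or from any commenter), the SharePoint-side steps from this thread as one script that also reads the two tenant properties back. This answers the question above of whether a property missing from Get-SPOTenant comes from the module version rather than from the tenant setting. The admin URL is a placeholder, and the Azure AD portal step from Stephen's reply still has to be done separately.

```powershell
# Added example: enable the SharePoint side of the Azure AD B2B integration and
# confirm that both tenant properties are readable afterwards.
# Assumption: the admin URL below is a placeholder for your own tenant.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL

# Record the module version first; the thread suggests an older module may accept
# the Set-SPOTenant parameter but not expose SyncAadB2BManagementPolicy on read.
$module = Get-Module -ListAvailable -Name Microsoft.Online.SharePoint.PowerShell |
    Sort-Object Version -Descending | Select-Object -First 1
if (-not $module) { throw 'SharePoint Online Management Shell is not installed.' }
Write-Host "SharePoint Online Management Shell version: $($module.Version)"

Connect-SPOService -Url $AdminUrl

# Flip both switches named in the thread.
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true

# Read the tenant back and check each property explicitly instead of eyeballing
# the Get-SPOTenant output: a property that is absent from the object (rather than
# present with value $false) points at the module version, not at the tenant.
$tenant = Get-SPOTenant
foreach ($name in 'EnableAzureADB2BIntegration', 'SyncAadB2BManagementPolicy') {
    $prop = $tenant.PSObject.Properties[$name]
    if ($null -eq $prop) {
        Write-Warning "$name is not exposed by this module version; update the module and re-check."
    } elseif ($prop.Value -eq $true) {
        Write-Host "$name is enabled."
    } else {
        Write-Warning "$name is still false; the Set-SPOTenant call did not take effect."
    }
}
```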

Microsoft

Hi @Martin-Coupal,

 

Nope, I think you're hitting all the right buttons & knobs. We've repro'd this on our side now as well and are investigating. I'll share back when we know more. Thanks!


Stephen Rice

Senior Program Manager, OneDrive

Microsoft

Hi @Martin-Coupal,

 

We identified a bug on our side and have rolled out a fix. Can you give this another try and see if it works as expected? Thanks!


Stephen Rice

Senior Program Manager, OneDrive

Steel Contributor

Hi @Stephen Rice ,

 

I've tested with a Microsoft account and it did work. The only thing I found out is that if the sharing is done with an email alias it will not work. The alias email address is registered in Azure AD when sharing, but when the external user is validated, it will look for the primary email address in Azure AD and not the alias.

 

Otherwise, everything seems ok.

 

Note: I think this was already mentioned, but users without a Microsoft or Google account should have the choice to create an MS account from the validation screen.

 

Thanks for your quick response and fix!

Copper Contributor

Nothing in this article describes how OneDrive actually works.  I cannot share a folder with anyone through an email link. The only way that works is to give someone the password to the entire OneDrive.  That is not what you claim. Is this something that you are going to fix?

Microsoft

Hi @noycorg,

 

Can you explain what type of issue you are having? If you share a file with someone via the share button, you should be able to get a link that allows others to access the content without requiring them to sign-in to your account. You can read more here: https://support.office.com/en-us/article/share-onedrive-files-and-folders-9fcc2f7d-de0c-4cec-93b0-a8...

 

Hope that helps!


Stephen Rice

Senior Program Manager, OneDrive

Copper Contributor

Hello Microsoft

 

I shared a SharePoint folder with an external email address (domains: aol.com and windowslive.com) and selected share with "specific people". 

The external address gets the link, but with a massive delay of almost 10-15 minutes.

 

When opening it, I need to enter a code, but the email with the code wasn't sent. See the error message: Unable to send a code. Wait a few minutes and try again.

 

What's the fix for this error?

Brass Contributor

Hello,

The guest sharing documents are not clear (or I'm not reading the right ones).

Can somebody confirm: is any file shared using a token managed with its own life cycle?

 

If user A shares OD files with one guest account over several days, are all files managed with their own dedicated token?

 

Copper Contributor

Hi Microsoft experts,

 

I'm trying to share a folder with our customer, but after sending the sharing email, there was a message shown to the customer about the organization permission that made the customer a little bit worried. The message is:

(you should only accept if you trust this organization, by accepting you allow the organization to access & process your data to create, control & administer an account according to their policies).

 

So my question: is this message regarding the shared folder only, or all folders?

Copper Contributor

Has there been a change in behavior? When I try sharing a file from OneDrive to anyone with the link, it requires a MS login when using the link. It appears there is no way to share without requiring a login.

Copper Contributor

Are there any Office 365 products that provide two-way secure sharing? Meaning there's a variety of ways for external recipients to receive secure encrypted information but how can I request them to send me secure data with the same application without them being an Office 365 user? Can this be accomplished with One Drive?

Version history
Last update:
‎Jun 25 2020 11:11 AM