Introducing a new secure external sharing experience
Published Oct 02 2017 11:00 AM 315K Views
Microsoft

At Ignite we announced a major improvement to the way secure external sharing of files and folders works in both OneDrive and SharePoint in Office 365 and we wanted to share what this means for users and IT administrators alike. Based on your feedback, we have focused our updates on two key areas: ensuring intended recipients get access 100% of the time, and continual reverification of identity. 

 

These updates will begin rolling out to First Release tenants on October 9, 2017.  

 

Ensuring intended recipients get access 100% of the time: Identity verification 

Office 365 makes it easy to share files and folders by creating a shareable link. Recipients can click the link and immediately access the file without having to go through any additional process. You can already create links that anyone can use, and links that work only for people inside your organization.

Sometimes you need to share with additional security and require that people with the link prove that they are the intended recipients. Office 365 also makes it easy to do this by allowing you to send links that work only for specific people.

 


 

Now, when sending secure links to recipients outside of your organization, those recipients will be sent an email message with a time-limited, single-use verification code when they open the link. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.

 


 

Secure links allow external recipients to access files and folders securely without requiring them to create or maintain a Microsoft account. Email-based verification codes are a simple and effective way to provide secure access, familiar to users who access secure internet sites that verify identity by sending a code by email or text message.

 

Continual reverification of identity

Now, IT administrators can specify how often external recipients must get a new code and re-verify their email address. This governance control protects your organization’s files and folders from situations where an external recipient’s employment status changes, or any other situation which can cause them to lose access to their email account.

 


 

To enable this setting, go to the sharing section in the SharePoint admin center.

IT professionals will recognize that secure links provide access to external recipients using the same standard adopted by many financial institutions: email-based verification codes and reverification periods. This familiar approach is easier to manage and more secure than competing solutions that require an external recipient to create a user account that may persist even after the user leaves their current employer and no longer owns that email address, creating a very dangerous security hole.
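The two mechanisms described in the preceding sections, a time-limited single-use code mailed to the recipient address and an admin-configured period after which the recipient must verify again, can be modelled in a few lines. The following Python is an added illustration written for this page; it is not Microsoft's implementation and nothing in it reflects how OneDrive or SharePoint store state. The 15-minute code lifetime, 8-digit codes, 5-guess limit and in-memory store are assumptions. It shows the checks a verifier of this kind needs: the code is stored only as a keyed hash, it is bound to the recipient address and the link it was issued for, it expires, it is consumed on first success, and a verified session lapses once the configured number of days has passed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed policy values (not taken from the post): code lifetime, length, guess limit.
CODE_TTL = timedelta(minutes=15)
CODE_DIGITS = 8
MAX_ATTEMPTS = 5


@dataclass
class PendingCode:
    code_hash: bytes       # keyed hash of the code; the clear code is never stored
    expires_at: datetime
    attempts: int = 0


@dataclass
class VerifiedSession:
    email: str
    verified_at: datetime


class SecureLinkVerifier:
    """Issues and checks email verification codes for secure links.

    Pending codes are keyed by (link_id, email) so a code mailed for one link
    cannot be replayed against another. Verified sessions are keyed by email
    alone, matching the observation in the thread that an already-verified
    recipient can open a second secure link without a new code.
    """

    def __init__(self, reauth_days: int, secret: Optional[bytes] = None):
        # reauth_days models the admin setting: how often externals must re-verify.
        self.reauth_days = reauth_days
        self.secret = secret or secrets.token_bytes(32)
        self.pending: Dict[Tuple[str, str], PendingCode] = {}
        self.sessions: Dict[str, VerifiedSession] = {}

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def _digest(self, link_id: str, email: str, code: str) -> bytes:
        msg = f"{link_id}|{email}|{code}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()

    def needs_verification(self, email: str, now: datetime) -> bool:
        """True if there is no verified session, or it is older than reauth_days."""
        session = self.sessions.get(self._norm(email))
        if session is None:
            return True
        return now - session.verified_at >= timedelta(days=self.reauth_days)

    def issue_code(self, link_id: str, email: str, now: datetime) -> str:
        """Create a fresh single-use code. The return value is what the mailer
        would send to `email`; a real service never hands it to the browser."""
        email = self._norm(email)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[(link_id, email)] = PendingCode(
            code_hash=self._digest(link_id, email, code), expires_at=now + CODE_TTL
        )
        return code

    def verify(self, link_id: str, email: str, code: str, now: datetime) -> bool:
        """Check a submitted code; on success consume it and open a session."""
        email = self._norm(email)
        key = (link_id, email)
        pending = self.pending.get(key)
        if pending is None:
            return False                      # nothing issued, or already used/voided
        if now > pending.expires_at:
            del self.pending[key]             # time-limited
            return False
        pending.attempts += 1
        if not hmac.compare_digest(pending.code_hash, self._digest(link_id, email, code)):
            if pending.attempts >= MAX_ATTEMPTS:
                del self.pending[key]         # too many wrong guesses voids the code
            return False
        del self.pending[key]                 # single-use
        self.sessions[email] = VerifiedSession(email=email, verified_at=now)
        return True

    def open_link(self, link_id: str, email: str, now: datetime) -> Tuple[str, Optional[str]]:
        """What happens when the recipient opens the link: direct access, or a
        code is issued (returned here only so the flow can be exercised)."""
        if self.needs_verification(email, now):
            return "code_sent", self.issue_code(link_id, email, now)
        return "access", None


if __name__ == "__main__":
    # Constructed walk-through: one external recipient, 30-day reverification period.
    v = SecureLinkVerifier(reauth_days=30)
    t0 = datetime(2017, 10, 9, tzinfo=timezone.utc)
    state, code = v.open_link("link-42", "partner@example.com", t0)
    print(state, "->", v.verify("link-42", "partner@example.com", code, t0))
    print("day 29:", v.open_link("link-42", "partner@example.com", t0 + timedelta(days=29))[0])
    print("day 30:", v.open_link("link-42", "partner@example.com", t0 + timedelta(days=30))[0])
```

The verifier compares a keyed hash rather than the code itself, so a leaked store does not reveal outstanding codes, and `hmac.compare_digest` avoids timing differences between wrong guesses. The reverification check is deliberately a plain comparison against `verified_at`, which is the property the admin setting described above controls: nothing an external recipient does can extend a session past the configured number of days without receiving a fresh code at the mailbox.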

 

Getting started

These features start rolling out on October 9, 2017, to First Release customers and will roll out to all customers by the end of January 2018.

 

For additional information on the new external sharing experience in OneDrive for Business and SharePoint Online, read the New Sharing Features in First Release help article. 

219 Comments
Copper Contributor

I am no longer receiving my emailed validation code to access secured files. The first time I accessed the link I received my code but ever since I have not despite me asking for the website to resend the code. The email listed is correct. Any ideas on a fix?

Deleted
Not applicable

I know this is an older post, but we already have this functionality active for OneDrive, but not SharePoint Online. What happens to legacy external shares once this transition takes place? We have thousands of legacy external shares in our tenant. 

Microsoft

Hi @Deleted,

 

This functionality should be available for both OneDrive and SharePoint Online. The new functionality will only occur for new guest users (i.e. e-mail addresses that have not previously been shared with). If the guest user already exists in your directory, they will continue to see non-passcode based sharing. Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Steel Contributor

External users are reporting that their links are malfunctioning after a short period of time. Weeks in most cases but sometimes days. Below is a screenshot of the error that happens, and my external sharing. This has been reported by multiple users over the past few weeks. Any suggestions? I am loath to engage support on this matter...

 

[screenshots: error.PNG, sharing.PNG]

 

 

Microsoft

Hi @Robert Woods,

 

Are the users reporting these problems using the new OTP links or are they legacy guest users (i.e. permissioned directly to the document)? Thanks!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

I am having the EXACT same issue as Robert Woods. Please help as we are unable to collaborate using Office 365 and OneDrive! These are all new invites to external users who are not recognized in our system using the newer interface.

Steel Contributor

@Stephen Rice

 

New OTP links. When I look at the individual permissions on the document it states to manage the permissions by controlling the link.

Screenshots below. I have also created an anonymous link to currently get around this.

 

[screenshot: permissions.PNG]

Microsoft

Thanks @Robert Woods,

 

Can you and @Alexa Von Mohr send me mail at srice@microsoft.com so we can troubleshoot in more depth. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Microsoft

@Jeroen Lammens,

 

If the guest user already exists in your directory, this is the behavior you would expect to see. I suspect that you're right and the issue is that the user's account just hasn't been synced out at the site collection level. If you give it a little more time, does the sharing end up working as expected? Thanks,

 

Stephen Rice

OneDrive Program Manager II

Deleted
Not applicable

We have a user X who has shared externally with ExtUser1 for 2 years now (ExtUser1 exists as a guest user in our directory).

User X now shares files with ExtUser2 (doesn't exist in the directory) and now the experience is the one with a code.

 

We have multiple users like these on the tenant, how do we go about educating the users that some of your external partners will now get a Code and some need to use the Microsoft account?

 

 

 

Steel Contributor

Loving it @Stephen Rose

Microsoft

Hi @Deleted,

 

You can tell your users that the partners they have been working with for the past few years will continue to have the same experience (i.e. no changes). New partners will get the one time passcode flow (and will be guided through the process). Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

Hello, 

I received such a link twice from an important Canadian company (once in January 2018 and yesterday). On both occasions, I never received the verification code by email. On both occasions, I asked Microsoft twice to send the code again (that's a total of six requests), but never got an email with a verification code. Of course I also checked the Spam folder.

 

I use Office 365 on Windows 10, and I have a Microsoft login. The email address shown in the email I received is the good one (of course, otherwise I wouldn't have received the email).

 

Recipients get access 100% of the time? Failed

Copper Contributor

I'm probably missing something but, I don't understand how this is supposed to work long term for a user.  If we share out a folder with a new external test user, that user received the link which brings them to the page which prompts them to get an email code.  They enter the email code and at this screen have a "remember me" option.  

 

I did not check the remember me and proceeded to log in as the external test user.  If I bookmarked the page, closed my browser, and reopened and went to the link - it prompted me with a Microsoft login.  That's extremely confusing for an end user as they will probably attempt to create one...which won't even work.  

 

I'm guessing if you do check the remember me option, it cookies their browser and will keep them "signed in" which is also confusing when the user sees themselves logged in in the upper right corner even though they don't have an account.  So, if they clear their browser cache or just never bookmarked the page, they always have to refer back to that original email and get a new verification code?  

 

This solution seems great for a short term / one time sharing solution but not for users we will be collaborating with for a year.  

Microsoft

Jim,

 

You're correct. Secure external sharing is a short-term solution. Usually for one-time share. If you were to work with someone for a year, I would recommend giving them a guest account for your collaboration activities.

Copper Contributor

Stephen,

That's my confusion.  Wasn't this the way it previously functioned?  When you shared with an external account before, it had them create a Microsoft account and added them as a guest account?

 

So now, they have to click Share, then the 3 dots, manage access, Grant Access tab, and then invite the user if they want to give them more permanent access with a guest account? 

 

I think having both these sharing options is fine, but the way it's presented for our users doing the sharing is confusing.  When you highlight a folder and Click the share action / button, it appears as if the only way you can share now is via this new secure external sharing method.  

Microsoft

Hi @Jim Kacerguis,

 

We introduced secure external sharing to make external sharing of files and folders easier to use (by not requiring the creation of Microsoft accounts). For longer term sharing, we recommend doing what you described above (granting access) or adding the user to an O365 Group (or sharing a site) which also causes account creation to occur. These flows are more complicated but do make later access easier.

 

We want to make sure secure external sharing works for longer term cases as well and there is on-going work to make this better. Thanks,

 

Stephen Rice

OneDrive Program Manager II

Steel Contributor

More reports from end users today saying links they have shared with people are bringing them to a page that says the user can't be found in the Tenant-my.sharepoint.com directory. We will try to fix this automatically, please try again later. Are you guys close to fixing this? @Stephen Rose

Copper Contributor

On the new sharing method, If your users are getting: 

That didn't work

We're sorry, but customeremail@customerdomain.com can't be found in the mycompany.sharepoint.com directory. Please try again later, while we try to automatically fix this for you.

Here are a few ideas:

Tell them to clear their web browser's history completely or open an incognito mode browser tab and paste the link in. What is usually happening is that the customer company uses Office 365 also, and is logged in via that browser with a username and password. That won't work on the new sharing method since they don't exist like that (username/password account) in your O365 environment.

Steel Contributor

thanks @Rudi Schmitz I will tell the end user to have their client give that a try.

Microsoft

@Robert Woods, we will continue looking into this. Please let us know if incognito fixes the issue. Also, are the users who are seeing this also members of the site itself that is being shared? Thanks!

 

Stephen Rice

OneDrive Program Manager II

Steel Contributor

@Stephen Rice They are not members of the site collection. They are using the new OTP links. By the time my help desk rep got ahold of the external user the issue had resolved itself so we could not test the incognito mode.

Microsoft

Thanks for confirming @Robert Woods. If this happens again, please let me know!

 

Stephen Rice

OneDrive Program Manager II

@Stephen Rose, a few questions if you don't mind. First of all, what is the rollout status of the feature? I tried sharing a few files with users that are not represented in any way in my tenant; from what I can see the "secure" link is generated correctly. However, no mail was received by the other party, and it has been hours. I tried copy/pasting the link, which seems to work fine and takes me to the "verify your identity" screen, where it accepts the correct email address. However, when it comes to generating the one-time code, it errors out with "Unable to send a code. Wait a few minutes and try again."

 

In contrast, good old guest links work immediately, email is received and access is possible in just a few seconds. So is the rollout 100% complete, or is there some current issue with the feature? My tenant is on FR btw.

 

Next, can you please clarify whether files shared in this manner are discoverable via the "ViewableByExternalUsers" content search query, as detailed here. It might be just a matter of me being impatient, but, or related to the above issue, but I'm not seeing any entries that correspond to "securely" shared files. So can you please confirm whether they should be included? And if not, surely this should be addressed? "Secure" or not, organizations out there will want a way to be able to generate some list/report with any and all externally shared content, regardless of method.

Microsoft

Hi @Vasil Michev,

 

Yes, this feature is fully rolled out to Production now. Can you confirm that the mails haven't gone to spam or landed in Clutter? For the second case, can you private message me with a Fiddler trace? These mails use the same mechanism as the old guest mails so it's odd that you'd see issues in one but not the other.

 

As for the "ViewableByExternalUser" property, yes, this property will continue to work. Like the old invitation platform though, the property won't be updated until the link is clicked on (or the invitation is clicked). Thanks,

 

Stephen Rice

OneDrive Program Manager II

Nope, nothing in Clutter/Junk. And I've tried it on a few different email addresses.  It seems like it was a temporary issue, as I opened the direct link now, got prompted to verify the email and the one-time code was immediately sent. I still haven't received the original email though...

 

Anyway, thanks for confirming the ViewableByExternalUser behavior, that's good to know :)

Microsoft

@Vasil Michev,

 

Glad to hear you were able to get access. I'll ping the team and see if we saw any issues with e-mails recently.

 

Thanks!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

 @Jeroen Lammens

 

Did you get a resolution to your issue? I am seeing the exact same thing. Generated share link to a *gmail.com address and it worked as expected. Added another link to an external user at a business address and it also added them as a separate user....

 

[screenshot: SharePoint.jpg]

Microsoft

@Mike Johnson,

 

If the user that you are sharing to already has an account in your organization's directory, we will perform the second flow (permissioning the user directly to the item). If they do not have an account, we go through the new secure external sharing flow. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

 @Stephen Rice

 

The person is not in our org directory so how would they have gone through the second flow? When the external user clicked on the shared document link in the email, rather than arriving at the page to get a code (as expected), they were taken to our org's O365 login page, which of course they can't authenticate to with not having an email address from our org... If you want to take this offline for more details or specific email addresses and accounts, please let me know.

Microsoft

Hi @Mike Johnson,

 

Please shoot me a private message so we can debug further. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Brass Contributor

@Mike Johnson @Stephen Rice

 

I couldn't tell if the account was added to the Guests in Azure AD before or after the share. So I ran this scenario again on a "clean" tenant without any existing guest users. In my tests, it worked as Stephen described (yay). I tried this with gmail, outlook, company accounts and all got the link for non-guests and direct access for guests (even if they never responded to the invitation to AAD). 

 

What was interesting is that new guest users appear in the people picker very quickly but when I deleted a guest user from AAD and then tried to use the new sharing link method with this deleted user account, I actually get this error. 

[screenshot: abc.png]

 

The user account is still visible in the hidden user list but is flagged as deleted in the SharePoint user profile service.

 

Please keep this thread updated if you encounter interesting findings. 

Copper Contributor

Hi

Can anyone expand on the methods by which a user can initiate sharing such that the old "MS account required" sharing method is used?

Assume we just want to share a document but such that the external person can use full word - not word online.

Here are the methods that have been mentioned.

 

1.  Share a site.  Works but a) maybe you did not want to share the entire site and b) the external then has access to see who else is on the site, share it themselves etc.  I made a simple site specifically for the purpose but don't want anyone invited this way to gain access to see others.  Currently with this method all externals would be able to "send to all".

2. Use the "Grant Access" method.  From my testing this does not work on single documents - the new pin verification method is used.

3. Add the external to an O365 group.  Doesn't that have the same issue as method 1?

 

Thanks

 

Copper Contributor

@Julian Orange, my organization hires external consultants to write and review highly secure files. I've not found a method that works 100% of the time but here is my method. 

I create a SP group for each external user and give the SP group Restricted Read access at the site and library level.  I create a folder for each individual user. I stop inheriting at the folder level and remove all groups except the newly created group. I then change the SP group permission to Contribute. I then click on the group name to go inside of the group and change the permissions level to Contribute. From within that group is where I send the invite to the external user. If the external user is new to our organization, prior to sending the invite, I send a personal email with instructions on how to register their email address with Microsoft. The link they receive takes them to the Site level so in the personal message of the invite I tell them which library to click on to navigate to their personal folder. 

This method is not 100% without error and it's not just one error message, I think I've seen five different messages. I've not been able to determine what is going on with the external user that causes these errors and they usually happen after the user has successfully accessed a site and then come back later.

I've used the new link sharing method for individual documents but the link seems to expire without notice - so there's that too.

Microsoft

@Julian Orange,

 

There are three main ways to get the full account-backed guest user today.

 

1) Share a site with the user (they will receive a SharePoint Online invitation)

2) Add the user to a group (they will receive an Azure B2B invitation)

3) Directly add the user to your directory (this only works for admins and the user will receive an Azure B2B invitation)

 

Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Brass Contributor

Is there a projected date on when the EDIT IN APPLICATION (WORD, EXCEL, PPT) will be turned back on for external users who have Office subscriptions? Only editing in the online version affects the companies that use track changes in WORD with external users. I understand track changes are visibly turned on in the online version, but the user who is editing the document online cannot review the prior changes, etc... This loss of functionality is hurting the adoption of collaboration for those that constantly use track changes for their business process...

 

As a workaround, we share a SharePoint site, which uses the authentication method of a Microsoft account, so they appear in AAD. Once their account has authenticated, the user will no longer experience issues with editing documents in the application on their desktop. I am hoping this issue can get resolved quickly so admins do not have to keep doing these workarounds to allow a user to edit in the application.

Copper Contributor

Hi @Stephen Rice ,

 

Wonder if you can help me.  I've tried sharing a link to a test user outside my org.  They received the sharing link but not the code to make it secure.  Does it need to be enabled in the admin center first?

 

Thanks,

 

Microsoft

@Alex Fernandez de Jauregui, this is absolutely something we are working on enabling but we don't have a date to offer just yet.

 

@andy laszlo, did the recipient receive the screen telling them that the code was being sent? There is no admin center switch, it should just work. The recipient should check their "Clutter" or "spam" folders as well.

 

Thanks!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

Hi @Stephen Rice

Thanks for getting back so quickly.

 

Apologies, it looks like it is working now!  I received the initial sharing email but I was expecting an email with the access code immediately.  I've gone through the full process this morning and can see that a second email is sent when you confirm the recipient email address.

 

Works a treat now - thanks.

A

Microsoft

@andy laszlo, glad to hear it!

 

Stephen Rice

Copper Contributor

@Stephen Rice

Is it possible to see to which external users the document has been sent? I shared a doc to my own gmail address (without Microsoft account).

But I cannot see it back in my SPO environment. Our customer is interested in this functionality but also wants to see to which external users documents have been sent.

 

Is there already a change planned for setting an expiry date on the link? (just like in anonymous access?)

Copper Contributor

I can report that general users and external users are still very confused by this.  Workload to IT support is very high on this.

My preferred solution would be an option to turn off the new method at the tenant level.

 

I've done some testing today and paste the results here.  They are quite raw but may be helpful to some.  Several of the items I cover have already been mentioned previously.  The results speak for themselves.  Identifying what files are shared with who has been made very inconsistent due to the new method.  

 

Background:  Many of our external collaborators are Office 365 users themselves. 

 

Definitions:

Verification/Pin (unregistered) method is the new share experience.

Classic method is the old sharing experience that requires an MS account and registers user as a guest in our O365/SharePoint directory

 

Facts (as tested today)

 

☹ Verification/Pin shares do not allow the external user to use full Word 

 

 

Verification/PIN shares do show as "Shared" in the OneDrive "Sharing" Column.

I take this to be due to "Verification/Pin sharing honours ViewablebyExternalUser property" (Reported by Microsoft).

 

General Users can see details of all internal and guest users in the Azure Portal.  So there is a method to check if a user is registered.  You can tell the difference between "invited" and "connected" by clicking on the user.

https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/All%20users

All MYORG internal users can use that Azure portal to Invite Externals to register

  • Known as Azure AD B2B invitations
  • Complicated interface for our users
  • Emails that go out differ from SharePoint/OneDrive ones (more differences to document).
  • Good portal for IT Support at least.
  • MYORG can (and should) customize the privacy section of the email.

 

Alternatively we can invite users to register by sharing our purpose built "dummy" site.  (Some issues with privacy here).

 

☹ When performing a standard file share the MYORG user can't tell if the external user is already registered in the directory.  (Entering a registered or a non-registered email address gives the same screen view.)

 

Info Panel | Manage Access, When sharing a file using this method you can distinguish between registered and non-registered.

How?  Type the email address of the external, if it autocompletes before you type a dot in the domain then it is already registered.  If you type the full address the name completes even if it is not registered.  This becomes another method for a user to know if the external is registered (a bit too subtle to be a great solution).

 

Info Panel | Manage Access… When sharing a file using this method the new Verification/Pin method is sent if the external user was unregistered.  (ie this is not a way to force classic method).

 

Info Panel does display unregistered Verification/PIN external user activity in "Recent Activity"

 

Info Panel | "Has Access" user icon area does show verification/pin (unregistered) shares when you hover over the icons.  If there are more than 6 icons you can't hover over the 7th.

 

☹ Info Panel | "Manage Access" does not show verification/pin shares ever (even after the external edits the file).  

 

☹ Info Panel | Manage Access | Advanced does not show verification/pin shares ever (even after the external edits the file).  

 

“Modified By” column does show edits by unregistered externals.

 

☹ "Shared With" and "Shared with Details" columns never show a verification/pin (unregistered) share even after edit.

 

😊 A second file sent with new verification/pin method requires no verification if a verified session is already active (on another document)

 

A verification/pin shared document is still accessible from the same email link if the external user becomes registered later.  The verification process is not activated; instead the user can "Sign in for immediate access" (ie the same link allows the system to recognize the user is registered and therefore to behave differently).

If the user in this case was not already signed in to their own MS or O365 account they would be prompted to do so.

Re-sharing a file after registering the external user works fine as expected. (It activates the same process to authenticate via the external's MS account.)

 

If an external user is already signed into their own O365 and receives a verification/pin process (because they are not registered in our O365) they cannot access the file.

Workaround:

  1. Paste link into private /incognito browse tab
  2. Get MYORG to register the external user in our O365 directory (methods described above).

Description of a specific case for a successful Classic mode share process

  • We register the external user first using Azure AD B2B invitations
  • External user has not acted on the Azure B2B invitation
  • External user already logged into their own O365
  • External user receives email for the file shared from SharePoint (using any share screen)
  • External user clicks the link in the email
  • External user sees screen to review the connect to MYORG (due to the B2B invitation)
  • Once accepted the shared file is instantly viewable browser
  • The details of the external user are instantly visible in all "sharing" views as we would want. :)

Microsoft

@Jeroen Rijt, van, are you talking about seeing pending external users (i.e. users who have been shared to but haven't clicked yet) or something else?

 

@Julian Orange, thanks for passing this along. I'll make sure the rest of our team sees it as well! Overall, we've definitely heard feedback that while the new external sharing feature has improved many areas of the product, there is still plenty of work to do. At a very high level, our goal is to marry the ease of management that is present in the legacy experience with the ease of use & collaboration in the new experience. At SharePoint Conference 2018, we announced the first step in that journey: When you share to a user who is also using O365, once they've used the verification code to prove their identity, we'll convert the user into a full AAD guest user (and they will use their full credentials to access in the future). Keep an eye on Message Center for more details :)

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

Hello All

 

I tried to read through the entire thread, but I am not able to find out why my issue exists. If possible, could you please help me understand, and what are my options?

For most cases, this functionality works very well and allows the external users to access. However, I have a group of external users that is not able to use this.

 

When they click the invitation link I sent them, their web browser takes them to Microsoft "enter account and password" instead of the requesting verification code page.  

 

Thank you,

Copper Contributor

Is there any way to share in this manner using CSOM Microsoft.SharePoint.Client?  I'm trying to automate a sharing process that will share documents in this manner but I can't seem to find the methods I need that will share it this way.  Also even when I share through the UI I can't seem to find it on the ListItem object through "SharingLinks".

Deleted
Not applicable

@Stephen Rice

 

Hi. I like the new feature with verification codes. Is there any way of combining this with the time limitation you can set on an anonymous share? Say I want to share a document with user1@emaildomain.com for 1 week, without them being able to share the link to other external users.

Microsoft

Hi @Deleted,

 

There is no way to do this today but it's definitely something the team is thinking about. We don't have anything specific to share at this time though. Thanks!

 

Stephen Rice

Program Manager II

Microsoft

Hi @kevin.m.butcher,

 

There is not a great way to do this via the SharePoint CSOM APIs. Instead, we recommend using the REST or VROOM endpoints. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Brass Contributor

Hello 

Has the secure external sharing been released to all tenants? We still don't see this in our production tenant. Guest users are not challenged with a one time secure code. As an admin, do we need to turn on anything? As far as I know there are no settings to enable/disable this. I can see external securing in my dev tenant but not in my corp prod tenant.

 

Thanks

 

 

Microsoft

Hi @kiran bellala,

 

Yes this is now fully rolled out to all production tenants. Please note that only new guests (i.e. users you have not shared with previously) will go through this one time passcode experience. If the user is already listed in your directory, they will continue to use their sign in for authentication. Thanks!

 

Stephen Rice

Version history
Last update:
‎Jun 25 2020 11:11 AM