Disable all sharing

Brass Contributor

Hi all,

 Has anyone been successful in disabling all sharing for OD4B? The goal is to drive users into other collaborative tools such as SPO or Groups for shared content. I'm wondering if there is a rights configuration that allows a user to manage their content but not share it internally or externally.

 

TIA.

20 Replies

You can now control sharing on per-site (collection) level so you can disable it completely for ODFB or for some users only. There's a global switch for this under https://admin.onedrive.com/?v=SharingSettings

 

Lots of other controls are available as well.

But be also aware that you cannot configure who can share on per site collection basis

@Vasil Michev

Is it actually possible to disable sharing at site collection level also internally, as asked by @Guy Yardeni?

I was under the impression that only sharing with external users could be disabled...

Internal should also be possible via the corresponding Site settings (access requests and invitations). @Juan Carlos González Martín is the expert on SPO, he should be able to correct me if that's not the case :)

For other members yes, but not for ODfB where the user is the SCA, correct?

I am afraid the there is no solution to @Guy Yardeni's interesting problem...

@Juan Carlos González Martín, do you have a solution?

AFAIK, there is not a setting in SharePoint that allows to "disable" the Share button for both SharePoint and OneDrive so the Sharing options is going to be visible there ...the only thing you could do is just "hide" the share option using some JavaScript / CSSS that it's going to work well for SPO classic sites and not for modern sites (we will be able to do it with App Customizers in the SPFx)

Thanks for the collaboration all.

 

Sounds like there isn't a native control or a way to combine user permissions to prevent internal sharing.

 

From my testing, clearing 'Allow members to share the site and individual files and folders.' under 'Access Requests Settings' doesn't prevent me from sharing.

 

Disappointing answer but appreciate everyone's contribution.

Haven't had time to test a possible solution but this is an interesting problem...
As the onedrive is essentially a SharePoint site.. if you can make a permission level that has everything selected but the "Change Permissions" option, then remove the user from the SCA group and add them to a new sp group using that non-change permissions option. Theoretically they should be able to use their onedrive for themselves but not let in anyone else. Of course...not sure how this would help when a user can just email a copy of the file to someone or other method of file transfer..but it would make it more of pain than sharing which the system is setup to do so easily...if above is possible. You can CSOM script that out and run it on all onedrives. My apologies in advance if this idea isn't feasible..just saw this post and it got me thinking. Hope it helps!

Hi Dennis.

We have already discussed in the past the option to remove the ODfB user from the SCA list.

Unfortunately, it looks like this option has several contraindications and hence is not feasible.

I have never tried it by myself, but @Juan Carlos González Martín could explain more...

Yeap, while it's true you can potentially change default security model in ODFB, I don't recommend it since you simply could break the way ODFB is designed to share information in a secure way....just my 2 cents
Good point...seems there is always unexpectedly bad fallout with work around ideas in 365. Has anyone posted this request to UserVoice yet? I'd vote on it...that would be very handy for an admin to be able to turn off sharing for certain or all users onedrives. Not every business wants the easy exfil possibility for staff personal drive space even though it is logged!
I just went back up to the top and re-read your post Guy...if your goal (which I share in a big way) is to drive users to shared storage (I just had to take ODFB content for a staff person that retired that had shared out stuff to their local staff(when they have a SP site!) and upload it to their SP site)...I am also looking for an "admin solution" to that as well...though I know the real answer is user-training. A highlight being "365 Sharing Explained: where to share?" trick is getting staff to read it!

User training and education is a vital component of any deployment but it can't be the only answer, especially if Microsoft OD4B to be seen as having governance advantages over the competition. The lack of full controls over sharing and per-user activation of the tool create a big gap over some competing solutions and over file shares which is the mechanism most organizations use today.

 

I've added my vote to this topic on UserVoice: https://office365.uservoice.com/forums/264636-general/suggestions/7950375-onedrive-for-business-admi.... Hopefully this will get some attention.

 

 

@Guy Yardeni - Would it work to:
1. Set ODfB Sharing to "Only people in your organization"

2. Set advanced settings to "Allow or block sharing with people on specific domains"

3. Select "Type of Restriction - Block these domains"

4. List the internal domain and then "Save"

 

@DaveCodes Adding the internal domain to the restricted domains list does not prevent sharing. This features only applies to guest accounts.

Hi folks,

 

Adding my 2 cents in here :) There is no way today to disable internal sharing in OneDrive (short of the permission approach discussed above which has many many negative side effects). Disabling the "Members Can Share" settings will still allow the owner of the OneDrive to share content but will prevent other users from sharing their content. 

 

As a principle, we consider the ability to share files and folders to be a core experience of OneDrive and while we can and do build restrictions via integration with things like DLP, we don't have any plan to let you just turn it off via a switch. To my knowledge, no other major cloud storage platform supports this capability (though do feel free to let me know if that has changed or I've missed something!). We have seen in the past that shutting down the ability to share doesn't prevent content from actually being shared, it just shunts it into other mediums (such as attachments) or shadow IT orgs (where the restrictions haven't been put in place). I usually point folks to education & guidance (as mentioned above) combined with using things like the compliance center to help monitor & correct bad behavior as needed.

 

If that's still not sufficient, the best thing to do is what you've already done which is to create the UserVoice post and gather support to help demonstrate the value of building such a feature in the product.  

 

Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

J.Shishir8@gmail.com
I've read about why Microsoft doesn't allow this on principle. However, I think there are use cases that they are not considering. We are migrating from Google Workspace and rather than migrate all security, communication, and documents at once. We are focusing on a staged approach.

Starting with building the security infrastructure in Azure, such as app authentication and device management. Then migrating over comm and file management. In this case we want to prevent people from using OneDrive, Outlook, and Calendar. It would be highly valuable to have these switches until we are able to migrate that data and train users on how to use new tools.

Microsoft, February 2020:
"the best thing to do is (...) to create the UserVoice post and gather support"

Microsoft, roughly one year later:
"Note: We will be moving away from UserVoice feedback sites on a product-by-product basis throughout the 2021 calendar year. We will leverage 1st party solutions for customer feedback."

 

--> UserVoice post and all support gathered so far: Gone.


Nice one.