Allow creation of guest links for specific users only

Brass Contributor

Hi,

 

How can I allow the use of guest link only for specific users in an organization?

 

thx

16 Replies

AFAIK you can't.

Salvatore is correct...you can only configure the link type at the tenant level what means this is a global feature

I would expand on that. The setting does have to be set at the global level yes, but then its also set at the individual site collections (Sharepoint site collections, meaning I can have the global setting on, while having other site collections disabled).

Also I believe each users OneDrive is its own site collection, even though somehow the settings for User's guest links, is one setting for all users's OneDrive??
I hope this feature becomese available soon, to where we can control guest links for only specific users, not all users or no users...
thx

If we are talking about ODFB here, it should indeed be possible as you can now control the sharing options per SC. However, the "allow guests" setting is "less restrictive", and the per-SC permissions can only be "more restrictive". Thus you take to do it the other way around - configure ExternalUserAndGuestSharing at the Global level and then switch Guest sharing off for everyone apart the user(s) you want to be able to use this.

 

That's assuming you only want to give them permissions to share files in their own ODFB.

Hi Vasil.

Interesting perspective, as usual!

I have tested it and it appears to work.

A couple of questions:

  1. As a GA I have indeed been able to set by PS the sharing capability of an user ODFB SC. I was surprised about this... Shouldn't I be an SCA?
  2. The user, being the SCA of his/her ODFB SC, should in theory be able to change again the sharing capability setting. But how, provided that he/she can't login in PS as a GA?

I don't particularly like this solution, as I am having to then remember to turn off guest-sharing for each new person that is created, which can be easy to forget. But I suppose it is a method it could work, since a regular user would not be able to connect to PowerShell to turn it back on, unless there is another way for that to happen, because as Salvatore points out, a user would be a SCA of his/her own ODFB SC.

@Salvatore Biscari I dont think PowerShell respects the SCA settings, the GA/SPO Admin permissions you need to run PowerShell superseed those I guess. @jcgonzalezmartin is the authority on SharePoint, he might be able to give more insight 🙂

 

As for the owner being able to revert them, in theory this is indeed the case, if he is able to access the relevant settings. Pretty much the same issue we had with the owner of the ODFB site being able to remove IRM protection.

@VasilMichev


@VasilMichev wrote:

As for the owner being able to revert them, in theory this is indeed the case, if he is able to access the relevant settings.

I think so too, in theory.

But how can an user access, in practice, the sharing capability setting of his/her ODFB SC?

cc @jcgonzalezmartin

Ey guys,

Sorry for being late at the party...basically as you have already said, end user is not going to be able to configure (and he/she shouldn't even knowing he/she is the owner of his/her site collection) the sharing setting for ODFB...this capabilitie should remain on the GA / SPO Admin

Thank you Juan.

But let us suppose the user is you ( i.e. a super expert, but nevertheless a simple user, not a GA / SPO admin).

My question is : will you be able to change the sharing capability setting of your ODFB SC ?

If yes, how?

Well, as a regular user you won't be able to use SPO cmdlets because they will require you to be at least a SPO Admin... but as a regular user and site collection owner of your OneDrive, you will be able to use Client Side Object Model (CSOM) against your OneDrive...so to answer your question I would have to dig into what CSOM allows to do in regards of sharing capability at the site collection level. If you review this post from a year ago, http://sadomovalex.blogspot.com.es/2015/10/set-sharing-capabilities-of-sharepoint.html, you could change sharing capability using CSOM, but since you need a tenant object you won't be able to do it since you are a simple site collection owner...but, as I said, a deeper dive into CSOM it's required to fully answer to your question

I'll try to summarize:

  1. A GA / SPO admin can change the sharing capability setting of every ODFB SC using PowerShell, despite the fact that he/she is not an SCA for that SC.
  2. Conversely, a normal user cannot change the sharing capability setting of his/her own ODFB SC using PowerShell, despite the fact that he/she is an SCA for that SC (because he/she is not a GA / SPO admin). Also, he/she cannot use an UI for that purpose, because it doesn't exist. Maybe (not sure), if really a great expert, he/she could use CSOM...

Wow!

Thanks. 😉

That's a good summary 🙂

Hi all,

 

 

As you may know, we have a feature coming out soon that will allow admins to specify which security groups are allowed to share externally. This feature will restrict only those users in the specified SG's from sharing both externally and anonymous (if enabled). Now, that doesn't sound like it would be useful in this case, but we also have some work planned to separate out the "anonymous" and "authenticated external" setting.

 

This would mean you could set something like:

  • Security group A and B can share with authenticated external users
  • Only security Group B can share via anonymous links

Would that satisfy your requirement? Also, usual disclaimer: This is all still under design and nothing is committed or planned just yet. So stay tuned 🙂

 

Stephen Rice

OneDrive Program Manager II

 

 

 

 

 

 

@StephenRice That is exactly what we are looking for. Has this been implemented yet? If not, what timeline are might we expect?

 

Thanks

Hi @Johann Hough,

 

Yes, this feature is now available. You can find it in the SharePoint Admin Center on the sharing tab. Thanks!

 

Stephen Rice

OneDrive Program Manager II