Nov 07 2017 02:57 PM
Our organization very recently discovered that the ability to share a document from a library in an external-sharing-enabled site seemingly requires higher permissions than it once did. In debugging this issue, I found that the only permission levels outside of "Full Control" that could share documents with "Anyone" were those that included the "Manage Permissions" and "Enumerate Permissions" privileges, which are considered Site-level permissions; the most any other permission level allows our users to do is share with users that already have access or specific people. This had not always been the case, and as my organization creates many of these links every day, I've only just heard of this from my users today. This is a problem for us in that the only OOTB permission level that includes "Manage Permissions" and "Enumerate Permissions" is Full Control, which we clearly can't start giving out to everyone.
I recognize that it is not outside the realm of possibility that some other Sharing setting could have caused this to occur, but after checking our Sharing settings org-wide, I see no indication that external sharing has been affected, and the fact that "Manage Permissions" and "Enumerate Permissions" do allow us to share as we normally have been make me think that Microsoft might have made a change to who is and who isn't allowed to create anonymous access links. Is anyone else experiencing this, or has anyone else encountered this issue to find that some setting had been changed to create this scenario?
Nov 07 2017 03:19 PM
Make sure someone didn't mess with the Site access requests page. /_layouts/15/user.aspx
Shown here, maybe this got turned off?
Nov 08 2017 05:52 AM
Checked this, was left untouched. This issue isn't site-specific, though--it's org-wide.
Nov 08 2017 06:17 AM
I don't see such behavior: everything here appears to work as usual...
Nov 08 2017 07:56 AM
Nov 08 2017 09:16 AM
These are Classic site collections, but my issue isn't with inviting external users, it's with creating anonymous access links, as below.
Nov 08 2017 09:44 AM
Yeah that's odd, it's like sharing links is turned off somewhere, not sure where that actual setting is. It might be tied to the external user option thou, since basically the "People in City" option is also a sharing "Link". Go ahead and screenshot your Sharing page if you can, I'm betting if External sharing is off, then that other option will be off as well.
Nov 08 2017 09:45 AM
Here's my Sharing settings from the SharePoint Admin Center:
Nov 08 2017 09:57 AM
Odd. Is there a chance someone could have powershelled all your sites to a different setting? If you can powershell and do a get-sposite -identity "URL" | fl and see if your Sharing capability got changed?
Nov 08 2017 10:07 AM
That's very odd. @Matt Coats, can you check to make sure that the Limited Access publishing mode isn't turned on for any of those sites? Thanks!
Stephen Rice
OneDrive Program Manager II
Nov 08 2017 10:38 AM
@Deleted, it's unlikely anyone else would've Powershelled anything in SharePoint, though not impossible; I'm the only SharePoint admin in my organization and I've never used Powershell for administration, but that's not to say one of our global admins could've gotten adventurous. I'm having trouble getting to our SPO tenant through Powershell at the moment (haven't done it before, having authentication trouble), but I'll keep at it.
@Stephen Rice, Limited Access permission-lockdown mode is enabled in all of our sites. I think it always has been, but I'm not sure if that's the same feature you're talking about (if it's not, where would I find it)?
Nov 08 2017 10:41 AM
@Matt Coats, yes, that is the setting I was referring to. Can you try disabling it on a site and see if that solves the issue you're seeing? Thanks!
Stephen Rice
OneDrive Program Manager Ii
Nov 08 2017 10:42 AM
Nov 08 2017 10:44 AM
@Deleted, I'm not 100% sure what it is either to be honest but I've seen it cause this problem far too many times :)
Stephen Rice
OneDrive Program Manager II
Nov 08 2017 10:53 AM
@Stephen Rice, I checked another site that didn't have it on already (never turned it on intentionally, assumed it was default for all of our sites), and same issue, can't create anonymous links unless you have Full Control or Manage/Enumerate Permissions rights.
Nov 08 2017 10:54 AM
Nov 08 2017 10:56 AM
Thanks for checking. Let me forward this around internally and see what we turn up.
Stephen Rice
Nov 08 2017 11:20 AM
Can you try this in Classic and see if it still repros? If so, are you able to get a Fiddler trace when you open the sharing dialog by chance? You can e-mail it to me at srice@microsoft.com. Thanks!
Stephen Rice
Nov 08 2017 11:41 AM
@Stephen Rice, great suggestion--I am able to create anonymous access links (and organization links, too) using the Classic experience.
We've used sharing through the Modern experience for quite a while now without issue. Hopefully this is helpful to your team!
Nov 08 2017 11:57 AM