Ability to Share with "Anyone" permission change?

Matt Coats · ‎Nov 07 2017

Our organization very recently discovered that the ability to share a document from a library in an external-sharing-enabled site seemingly requires higher permissions than it once did. In debugging this issue, I found that the only permission levels outside of "Full Control" that could share documents with "Anyone" were those that included the "Manage Permissions" and "Enumerate Permissions" privileges, which are considered Site-level permissions; the most any other permission level allows our users to do is share with users that already have access or specific people. This had not always been the case, and as my organization creates many of these links every day, I've only just heard of this from my users today. This is a problem for us in that the only OOTB permission level that includes "Manage Permissions" and "Enumerate Permissions" is Full Control, which we clearly can't start giving out to everyone.

I recognize that it is not outside the realm of possibility that some other Sharing setting could have caused this to occur, but after checking our Sharing settings org-wide, I see no indication that external sharing has been affected, and the fact that "Manage Permissions" and "Enumerate Permissions" do allow us to share as we normally have been make me think that Microsoft might have made a change to who is and who isn't allowed to create anonymous access links. Is anyone else experiencing this, or has anyone else encountered this issue to find that some setting had been changed to create this scenario?

Matt Coats · ‎Nov 07 2017

Make sure someone didn't mess with the Site access requests page. /_layouts/15/user.aspx

Shown here, maybe this got turned off?

Matt Coats · ‎Nov 08 2017

Checked this, was left untouched. This issue isn't site-specific, though--it's org-wide.

Salvatore Biscari · ‎Nov 08 2017

I don't see such behavior: everything here appears to work as usual...

cc @Stephen Rice

Matt Coats · ‎Nov 08 2017

Are these group connected sites or stand alone? I've never been able to share with external users without powershelling the sharing options on a group site even though my tenant is set to allow sharing. Wondering if with this latest rollout they are doing they fixed this? What are your tenant SharePoint sharing settings set to in the OneDrive admin?

Matt Coats · ‎Nov 08 2017

These are Classic site collections, but my issue isn't with inviting external users, it's with creating anonymous access links, as below.

The permissions of this user, SharePoint's OOTB "Edit", once allowed a link for "Anyone" to be created, now it can't.

Matt Coats · ‎Nov 08 2017

Yeah that's odd, it's like sharing links is turned off somewhere, not sure where that actual setting is. It might be tied to the external user option thou, since basically the "People in City" option is also a sharing "Link". Go ahead and screenshot your Sharing page if you can, I'm betting if External sharing is off, then that other option will be off as well.

Matt Coats · ‎Nov 08 2017

Here's my Sharing settings from the SharePoint Admin Center:

Matt Coats · ‎Nov 08 2017

Odd. Is there a chance someone could have powershelled all your sites to a different setting? If you can powershell and do a get-sposite -identity "URL" | fl and see if your Sharing capability got changed?

Stephen Rice · ‎Nov 08 2017

That's very odd. @Matt Coats, can you check to make sure that the Limited Access publishing mode isn't turned on for any of those sites? Thanks!

Stephen Rice

OneDrive Program Manager II

Matt Coats · ‎Nov 08 2017

@Deleted, it's unlikely anyone else would've Powershelled anything in SharePoint, though not impossible; I'm the only SharePoint admin in my organization and I've never used Powershell for administration, but that's not to say one of our global admins could've gotten adventurous. I'm having trouble getting to our SPO tenant through Powershell at the moment (haven't done it before, having authentication trouble), but I'll keep at it.

@Stephen Rice, Limited Access permission-lockdown mode is enabled in all of our sites. I think it always has been, but I'm not sure if that's the same feature you're talking about (if it's not, where would I find it)?

Stephen Rice · ‎Nov 08 2017

@Matt Coats, yes, that is the setting I was referring to. Can you try disabling it on a site and see if that solves the issue you're seeing? Thanks!

Stephen Rice

OneDrive Program Manager Ii

Stephen Rice · ‎Nov 08 2017

Good call Stephen, I don't even know what that setting is, you must have encountered this before :p

Stephen Rice · ‎Nov 08 2017

@Deleted, I'm not 100% sure what it is either to be honest but I've seen it cause this problem far too many times :)

Stephen Rice

OneDrive Program Manager II

Matt Coats · ‎Nov 08 2017

@Stephen Rice, I checked another site that didn't have it on already (never turned it on intentionally, assumed it was default for all of our sites), and same issue, can't create anonymous links unless you have Full Control or Manage/Enumerate Permissions rights.

Matt Coats · ‎Nov 08 2017

oh, so people on the site can share links just not certain users.... I forgot about that part. Yeah ignore the powershell thing from earlier that's not going to make a difference in this case.

Stephen Rice · ‎Nov 08 2017

@Matt Coats,

Thanks for checking. Let me forward this around internally and see what we turn up.

Stephen Rice

Stephen Rice · ‎Nov 08 2017

@Matt Coats,

Can you try this in Classic and see if it still repros? If so, are you able to get a Fiddler trace when you open the sharing dialog by chance? You can e-mail it to me at srice@microsoft.com. Thanks!

Stephen Rice

Matt Coats · ‎Nov 08 2017

@Stephen Rice, great suggestion--I am able to create anonymous access links (and organization links, too) using the Classic experience.

We've used sharing through the Modern experience for quite a while now without issue. Hopefully this is helpful to your team!

Matt Coats · ‎Nov 08 2017

Do you have the new webparts that are being deployed to modern and or flow SharePoint integration pushed to your tenant yet? Wondering if when you get those something got changed there and it's related to that push?

Ability to Share with "Anyone" permission change?

Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Re: Ability to Share with "Anyone" permission change?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Ability to Share with "Anyone" permission change?