Sep 25 2019 07:55 AM
Sep 25 2019 07:55 AM
We've had a few cases of users reporting that they can see documents that they shouldn't see via the "Discover" section of Outlook mobile, OneDrive and Delve. In investigating these cases, it appears that "organization" scoped sharing links were created for the files or folders in which the files reside. I'm trying to determine the consequences of creating such a link for a file or folder (ie: should they show up to folks via "discover" and is there any way to control that?).
Let's say a user selects a file or folder in a SharePoint Library and clicks the Share button. They click the audience selector and choose "People in <tenant> with the link", leave the "Allow editing" box checked and proceed to specify one or more people to whom the link will be sent.
Obviously, those people that were specified will get the email with the link. Because of how the link is scoped, everyone in the tenant technically has edit permissions to the file/folder, but they don't have the link. In this sense, it was my understanding that these links were like "unlisted" videos on YouTube. That is, without the link to get to that video, people can't find it; it doesn't show up in search results, isn't indexed by Google, etc.
However, the reports of documents showing up in discover seems to indicate that something (MS Graph?) is actively displaying the files to users who have not specifically been sent the link. I understand this is really a "security by obscurity" thing and that those users technically do have permissions to the files via that link. Although, this last part brings up another interesting point.
Being all too familiar with SharePoint permissions, I always reach for the "Check Permissions" tool (in Advanced Permissions) to determine what access a specific user has to a file, folder, item or site. The problem is that that tool does not factor in those "sharing" links. Specifically, when I did "Check permissions" on the document the user was accessing, the result was "None". So, in my experience, user does not have permission to view the file. Except they do, via that sharing link. So, the Check permissions tool either needs to be update to account for sharing links, or we need another method of enumerating actual user permissions to the object. Maybe there is such a tool in the O365 admin center?
Sep 30 2019 09:59 AM
Your initial impression is correct. While the link does work for anyone in the organization, it doesn't actually grant access to any user until they have either been sent the link (e.g. the send link option in the share dialog) or they click on it. If you create a link but don't send it to anyone, no one should be able to find it in Discover or Shared With Me. Hope that helps!
Senior Program Manager, OneDrive
Sep 30 2019 11:10 AM - edited Sep 30 2019 01:30 PM
Thanks, @Stephen Rice, that does help a bit. I'm still puzzled by the "Discover" feature, though. It seems like it would be useful in a smaller and more peer-based organization, where it's easier to keep the "sensitive documents" under tighter control. However, in an academic environment with ~40,000 users, about ~5,000 of which (faculty and staff) have their own definition of "sensitive", it seems like it's a big problem just waiting to happen.
There's no clear documentation (that I've found, anyway) as to what shows up in Discover and how. It's all based on MS/Office Graph, but what does that really mean in practical terms. In this particular example, let's say that org-scoped sharing link was created and sent to one employee. That employee happens to be in regular correspondence with a particular student. The employee gets the email and opens the document. Does Graph see the situation and say (in simplified terms, obviously): "that student is conversing with that employee and that employee just opened a file that the student also has access to via that link...let's show that to the student since they may want to see it, too!"
To clarify, I'm taking the student at their word when they say "I found the document in the Discover section of the Outlook app" and trying to figure out how it ended up appearing there. I have not seen proof that the student saw it there, but I do have a record (from the audit log) that they accessed the file, so it's reasonable to assume they're being honest. What we don't seem to have is a way to determine to whom that org-scoped link was sent (except to ask the person who sent it). So, there are a few gaps in the audit trail, which makes it hard to know exactly what happened.
Sep 30 2019 02:27 PM
@Chad_V_KealeyI have this issue all the time with Delve and customers not liking that it highlights content that users may not necessarily know they have access to, and in some cases shouldn't have access.
However, Delve is completely permission based, if a user does not have permission to the file they 100% will not see it. This is the basis that SharePoint is built on so we can be assured that this works.
For organisational wide links you can see which users have accessed the file by looking at the unique permissions on that file, whilst the link is created users do not have permissions to that file until they access the link and at that point they are added into the unique permissions on the file.
Sep 30 2019 02:34 PM
Hi @Chad_V_Kealey ,
As for your specific use case, in order for the student to have found the document in Discover, someone must have sent it to them (either via e-mail or some other client and then they clicked on it). Unfortunately, if you don't see an audit even for someone sending it to them directly, then it must have happened outside of where we (the service) can track it.
Another possibility is that the file is on a site that is accessible by the student (a site shared with the entire organization maybe?) and that could also cause things to show up there. Hope that helps,
Senior Program Manager, OneDrive