Mar 24 2018 08:35 AM - edited Mar 24 2018 08:36 AM
Hello Community,
Cross-posting here from another forum to ensure visibility:
Essentially, it appears that giving guest access to a SharePoint document by way of the Share command gives this guest access to my directory data even though they technically do not have sufficient rights/permissions to Share the document in the first place.
I am wanting to, of course, protect my organization's data as much as possible from external sources. Is there an obvious setting somewhere that turns off the Share functionality if the user does not have access/permission to do so?
Thank you for any assistance you can lend!
Mar 26 2018 01:01 PM
Hi Michael,
If you invite a guest user to a SharePoint site, they should only be able to see other guest users in that site collection. If your guest users are seeing users from outside the site collection, please let me know. Thanks,
Stephen Rice
OneDrive Program Manager II
Mar 26 2018 02:26 PM - edited Mar 26 2018 02:30 PM
Hi Stephen, thank you for your reply. Unfortunately this does appear to be what's happening. These are the steps as best as I can reproduce them:
In my estimation, the external guest user should not see the Share functionality to begin with by default. This should be a feature that is allowed for domain members only (again, by default). At a minimum a guest user should not be able to simply type a few characters within a field and do a poll on my domain membership as that is technically unauthorized activity and they are gaining access to unauthorized data. Additionally, it doesn't take much from there to create an automated bot of some sort to perform the lookups in an automated fashion, essentially pulling my directory contents for whatever uses they like, nefarious or otherwise.
Please let me know if I have something misunderstood, if I am overlooking an obvious setting, and/or if you have any further questions around this.
Thank you,
Michael
Mar 26 2018 03:25 PM
Thanks for elaborating Michael. Let me investigate further with the team and I'll get back to you. Thanks!
Stephen Rice
OneDrive Program Manager II
Mar 26 2018 11:41 PM
Awesome, thank you Stephen. FWIW I have been exploring this a little more as I do believe there is some confusion on my part with Site Collections vs. domains. Additionally, there seems to be different behavior with sharing a document vs. sharing a folder.
Sharing a document works better from a security perspective than sharing a folder. With a document, a guest user can see the parent folder, but when they visit that parent folder they see the document and no other information. Perfect.
Sharing the folder, however, I as an external guest user can see the full membership of that folder in the top right. This again seems like unnecessary (default) information for a guest user. Additionally, the guest user can see all recent activity for a document, but not who did it. That tells me that some effort is made somewhere to conceal identity information (good thing) but now there is at a minimum inconsistent behavior as all members who are in the group are in plain sight anyways (bad thing).
Finally, I did manage to create several new users who were not in the site collection. As a domain member I was able to query them in the Share feature. As a guest I was not. I was able to add the non-site domain user's email but their name did not resolve like site domain users. So, this appears to be working as you have stated.
However, I was also able to query other guest users of both folder and document, which I feel is a concern. If I am invited to view an external document somewhere, it is not my expectation that other guest users can pull my information without my consent and/or awareness. Additionally, being able to query *any* member -- regardless of whether they are domain or guest -- as an external guest is a security concern. Consider that:
Mar 27 2018 12:50 PM
Hi @Michael DeMond,
The model for ODB/SPO is that permissions/discovery occurs at the site collection level. We allow users to see other people in the site to enable easy collaboration. There's certainly a balance here though. Also, the list of people you are seeing in the upper right is actually the membership of the site, not the permission of the folder (I believe at least, depending on which list of faces you are seeing :) ).
If you have any other concerns, feel free to submit a Design Change Request to the team. Thanks!
Stephen Rice
OneDrive Program Manager II
Mar 27 2018 12:58 PM
OK that sounds good Stephen. How does one go about doing that? :)
FWIW, I believe there are two scenarios for collaboration here:
In the first scenario, especially when the document is given edit permissions, I can see providing more information to this registered external guest user. In the 2nd one, however, I think it makes more sense that the user has less access to domain information.
Also, please do not lose sight of having someone's PII given to other members of a document/site without their permission. I think if you did a survey/poll and asked external users of SharePoint/OneDrive sharing if they are OK with this, a good majority would find this surprising. I certainly was because there is no messaging provided that this happens anywhere.
That said, I would like to pursue the design change request. Please let me know what the next step would be for this and I will certainly provide my thoughts.
Thanks again!
Michael
Mar 27 2018 01:36 PM
Actually, there is no difference between the two scenarios you listed (wrt the final outcome)...
In any case, in order to access a tenant's resources, the external user should be present as a guest in the tenant's AAD. You have several ways, both direct and indirect, to add a guest, but you get the same final result.
Mar 27 2018 02:11 PM
Right @Salvatore Biscari there is no difference currently and what I am suggesting is that there should be, as one (the former) is more of a collaborative intent, whereas the other (latter) is more focused on sharing. With collaborative intent, the guest user should have more information (which is known and accepted by all parties). Otherwise, the guest should only be given access to the specific resources and information that they are explicitly provided and no more.
Also, I am in agreement with your statement about tenant resource access, but looking in my AAD, I do not see any guest users that have been added to my directory as a result of the share functionality that we're discussing here.
Also also. :) Having said that, I think there's a distinction between accessing:
THAT said (whew!), there is still the whole issue of accessing PII by external users without explicit permission which I have not heard addressed by anyone just yet. There is nothing that is sent via the invite or authentication code message about this taking place. It would be great to know if I am overlooking an obvious consideration here as it seems very doubtful to me that external users would agree to having their PII available to anyone who has access to any of the documents in the same site collection (which is quite the exposure, IMO).
I think we have to only look at the recent Facebook scandal to know that users are not exactly happy with this sort of activity happening without their consent.
Mar 27 2018 03:33 PM - edited Mar 27 2018 03:35 PM
A couple of thoughts:
Mar 27 2018 10:55 PM
Thank you for your continued dialogue here @Salvatore Biscari. :)
However, when I do go now as an external user, when I click the "i" (or Information), both the "Share" and "Grant Access" features are still readily available to me. In fact, the drop down to perform a query is still displayed but quickly hidden from me. I am actually able to type a few characters before it is hidden.
Why is "Share" (or worse yet Grant Access) even displayed to me as an external if it has been turned off altogether in administrative controls? This seems (and feels) very sloppy and provides users with unnecessary surface area and awareness around the capabilities of my (or rather, YOUR :)) offering.
Thank you again for your assistance @Salvatore Biscari!
Mar 28 2018 01:57 PM
Popping back in here. :)
You can submit Design Change Requests via the Office 365 Admin Center (I believe). I can't guarantee that any specific changes will come of it but it is a good way to suggest improvements on the product. The other thing you can do is submit a request for the OneDrive or SharePoint User Voice. We use votes/popularity of items in those lists to help guide our priorities for features requested by the community.
Can you describe the experience you are seeing when that box is disabled? Does the Share command come up and then disappear after a few seconds?
Going back to your privacy concerns, the model we generally propose is for each site collection to be scoped to the set of external users you want to collaborate with. For companies that have strict privacy requirements around external sharing, we recommend separating them into separate sites. This model has generally resonated well with the customers we've talked to but we're always open to feedback via the channels above (and forums like this). Thanks!
Stephen Rice
OneDrive Program Manager II
Mar 29 2018 12:08 AM
Awesome, thank you @Stephen Rice for that information. Actually, from a design perspective, everything is technically operating as I'd like now, thanks to @Salvatore Biscari taking the time to point me in the direction of the share controls (thanks again Salvatore!).
The only suggestion I have at this point from a design perspective is to make these advanced controls more obvious to administrators so that they can modify them accordingly. I will look into sending a design change request and/or UserVoice to your team for this issue.
From a privacy perspective, however, I still have concerns. I hear what you are saying in regards to your modelling at the site collection and that makes sense, in fact I am in agreement with it. However, the assumption and perspective here is from the site owner and not its external participants.
I cannot stress this enough (until I hear a reply for it from someone :)): the external user never signs a terms of use that says that their PII is available to other quasi-authenticated external users of the same site collection.
Again as a user, if someone from an organization sends me a link to one of their documents, the default expectation is that the organization has access to my PII (that's how they contacted me, after all), but other external users do not (unless provided explicitly).
But the worst part is that at present, external users can still harvest PII using the means above, even if you turn off external sharing as prescribed by Salvatore. Since all the UI is still sent to the client and then later disabled/hidden by script, a nefarious actor can still simply use the browser's development tools to unhide the necessary UI and perform the actions as if they had the proper permissions.
Does this all make sense? Please let me know if you have any questions around this as I still believe this is cause for concern and outside the realms of a design change request. That is, I feel this is more of a security issue and bug. However, if a design change request is required to report a bug and/or security consideration, who am I to argue with your process? :) Please let me know the best way to proceed.
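The point made in the last post, that a Share control hidden by client-side script is not an access control, is easiest to see in code. The following is an added illustration written for this thread; it is not code from SharePoint, OneDrive or any of the posters. The directory entries, site names and the tenant policy field `guestsMayBrowseSitePeople` are constructed assumptions standing in for the real admin controls. It models the behaviour Stephen describes (discovery scoped to the site collection) and the guest restriction Michael wants, decided entirely on the server from the authenticated identity, so nothing the browser renders or un-hides changes the answer.

```javascript
// Added illustration (not SharePoint/OneDrive code): a people-picker
// suggestion endpoint that enforces guest scoping on the server side, so
// hiding or un-hiding the Share UI in the browser changes nothing about
// what a caller can learn about the directory.

// Constructed directory: each entry carries its tenant membership type and
// the site collections it belongs to. Names and sites are made up.
const DIRECTORY = [
  { email: "alice@contoso.example", name: "Alice Adams", type: "member", sites: ["marketing", "finance"] },
  { email: "bob@contoso.example",   name: "Bob Brown",   type: "member", sites: ["marketing"] },
  { email: "carol@contoso.example", name: "Carol Cole",  type: "member", sites: ["finance"] },
  { email: "dave@partner.example",  name: "Dave Diaz",   type: "guest",  sites: ["marketing"] },
  { email: "erin@vendor.example",   name: "Erin Evans",  type: "guest",  sites: ["marketing"] },
];

// Constructed tenant-level policy. The field name is hypothetical; it stands
// in for whatever admin control turns off directory suggestions for guests.
const TENANT_POLICY = { guestsMayBrowseSitePeople: false };

// Authorization decision for one suggestion request. `caller` is the
// authenticated identity taken from the session, never from request fields,
// and no UI state is consulted: the client cannot influence this decision.
function suggestPeople(caller, site, query, policy = TENANT_POLICY) {
  // A caller who is not in the site collection gets nothing, member or guest.
  if (!caller.sites.includes(site)) return [];
  // Guests get no directory suggestions at all when policy says so,
  // regardless of whether the client rendered (or un-hid) the picker.
  if (caller.type === "guest" && !policy.guestsMayBrowseSitePeople) return [];
  const q = query.trim().toLowerCase();
  if (q.length === 0) return [];
  return DIRECTORY
    // Discovery is scoped to the site collection, as the thread describes.
    .filter((u) => u.sites.includes(site))
    .filter((u) => u.name.toLowerCase().startsWith(q) || u.email.toLowerCase().startsWith(q))
    // Return display data only; do not leak membership type or other sites.
    .map((u) => ({ name: u.name, email: u.email }));
}

// Convenience lookup so callers can be picked by address in the examples.
function userByEmail(email) {
  return DIRECTORY.find((u) => u.email === email);
}

// Usage: a member sees site members; a guest sees nothing under the default
// policy even if the picker was un-hidden in the browser.
console.log(suggestPeople(userByEmail("alice@contoso.example"), "marketing", "d"));
console.log(suggestPeople(userByEmail("dave@partner.example"), "marketing", "a"));
```

The filtering order matters: membership in the site collection and the guest policy are checked before the query is even read, so a guest who forces the request through developer tools receives the same empty list as one who never saw the control. Returning only `name` and `email` also keeps the response from confirming who is a guest and who is a tenant member.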