Sharing End User Controls
Sharing can be done by almost all clients. Supported clients include the following:
- Mobile app
- Web client
- Desktop sync client
- Outlook client
- Teams web, desktop, and mobile app
Outlook sharing is particularly interesting because it allows users to attach files to email messages as cloud attachments, thus automatically sharing those files out of their OneDrive personal storage. End users can even configure the permissions that recipients have for these files, as shown in Figure 7.13:

Figure 7.13 – Managing attachment permissions in Outlook
In addition, owners or users with the appropriate permissions can review and even revoke permissions that have been assigned to others at any time through the SharePoint or OneDrive user interface by performing the following steps:
- Select the file.
- Click on Details.
- Choose Manage access.
An example of managing permissions is shown in Figure 7.14:

Figure 7.14 – OneDrive permissions management
If you click Stop sharing, the link to the document becomes invalid for external users. External users, as discussed previously, are users who are outside the boundary of the tenant.
Sharing Admin Controls
As an administrator, you can govern how sharing will be configured for the organization under the following categories:
- Anyone: Users can create links to files that can be shared with others without requiring any type of authentication.
- New and existing external users: Users can invite existing external users as well as new external users who aren’t enrolled in their organization directory.
- Existing external users: Users can only invite external users who have already accepted an invitation.
- Only users in your organization: Users can invite internal users only. This means files can’t be shared with external users.
OneDrive, SharePoint site administrators, and Teams owners can invite internal and external users (if the overall tenant settings are configured to allow it). However, if needed, organizations can leverage a Guest inviter role, granting non-administrators the ability to invite guests.
Note
Organizations can also restrict which domains users can share with. By defining allow or block lists, administrators can allow or prohibit sharing with specific domains.
While many settings can be configured globally, exceptions can still be made for groups of individuals. Sharing controls can be modified to give different levels of permissiveness between SharePoint (which also governs Teams) and OneDrive, though the OneDrive setting may never be more permissive than the overall SharePoint setting.
Sharing controls are managed in the SharePoint admin center under Policies > Sharing, as shown in Figure 7.15:

Figure 7.15 – SharePoint and OneDrive sharing different levels of controls
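The same settings can also be audited from PowerShell. The following is an added example, not part of the original text: it checks objects shaped like the output of the SharePoint Online Management Shell cmdlets Get-SPOTenant and Get-SPOSite against the sharing levels and the OneDrive rule described above. The function name Test-SharingPolicy, the ceiling value, and the contoso sample data are assumptions constructed for illustration.

```powershell
# Added example. Levels ordered least to most permissive; labels are the
# admin center names used in this section.
$Rank  = 'Disabled', 'ExistingExternalUserSharingOnly',
         'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing'
$Label = @{
    Disabled                        = 'Only users in your organization'
    ExistingExternalUserSharingOnly = 'Existing external users'
    ExternalUserSharingOnly         = 'New and existing external users'
    ExternalUserAndGuestSharing     = 'Anyone'
}

function Test-SharingPolicy {   # hypothetical helper, not a Microsoft cmdlet
    param(
        [Parameter(Mandatory)] $Tenant,   # shaped like Get-SPOTenant output
        [Parameter(Mandatory)] $Sites,    # shaped like Get-SPOSite output
        [string] $Ceiling = 'ExternalUserSharingOnly'   # assumed org maximum
    )
    $max = [array]::IndexOf($Rank, $Ceiling)
    $sp  = [array]::IndexOf($Rank, [string]$Tenant.SharingCapability)
    $od  = [array]::IndexOf($Rank, [string]$Tenant.OneDriveSharingCapability)
    $report = { param($scope, $issue) [pscustomobject]@{ Scope = $scope; Issue = $issue } }

    if ($sp -gt $max) { & $report 'Tenant (SharePoint)' "Level '$($Label[$Rank[$sp]])' exceeds ceiling" }
    if ($od -gt $max) { & $report 'Tenant (OneDrive)' "Level '$($Label[$Rank[$od]])' exceeds ceiling" }
    if ($od -gt $sp)  { & $report 'Tenant (OneDrive)' 'More permissive than SharePoint' }
    if ([string]$Tenant.SharingDomainRestrictionMode -eq 'None' -and $sp -gt 0) {
        & $report 'Tenant' 'External sharing is on with no domain allow or block list'
    }
    foreach ($s in $Sites) {
        $lvl = [array]::IndexOf($Rank, [string]$s.SharingCapability)
        if ($lvl -gt $max) { & $report $s.Url "Level '$($Label[$Rank[$lvl]])' exceeds ceiling" }
    }
}

# Constructed sample data so the check runs offline. For live data, connect
# with Connect-SPOService, then use: $tenant = Get-SPOTenant
#                                    $sites  = Get-SPOSite -Limit All
$tenant = [pscustomobject]@{
    SharingCapability            = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability    = 'ExternalUserSharingOnly'
    SharingDomainRestrictionMode = 'None'
}
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';  SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExternalUserAndGuestSharing' }
)
Test-SharingPolicy -Tenant $tenant -Sites $sites | Format-Table -AutoSize
```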
Several best practices can be utilized to protect an organization while allowing guests to collaborate with it. Among them are the following:
- Defining group and team classifications (such as Internal Only, Confidential, and so on) and limiting which groups are eligible for guest access
- Defining authentication requirements for guests, such as MFA
- Forcing guests to accept terms of use
- Frequently reviewing guest access to ensure that only allowed users are guests (such as with access reviews)
- Defining client access requirements for guests
- Frequently reviewing activities in the audit log search
Security, compliance, and governance conversations should include a proposed strategy for guest access.
Note
You can gather more information on configuring guest access for Microsoft Teams at https://learn.microsoft.com/en-us/microsoftteams/guest-access.