This is what it looks like to create an access link. In this blog I will explain which settings affect what options are available on these link creation pages. SharePoint is all about collaboration and sharing, and in the SharePoint Online cloud, giving access to resources is a bit different from the traditional method of giving a user or group access to something. In SharePoint Online, access is primarily controlled via Access Links, which can be shared with other users.
I would also like to point out something that may or may not be common sense: the stricter you are with Access Links, the harder it will be for your end-users to collaborate with others, and the more likely it will be that they use an alternative method to share what they want to share anyway. There are certainly diminishing returns when it comes to strict security, especially in a platform that’s designed to make sharing easy.
The other important thing to understand about Access Links which will be the main focus of this blog is how to control what types of links your users have access to. I will start with the settings at the highest level (O365 admin center) and cover how they translate to the links available at the actual site or OneDrive level.
SharePoint Sharing settings in the O365 admin center
From within the O365 admin center, Microsoft provides a super high-level way of setting organization-wide settings for all of your SharePoint Online sites.
These settings aren’t granular at all, but can make it easier for admins to control the downstream permission options for the rest of their SharePoint tenant.
Navigate to the O365 admin center -> Settings blade -> Org settings -> Scroll to the SharePoint option and you will see the options available.
As you can see, these are very limited options but the idea is that this gives organizations an easy way to restrict or allow external interaction with their entire SharePoint Online tenant in one place. It is important to note that allowing ‘Anyone’ at this level does not automatically push that to all of your sites – it simply allows your SharePoint admins to choose to allow anonymous sharing on their sites.
If you click where it says ‘Manage additional settings’ in the screenshot above you will be brought to my next topic in the blog which is the top-level SharePoint Online/OneDrive settings.
These settings will determine what level of external access is available for your SharePoint site owners/SharePoint admins. For example, if you navigate to the resources blade of the O365 admin center and click on a site and click Edit under the Sharing Status section you are brought to an External Sharing options panel.
These settings directly control the settings available to your end-users when they try to create an access link to a resource in SharePoint Online. There are a plethora of other settings related to these later on in this blog but these top-level settings are what decides what high-level external access is available to a site.
Additional SharePoint Admin Center Settings for Access Links
From within the O365 SharePoint admin center, you can also easily set the restriction level of access links across your SharePoint Sites and OneDrives. Navigate to the Policies blade and expand it to expose the Sharing option. You will see a number of settings, starting with a simple slider to adjust access link sharing restrictions.
Similar to the settings in the O365 admin center, these settings set the bar for Access Link permissions enforced on all your sites and OneDrives. In keeping with what I mentioned in the beginning, I recommend keeping your site security settings less strict at this level in order to allow collaboration in areas where it is necessary.
As you can see from figure 1 there are 4 primary permission levels associated with access links in SharePoint which range from Anyone to only people in your organization.
- Anyone
  - Allowing links to be shared with Anyone may be a bit too open for most organizations, but that’s not to say it isn’t useful. For documents that you want to make easily accessible to external entities, the Anyone access level allows for the creation of Anonymous Access Links, which do not require authentication to access. These are good for advertising and marketing locations.
  - One thing you may want to keep track of is who has access both to locations where anonymous access is allowed and to locations where it is not. In this scenario, there is a data exfiltration path for those users to move sensitive information to sites that allow anonymous access, where they can then create anonymous links to sensitive data.
  - Overall, these links can be very useful, but you should keep a close eye on where they are being created and what they are giving access to. A report like the Anonymous Access Link report from Stealthbits, for example, helps to understand these links, where they exist, and what they point towards.
- New and existing guests
  - This level is a good moderate option which gives you the flexibility to invite new external users as well as retain external access to locations where they already existed.
  - Best for site collections which have external collaborators, especially if you’re in the process of migrating to a newer version of SharePoint.
- Existing guests
  - This permission level is a good option if you are currently collaborating externally and are migrating to SharePoint Online but want to also limit external collaboration in the future.
- Only people in your organization
  - As stated in its name, this permission level does not allow any new or existing external access to the site or OneDrive.
Further down the same page, there are some additional external sharing specific settings you can configure at this level to provide a little more granularity.
At this level, you can also control the access link permissions for Files and Folders specifically (see Figure 3). This is nice because maybe you want to allow external access for some files but can’t find a reason to ever allow that for folders. This is a pretty quick and easy way to enforce that across your entire SharePoint Online/OneDrive tenant.
You can also choose what options are available for Anyone links specifically, from requiring an expiration date to choosing whether these links to files or folders can be viewed or edited.
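As an added example (not from the original post, Microsoft, or Stealthbits), the following read-only PowerShell audit reports the tenant-level slider value and the Anyone-link options described above, then lists the sites and OneDrives where Anyone links are enabled. It assumes the SharePoint Online Management Shell module is installed and that you hold a SharePoint admin role; the admin URL is a placeholder.

```powershell
# Added example: read-only audit of the sharing levels discussed in this post.
# Assumption: placeholder admin URL, replace with your own tenant's.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
Connect-SPOService -Url $AdminUrl

# Map SharingCapability values to the slider labels shown in the admin center.
$SliderLabel = @{
    ExternalUserAndGuestSharing     = 'Anyone'
    ExternalUserSharingOnly         = 'New and existing guests'
    ExistingExternalUserSharingOnly = 'Existing guests'
    Disabled                        = 'Only people in your organization'
}

# 1. Tenant-wide ceiling and the options that apply to Anyone links.
$tenant = Get-SPOTenant
[pscustomobject]@{
    TenantSharing        = $SliderLabel["$($tenant.SharingCapability)"]
    AnyoneLinkExpiryDays = $tenant.RequireAnonymousLinksExpireInDays
    AnyoneFileLinks      = $tenant.FileAnonymousLinkType
    AnyoneFolderLinks    = $tenant.FolderAnonymousLinkType
    DefaultLinkType      = $tenant.DefaultSharingLinkType
} | Format-List

# Flag the riskiest combination: Anyone links allowed with no forced expiration.
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
    $tenant.RequireAnonymousLinksExpireInDays -le 0) {
    Write-Warning 'Anyone links are allowed tenant-wide with no required expiration.'
}

# 2. Per-site settings, including OneDrives (personal sites).
$sites = Get-SPOSite -Limit All -IncludePersonalSite $true

# Summary: how many sites sit at each sharing level.
$sites | Group-Object SharingCapability |
    Select-Object @{ n = 'Level'; e = { $SliderLabel[$_.Name] } }, Count |
    Format-Table -AutoSize

# Detail: every site where anonymous (Anyone) links can be created.
$sites |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Sort-Object Url |
    Select-Object Url, Template, SharingCapability |
    Format-Table -AutoSize
```

The script changes nothing; the second table is the list of locations to review against where sensitive data lives.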
In the next and final section, I will go one level lower and show you the effect these settings have on the types of links you can create in a given site or OneDrive.
SharePoint Site Level Shared Link Settings – Site Owner’s Perspective
At this level, the options available should be restricted to only what you think is reasonable for your site owners to make decisions on. Again, your site owners can still make their sites more restrictive depending on the nature of the site’s content, but allowing some discretion for your owners can go a long way in benefitting your end-user experience and overall security.
From a given SharePoint site, select Settings and choose ‘Change how members can share’ to reveal sharing settings which can restrict who is allowed to share (create access links to) files, folders, or the site.
This helps narrow down who can share what on the site pretty easily. To show you what this looks like when trying to share a file, here are the options available:
You’ll notice that the Anyone with the link option is greyed out despite me allowing that at the tenant level. That is because that still requires a SharePoint admin to go into the SharePoint admin center and specifically enable Anonymous Sharing for the site in order for that to be an option.
Again, all of these settings can be controlled at the levels I mentioned above.
Don’t be afraid of access links. Understand how they work and set up a permission structure that works for your organization. Disallowing external access really limits your end users’ ability to use the software and they will figure out ways to share things externally if they need to. Allow them to collaborate but configure rules which keep your data safe from external users and invest in security tools like StealthAUDIT for SharePoint to reinforce that posture.
Chris studied Information Systems at Hofstra University before joining Stealthbits where he took on the role of the Technical Product Manager of SharePoint, Dropbox, and Box solution sets. His focus is primarily on SharePoint security, but data security, in general, is a passion. Aside from technical interests, he enjoys the outdoors and hopes to one day start an animal rescue and rehabilitation center for injured, disabled, and orphaned animals.