I’ve got a special topic for you today: there’s one little security issue I’ve recently discovered with external sharing in SharePoint Online. Microsoft says it’s by design. Unfortunately, it can lead to a situation where your users share a sensitive document with the wrong person. Let’s have a look at it in detail.
External sharing in SharePoint Online is one of the features that is hard to build with SharePoint Server. Your users can share documents with people who are not members of your organization. There are a couple of scenarios available in that case:
Now, the key to our problem is the word “invitation” in the second option.
Let’s imagine I have a file that I want to share with Adam Smith, who is not our employee. I send him a link to the document. Adam gets an email that looks like a standard notification, but it isn’t. This is interesting, since we haven’t granted any permissions yet. When Adam clicks “Open Document,” he has to choose which account type he wants to use. Only then is his external account added to our Office 365 tenant and permissions are set in SharePoint.
So far it works fine, but what happens if Adam doesn’t click the “Open Document” link and instead forwards the message to Emma?
Yep. You’ve got it. Now the truly interesting stuff happens. Emma gets the message and clicks “Open Document.” She has to choose the account type, and then she can edit the document.
As the owner of the document, I immediately get a notification that Emma opened the document shared with Adam. I can revoke the permissions, which is quite nice and easy. Unfortunately, the BAD thing has already happened. Just take a look at what’s going on when I want to share another document with Adam. We now have quite an intriguing user in SharePoint whose name is Emma but who has Adam’s email.
According to Microsoft, it works as it should; I confirmed this with Office 365 Support. The user’s profile now exists in SharePoint with the following parameters:
Having such a profile has a number of consequences. A normal user probably won’t notice it and will send an invitation to Emma. But the invitation will arrive not in Emma’s mailbox but in Adam’s! For me, this is a huge security issue: a user can share sensitive information with the wrong person by mistake.
You may ask, “What should I do?” There are a couple of options, but the most popular one among our customers is simply to disable the external sharing feature.
The second one (recommended by the Support team) is to require that the account accepting an invitation matches the account the invitation was sent to, so a forwarded invitation can no longer be used by someone else. You can do this by setting the following parameter using SharePoint Online PowerShell:
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
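To go a step further, here is an added example (my own script, not part of the original post) that checks and enforces this setting and then looks for external users who accepted an invitation from an account other than the one invited, which is exactly the “Emma with Adam’s email” profile described above. It assumes the SharePoint Online Management Shell is installed, that you are a SharePoint administrator, that the admin URL placeholder is replaced with your tenant’s, and that Get-SPOExternalUser exposes an AcceptedAs property alongside Email, as in recent module versions.

```powershell
# Added example, not the original post's code. Placeholder: replace <tenant>.
$adminUrl = "https://<tenant>-admin.sharepoint.com"
Connect-SPOService -Url $adminUrl

# 1. Enforce the setting the post recommends if it is not already on.
$tenant = Get-SPOTenant
if (-not $tenant.RequireAcceptingAccountMatchInvitedAccount) {
    Write-Warning "Forwarded invitations can currently be accepted by any account."
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
}

# 2. Audit existing external users. If the address the invitation was sent to
#    (Email) differs from the account that actually accepted it (AcceptedAs,
#    assumed property), the invitation was most likely forwarded.
$suspects = @()
$position = 0
$pageSize = 50
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize $pageSize)
    foreach ($u in $page) {
        if ($u.AcceptedAs -and ($u.AcceptedAs -ne $u.Email)) {
            $suspects += [pscustomobject]@{
                DisplayName  = $u.DisplayName
                InvitedEmail = $u.Email
                AcceptedAs   = $u.AcceptedAs
                WhenCreated  = $u.WhenCreated
            }
        }
    }
    $position += $pageSize
} while ($page.Count -eq $pageSize)

if ($suspects.Count -eq 0) {
    Write-Host "No external users accepted an invitation under a different account."
} else {
    # Review these with the document owners; Remove-SPOExternalUser revokes them.
    $suspects | Format-Table -AutoSize
}
```

The setting only affects invitations accepted after it is enabled, which is why the audit of already-accepted external users is worth running once alongside it.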
After this is set, anyone who receives a forwarded invitation and tries to open the document will get the following message instead:
So, to wrap things up, I’d say External Sharing in SharePoint Online is a powerful feature that gives your employees easy ways to collaborate with external users. However, in some scenarios it can lead to bizarre and insecure situations. Fortunately, it’s possible to change the configuration so that your people can work securely with others.