Comparing attachments to sharing guest links

For a number of years I have avoided the use of attachments where possible, and those who know me are aware that sending me an email with an attachment will usually get a reply along the lines of “could you not share this? Let me introduce you to OneDrive for Business… again”.

Sometimes however it does make sense to send an attachment, especially where the document didn’t originate from you or in the case where you actually don’t care to keep the file.

The focus of this blog post is to compare sending attachments to external recipients, vs. sharing guest links from SharePoint Online or OneDrive for Business (or Office 365 Groups).

I often give the example of a new sales person I was recruiting with the assistance of an external consulting firm. We had completed all rounds of interviews and were ready to hire. I sent around the letter of offer and employment agreement to two of my colleagues to check. One came back and said everything was ok. So instead of sending the document as an attachment in PDF I chose to share the file as a guest link from our SharePoint Online site with View Only access. I then left the office for a lunch meeting, leaving my computer at the office. While waiting at the tram stop I got an email from the other colleague informing me that I’d used the wrong word.

Instead of having to go back to the office, make the change, and then email an updated PDF – I simply opened the document on my phone, edited it, and then closed the app. Because I’d shared a guest link to the file I didn’t have to email anybody anything, or even inform them!

The challenge of sharing guest links is that you have virtually no control of what happens to the content after you send out the link, so you cannot see who is accessing it and who else it has been shared with.

The same can be argued of email attachments. To simplify the comparison, I’ve put together the following table outlining the pros and cons of the two methods of sharing content with external people.

Pros of emailing attachments
  • Simple, easy to do
  • Any attachment type
  • Can apply Data Loss Prevention policies and Exchange transport rules to monitor for restricted content and audit or apply actions
Pros of sharing guest links
  • Simple, easy to do
  • Any attachment type
  • Can specify expiration of link (e.g. valid for xx days)
  • Can stop sharing at any time
  • Email stays to a few kilobytes when including URL instead of file
Cons
  • Can delay email being sent in the case of large attachment or bandwidth limitations
  • Cannot recall once email has left the organisation
  • Cannot stop document from being shared with others
  • No visibility into who is opening the link

While it is possible to also disable guest links and allow only name-based sharing with external parties (e.g. where the external person must have an Office 365 or Microsoft account in order to access it), the purpose of this blog post was to compare the concept of blind sharing of files as is done via email attachments and sharing guest links.
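The tenant-level settings behind the options mentioned above (link expiry, view-only guest links, or name-based sharing only), shown as an added example that is not part of the original post. It uses the SharePoint Online Management Shell; the admin URL is a placeholder and the 14-day expiry is an assumed value.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint Online administrator account.
# 'https://contoso-admin.sharepoint.com' is a placeholder tenant admin URL.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Review the current tenant-wide external sharing posture before changing it.
Get-SPOTenant | Select-Object SharingCapability,
    RequireAnonymousLinksExpireInDays,
    DefaultSharingLinkType,
    FileAnonymousLinkType,
    FolderAnonymousLinkType

# 2. Option A: keep guest (anonymous) links, but constrain them.
#    - links expire after 14 days (assumed value, pick what suits your policy)
#    - guest links to files and folders are view-only
#    - the sharing dialog defaults to "specific people" rather than a guest link
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
    -RequireAnonymousLinksExpireInDays 14 `
    -FileAnonymousLinkType View `
    -FolderAnonymousLinkType View `
    -DefaultSharingLinkType Direct

# 3. Option B: disable guest links and allow name-based sharing only.
#    External recipients must then sign in before they can open the content.
#    Uncomment to apply instead of Option A.
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 4. List the sites that still permit guest links, to check the result.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, SharingCapability
```

A site can be set more restrictively than the tenant but never more permissively, so Option B at tenant level removes guest links everywhere.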

Microsoft provides a good support page that outlines the different ways sites & files can be shared with people outside of your organisation.

To those organisations who choose not to enable sharing guest links because of fear of data leakage: unless you have set up DLP rules or implemented Azure Information Protection, it is a moot point, as the data is unprotected regardless of transmission medium, and users will find a way to get the content to the other person one way or another.

Ideally organisations should approach sharing & security together – you shouldn’t have one without the other. Often organisations choose the security by obscurity route of “if I don’t give it to my users then it won’t happen”. Shadow IT has already proven that wrong (thank you Dropbox!), and so it is important that organisations promote new ways of working and provide their staff with the ability to simply and quickly share content with external parties – while making sure security is adhered to without requiring user intervention.