Yes, this is another post where I go on an unhinged rant about something I’ve been seeing for too long. There are so many things I see out there that I think this is going to become a series.
If you work in an organisation that allows external sharing, you can stop reading here (although stay tuned for future posts as I’m sure I’ll find something wrong with your approach to something else).
I help a lot of organisations built out Microsoft 365 governance frameworks. No, not Teams governance. Not SharePoint governance. Whole of Microsoft 365 governance. We look under every rock and find the things that people don’t know about or don’t want to see.
Every so often I come across an organisation that doesn’t want to allow their staff to share externally. When pressed as to why the response will be something around their legislative or privacy requirements, or because they are in industry X they need to comply with Y. More often than not I’ve previously dealt with an identical organisation in the same field (i.e. government, financial services, education, etc.) who has no issue with external sharing – so why can they do it but you can’t?
Wrong approach: we’ve disabled external sharing from SharePoint and OneDrive
The issue I see with this view is that people often talk about external sharing in Microsoft 365 as if it only applies to SharePoint Online and OneDrive.
External sharing exists in a number of workloads where data can be captured and stored such as: Sway, Forms, Outlook calendar, Power BI, Bookings. While the data stored in these is not the same as a file share, there can still be small snippets of privacy or information that is enough to cause an issue – because all it takes is just one little thread to be pulled…
Wrong approach: we’ve disabled external sharing from every service in Microsoft 365
Well, even with sharing from SharePoint and OneDrive disabled, you can use Power Automate so that every time a file is deposited in location X a workflow takes a copy and puts it in an external service.
Don’t believe me? Have a look at this template, provided by Microsoft themselves:
Wrong approach: we’ll just bury our head in the sand
Easy you say – you’ll just turn those app, services and features off; problem solved.
Well, aren’t you just a party pooper. What a dull, windowless existence your staff must lead, being prevented from sharing content externally.
Here’s the thing: if you stop people from doing something they really want to do – they’ll find a way around it.
Turn off external file sharing? They’ll use Dropbox, Box, Google Drive, etc.
Disable Forms? They’ll use SurveyMonkey.
Disable Bookings? They’ll use Calendly.
Anything you disable in Microsoft 365 has an equal (and sometimes better) equivalent service. And I’m fairly sure when they log into that external service it’s with an account that isn’t connected to your Azure Active Directory – so now you have no knowledge, no visibility, and no control over it. And if they do log in using their Azure AD account… well, that’s equally as concerning because now that third-party service has access to your directory, staff details, perhaps the users mailbox and OneDrive, every SharePoint site they use, etc.
Wrong approach: we’ll block external services at the firewall
Really? Every single service out there?
Also, who sits behind a firewall these days, especially in this COVID era of working from home?
And anyway, they can always just send the files as an email attachment, copy them onto a USB stick, Bluetooth transfer them to another device, beam them to another computer across WiFi, etc.
Wrong approach: we’ll block attachments, disable USB storage devices, and disable a bunch of other methods
At this point I need to ask – should you even be in the cloud, and especially in a multi-tenant environment? No, you shouldn’t.
You should be sitting in a dark room with multiple locks on the door, a jammed shut window, writing things on paper, storing them in a filing cabinet with lock and key, only letting people in if they know the secret handshake, and burning documents when you’ve finished with them.
I mean come on, what’s the point of even being digital and using a collaborative platform like Microsoft 365 if you’re going to do everything in your power to stop people collaborating with external people. Because not everyone exists in your bubble. There are people outside of it, people your staff need to interact with, share information with, and work together on common files.
Better approach: choose where can be shared externally
Yes, that’s right, in Microsoft 365 you can choose which site you want to be able to share externally. You can set the allowed sharing level for SharePoint and OneDrive to be all the up to anyone (which means anonymous links), and choose what level each site should be able to share to.
Figure 2: Tenant-level sharing settings
Figure 3: Site-level sharing settings
Better approach: choose who can share externally
Use group membership to define who can share externally, if you don’t want everyone in the organisation to have full access.
This can work separate to, or in conjunction with site-level sharing.
Figure 4: Group-level sharing settings
Better approach: chose what can be shared externally
Another layer that can be added, or used standalone, is to control who can access the content – regardless of sharing permissions or location.
Using sensitivity labels we can apply permissions based on content, location, group membership, domain, and others.
This allows us to have a scenario where files can be shared externally by anyone, but only people who are members of a specific group can even open those files. This works well with sharing files externally as we can enforce terms like “valid for 30 days” or “commercial in confidence” by actually expiring or withdrawing access to files.
Figure 5: Group-based access to files
This scenario is different from site permissions, because this allows us to have internally sensitive files sitting in a SharePoint site that a group of people can access but only a subset of people can access those specific files. So a user can share them, but the file can’t be opened if the person isn’t a member of the specific group.
Additionally, organisations can look to utilise Data Loss Prevention (DLP) to stop the person from sharing something that shouldn’t be shared (as it may be a legitimate accident).
Figure 6: DLP policy being applied to content shared externally with sensitive words
Better approach: review the audit log and set alerts
The audit log in Microsoft 365 captures almost everything. You open an email – it’s logged. You open a file – it’s logged.
More importantly, you share a file – it’s most definitely logged.
Because of this we can set up alerts to notify administrators or compliance officers when something is being shared that shouldn’t be.
Figure 7: Activity alert policy on external file sharing
But what about anything that’s not SharePoint or OneDrive?
Different apps and services in Microsoft 365 have different levels of controls. For Sway and Forms for example, the setting is tenant-wide.
For Power Automate it is possible to create DLP policies that block connection to external services.
For Azure AD it is possible to stop users from consenting to apps accessing their account and the organisation’s environment, and currently in preview is the ability to have an approval process.
Power BI can leverage Information Protection as well has using group-based access controls as to who can share externally.
This is where organisations need to look at the bigger picture, then the little picture, then the big picture again, and think about how they should approach things.
It’s unrealistic to expect organisations to get this right the first time, especially as technologies evolve and new levels of control are introduced.
The management of external sharing should not simply be considered by tenant, site, and group-based controls.
More so organisations should address their policy requirements, understand product capabilities, and educate their people.
Get your head out of the sand. Let your users share externally. Be smart about it. Educate them, educate yourself, and put the proper systems in place to strike a balance between user friendly and secure.
Also published on Medium.