Comparing attachments to sharing guest links

For a number of years I have avoided the use of attachments where possible, and those who know me are aware that sending an email to me with an attachment will usually be replied with something like “could you not share this? Let me introduce you to OneDrive for Business…. again”.

Sometimes however it does make sense to send an attachment, especially where the document didn’t originate from you or in the case where you actually don’t care to keep the file.

The focus of this blog post is to compare sending attachments to external recipients, vs. sharing guest links from SharePoint Online or OneDrive for Business (or Office 365 Groups).

I often give the example of a new sales person I was recruiting with the assistance of an external consulting firm. We had completed all rounds of interviews and were ready to hire. I sent around the letter of offer rand employment agreement to two of my colleagues to check. One came back and said everything was ok. So instead of sending the document as an attachment in PDF I chose to share the file as a guest link from our SharePoint Online site with View Only access. I then left the office for a lunch meeting, leaving my computer at the office. While waiting at the tram stop I got an email from the other colleague informing me that I’d used the wrong word.

Instead of having to go back to the office, make the change, and then email an updated PDF – I simply opened the document on my phone, editing the document, and then closed the app. Because I’d shared a guest link to the file I didn’t have to email anybody anything, or even inform them!

The challenge of sharing guest links is that you have virtually no control of what happens to the content after you send out the link, so you cannot see who is accessing it and who else it has been shared with.

The same can be argued of email attachments. To simplify the comparison, I’ve put together the following table outlining the pros and cons of the two methods of sharing content with external people.

Emailing attachments Sharing guest links
  • Simple, easy to do
  • Any attachment type
  • Can apply Data Loss Prevention policies and Exchange transport rules to monitor for restricted content and audit or apply actions
  • Simple, easy to do
  • Any attachment type
  • Can specify expiration of link (eg. valid for xx days)
  • Can stop sharing at any time
  • Email stays to a few kilobytes when including URL instead of file
  • Can delay email being sent in the case of large attachment or bandwidth limitations
  • Cannot recall once email has left the organisation
  • Cannot stop document from being shared with others
  • No visibility into who is opening the link

While it is possible to also disable guest links and allow only name-based sharing with external parties (eg. where the external person must have an Office 365 or Microsoft account in order to access it), the purpose of this blog post was to compare the concept of blind sharing of files as is done via email attachments and sharing guest links.

Microsoft provides a good support page that outlines the different ways sites & files can be shared with people outside of your organisation.

To those organisations who choose not to enable sharing guest links because of fear of data leakage: unless you have set up DLP rules or implemented Azure Information Protection then it is a moot point as the data is unprotected regardless of transmission medium, and users will find a way to get the content to the other person one way or another.

Ideally organisations should approach sharing & security together – you shouldn’t have one without the other. Often organisations choose the security by obscurity route of “if I don’t give it to my users then it won’t happen”. Shadow IT has already proven that wrong (thank you Dropbox!), and so it is important that organisations promote new ways of working and provide their staff with the ability to simply and quickly share content with external parties – while making sure security is adhered to without requiring user intervention.

A more feature rich Office 365 experience coming soon

There’s no doubt that Office 365 presents significant value for money. Historically naysayers have struggled with the concept as they have merely compared Office 365 against their on-premises license equivalent, and in many cases feel that because of their existing investment in infrastructure the operation of their services is “free” (don’t get me started on that one).

At present in the Enterprise end of Office 365 we have 3 licenses: E1, E3 and E4. In a nutshell:

E1 – gives you access to the core services such as Exchange, SharePoint, Skype for Business, Yammer, OneDrive for Business, etc.

E3 – the same as E1 but with unlimited mail archive, voicemail capabilities, Office 365 ProPlus desktop/mobile software, enterprise features of SharePoint, and more

E4 – the same as E3 but with the Enterprise Voice license component. While this doesn’t do anything in the cloud it is a handy way of licensing on-premises users of Lync Server 2013 / Skype for Business Server 2015 to use their service like a normal phone extension/line.

So what is E5? Well E5 is effectively Office 365 on steroids. It gives you everything from the lower-level licensed services, PLUS:

  • Cloud PBX and PSTN conferencing (goodbye on-premises or separate phone systems and conference services, Skype for Business Online will now do it all)
  • Power BI Pro (normal Power BI is a separate and not-exactly-cheap license)
  • Delve Organisational Analytics (a new feature bringing the best of Delve to the surface)
  • eDiscovery with Equivo Zoom (a higher level than the out of the box eDiscovery service already part of Office 365)
  • Customer Lockbox (which gives you the customer the ability to control what Microsoft sees when they have to access your environment for support)
  • Data Loss Prevention (I can only assume this is a higher level than what is currently available)
  • Advanced Threat Protection (a higher level of service than currently available in Exchange Online Protection)

What all of this is heading towards is the Office 365 service being a complete end to end solution for both desktop as well as mobile workers, regardless of position or function in their organisation. By enabling features like PBX (phone system) it truly means that people are free from their desks. Paradyne currently uses a hosted Skype for Business Enterprise Voice service which allows us to work truly from anywhere. While the concept of a hosted PBX is not new – a fully functional Skype solution that is both your corporate instant messaging and conference solution that also acts as your phone system is a much richer experience for end users.

Like any service there will be those among us who don’t need it all, and the benefit is that you can pick and choose. However as always Microsoft will most likely make it more attractive for users to have the full suite.

I look forward to seeing this E5 license level become active in the later half of 2015. As always countries like Australia won’t see the Cloud PBX and PSTN conferencing components until sometime in 2016 if we’re lucky as always after the US goes Europe, however the light is at the end of the tunnel.