I’ve got a special topic for you today – there’s one little security issue I’ve recently discovered with external sharing in SharePoint Online. Microsoft says it’s by design. Unfortunately, it can lead to a situation where your users share the sensitive document with the wrong person. Let’s have a look at that in detail.
External Sharing Options?
External sharing in SharePoint Online is one of the features hard to build using SharePoint Server. Your users can share documents with people who are not members of your organization. There are a couple of scenarios available in such case:
- First – Inviting someone by sending a unique link to the document. Every person with this link can view or edit this document.
- Second – You can send an invitation to the document to a specific user. They can access the document using his Microsoft or organizational account.
How does the default option work?
Now, the clue to our problem is the word “invitation” in the second option.
Let’s imagine I have a file that I want to share with Adam Smith who is not our employee. I’m sending him a link to the document. Adam gets an email that looks like a standard notification, but it isn’t. This is kind of interesting since we haven’t granted permissions yet. When Adam clicks “Open Document,” he has to choose which account type he wants to use. Then his external account is added to our Office 365 tenant and permissions are set on SharePoint.
For now, it works fine but what happens if Adam doesn’t click “Open Document” link, but instead forwards the message to Emma?
Yep. You’ve got it. Now the truly interesting stuff happens. Emma gets the message and clicks “Open Document.” Now she has to choose the account type and she can edit the document.
As the owner of the document, I immediately get a notification that Emma opened the document shared with Adam. I can revoke permissions – this is quite nice and easy. Unfortunately, the BAD thing has already happened. Just take a look at what’s going on when I want to share another document with Adam. We have quite an intriguing user in SharePoint who’s name is Emma but has Adam’s email.
What went wrong?
According to Microsoft, it works as it should – I confirmed it with Office 365 Support. The user’s profile now exists on SharePoint with the following parameters:
- User login is set to Emma
- User mail is set to Adam
- User Display name is set to Emma
Having such profile evokes a number of consequences. Probably a normal user won’t notice these and send an invitation to Emma. But the invitation will arrive at not Emma’s, but Adam’s mailbox! For me, this is a huge security issue – the user can share sensitive information with the wrong person by mistake!
What are your options?
You can ask “what I should do”? There are couple options, but the most popular one amongst our customers is just to disable external sharing feature.
The second one (recommended by the Support team) is to turn off the ability to forward an invitation to the document. You can do it by setting the following parameter using SharePoint Online PowerShell:
Set-SPOTenant –RequireAcceptingAccountMatchInvitedAccount $true
After setting it up, even after sending an invitation to another user, he will get the following message:
So, to wrap things up, I’d say the External Sharing option in SharePoint Online is a powerful feature that gives your employees easy ways of collaboration with external users. However, in some scenarios, it can lead to bizarre and insecure situations. But fortunately, it’s possible to change the configuration to allow your people to work securely with others.
Now, I have one last thing to remind you. You can be the first one to join the WEBINAR on 5 Hottest IT Trends In Productivity, Analytics & AI I’ll be hosting in a week! See you online 🙂