Over the past few years Microsoft
New Sharing Control – Block download
One of the more interesting settings that Microsoft showcased back at Ignite was the ability to prevent people from downloading files shared with them. In other words, we now have an option that will ensure the file(s) we shared can only be accessed via the relatively safe environment of Office Online, with any Save, Copy or Print functionalities disabled.
You can configure this setting directly from the Share dialog, by toggling the corresponding Block Download control, as illustrated below. A small indicator will appear next to the link once this option is configured, making it easier to identify links with Block download enabled.
There are
On the recipient’s side, clicking the link will open the document in a reduced functionality version of Office Online, like the one you get with the Conditional access/device restrictions feature. As shown on the screenshot below, the File menu and the Ribbon are missing and there is no way to open the document in edit mode. The right-click menu and shortcut keys are also disabled, so you cannot copy information from the document, and printing is also disabled (although you can still use the browser’s print functionality or take a screenshot). Using the Share button is also restricted and the only type of link you can create by using it is one for people with existing access.
It is also important to understand that this functionality is available only for files that can be opened in Office Online, that is Office documents. Finally, it seems that in the current implementation of the feature, you can bypass the restrictions by simply navigating to the Shared with
Better notifications and reminders
Another feature that has already made its way to release is email notification for opening shared files, or a link open receipt. The idea is to let you know when the user has accessed the file, but unfortunately in my experience this feature doesn’t seem that reliable. I’ve had it in my tenant for over two months now, yet I’ve only received a handful of notifications, out of a few dozen sent and accessed. When I do receive a notification, it looks something like this:
Unlike the sharing notifications, these messages are generated using the default no-reply@sharepointonline.com address. They also feature some additional text that guides the user on what to do in case the file was accessed unexpectedly, which basically redirects him to the new Manage Access experience for OneDrive files, which I will discuss in the next section. An interesting observation is that those notifications also feature an Unsubscribe link, which is handy considering there is no UI option to toggle them on or off.
In addition to the link open receipts, a new feature has been added to automatically remind people about shared file(s), if they haven’t clicked the link after seven days have passed since the initial email. The automatic reminders look just like a standard sharing notification email, with slightly changed text and subject. Another new element worth mentioning is the branding support for the sharing notification emails. If your organization has configured Azure AD branding, the Company logo will now be added as part of the notification email, as illustrated below.
Continuing with the notification improvements, the desktop client will now show sharing notifications as well. And, whenever you are uploading files to a shared library, you will now be able to notify your team members about the new file(s) you just added, all with a single click.
Lastly, we have some improvements around Access requests. First, we can now define a custom message that will be shown as part of the request access workflow. As this message is configurable per site, we can use it to inform users why they must file an Access request and who to contact in case of issues. And, the actual access request notifications are easier to work with now, as they use the actionable messages functionality in Outlook.
Easier management of sharing
Yet another set of improvements makes it much easier to manage sharing, both for end users and admins. On the user side of things, the Shared by me page can give you a quick overview of which items you have shared, as well as give you information about the last activity – such as who modified the file and when that happened. The Shared with me page has also received some love and now features externally shared files, as in files shared with you by users from other organizations. Such items will have the “globe” icon and although some options will be missing from the UI, this is still a handy addition.
The new Manage Access UI allows you to manage all direct and link-based permissions to a given item from a single location. Additional information about the type of link will be presented as well as a quick option to remove a given link or Stop sharing the item altogether. Or, you can Share or Grant Access to another person directly from the same UI, using the familiar suite-wide controls. In the future, even more information will be presented by a new Link details control.
What’s even more important, the same experience will be integrated into the desktop client, allowing you to perform all the sharing or revoking access operations directly from your device, without having to open the browser. The screenshot below shows a comparison between the Manage Access experience on the desktop (left) and in the browser (right). While there are some differences in the way the UI elements and actions are presented, the core functionality is available, which is a great step forward.
Another very useful improvement is the ability to @mention a person, which not only makes it easier to comment on a given file but can also automatically grant permissions to people that were mentioned and don’t already have them. To wrap up new user improvements, it’s worth mentioning that we can also deep-link to the Manage Access UI, for example this link will open up the Manage Access UI for item “30914”: https://tenant-my.sharepoint.com/personal/user_domain_com/_layouts/15/onedrive.aspx?managePermissionsForListItemId=30914.
On the admin side of things, the team has moved away from their custom implementation and the permissions model is now fully integrated with the Azure AD B2B experience. Among other things, this means that a new Guest user object will be provisioned the moment you send a sharing link, and you can take advantage of features such as Conditional Access.
Some cross-suite improvements have made it possible for the Share UI to immediately reflect changes made to the link settings in the SharePoint Online and OneDrive admin portals. Similarly, Outlook’s cloud attachments functionality should now respect the default link type and settings configured by admins. And, those settings can be configured per-site now, via new parameters introduced for the Set-SPOSite cmdlet.
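One way to review those per-site link defaults, as an added example that is not part of the original article: the function below flags sites whose default link is anonymous or grants edit rights and suggests a Set-SPOSite change. The function name Get-PermissiveSharingSite, the contoso URLs and the sample site objects are constructed for illustration; the property and parameter names (SharingCapability, DefaultSharingLinkType, DefaultLinkPermission) are the ones exposed by Get-SPOSite and Set-SPOSite.

```powershell
# Added example. Get-PermissiveSharingSite is a hypothetical helper name.
# It accepts objects shaped like Get-SPOSite output and reports sites
# whose per-site sharing link defaults are more permissive than needed.
function Get-PermissiveSharingSite {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Site
    )
    process {
        $findings = @()
        $external = "$($Site.SharingCapability)" -ne 'Disabled'
        $linkType = "$($Site.DefaultSharingLinkType)"
        $linkPerm = "$($Site.DefaultLinkPermission)"

        # An "Anyone" default only matters if external sharing is enabled.
        if ($external -and $linkType -eq 'AnonymousAccess') {
            $findings += 'default link type is anonymous (Anyone with the link)'
        }
        if ($linkPerm -eq 'Edit') {
            $findings += 'default link permission is Edit'
        }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Url         = $Site.Url
                Findings    = $findings -join '; '
                # Suggested change, emitted as text so nothing is modified here.
                Remediation = "Set-SPOSite -Identity $($Site.Url) " +
                              "-DefaultSharingLinkType Internal -DefaultLinkPermission View"
            }
        }
    }
}

# Constructed sample input (not real tenant data) so the check runs offline.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'
        SharingCapability = 'ExternalUserAndGuestSharing'
        DefaultSharingLinkType = 'AnonymousAccess'; DefaultLinkPermission = 'Edit' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'
        SharingCapability = 'Disabled'
        DefaultSharingLinkType = 'Internal'; DefaultLinkPermission = 'View' }
)

$sampleSites | Get-PermissiveSharingSite | Format-List
# Against a tenant (after Connect-SPOService), pipe a site instead:
#   Get-SPOSite -Identity <site URL> | Get-PermissiveSharingSite
```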
Other features worth mentioning
The improvements we listed in the previous section don’t represent even half of the new features that were showcased at Ignite. While I’ve focused on the ones that we can already play with, the rest of them should hopefully be landing in production in the coming weeks and months. An example is password-protected sharing links, which allow you to configure a password at the time of link creation. The user accessing the link will then have to provide the password to open the document, regardless of whether he’s currently logged in with his Office 365 account or not.
Among the other interesting updates, we should mention the Smart People Picker, which will assist you in selecting the right people to share with, or the much-anticipated External sharing reports and re-attestation for External users. The unified sharing and access management experience across all devices and endpoints should be coming soon as well, meaning that regardless of whether you are using the browser, the desktop client or the mobile app, you will have access to the same set of functionalities, presented in a unified fashion. Sharing with Teams or from within the Teams client is a prime example of this unified approach, which can even be extended with workload-specific functionalities, such as surfacing an only this Team share link. For this and additional demos, make sure to watch the BRK3100 recording, if you haven’t done so already. We will make sure to cover those updates once they make it to production.
Another feature that has already made its way to release is email notification for opening shared files, or a link open receipt.
Can you please share the link for this? We need to receive an email when the user opens the shared file.
Thanks for this info – Question: I’m now receiving auto generated emails reminding me that a file was shared with me. Is there any way to turn these emails off? They are creating clutter and distraction in my inbox.
thanks!
It’s 2021 and still no shared column or some indication that a file is shared. OneDrive has this feature but no SPO 🙁
Thanks for writing this article.
I just found out the notification for external shared files only works when during the share action the option to send the default mail is chosen.
So when users use the ‘copy link’ option the notification email won’t be sent.
Good to know, so that’s why I am sharing it here.
We are instructing our users to make use of the ‘copy link’ option instead of the default ‘send’ email while using the ‘share’ action.
1. Because of its flexibility to share links in other ways than traditional email, i.e. chat or inside other documents or systems.
2. Security wise, since the default ‘ has invited you to ..’ mails are very commonly used in email phishing attacks as well.
I don’t see the Set Expiration Date setting, how does that get enabled?
Expiration has been available for maybe 2 years now, but only for anonymous links (“Anyone with this link”). Or “shareable links”, as they are designated in the OneDrive admin center. So make sure you have anonymous sharing enabled, then share a file via such link and you should see the option. And you can also configure default expiration via the admin center.
Great write-up. Sharing in SharePoint can be very confusing for the less tech-savvy users out there. You mention “fully integrated with the Azure AD B2B experience. Among other things…”. Do you have more info on what these other things are except for the info in BRK3100? We want to use Azure B2B more heavily with some customers.
What I meant was that people you share with now get added as Guest users and on the backend are treated like any other Guest user provisioned via the B2B capabilities. This includes controls such as CA policies, MFA, Terms of Use and so on, but also the ability for the admin to go ahead and make changes to the corresponding user object even before the user has “redeemed” the invite. In contrast, the “old” experience we had only provisioned the Guest user object after the invite was redeemed, wasn’t subject to policies and so on.
Thanks for that clarification! So do you think when, from SharePoint Online, we invite someone to a document, a Guest user will get created automatically in Azure AD? Does this mean it will no longer be possible to share a file with only a 6-digit passcode, which happens now when you share with someone who doesn’t already have an Azure AD Guest account?
Yes, this will be the behavior going forward. And no, one-time passcode flow will still work as before, the only difference is on admin side of things where you will be able to see the Guest user provisioned immediately after sending the request, and perform actions as needed. There’s a demo of this in the session: https://youtu.be/KvcYz3ERZSY?t=2944
Incidentally: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/Azure-AD-makes-sharing-and-collaboration-seamless-for-any-user/ba-p/325949
Password protected link has been advertised more than a year ago on Office 365 YouTube channel like an already available feature. Maybe by mistake, but I was waiting for it for many months. All these additions are nice (when they work, like notifications), but I still find it all very confusing for regular users.
Agreed, it’s annoying how much time it takes for the stuff we see at Ignite, other conferences or blog posts to actually arrive. Or how long certain features stay in “preview”. But that’s one of the main reasons for articles like this one – to let folks know that some feature has finally made it to production, and of course add some notes on my experience with it.
In particular for password protected links, someone mentioned that they should roll out by end of January… I guess we’ll see.
Great article.
Is the password protected link feature available now?
Thank you,
Roberto
I don’t have them in my tenant yet, and they are still listed as In development on the Roadmap. Perhaps something they will announce on the SP conference later this month…