Over the past few years Microsoft have been continuously improving the user experience and controls for sharing files in SharePoint Online and OneDrive for Business, for both end users and administrators. We now have per-site sharing settings, expiration controls for sharing links, the new sharing dialog and the Shared by me page, just to name a few. In this article, I will cover some of the latest improvements that were announced at Ignite in September which are now starting to appear in our tenants.
New Sharing Control – Block download
One of the more interesting settings that Microsoft showcased back at Ignite was the ability to prevent people from downloading files shared with them. In other words, we now have an option that will ensure the file(s) we shared can only be accessed via the relatively safe environment of Office Online, with any Save, Copy or Print functionalities disabled.
You can configure this setting directly from the Share dialog, by toggling the corresponding Block Download control, as illustrated below. A small indicator will appear next to the link once this option is configured, making it easier to identify links with Block download enabled.
There are a few important things you should note about this feature. First, the type of sharing link you create must be read-only, as this setting cannot be used together with the Allow Editing setting. In addition, this setting is currently only available for anonymous Anyone with the link and tenant-wide People in Organization Name links. In the future, it will also be available for direct sharing links, via the Specific people option.
On the recipient’s side, clicking the link will open the document in a reduced functionality version of Office Online, like the one you get with the Conditional access/device restrictions feature. As shown on the screenshot below, the File menu and the Ribbon are missing and there is no way to open the document in edit mode. The right-click menu and shortcut keys are also disabled, so you cannot copy information from the document, and printing is also disabled (although you can still use the browser’s print functionality or take a screenshot). Using the Share button is also restricted and the only type of link you can create by using it is one for people with existing access.
It is also important to understand that this functionality is available only for files that can be opened in Office Online, that is, Office documents. Finally, it seems that in the current implementation of the feature, the recipient can bypass the restrictions by simply navigating to the Shared with me page in their OneDrive, then pressing Open > Open in Word to get the document opened in the desktop application. This might be a side effect of the incomplete rollout of the feature though, and will likely be addressed in the future.
Better notifications and reminders
Another feature that has already made its way to release is the email notification for opening shared files, or a link open receipt. The idea is to let you know when the user has accessed the file, but unfortunately in my experience this feature doesn’t seem that reliable. I’ve had it in my tenant for over two months now, yet I’ve only received a handful of notifications, out of a few dozen sent and accessed. When I do receive a notification, it looks something like this:
Unlike the sharing notifications, these messages are generated using the default email@example.com address. They also feature some additional text that guides the user on what to do in case the file was accessed unexpectedly, which basically redirects him to the new Manage Access experience for OneDrive files, which I will discuss in the next section. An interesting observation is that those notifications also feature an Unsubscribe link, which is handy considering there is no UI option to toggle them on or off.
In addition to the link open receipts, a new feature has been added to automatically remind people about shared file(s), if they haven’t clicked the link after seven days have passed since the initial email. The automatic reminders look just like a standard sharing notification email, with slightly changed text and subject. Another new element worth mentioning is the branding support for the sharing notification emails. If your organization has configured Azure AD branding, the Company logo will now be added as part of the notification email, as illustrated below.
Continuing with the notification improvements, the desktop client will now show sharing notifications as well. And, whenever you are uploading files to a shared library, you will now be able to notify your team members about the new file(s) you just added, all with a single click.
Lastly, we have some improvements around Access requests. First, we can now define a custom message that will be shown as part of the request access workflow. As this message is configurable per site, we can use it to inform users why they must file an Access request and who to contact in case of issues. And, the actual access request notifications are easier to work with now, as they use the actionable messages functionality in Outlook.
Easier management of sharing
Yet another set of improvements makes it much easier to manage sharing, both for end users and admins. On the user side of things, the Shared by me page can give you a quick overview of which items you have shared, as well as give you information about the last activity – such as who modified the file and when that happened. The Shared with me page has also received some love and now features externally shared files, as in files shared with you by users from other organizations. Such items will have the “globe” icon and although some options will be missing from the UI, this is still a handy addition.
The new Manage Access UI allows you to manage all direct and link-based permissions to a given item from a single location. Additional information about the type of link will be presented as well as a quick option to remove a given link or Stop sharing the item altogether. Or, you can Share or Grant Access to another person directly from the same UI, using the familiar suite-wide controls. In the future, even more information will be presented by a new Link details control.
What’s even more important, the same experience will be integrated into the desktop client, allowing you to perform all the sharing or revoking access operations directly from your device, without having to open the browser. The screenshot below shows a comparison between the Manage Access experience on the desktop (left) and in the browser (right). While there are some differences in the way the UI elements and actions are presented, the core functionality is available, which is a great step forward.
Another very useful improvement is the ability to @mention a person, which not only makes it easier to comment on a given file but can also automatically grant permissions to people that were mentioned and don’t already have them. To wrap up new user improvements, it’s worth mentioning that we can also deep-link to the Manage Access UI, for example this link will open up the Manage Access UI for item “30914”: https://tenant-my.sharepoint.com/personal/user_domain_com/_layouts/15/onedrive.aspx?managePermissionsForListItemId=30914.
On the admin side of things, the team has moved away from their custom implementation and the permissions model is now fully integrated with the Azure AD B2B experience. Among other things, this means that a new Guest user object will be provisioned the moment you send a sharing link, and you can take advantage of features such as Conditional Access.
Some cross-suite improvements have made it possible for the Share UI to immediately reflect changes made to the link settings in the SharePoint Online and OneDrive admin portals. Similarly, Outlook’s cloud attachments functionality should now respect the default link type and settings configured by admins. And, those settings can be configured per-site now, via new parameters introduced for the Set-SPOSite cmdlet.
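As an added example (not part of the original article), the per-site link defaults mentioned above can be audited and tightened from the SharePoint Online Management Shell. The tenant name `contoso` and the site URL are placeholders; the script assumes the Microsoft.Online.SharePoint.PowerShell module is installed and that you connect with a SharePoint administrator account.

```powershell
# Added example: audit and tighten the per-site default sharing link settings.
# 'contoso' and the finance site URL are placeholders, not values from the article.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# 1. Audit: collect the sharing capability and default link settings of every site.
#    Each site is re-read by URL, because the bulk listing may not populate
#    every sharing-related property.
$report = Get-SPOSite -Limit All | ForEach-Object {
    $site = Get-SPOSite -Identity $_.Url
    [pscustomobject]@{
        Url                    = $site.Url
        SharingCapability      = $site.SharingCapability
        DefaultSharingLinkType = $site.DefaultSharingLinkType
        DefaultLinkPermission  = $site.DefaultLinkPermission
    }
}

# Sites where the Share dialog explicitly defaults to "Anyone with the link".
# A value of 'None' means the site follows the tenant-wide default instead,
# so review the tenant setting (Get-SPOTenant) for those sites.
$report |
    Where-Object { $_.DefaultSharingLinkType -eq 'AnonymousAccess' } |
    Format-Table -AutoSize

# 2. Harden one site: default new links to organization-only and view-only.
#    Users can still pick another link type if the site's sharing capability allows it.
$target = 'https://contoso.sharepoint.com/sites/finance'
Set-SPOSite -Identity $target `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View

# 3. Verify that the change was applied.
Get-SPOSite -Identity $target |
    Select-Object Url, SharingCapability, DefaultSharingLinkType, DefaultLinkPermission
```

These parameters only change what the Share dialog preselects; whether external or anonymous sharing is permitted at all on the site is governed by its `SharingCapability` value.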
Other features worth mentioning
The improvements we listed in the previous section don’t represent even half of the new features that were showcased at Ignite. While I’ve focused on the ones that we can already play with, the rest of them should hopefully be landing in production in the coming weeks and months. An example is password-protected sharing links, which allow you to configure a password at the time of link creation. The user accessing the link will then have to provide the password to open the document, regardless of whether he’s currently logged in with his Office 365 account or not.
Among the other interesting updates, we should mention the Smart People Picker, which will assist you in selecting the right people to share with, or the much-anticipated External sharing reports and re-attestation for External users. The unified sharing and access management experience across all devices and endpoints should be coming soon as well, meaning that regardless of whether you are using the browser, the desktop client or the mobile app, you will have access to the same set of functionalities, presented in a unified fashion. Sharing with Teams or from within the Teams client is a prime example of this unified approach, which can even be extended with workload-specific functionalities, such as surfacing an only this Team share link. For this and additional demos, make sure to watch the BRK3100 recording, if you haven’t done so already. We will make sure to cover those updates once they make it to production.