Why you shouldn’t disable external sharing (really)Alex Fields
Okay, so anyone who has ever done consulting with Microsoft / Office 365 before has probably heard this question:
“Can we disable external sharing?”–Any customer at every Office 365 consulting engagement, ever.
Bless their souls, these questions are usually coming from a good place, but to see why this is actually not a great idea, let’s look at this chart.
You see, disabling the external sharing capabilities of OneDrive or SharePoint or any other modern application does not make you any safer. In fact I argue that it does the exact opposite. It keeps your users in the dark ages of document sharing and collaboration.
Let’s look at just one more chart that demonstrates what I’m talking about:
And we could go on. When you disable guest access or external sharing, this is what you’re doing to your users: relegating them to an ancient technology that was never designed for file sharing to begin with.
Everyone needs external sharing
If you are in the business of making money, then I am guessing you need to:
- Produce stuff that is of value to others
- Share said stuff with said others
If you were in a company that allowed zero external sharing, I can’t imagine that you would be in business too long. Every single person who could be called an “information worker” essentially has the same job description, or one of a handful. They:
- Report on…
On… what? On data. People today must know how to do one or more of the above things with data. Data in the 21st century is officially more valuable than oil or gold. So you are going to have to learn to work with it better–you will need to become a steward of data.
How quickly can you find data?
How easily can you share it, manipulate it, and iterate on it?
Can you govern and protect it effectively–granting only as much access as is necessary to those whom need it (and for the time they need it)?
Or what about managing data life cycles? Can you sunset data when it is no longer serving you, and indeed, when it could even become a liability?
Getting the picture?
If you’re still relying on ancient technology like monolithic file servers with archaic folder hierarchies and email attachments… I’m sorry to say but you’re not well prepared for the future of data stewardship.
Everyone is responsible for data
In some sense every person needs to become an IT person moving forward. Not a full fledged IT professional, but there is certainly a baton that is being passed here. With great power comes great responsibility, right Spidey?
Modern tools like Microsoft 365 give users SUPERPOWERS that they have never had before. People can provision and create their own technology resources, their own permissions and groups! They can decide when, how and with whom they will share their content.
Data governance, too, is a concept that is just barely entering the collective consciousness of small and mid-sized businesses. And, with the mix of various personal devices becoming part of the corporate fold, this implies even more responsibility.
Therefore, technology is not the purview of IT alone (it never was), because the data belongs to everyone–to the organization as a whole and to individuals within the organization. It is how businesses interact with and provide value for their customers, their partners and so forth.
Therefore, external sharing is not something you disable. It’s just not. Govern it? Sure. Train users on it? Definitely. Block it? Goodness, no–rarely, if ever.
Remember that you can leave External sharing wide open, but adjust it down on any given site collection or library, as needed. You can have totally confidential libraries. Just don’t throw out the baby with the bath water by smashing down the external sharing capabilities at a global level. Please!
Great article Alex! This reminds of several questions I wanted to ask that includes this. How do you train end users? Individual or group training? Do you create your own training material? This is for me the biggest and most difficult part of my job as an MSP and Microsoft CSP. Could you write an article about end user training?
This is certainly an undertaking. Yes, there are multiple learning formats and I can plan to write more about this, as it is an important and oft overlooked piece of implementation.
External sharing isn’t like sharing email though. In email you share individual files. Here you share collection of files. That includes files you add to that collection later. That means you have to look through who the connection is shared with everytime you add a file. That’s cumbersome at best.
By sharing externally you’re potentially sharing with a user at a partner organisation. How are you keeping track of users like that leaving the partner and start working for a competitor.
Disabling external sharing does offer some protections. It’s not the best way to go about it, true. But enabling external sharing requires extensive processes and auditing to be in place to avoid data leakage.
What you have said is inaccurate. You can absolutely share individual files and in fact that is the more common way of doing it. When you share a link with specific people then they have to identify themselves using a round trip code to their recipient address. If they lose their job at a partner org then they lose access to the link. You should read up on the sharing features–they are designed for sharing. Email was not. Disabling external sharing does not offer protection it offers crippling of productivity and making life harder for your users, and in fact is opening more issues. You can revoke any link at any time. The links are secret and revocable. Emails can not be pulled back, and you lose control of the data quickly. So basically I would say that everything you said is the exact opposite of the reality. You don’t make people safe by taking away modern collaboration capabilities. You keep them safe with proper policy and TRAINING. Start here to learn about external sharing.
Are you saying external sharing is about individual files all of the time? Whether you belief that is the most common way of doing it hardly matters.
If they lose their job, they lose access at the time the partner org revokes that access. You’re not in control over that process. You’re dependent on the processes of that partner.
What? You can choose to share either folders or files. Links can be configured with any of the following options: allow edit, or view-only, block download, require password, require expiry (links expire after X days). Links can be renewed if set to expire. Links can be revoked at any time by the data owner or an admin (YOU are in control). If you share a link to an external partner and that person is fired, they would lose access to their corporate email and therefore lose access to your links. You can put any protections in place that you want to with links. You can take it even further with Conditional access, Microsoft Cloud App Security and DLP, etc. In the case of email attachments, you have zero control after the data has been shared. It just lives in that mailbox. They can download it to whatever location they want, they can make and send copies anywhere they want to. You can maintain much better control if you invite them into your house to work on the data according to your rules.
So, folders can be shared if you enable external sharing. You don’t control whether users share files or folders. If they share folders they might inadvertently share things.
You can only revoke access if you’re aware that access needs revoking. Someone needs to tell you that needs to happen. Then you’re in control.
And access is revoked if the external company takes their side of identity security seriously.
Again, you’re not in control. I like external sharing, but pretending there are no data leakage challenges only works if you live in an ideal world.
Pretending all of that can be solved with user education within your own organisation has similar problems.
I know, the world is scary place and people can make mistakes. But that is true in all situations. The fear that something might happen that shouldn’t is not reason to throw out baby with bathwater. You are absolutely in control.
And you have to be extending some trust no matter how you choose to share. My argument is that you retain more control and options for yourself when you use sharing links. There is no way to dismantle that, it’s just true. Your argument that you’re not in control of the other org applies whether you use sharing links or email to share. You have far more capabilities to protect and alert on bad behaviors though when you keep it in your house. Cloud App Security can alert you to suspicious behaviors, and even if something bad happens with that data, you will have a full audit log with IP addresses and everything. You don’t get that when you just leave it go to the other org’s email server as an attachment. You lose all visibility and leverage over the documents or locations.
In our own company’s environment, the last time we ran an audit there were no folders shared. Only docs. So training must have at least some effectiveness. But I wouldn’t be scared of sharing a folder anyway, if you had several related docs to share for example that might be more efficient. But the access is audited and logged, and there is version history built-in. Single source of truth. Hard to beat that.
Example of controlling accessing in a highly sensitive environment with M365: Conditional access rule that does not allow download from unmanaged and guest devices. External sharing link to specific person. That person is required to prove they are the intended recipient with round trip code. When they click on the document they can collaborate but not download. That is just one possible configuration. Another option for highly sensitive content would be to allow download but require it to be stamped with Sensitivity label. That way they must authenticate to open the document, and the document itself is encrypted. But most people don’t need to be that strict. In fact 80% of cases could probably even be covered using an anonymous link, which is a secret and revocable key that requires no verification. Sensitive data is usually a very small percentage of what is shared, and for those you can have different protections in place. But the worst thing you could do is take down the capabilities of sharing externally on a global level. Maybe only restrict that where it is absolutely necessary. And it’s more effective to use Sensitivity labels for that (Confidential label = cannot share outside the org).
Which is an example of ‘requires extensive processes and auditing to be in place to avoid data leakage.’ as mentioned in my original reply. The one you called out as being wholly inaccurate.
again that type of thing applies to a very small subset of data; on the whole, especially in the general SMB market, external sharing is an everyday reality. It’s happening over email and shadow IT, which are locations that you exercise no control over, and have no visibility on. It’s silly to say that external sharing should be disabled. It’s the only thing that can restore any semblance of control.
Nice Conversation talking about real use case.