Microsoft Teams Tech Blog Part 1: Sharing Options

Michele Casazza
02.03.20 09:14

Sharing in Office 365 has come a long way in the past few years. Microsoft has been taking user feedback seriously and, as a result, has released many new features and improved the user experience.
In this three-part series I will cover Sharing in Office 365 and Microsoft Teams from different perspectives: end users to understand how to best use the sharing options; administrators to understand the sharing model and settings; governance to have the right measures in place to protect the company's information based on policies and regulations.

 

  1. Part 1: Microsoft Office 365 Sharing options and features
  2. Part 2: Sharing Model and Microsoft Teams Guest Access
  3. Part 3: Microsoft Teams Governance (coming soon)

In Part 1 we will explore the different sharing options, what they mean and when to use them, so that you can still get your job done, follow best practice and comply with your company's policies.

Let's start with a common denominator for most of the services in Office 365. Where is the content stored?

Apart from a few exceptions, the vast majority of content in Office 365 services is stored in SharePoint. Some examples:

  • All your SharePoint sites
  • OneDrive is essentially SharePoint behind the scenes
  • Teams Channel files are stored in the default "Documents" Document Library used by Teams (a folder for each channel, except for Private Channels, whose content is stored in a separate site collection)
  • Planner files are also stored in the default "Documents" Document Library used by Teams (and are not removed when tasks are deleted)
  • OneNote notebooks created in Teams
  • Wikis created by Teams (in a library called Teams Wiki Data)
  • New Office 365 connected Yammer groups store content in the SharePoint site associated with that group
  • Office files created in the Office 365 portal end up in your OneDrive


Microsoft SharePoint is the storage king in Microsoft Office 365

So hopefully this is enough to convince you that Microsoft SharePoint is the storage king in Microsoft Office 365. Why am I bringing this up? Because when dealing with Sharing in Office 365, all the security and permission concepts of SharePoint still apply. Let's start with a refresher, or simple SharePoint security 101:

Security is based on the concept of inheritance. By default, when files are created or uploaded to a location in SharePoint, they inherit the permissions of the parent, say a document library, which in turn inherits permissions from the site, which inherits permissions from the site collection that contains it.

If we need to restrict access to a library to a small group of people, we "break" the inheritance. This means that if permissions are changed at the site level, they won't affect the library and its files. From now on the library manages its permissions separately; in other words, it has unique permissions.

 

The different types of sharing in Microsoft Teams and Office 365 overall 

Now that we understand the basics let's see the different types of Sharing available in Office 365.

Unless you have been living under a rock in the last few years, you are likely to be familiar with the Office 365 sharing window. It's being standardised across most Office 365 workloads and desktop apps, Windows Explorer, and you will find exactly the same on mobile devices when using OneDrive, PowerPoint or the new Office mobile app.

The first thing to note is that there is a type of sharing selected by default, in this case People in your Organisation. This will depend on a couple of settings that we'll see in Part 2, but it's also important to know that you can select another option. In fact there are four options in total. Let's look at each one in detail and when to use it.

Anyone with the link (also known as Anonymous)

The name is quite self-explanatory, and as you'd expect you type in a recipient's email address and they'll get access straight away. Its properties are:

  • Anyone can open the link from anywhere without having to sign in (yes, Dropbox style)
  • The link can be forwarded to others
  • Access can be revoked anytime (i.e. stop sharing the link)
  • The link is needed to gain access (cannot access via a location like a folder or site)
  • Can be shared as read-only (view) or allow editing
  • Can block the download (if using read-only; applies to Office files, PDF soon)
  • Can set a password
  • Can set an expiration date
  • Not available for sites or libraries, only files or folders

Microsoft Teams Sharing Anyone with a Link

Sharing window on mobile

People in my organization

As you can guess this grants access to internal users only.

  • Requires sign-in with an account in the organization
  • The link can be forwarded to others
  • Access can be revoked anytime (i.e. stop sharing the link)
  • Can be shared as read-only (view) or allow editing

Specific People

This might not be as intuitive as the previous ones. With this option you grant access to specific recipients, including external users. The main difference is that new external recipients need to verify their identity via a one-time passcode they receive in their mailbox as part of the process. The link cannot be forwarded to others, and the access can be revoked anytime (stop sharing the link). If you share with an internal user, only the recipient will be granted access, not everyone in the organisation.

People with existing access

There can be external users that have been manually added to the organisation's directory by an administrator, and therefore have existing access in the organisation. Another scenario is when external users were initially allowed and disabled at a later stage. Users that received a sharing invitation during that time would still be in the organisation's directory unless an administrator has manually removed them.

In my experience this is the least understood sharing option and often people are unsure if or when they should use it.

The main concern is that end users who haven't received proper training will try to use this option (especially if it's set by default) by typing in an external recipient's email address, and will receive a message that it cannot be shared (because this person did not have previous access). The frustrated user who wants to get the job done will then select another option like Specific People and will always share it this way. This is why educating users is a crucial part of technology adoption and of its cascading effects, like satisfaction, motivation and productivity.

This option can be useful:

  • When site owners or admins have spent additional time customising the permissions
  • When sharing particularly sensitive content, to avoid giving someone access accidentally
  • When sharing content with people you know already have access

 


Microsoft Teams - If the new Sharing experience in Microsoft Teams is not yet available in your tenant, to achieve the same result, you can select a file and use the Open in SharePoint option, then from there you can share the file. For more information see this Blog post in the Microsoft Tech community


Chain break in Microsoft Teams

Now, to tie all this back in to the inheritance concept, you might be surprised to know that, apart from People with existing access, all the other options do break the inheritance of the file/object that is shared (more on this in a moment).

Manage Access is a handy little feature that allows a file owner to manage sharing and permissions, specifically:

  • See the shared links separately with the names of specific recipients
  • Change permissions for a specific link (e.g. from edit to view only)
  • Remove a link (revoke access)
  • Stop sharing altogether (this will remove all access except for owners)

Note: Original permissions can only be restored via Advanced Settings (delete unique permission)

Send Link in Microsoft Teams
Send Link Dialogue

The ultimate question, however, is: should you or your users care about broken permissions?

This comes down to a compromise in my view. Breaking inheritance at the file level can impact future access; for example, if new users or groups are added to the library or site, they won't be able to access those uniquely 'permissioned' files. On the other hand, having an agile sharing function allows end users to get their job done without resorting to third-party tools and potentially exposing the company's sensitive information. There is more to it, as we will see in Part 3, because this relates to Change Management and to having proper governance established, where your services are configured according to the organisation's policies.

Recommendations:

  • Use People with existing access when you can
  • Set a default expiration for Anyone links
  • Set a default permission for Anyone link (View only)
  • Change the default sharing link to something other than Anyone (e.g. People in your organisation). Users can still use Anyone if it is enabled, but this can help avoid accidental sharing of sensitive files
  • Add a header/footer/watermark for files that are shared externally using Sensitivity Labels for Office 365.
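
For administrators, the link-related recommendations above can be checked against the tenant-level sharing settings. The following is an added example, not part of the original post: `Test-SharingBaseline` is a hypothetical helper, the 30-day threshold is an assumed value, and mapping "view only for Anyone links" to `FileAnonymousLinkType`/`FolderAnonymousLinkType` is my reading of the recommendation. The property and parameter names are those of `Get-SPOTenant`/`Set-SPOTenant` in the SharePoint Online Management Shell.

```powershell
# Added example: audits tenant sharing settings against the recommendations above.
function Test-SharingBaseline {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Tenant,
        [int] $MaxAnyoneLinkDays = 30   # assumed threshold, not from the article
    )
    process {
        # Anyone links only exist when the tenant allows anonymous guest sharing.
        $anyoneOn = "$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing'
        # 0 or -1 means "no expiration required".
        $days = [int]$Tenant.RequireAnonymousLinksExpireInDays

        $checks = [ordered]@{
            'Default link type is not Anyone'   = "$($Tenant.DefaultSharingLinkType)" -ne 'AnonymousAccess'
            'Anyone links expire'               = (-not $anyoneOn) -or ($days -ge 1 -and $days -le $MaxAnyoneLinkDays)
            'Anyone file links are view-only'   = (-not $anyoneOn) -or ("$($Tenant.FileAnonymousLinkType)" -eq 'View')
            'Anyone folder links are view-only' = (-not $anyoneOn) -or ("$($Tenant.FolderAnonymousLinkType)" -eq 'View')
        }
        foreach ($name in $checks.Keys) {
            [pscustomobject]@{ Check = $name; Pass = [bool]$checks[$name] }
        }
    }
}

# Constructed sample standing in for Get-SPOTenant output (permissive settings).
$sample = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType            = 'AnonymousAccess'
    RequireAnonymousLinksExpireInDays = -1
    FileAnonymousLinkType             = 'Edit'
    FolderAnonymousLinkType           = 'Edit'
}
$sample | Test-SharingBaseline | Format-Table -AutoSize

# Against a live tenant, after Connect-SPOService:
#   Get-SPOTenant | Test-SharingBaseline
# Settings that satisfy every check (30 days is the assumed value from above):
#   Set-SPOTenant -DefaultSharingLinkType Internal -RequireAnonymousLinksExpireInDays 30 `
#       -FileAnonymousLinkType View -FolderAnonymousLinkType View
```

When Anyone links are disabled at tenant level, the three Anyone-specific checks pass automatically, since there is nothing to expire or restrict.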

Bonus

Another great feature that has been recently launched is Request Files. If your company has allowed Anyone in your OneDrive, you can use this neat function to collect files from multiple external parties without them seeing each other's files.
