We are trying to figure out how to disable/block OneDrive for business connector completely or the "Create Share link" actions. Is it possible? On the photo below, you can see that at some M365 tenant it was possible to block this action somehow. The only issue is that the user who took this photo is not my colleague and they have no idea how it was set up. Basically, we are trying to disable this feature in our organization:
From what I can see we can't block OOB connectors such as OneDrive for Business:
Sharing capabilities are disabled at the Tenant level
- Sharing capabilities and anonymous links are completely disabled on the Tenant level and on OneDrive sites level. SharingCapability : Disabled
Any help will be greatly appreciated!
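As an added example, not part of this thread or of any Microsoft sample, the following SharePoint Online Management Shell script confirms the baseline the original post describes (SharingCapability Disabled at the tenant level and on every OneDrive site). The admin URL is a placeholder; the cmdlets used are Connect-SPOService, Get-SPOTenant and Get-SPOSite from the Microsoft.Online.SharePoint.PowerShell module.

```powershell
# Added example (not from this thread): audit the tenant-wide and per-OneDrive
# SharingCapability values that the original post reports as "Disabled".
# Replace <tenant> with your tenant name before running.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Tenant-wide sharing setting.
$tenant = Get-SPOTenant
"Tenant SharingCapability: $($tenant.SharingCapability)"

# Every OneDrive (personal) site; each can carry its own SharingCapability.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

# Flag any OneDrive whose setting is less restrictive than Disabled.
$drift = $oneDrives | Where-Object { $_.SharingCapability -ne 'Disabled' }
if ($drift) {
    "OneDrive sites not set to Disabled:"
    $drift | Select-Object Url, SharingCapability | Format-Table -AutoSize
} else {
    "All $($oneDrives.Count) OneDrive sites report SharingCapability = Disabled."
}
```

As the thread goes on to describe, a Disabled result here only confirms the tenant baseline; it does not by itself stop the Power Automate "Create share link" action from producing working pre-authenticated links.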
Have you verified that the link that is created actually works as expected?
hi @ScottShearer. Well, the expected behaviour for the link is not to work. The problem is that:
- While the tenant has the most restrictive policies possible, I can create the link and it works. The generated link contains a pre-authenticated JWT token which is good for one hour. It means tenants affected by this issue cannot prevent users from creating these links.
- The produced link can be opened from an unmanaged device without a credentials prompt.
@DenisMolodtsov I have seen your other post also I was able to reproduce the issue on my tenant as well
Hi @DenisMolodtsov,
it's just a shot in the dark, but anyway: can you filter/block already created links in the already existing emails instead of preventing their creation?
@VictorIvanidze wrote:Hi @DenisMolodtsov,
it's just a shot in the dark, but anyway: can you filter/block already created links in the already existing emails instead of preventing their creation?
Do you know where would I find a repository of these pre-authenticated links? Do you think it might be possible via API?
When I go to the file's Manage Access, the panel says that there are no links giving access. But I know for a fact that there are "preauthenticated" links. These links just don't show up here for some reason:
@jinivthakkar wrote:@DenisMolodtsov I have seen your other post also I was able to reproduce the issue on my tenant as well
Thank you for checking! I am glad a few other people were able to verify this issue independently.
@DenisMolodtsov get sharing report
To run the report (OneDrive)
Link - https://docs.microsoft.com/en-us/sharepoint/sharing-reports
Thank you for the suggestion. Unfortunately, this report does not list any of these "pre-authenticated" links. This is despite the fact that I can see that these links are working:
I've not got time to test the scenarios at the moment but have you explored here:
Not sure if flow honours these settings (you would hope) but you could implement a security group in AAD and then choose the type of sharing that you allow (authenticated guests or anyone).
I saw a discussion about OneDrive sharing here https://onedrive.uservoice.com/forums/913531-onedrive-sharing-collaboration/suggestions/17715682-dis... and one suggestion is DLP, for which I don't have the necessary experience, I am afraid.
@DamoBird365 thanks Damien. I also have very little experience in DLP, but I had tried creating a DLP policy and even then it did not block the anonymous link creation (maybe I did not create the DLP policy correctly).
Thank you, @DamoBird365. I want to add more information for the context.
Least permissive policy
External sharing settings are not applicable when we choose the "least permissive" sharing policies. Notice how the "More external sharing settings" is greyed out:
We can verify that it is impossible to generate the anonymous links via the user interface:
Blocking sharing altogether
https://onedrive.uservoice.com/forums/913531-onedrive-sharing-collaboration/suggestions/17715682-dis... <- this suggestion is about blocking sharing altogether. This is not quite what we are trying to do. We merely want Power Automate/OneDrive to respect the tenant settings that prohibit Anonymous links. Looks like the Power Automate OneDrive for business connector somehow bypasses all restrictions and just creates these "pre-authenticated links" that work no matter what.
Blocking OneDrive for business connector and DLP
The DLP policies don't allow blocking certain connectors like Teams, Outlook, SharePoint and OneDrive for business:
Pre-authenticated links vs Anonymous links
As one Microsoft representative pointed out, Anonymous links are not the same as "pre-authenticated" links. The latter work only for 1 hour and contain a JWT token that will let you download a document using. However, it does not make sense to have the least permissive sharing policy while you can easily bypass it by using the Power Automate "Share a file" action.
Replication steps
- Make sure the tenant has the "Least permissive" sharing policy
- Create a flow with a single "Create share link" action
- Run the flow
- Try opening the resulting string from a different browser/computer/device:
Note that there was at least one person who was not able to reproduce this issue. He is a Tenant admin and he has no idea what he did to fix this issue.