DenisMolodtsov
Kudo Kingpin

Disable "Create share link" action or the entire "OneDrive for Business connector"

We are trying to figure out how to disable/block OneDrive for business connector completely or the "Create Share link" actions. Is it possible? On the photo below, you can see that at some M365 tenant it was possible to block this action somehow. The only issue is that the user who took this photo is not my colleague and they have no idea how it was set up. Basically, we are trying to disable this feature in our organization:

 

Photo.jpg

From what I can see we can't block OOB connectors such as OneDrive for Business:

 

!!!.jpg

Sharing capabilities are disabled at the Tenant level

- Sharing capabilities and anonymous links are completely disabled on the Tenant level and on OneDrive sites level. SharingCapability : Disabled

 

Any help will be greatly appreciated!

12 REPLIES
ScottShearer
Super User

@DenisMolodtsov 

Have you verified that the link that is created actually works as expected?  

If I have answered your question, please mark your post as Solved.
If you like my response, please give it a Thumbs Up.

Scott

Hi @ScottShearer. Well, the expected behaviour for the link is not to work. The problem is that:

- While the tenant has the most restrictive policies possible, I can create the link and it works. The generated link contains a pre-authenticated JWT token which is good for one hour. It means tenants affected by this issue cannot prevent users from creating these links.

- The produced link can be opened from an unmanaged device without a credentials prompt.

jinivthakkar
Super User

@DenisMolodtsov I have seen your other post also. I was able to reproduce the issue on my tenant as well.

VictorIvanidze
Community Champion

Hi @DenisMolodtsov,

 

it's just a shot in the dark, but anyway: can you filter/block already created links in the already existing emails instead of preventing their creation? 

--------------------------------------------------------------------------------------
Contact me if you are interested in custom Power Automate development.


@VictorIvanidze wrote:

Hi @DenisMolodtsov,

 

it's just a shot in the dark, but anyway: can you filter/block already created links in the already existing emails instead of preventing their creation? 



Do you know where I would find a repository of these pre-authenticated links? Do you think it might be possible via API? 

 

When I go to the file's Manage Access, the panel says that there are no links giving access. But I know for a fact that there are "preauthenticated" links. These links just don't show up here for some reason:

DenisMolodtsov_1-1623331474152.png

 

 


@jinivthakkar wrote:

@DenisMolodtsov I have seen your other post also. I was able to reproduce the issue on my tenant as well.


Thank you for checking! I am glad a few other people were able to verify this issue independently. 

jinivthakkar
Super User

@DenisMolodtsov get sharing report

 

To run the report (OneDrive)

  1. From the Microsoft 365 app launcher, select the OneDrive tile.
  2. On the Settings menu, click OneDrive settings.
  3. Click More settings, and then click Run sharing report.
  4. Choose a location to save the report, and then click Save.

Link - https://docs.microsoft.com/en-us/sharepoint/sharing-reports

 

--------------------------------------------------------------------------------
If this post helps answer your question, please click on “Accept as Solution” to help other members find it more quickly. If you thought this post was helpful, please give it a Thumbs Up.

Thank you for the suggestion. Unfortunately, this report does not list any of these "pre-authenticated" links. This is despite the fact that I can see that these links are working:

 

Shared links reportpng.png

jinivthakkar
Super User

@DamoBird365 Hi Damien, can you please help on this ?

Hi @DenisMolodtsov 

 

I've not got time to test the scenarios at the moment but have you explored here:

 

DamoBird365_0-1623398057059.png

 

Not sure if flow honours these settings (you would hope) but you could implement a security group in AAD and then choose the type of sharing that you allow (authenticated guests or anyone).

 

I saw a discussion about OneDrive sharing here https://onedrive.uservoice.com/forums/913531-onedrive-sharing-collaboration/suggestions/17715682-dis... and one suggestion is DLP, for which I don't have the necessary experience, I am afraid.

 

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Cheers,
Damien


P.S. take a look at my new blog here and like & subscribe to my YouTube Channel thanks 😉

jinivthakkar
Super User

@DamoBird365 thanks Damien, even I have very little experience in DLP, but I had tried creating a DLP and even then it did not block the anonymous link creation (maybe I did not create the DLP correctly).

 

Thank you,  @DamoBird365. I want to add more information for the context.

 

Least permissive policy

External sharing settings are not applicable when we choose the "least permissive" sharing policies. Notice how the "More external sharing settings" is greyed out:

DenisMolodtsov_0-1623450228970.png

 

We can verify that it is impossible to generate the anonymous links via the user interface: 

DenisMolodtsov_1-1623450251275.png

 

 

 

Blocking sharing altogether

https://onedrive.uservoice.com/forums/913531-onedrive-sharing-collaboration/suggestions/17715682-dis... <- this suggestion is about blocking sharing altogether. This is not quite what we are trying to do. We merely want Power Automate/OneDrive to respect the tenant settings that prohibit Anonymous links. Looks like the Power Automate OneDrive for business connector somehow bypasses all restrictions and just creates these "pre-authenticated links" that work no matter what. 

 

 

Blocking OneDrive for business connector and DLP

The DLP policies don't allow blocking certain connectors like Teams, Outlook, SharePoint and OneDrive for business:

DenisMolodtsov_2-1623450391563.png

 

Pre-authenticated links vs Anonymous links

As one Microsoft representative pointed out, Anonymous links are not the same as "pre-authenticated" links. The latter work only for 1 hour and contain a JWT token that will let you download a document using. However, it does not make sense to have the least permissive sharing policy while you can easily bypass it by using Power Automate "Share a file" action.

 

 

Replication steps

- Make sure the tenant has the "Least permissive" sharing policy

- Create a flow with a single "Create share link" action

- Run the flow

- Try opening the resulting string from a different browser/computer/device:

 

DenisMolodtsov_3-1623450459359.png

 

Note that there was at least one person who was not able to reproduce this issue. He is a Tenant admin and he has no idea what he did to fix this issue. 
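
An added example, not part of the original thread: since the sharing report and the Manage Access panel do not list these links, one defensive option is to triage URLs pulled from mail or proxy logs for any query parameter that carries a JWT and report how long it remains valid. The host, the `token` parameter name and the sample token are constructed for illustration; the detection itself does not depend on the parameter name.

```python
import base64
import json
import re
from urllib.parse import parse_qsl, urlsplit

# A JWT is three base64url segments; the header always begins "eyJ" ('{"').
JWT_RE = re.compile(r"^eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_url(issued_at, lifetime=3600):
    """Constructed test link: fake host, hypothetical 'token' parameter."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"exp": issued_at + lifetime}).encode())
    return f"https://files.example.com/download?id=1&token={header}.{payload}.c2ln"


def find_token_links(urls, now):
    """Flag URLs whose query string embeds a JWT and report its lifetime.

    Tokens are decoded for triage only; nothing is verified or replayed.
    """
    findings = []
    for url in urls:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query):
            if not JWT_RE.match(value):
                continue
            seg = value.split(".")[1]
            try:
                claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
                exp = int(claims["exp"])
            except (ValueError, KeyError, TypeError):
                continue  # JWT-shaped but no readable expiry claim
            findings.append({"host": parts.hostname, "param": name,
                             "seconds_left": exp - now, "live": exp > now})
    return findings


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time (epoch seconds)
    urls = [make_sample_url(t0), "https://files.example.com/view?id=2"]
    for finding in find_token_links(urls, now=t0 + 600):
        print(finding)
```
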

 
