hi @ScottShearer. Well, the expected behaviour for the link is not to work. The problem is that:

- While the tenant has the most restrictive policies possible, I can create the link and it works. The generated link contains a pre-authenticated WJT token which is good for one hour. It meas tenants affected by this issue cannot prevent users from creating these links.

- The produced link can be opened from an unmanaged device without a credentials priompt.

---

@VictorIvanidze wrote:

Hi @DenisMolodtsov,

 

it's just a shot in the dark, but anyway: can you filter/block already created links in the already existing emails instead of preventing their creation? 

---

Do you know where would I find a repository of these pre-authenticated links? Do you think it might be possible via API? 

When I go to the file's Manage Access, the panel says that there are no links giving access. But I know for a fact that there are "preauthenticated" links. These links just don't show up here for some reason:

---

@jinivthakkar wrote:

@DenisMolodtsov I have seen your other post also I was able to reproduce the issue on my tenant as well

---

Thank you for checking! I am glad a few other people were able to verify this issue independently. 

Thank you for the suggestion. Unfortunately, this report does not list any of these "pre-authenticated" links. This is despite the fact that I can see that these links are working:

Hi @DenisMolodtsov 

I've not got time to test the scenarios at the moment but have you explored here:

Not sure if flow honours these settings (you would hope) but you could implement a security group in AAD and then choose the type of sharing that you allow (authenitcated guests or anyone).

I saw a discussion about OneDrive sharing here https://onedrive.uservoice.com/forums/913531-onedrive-sharing-collaboration/suggestions/17715682-dis... and one suggestion is DLP - for which I don't have the necessary experience of I am afraid.

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.
Cheers,
Damien

P.S. take a look at my new blog here and like & subscribe to my YouTube Channel thanks 😉

Thank you,  @DamoBird365. I want to add more information for the context.

Least permissive policy

External sharing settings are not applicable when we choose the "least permissive" sharing policies. Notice how the "More external sharing settings" is greyed out:

We can verify that it is impossible to generate the anonymous links via the user interface: 

Blocking sharing altogether

https://onedrive.uservoice.com/forums/913531-onedrive-sharing-collaboration/suggestions/17715682-dis... <- this suggestion is about blocking sharing altogether. This is not quite what we are trying to do. We merely want Power Automate/OneDrive to respect the tenant settings that prohibit Anonymous links. Looks like the Power Automate OneDrive for business connector somehow bypasses all restrictions and just creates these "pre-authenticated links" that work no matter what. 

Blocking OneDrive for business connector and DLP

The DLP policies don't allow blocking certain connectors like Teams, Outlook, SharePoint and OneDrive for business:

Pre-authenticated links vs Anonymous links

As one Microsoft representative pointed out, the Anonymous links is not the same as "pre-authenticated" links. The latter work only for 1 hour and contain a JWT token that will let you download a document using. However, it does not make sense to have the least permissive sharing policy while you can easily bypass it by using Power Automate "Share a file" action.

Replication steps

- Make sure the tenant has the "Least permissive" sharing policy

- Create a flow with a single "Create share link" ation

- Run the flow

- Try opening the resulting string from a different browser/computer/device :

Note that there was at least one person who was not able to reproduce this issue. He is a Tenant admin and he has no idea what he did to fix this issue.