We have a scenario where:
--1. User uploads file and applies a list of 'external members' / users outside of our company they want to share the file with
--2. When the file is added, we immediately strip permissions to only the 'uploader' and a manager
--3. The person uploading the file also provides a list of these 'external members' emails via a text field with separate email addresses
--4. The manager then gets an approval email to verify the 'external members' should see the file
--5. If the manager approves, then we add the 'external members' to the file for permissions
Heard of anything like this w/o using a 3rd party permission tool on top of Flow? We know there's something to help with file level perms, but don't have licensing for it.
The hard part for us is figuring out how to add those 'external members' on the fly b/c what I'm told is the 'external members' have to be part of the site permissions before I can add them at a file level.
You can do all this using actions for SharePoint. Permissions can be adjusted using the Send an HTTP request to SharePoint and Sharing Links can be created using the Create a sharing Link for a file or folder. Trigger it when a file is uploaded.
How would we add users via Send an HTTP request to SharePoint?
I see an example here:
...but, in #2:
2.We need to find the user principal id from his e-mail address
...the external user isn't even added to the site yet, and wouldn't have a principal ID.
you use the Send HTTP request to complete #2. You use the Create a sharing Link for a file or folder to do #5. You don't have to add them to the permissions, creating a sharing link will do that for you.
For #2, they wouldn't be added to the site yet ...so, not sure how it would be possible to find their principal ID. Our SharePoint/tenant wouldn't know they even existed to use that method to grab their principal ID if they were an outside email address due to our company working with their company.
Seems like I'd have to add them to a global SharePoint group first ...to they get assigned a principal ID first...then run the method to grab their assigned ID. But, don't they have to accept the invitation first to get an ID assigned?
#2 says the permissions should be restricted to the user who uploaded the file and their manager. None of the external users are given permissions at that point. The user would need to be in the system to uplaod the file and I assume their manager would also be there. The External users are given permission when the sharing link is created, not by an HTTP call.
So, for the External users to get permissions to view this file, really it's just:
1. Get their email addresses from the text box values entered when the file is first uploaded by the file creator
2. Email these external users the sharing link by
--1. Create the link
--2. Email loop for each email...or parse them all via ";"
...that what you mean?
Yes, that should be all that's necessary to give the external users access to the file.
Maybe I'm missing something, but what about permission control?
What if we only want 2 external email addresses to have access and they forward the link?
We have the link sharing option turned off in site settings, but what if a site owner were to turn that back on?
Would a simple link share from one external user to another allow anyone with that link to see the file?
1) Creating a Sharing link takes care of any required permissions.
2) If Sharing is disabled in site settings then you won't be able to share with external users whether you use PowerApps or not.
3) Whether user's with the sharing link can pass it on to other people or not is dependent on your sharing settings. If anonymous links are disabled then external links will require a verification code sent to the same mailbox where the link was sent. This prevents passing the link on.
We have created the sharing link in Flow.
The link scope has to be people in our Org or at least in AD, and anonymous link access is turned off in our tenant.
As a test, if I send the link to my HotMail.com email account, and try to hit the link from my HotMail.com account I get:
That didn't work
We're sorry, but YOURACCOUNT@hotmail.com can't be found in the mycompanytenant.sharepoint.com directory. Please try again later, while we try to automatically fix this for you.
If the link scope is restricted to People in your org than I would expect a link sent to your hotmail.com account would fail since that address isn't in your org.
Anonymous is turned off, but if we manually give access via a SharePoint group to an outside entity/email address it will work. That's the whole objective...utilize Flow to allow 'access'...and just using the action of sharing the link doesn't do everything.
Are we now having to utilize the API to first add the outside vendor...then second, grab that outside vendor's identity ID and assign them permissions to the file?
Upon further research I find that the Sharing links are just authenticated or anonymous links only. So if anonymous is turned off they won't work for you. Your only real option is using a REST call to modify the permissions of the Folder or object. When I get a chance over the next couple of days I will try to figure out what the exact format of that REST would be and report back.
Join us for the first ever Power Platform Online Conference!
Keep your eyes open for our upcoming T-shirt design contest!
Look out for new contribution recognition badges coming SOON!
We've updated and improved the layout and uploading format of the Power Automate Cookbook!
Fill out a quick form to claim your user group badge now!
Find out where you can attend!