SharePoint Holmes and the Haunted Homepage

sphomepage-thumbPart of my role is solving user issues. Sometimes they are so common that I have a standard response, but sometimes I need to do some sleuthing to understand and solve it.
As many of my readers are in a similar position, I thought I’d introduce SharePoint Holmes, SharePoint investigator, who will go through a few cases while working out loud.

The case

“Oh, Ellen, I think I have done something terrible to my site”, the site owner said, a note of panic in her voice. “I keep getting requests for access, while this is a site for all employees, and I do not know what I have done wrong”.

We had already noticed a number of tickets where people complained that they had lost access to this important site (and it was period-closing time so many people had to upload reports).

My first thought was “I hope she has not clicked “Delete Unique Permissions” when on the site permissions page” because that inherits the permissions from the parent AND removes all unique permissions from the site.
Although I like that as a thorough cleansing option for when you do not know how your permissions are set, in this case it would have been rather disastrous.

SharePoint Holmes to the rescue! I put on my admin cap and ventured into the site.

The investigation

  1. I opened the site. No problems for me, but then I am an admin so I have permissions for everything.
  2. Gear wheel > Site Settings > Site permissions. Phew, “This web site has unique permissions” was still there. So permissions had not been inherited.
    There were a number of groups with a variety of permission sets, including a Visitors group with Read permissions, which included all company employees. That looked OK.
    Of course there were also a few items with unique permissions, but that is not unusual and it hardly ever leads to a sudden flood of support tickets.
  3. I looked at what had been set as the homepage. (Site Settings > Welcome Page). “Homepage_New”.  That made sense.

    SPHomepage-WelcomePage
    You can determine the welcome page yourself.
  4. I checked the Pages library. Yes, there was a page called Homepage_New and it was the page I had seen when I entered the site.
  5. It was time to check the permissions for the Pages library. Aha, “This library has unique permissions” and only the Owners (Full Control) and Visitors (Read) were mentioned. Good idea – you do not always want everyone with Edit or Contribute permissions to manage (and mess up) your pages.

    SPHomepage-Libraryperms
    The Pages library had limited permissions to avoid unwanted editing. But Visitors (Bezoekers) have Read (Lezen) permissions. (I have tried everything to get this page to display in English, not Dutch, but it does not work.)
  6. Then I noticed something in the yellow box: “Some items of this list may have unique permissions which are not controlled from this page”. And yes, one of the pages was “Homepage_New” to which only the Site Owners had access…

    SPHomepage-Pageperms
    The Welcome page had different permissions – in this case only the Owners had access.

The solution

I quickly deleted the unique permissions from the page so at least Visitors could access the homepage again. Then I informed the site owner what had been causing the issue.

So yes, this was a permissions issue, but everyone still had access to the site. It was only the Homepage that was restricted, leading everyone to believe that they could also no longer reach the content of the site.

Tip

When this ever happens to you or your audience, and you expect that you have access to this site (e.g. because you have always had access or you have just been invited), try checking Site Contents.
Take the root of the site (https://company.sharepoint.com/…/sitename/) and then add “_layouts/15/viewlsts.aspx?view=14” to it. Create the link and paste it in the browser.
If you still get an access denied, you likely have no permissions.
If you see the content, it means there is something wrong with the welcome page.

Has this ever happened to your users?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

Advertisements

8 Tips to avoid overwriting Excel files in SharePoint Online

Overwritten ExcelOne of the myriad changes announced at MSIgnite was the mention that all files in OneDrive will soon open in edit mode directly, so you can work faster.
I hope Microsoft  will wait a bit before rolling that out for SharePoint as, since moving to SharePoint Online, we have had a number of incidents where users have inadvertently overwritten or otherwise messed up a shared Excel Online file, resulting in incorrect data.

I do not quite get how that has happened, as Excel Online files always open in read mode (in Internet Explorer and Edge, in any case, and only very few people have another browser) and you have to specify whether you want to edit in Browser or in Client.
But it has happened more than once, also with people who are quite SharePoint-savvy, so I guess it is a thing. Perhaps it is the “autosave” option when you are in Edit mode, so your changes are saved, even if you do not intend to?

OverwriteExcel-readmode
In my experience, an Excel Online file ALWAYS opens in Read-mode.

This is a major annoyance, as we can not restore a single file from Office365. We can only restore the full site collection…
So more than ever before, prevention is key! Here are a few ideas to prevent and remediate incorrectly overwritten (Excel) files – pick the option(s) that suit your situation best:

1. Adjust permissions

Make sure only those people who really need to edit the file can do that.

How: Go to the library, folder or file and check and adjust the permissions.

2. Set mandatory check-out

If people have to consciously check out a file, they will be made aware they are going to edit it, and they can stop if they do not want that. It does not change the auto-save, however.

How: Gear Wheel > Library Settings > Versioning settings > At the bottom, check “Require documents to be checked out before they can be edited” and click OK.

OverwriteExcel-checkout
How to set mandatory check-out before editing.

This can be a pain for users, as they will have to remember to check the file in when it is finished (and preferably before they go on holiday  🙂 ). On the other hand, a checked out file can not be edited, so it may also be a blessing!
Remember that a Site Owner or site collection admin can always override the checkout or check the file in.
If many people need to edit the file in a short timeframe before a deadline (e.g. end of month), option 7 may be a better solution.

3. Always open the document in the Excel client

SharePoint Online allows you to select the opening behaviour of a file. If you set this to “Client” the file will always open in Excel desktop version, read mode, which will need a conscious effort to edit the file. (Unless you have “Autosave” enabled in your Excel client!)

How: Gear Wheel > Library settings > Advanced Settings > In the 3rd paragraph from the top, select “open in the client application” and click OK.

OverwriteExcel-clientopening
This setting will always open the file in the client application.

Please note there are differences between working in Excel Online and Excel client.

In general, the Online version is limited; it is useful when you just need to make a few simple content edits. The Client version is more powerful.

4. Set versioning

This is remediation, not prevention. Having versioning set means you can restore an older correct version if the current one has been corrupted. By default, SharePoint Online document libraries have 500 major versions already enabled, which should be sufficient. 🙂

How to set versioning: Gear Wheel > Library Settings > Versioning settings > Document Version History > make sure this is set as below (or use a smaller number) > Click OK.

OverwriteExcel-versioning
This is the default setting for all document libraries created in SharePoint Online.

How to restore a version: Select the document > Click version history from popup or command bar > Hover over date and time of version to restore and click the black triangle that appears > click Restore from the popup. Please note this version will be copied to the top as a new version.

OverwriteExcel-restoreversion
In this case, I restore version 4.

For more info about versioning:

10 things I learned about versions 

5. Create a dedicated document library

Options 2, 3 and 4 (and ideally, 1 as well) have to be set for the complete document library in which this document lives. If that is difficult or unpleasant, why not create a new document library especially for this document?

How: Gear wheel > Add an app > Document Library > Specify name > Create.

6. Use a password-protected workbook or worksheet

You can protect your Excel file with a password and only give the password to those people who need to change the data. You may need to rearrange your Excel for that, since you can view a password-protected sheet, but not a password protected workbook, in the browser.
This is never my preferred option, as I think we have SharePoint permissions for this scenario, but in some cases it can be useful.

How: Open the file > click File tab > Info > Protect Workbook > select “Encrypt with Password” (for the complete file – if you want to open in the client) or “Protect Current Sheet” > add password and options > OK.

OverwriteExcel-password
Here you can also protect your workbook or -sheet

 

7. Turn this Excel file into a SharePoint list

This can be a good option if your Excel file is relatively simple and does not contain complicated calculations or relationships between sheets etc.
You can use the SharePoint list to collect the data, export the data into Excel and do your advanced data processing in Excel.  In case of many people having to process data before a deadline, e.g. end of month, this method is preferably over mandatory check-out of a file as everyone can work on their own lines without having to wait for others or messing up other people’s data.

How: The simplest way is to use the Import Spreadsheet app.
Then create good views so your audience can view or edit their data according to their needs with the least amount of hassle.
I have streamlined a lot of processes in this way, check out my Business Examples.

8. Instruct your users

Once you have taken your measure(s) of choice, let your users know how they should work with the file. For instance, how to disable Autosave in their Excel client, or how to properly check out and check in.
Add the info on your site’s homepage, create a document that you pin to the top of the library, record a short demo, etc.

OverwriteExcel-pindocument
You can pin the instructions on top of your library so people can not miss it.

Have you had this issue as well and if yes, how are you trying to prevent it?

Image courtesy of Stuart Miles at FreeDigitalPhotos.net

SharePoint Holmes and the elusive Link

HH-header“Users can not access links”.
What a boring title, I thought when this incident was assigned to me. But, as usual, there was a twist to it.

The case

Several users of a local site received a “you do not have access” when they clicked a link that was added to a news item on the homepage. This link directed to a pdf-document.  According to the site owner, they should have access.

So I put my SharePoint Holmes Admin Hat on, and dove into the site.

The investigation

The homepage contained an Announcement list in Newsletter Style. The text “read more” (I know, not the best way to name a link) led to a pdf in a document library in the same site, called News Documents.

HH-Local News
The Local News list. “Read More” should take you to a document.

The News Documents library contained 2 items.

HH-NewsDocuments
The News Documents library
HH-NewsDocumentsLibrary
The 2 documents

The document library inherited permissions from the site.
The audience included myself, so I decided to take a look as my “normal” self.

Yes, I could access the page. But when I clicked on the link “Read more” I got a “Sorry, you don’t have access to this page”.

I looked into Site Contents and saw that the library contained 2 items, but when I opened the library, I saw no documents. Hmmm.

HH-Library-user
As a normal user, I can see the News Documents library contains 2 documents.
HH-emptylibrary
As a normal user, I do not see any documents in this library.

I went back into admin mode, and checked again.

  1. I checked the link on the homepage – was it perhaps a broken link? No, it looked solid and led to the pdf without further ado.
  2. Did the documents open in browser by default, which might hamper the opening of a pdf? I checked the Advanced Settings but it opened by default in the client.
  3. Had the documents been checked out? No, I did not see the green tell-tale mark.
  4. I wanted to take a better look at the views, to see if those could tell me more.  There were rather a lot of columns in the default view, so I had to do some horizontal scrolling to get to the Views link.
    “Draft” I suddenly noticed in the right-hand column.
    “0.1” I saw in the column next to it. That column was called Version.
HH-FullDocumentLibrary
I had not seen the “Version” and “Approval Status” columns in my earlier investigation…

AHA.

The solution

In the Versioning settings I noticed that content approval was enabled, and only people with approve permissions and the author could see drafts.

HH-ContentApproval
The Content Approval settings

Both documents had never been approved and were therefore visible for only a few users.  Everyone else got a “you do not have access” as for the majority of users, these documents were not yet accessible.

That explained why I could see it as an admin, but not as a normal user.

The site owner was not aware of the versioning as he had inherited the site. When I explained, he decided to turn of the content approval as that was not really needed for these documents.

Another issue solved! Now would you classify this as a document management issue or a permissions issue?

Image courtesy of vectorolie at FreeDigitalPhotos.net

Where do SharePoint permissions live?

permissions-treasuremapAfter we moved to SharePoint online, users did not know how to find or change permissions in folders and items anymore. In general I prefer to keep it that way 🙂 but I was curious to learn how it was done now, since I provide support on permissions issues.

Permissions pages for sites and lists/libraries have not changed for ages, but in SharePoint Online you have to follow a different path than before to get to the permissions page for folders, documents and list items.

When talking about the permissions page: I am referring to a page like this:

Permissions Page
The permissions page has a complete overview of groups and individuals, the ribbon, and a yellow bar with information about unique permissions in this unit, users with limited access and more.

Of course you can see the permissions page via my new BFF, the link “show items with unique permissions” on the Site Permissions page, but there are times when you do not want to see if there happens to be an exception, but what the permissions actually are for a certain folder or item.
(I recently saw a site with so many unique permissions that I completely lost track and could not figure out what was NOT in that list)

I am not very good at drawing or illustrations, but I want to learn. Here’s my attempt to show how to find the permissions page for a team site, containing a list, containing a folder, containing an item. (An item can be inside or outside a folder)

Folders and items: Details pane in list/library

Whether the item is in a folder or not, in both situations the permissions page is found via the details pane.

Details Pane
The details pane is on every list/library and is context-sensitive. When you select a folder, document or item it shows info for the selected item.

You need to be in the list or library (i.e. via Site Contents) to see the details pane. When you click “Change permissions” under “Has access” (this will be under the metadata) you will see this:

Permissions-advanced 2
Go to the permissions page via the details pane

You can also go to the above place by using the new Share interface and clicking the … top right and then the “Manage Access” link that appears which leads to a similar pop up as the screenshot above. Click “Advanced” to go to the Permissions page.

Permissions -advanced 3
The new Share interface with …

Folders and items – Share/Get a Link in web part

If you use a list or library web part, and the … are displayed, you can use the “Share” or “Get a Link” option to get there using the “Shared with” link and then clicking “Advanced”. The web parts use the “old” Share experience, which I expect will be replaced with the new Sharing experience, above.

Permissions-advanced1
Web parts still use the “old” Share interface. I expect this will change over time.

Have you found any more ways to go to the page with the permissions?

photo credit: MontyAustin Goonies Treasure Map via photopin (license)

7 steps to clean up unique permissions

cleanup-headerIn my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show items
Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Cleanup-showitemsiwhtuniquepermissions
Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or libraries that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.

Cleanup-Documentswithuniquepermissions
List of documents (or items) that have unique permissions. Rightclick “manage permissions” and open the link in a new tab.

e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item.  (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

Cleanup-deleteuniquepermissions
After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show users
Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

Cleanup-RemoveKimB
You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type  will generally have  “guestaccess”  in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Cleanup-GetaLink
Link “”Document 5″has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net

Limiting unwanted sharing and unique permissions

Preventsharing-fenceIn my recent posts you have seen that you can create unique permissions for list items and documents very easily, with

Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.

Why am I making such a fuss?

  • Maintenance and support
    Unique permissions create extra issues with access, and provide extra work for the Site owner.
    You may also need more support, although your support team might like that 🙂
  • Information security
    People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
  • Performance
    Having lots of unique and individual permissions may slow down your site.

Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.

Fortunately, there are some options that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.

1. Disable anonymous access

Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.

Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.

Preventsharing-GetaLink
This is Get a Link after I have disabled anonymous sharing. Only 3 options left for the Site owner instead of 5.

2. Disable external sharing

While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.

It is a good practice to reserve one or some site collections for sharing with externals, so you can keep the other site collections for purely internal content.
Your tenant admin can disable external sharing on various aspects at the Office365 tenant and the SharePoint admin level.  Gregory Zelfond has already documented how to do that.
By the way, Gregory has written more useful posts on external sharing.

This will give the following results, depending on whether the external user is already in your site collection or not.

preventsharing-noexternalsharing-indirectoy
This message will appear when you want to share with an external user who has been added to another (external) site collection in the tenant earlier.

 

preventsharing-noexternal-usernotindirectory
And this message I received when I wanted to share with a completely new person.

3. Change Sharing settings in your site

This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.

preventsharing-defaultsharingsettings
By default the access request and sharing settings are like this. Read the explanation carefully!

This will mostly influence what a Site member can do.

You have four options:

4a. Both checked: I have done my experiments with this setting. You know what that does 🙂

4b. Top checked, bottom unchecked

Share:
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.

Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option

4c. Top unchecked, bottom checked:

Share:
Member=Visitor: Can share site and documents but needs approval from site owner

Get a Link:
Member=Visitor: Restricted Link

This option brings another message to your Site Permissions page:

prebensharing-tiredofapprovals
If you get tired of approvals, you can change the settings again. (But look: no item with unique permissions…until you approve a request)

4d: Both unchecked:

Same as 4c.

So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!

4. Remove access request email

If you can not get access requests, you can not break permissions when accepting them!

Preventsharing-noaccessrequest
You can uncheck the “Allow access requests” box and no email will be sent.

This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!

But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.

preventsharing-noemail
Not a very nice message, and also not exactly correct. It should say “There is no email address to send the request to”,

Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.

While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.

Image courtesy of winnond at FreeDigitalPhotos.net

Sharing = scaring (part 2)

Sharing2-imageIn my most recent post I focused on sharing documents and items by the Site owner, demonstrating that the Site owner him/herself can easily create lots of unique permissions by sharing folders, documents and items.

But what happens if a another user of your team site shares? Can a Member or Visitor create unique permissions as well, and does the Site owner know what the Site members are doing?

Once again, we start out with a team site with the standard permission sets (Owner, Member with Edit permissions, Visitor with Read permissions) and no unique permissions.

Durian Grey is a Visitor and Mystery Guest is a Member. We also introduce Kimberley B, who has no access at present.

Sharing documents/items by a Member

Now, Mystery Guest shares as follows:

  1. Durian, Can View
  2. Kimberley, Can View
  3. Durian, Can Edit
  4. Kimberley, Can Edit

The following results are as expected:

  • Document 1 does not change permissions since Durian already has Read access to this site.
  • Documents 2, 3 and 4 get unique permissions after clicking the “Share” button in the Sharing screen.
  • The persons are added as individuals to the document
  • Documents 3 and 4 have the individual added with “Contribute” while Members in this site have “Edit” permissions. (and the Share option is called “Can Edit”) So, a new role is added.

These following results were a surprise for me:

  • The documents shared with Kimberley B generate an External Sharing Invitation (access request) but the Site owner does not get an email notification.
  • Kimberley B can only share the document with existing site members when she has View permissions. but she can share the document with ANYONE, including new externals, when she has Edit permissions.
  • When Kimberley B shares with another external user this creates an External Sharing Invitation for the new person.
SharingbyexternalCanEdit
Kimberley B can share the Edit permissions for this document with everyone, even though she has no permissions on site level. Scary!

 

Sharing documents/items by a Visitor

Durian shares document 5 with Mystery Guest. He can not select Can View or Can Edit. When he clicks “Share”, he sees a message that this request is being sent to the Site Owner but that does not happen; the message goes straight to Mystery Guest. She can access in her normal role and no unique permissions are created. Phew!

Durian then shares document 5 with Kimberly B.

SharingbyVisitor
A Visitor can share but always needs approval from the Site owner.

 

When he clicks “Share” the following things happen:

  • The Site owner receives the normal “someone wants to share” email, Durian gets a copy
  • An access request in Pending Requests appears. By default, the request is for Edit (not Contribute), as an individual. The Site Owner can not select one of the permissions groups, so has to give individual permissions. 😦
  • As soon as the Site owner selects a permissions set and hits Approve, the item has unique permissions.
  • Durian receives an email that the sharing request has been accepted.
  • Kimberley B receives an email that a document has been shared.
  • Kimberley B can share the document with only existing members or anyone, according to her permissions.

Sharing a site

Since Mystery Guest has found that Kimberley has no access, she shares the complete site with Kimberley. She is not a Site owner, so she can not select a permission set when she shares the site.

As soon as Mystery Guest clicks “Share”

  • Kimberley B receives an email.
  • She is added into the Members group (even without having accessed the site).
Sharing2-KimBisaddedasmember
Uh…how does Kimberley B suddenly end up in this group?

 

Durian has the same thought.

  • He shares the site with Kimberley B.
  • His request is sent to the Site Owner and an Access Request is created.
  • The Site Owner goes to the Access Requests list and selects the Visitors group of the site and clicks Approve. (Members is the default, btw)
  • A confirmation email is sent to Kimberley B and Durian.

Now Durian wants to share the site with another external person, who has never been invited before. He can not do that.

Sharing2-Durianshareswithnsomeoneelse

What to think of this?

It is complicated!

Although a number of things are understandable this can turn into a messy site:

  • Get a Link, Share and Access Requests can all very easily create unique permissions for documents (including pages), folders and list items.
  • Members can use Get a Link and Share, create unique permissions, and add new Members, without the Site owner knowing.
  • Visitors can do less and generally need approval from the Site owner; this is better for the Site owner’s overview, but can create a lot of work because of the approval requests.
  • External users can share your document with anyone, if they have Edit permissions.

Don’t panic!

Before you start panicking, please be aware that my tenant is almost out-of-the-box and all the sharing options are turned on by default.  Tenant admins can take measures to reduce the unlimited sharing Microsoft thinks we need.
I will share those measures with you next time.

I have also found a few differences with regards to users who are mentioned in my tenant (with and without license) and who are not. When I have recovered from my current identity crisis, juggling 4 accounts and 3 browsers, I will try to find out more. 🙂

Image courtesy of marcolm at FreeDigitalPhotos.net