10 things to know about Copy to and Move to (in SharePoint Online)

CopyMove-headerOf course you all know a number of ways to move documents from one place of SharePoint to another, such as Open With Explorer*, Content and Structure** and 3rd party tools.

But have you tried the “Copy to” and “Move to” options in SharePoint Online?
(I will use the words Copy and Move throughout this blog as this makes it easier to read…and write)

CopyMove-bar
Copy To and Move To become visible when you select one or more documents

I knew that Copy has been available for some time in document libraries, but only recently I have also discovered Move. So I decided to find out how it works and how I can explain this best to our audience. The Microsoft Help is accurate and helpful, but it does not mention everything.

1. This is only available in document libraries with Modern Experience. 

2. Copy and Move are available for Document, Asset and Picture Libraries.

You can Copy and Move folders or individual documents to other Document Libraries.
You can Copy and Move images from Asset and Picture Libraries, but only to the same Asset or Picture Library or other Document Libraries.
In Pages Libraries, you can only Copy a page and then only to the same Pages Library. This is useful when you want to base a page on an existing one.

CopyMove-Pages
In a Pages library, you can only Copy a page to the same library. No other targets are available.

 

CopyMove-targetoptions
Source and possible target libraries

3. Copy and Move can be done between OneDrive and SharePoint Online and vice versa.

CopyMove-OneDrive
Your OneDrive is always shown as option.

4. Copy and Move can be done between different site collections, unlike “Content and Structure”.

5. What you can do depends on your permissions.

a. To Copy, you will need at least “Add” permissions in the target site.
You will be adding documents, so you will need Contribute, Edit or Full Control or similar.
“Read” permissions to the source site are sufficient in order to be able to Copy content.
b. To Move, you will need at least “Add” permissions in the target site AND “Delete” permissions in the source site, as Move deletes the documents in the source site.

CopyMove-Permissions
The roles you need

 

6. Copy only copies the latest version, Move moves all versions.

This is the same as with Content and Structure, but it does not hurt to mention it again, as this is now available for more users and can have consequences!

CopyMove-Versions
Differences in Copy and Move w.r.t. versions

7. Move keeps the original Created and Modified dates and names.

Copy keeps the original Modified date and Modified By name, but Create date will be now and Created By will be the name of the person who copied. This makes sense, as you are creating a new instance with new Create info.
This can also be slightly confusing, as the Create date can be later than the Modified date.
In the screenshots below, I have used the same Source Library and two different Target Libraries, to show the difference between Copy and Move.
The documents have different dates, people and versions.

First, let us Copy the 3 selected documents

CopyMove-Copy3docs
Version number are 3.0, 2.0 and 5.0, respectively. Different names in Modified By and Created By.

 

This is the result:

CopyMove-3docscopied
All documents have been copied as a new version with the Created date of some minutes ago – while the Modified date is earlier! Created By is me (I did it) while the Modified By is still the same.

 

Now, let’s Move the same 3 documents to a different library:

CopyMove-Move3docs
Now we are moving these same 3 documents

This is the result:

CopyMove-3docsmoved
The original names and dates are in Created By, versions are the same.

 

8. You will receive warning messages in certain scenarios.

a. You Move a document to a target document library that has fewer versions enabled than the source. In this case, document Sharing 9 has 5 versions, the target library 3. You will get a useful warning and the option to stop the process. You do not get this warning when you Copy, as this only copies the latest version.
(This will become less of an issue with the changes in versioning coming up)

CopyMove-VersionWarning
Warning about fewer versions

b. You Move a document to a document library with fewer/different metadata. In this case, I am moving a document that has a Topic column to a target without that. Again, you can Copy it with no warning.

CopyMove-metadatawarning
Warning about different metadata

c. You Copy or Move a documents to a target location that already has a document with the same name.

CopyMove-Titlewarning
You can not Copy or Move when a document or folder with the same name exists in the Target library

9. This functionality is not available for guests.

Guests who want to Copy or Move get an error message, even if they have the correct permissions and see the options. Judging from the error message, the sites shown in the panel are sites you follow and/or have recently visited. As externals have no OneDrive to store their Followed sites, nor Delve to see the recently visited sites, this makes sense.
This may get awkward for long-term trusted external partners, though.

CopyMove-MysteryGuestIssue
Even though the option to Copy or Move is displayed, external users/guests can not do this.

10. The sites that are suggested as targets are based on the Office Graph. 

A good reason to Follow your sites – they show in the targets panel and save you searching. The suggestions are based on the Office Graph and this explains why external guests can not Copy or Move – they have no Office Graph. Thanks to Greg Zelfond for providing me with this info! 

CopyMove-followed sites
What is shown here depends on your Office Graph.

 

My two cents

I am quite happy with this functionality. It is very simple and it will be very useful in case of organizational change or archiving a project.
I now use it all the time when I move instruction and help documentation (that I write using a Word template on my laptop) from my OneDrive to SharePoint. Somehow it feels easier.

However, I would not be me if I did not see some risks. But as this is already quite a long post, I will leave that for next time.

Special characteristics of other ways to move documents

*Open with Explorer
Microsoft help
• Needs Windows on your PC as it opens Windows Explorer
• Needs Internet Explorer 32 bits, does not work with any other browser
• Only works with Classic SharePoint
• Content takes Create/Modify dates and names from the person performing the action and the date/time of the action
• No versions can be copied or moved

**Content and Structure
• Only accessible for people with Contribute or higher
• Only available to copy and move within the site collection
• Only available when your site collection has publishing features enabled

Image courtesy of Baitong333 at FreeDigitalPhotos.net

Advertisements

SharePoint Holmes and the Missing Metadata

SH-MissingMetadata

After all the recent permissions issues it was nice to get a Document Management case for a change.

The case

The issue was: “Every time I edit a document and save it, it is checked out and we need to check it in again and add the metadata. We have not set mandatory check-out in this library – what is going wrong?”.

I put on my SharePoint Holmes paraphernalia and set out to solve yet another case. Or so I hoped 🙂

The investigation

  1. I looked at the recently edited document. Indeed, the document was checked out with the yellow box where the metadata should have been.

    SH-MissingMetadata-ClientLibrary
    The document was checked-out and missed required metadata.
  2. I checked the Library Settings. Set to modern view, to open documents in the Client application, indeed no check out required. The “Topic” field needed a value.
  3. I uploaded another document and edited it without any issues – the document stayed checked in and retained the metadata. I edited the properties, no problem.
    Hm.
  4. I selected the checked-out document to view the properties. I quickly scrolled down the details pane to see the metadata. Yes, no topic selected, as expected.
  5. I Googled on the check-out issue as I had no clue what happened here.
    The solutions all pointed to something with “metadata” so I selected the document again to have a closer look at the metadata, and hoped that permissions and edit history would provide some extra clues.
  6. Someone called me on Skype so I left the details pane open without scrolling down.
  7. When I came back from my call, the answer stared me in the face.

    SH-MissingMetadata-NoPreview
    No preview available – aha!

The solution

I had seen this “No preview” message before on a password-protected Excel file. The owner confirmed this.
After some searching I came across several posts describing this behaviour. Apparently, SharePoint does not only respect the content of a password-protected document, but also the metadata. Hence, you have to re-add the metadata after each edit.

A request to change this behaviour has been submitted to Office 365 User Voice.

I discussed with the owner whether password protection was really needed as SharePoint has its own protection. As it turned out, the people who had the password were the same people who had access to the document and the document library, so she decided to remove the password.

I also checked what happens if this would have been a document library that opens documents in the Online version.
First, you get a warning message:

SH-MissingMetadata-Online

 

After editing in the client, you have the same result in the document library: the document is checked out and has missing metadata.

Another reason not to use password-protected documents in SharePoint!

Image courtesy of Simon Howden at FreeDigitalPhotos.net

7 SharePoint permissions bloopers

Permissions bloopers 4

The other day I came across an interesting tweet:

Yes, been there, done that! And this made me think of all those other times that I, or my users, have made a mistake with permissions, either by forgetting to think and doing this on routine, or by ignorance.
Here they are, for your learning and enjoyment.  Laughing is allowed; sharing your own bloopers is encouraged!

2. Deleting a group

Did you know that deleted Groups do not go via the Recycle Bin, so they are gone for good?
So, when you want to do this, first check to which content the group has access. If that is only to your site, you can safely delete it; if is has permissions to other sites, please talk to the owner(s) of the other site(s) first!

How to check: Click on the group name on your permissions page, click Settings > View Group Permissions and you will see a pop-up like this:

accessforgroups
In this case the group only has access to one site, so it can safely be deleted if needed.

3. Removing a group from a site and forgetting its name

Good luck finding that in your site collection’s list of groups! (which likely contains at least 3 x as many groups as there are sites, and most likely many more)

A good naming convention, as well as keeping some documentation or screenshots of your permissions setup may help limit the damage. Another good idea is noting the MembershipGroupID’s of the group’s URL. These can be found in the group’s URL, e.g.

…/Share/_layouts/15/people.aspx?MembershipGroupId=165

The 3 default groups of a site are created with subsequent numbers, so if you remove one of those you can probably find them by changing the MembershipGroupID at the end of the group URL. In the screenshot above, Owners, Members and Visitors group have numbers 164, 165 and 166, respectively.

4. Clicking on “manage parent” to edit permissions

You need to change permissions of a site that has inherited permissions. Without thinking you click on “Manage parent” and start making changes, not fully realizing that you are now changing the permissions for both sites. You should have clicked on “Stop Inheriting Permissions” first!
The damage can vary.
I have once changed the top site of a site collection that way. The good news was that I finally got rid of a lot of outdated “Limited Access” users, but it was only later that I realized I had also removed everyone’s permissions from various site collection galleries.

5. Removing yourself from a group, site or library

This is generally annoying but benign, as long as you have quick access to a site collection administrator who can add you back.  I get about one call a week from someone who has locked themselves out.

6. Not clicking “Show Options” when you  share something with “Everyone”

Sharesitewitheveryone
Do click that “show options” link on the bottom of the Share screen!

This sends an email to all the company (and gives them contribute permissions if it is a site). Well, at least people know you and your site exist, but I do not know if “Everyone” will appreciate your marketing tactics! 🙂

And (in my opinion) the most disastrous of them all:

7. Inheriting the permissions from the parent site

You click “Delete unique permissions’ without realizing you are not at the document library, but at the site level. The permissions of your site will now be the same as the parent site.
You may not be the site owner of that site. Even worse, you may not even have access! An even if someone is kind enough to create unique permissions again and give you back your access, all unique permissions are gone.

An example: this site has unique permissions.

UniquePermissions
If you see “This Web Site” you are at site level!

This site has some content with different permissions

UniqueExceptions

When I click “Delete unique permissions” in the site I get a warning in a mix of English and Dutch – which is the first time I have seen this:

UniquePermissionsWarning

And if you click OK the permissions are inherited from the parent and there are no unique permissions anymore. The original groups also have no access anymore.

Uniqueafterinherit
No content with unique permissions after inheriting permissions from the parent site.

While this may be a good reset of your site if you have completely lost the overview of the permissions, it can be a nightmare if you have a well-managed site with confidential content that needs well-managed unique permissions.

General recommendations

  • Make sure you have an overview of the permissions of your site. It can be a simple mention in the description of the list or library (“this list is only accessible for the MT”), or a separate document with a detailed description.
  • Stop and think before you hit a button – if in doubt contact your help person.

Have you made any other permissions management mistakes? Do share!

Update March 2018:
Via Twitter I received some more gems from Stefan S:

8. Renaming a SP group that is used in the Target Audiences setting of a webpart; it will disappear. You should re-enter the group.

9. Forgetting that Members groups have the permission level Edit instead of what used to be Contribute.

 

7 steps to clean up unique permissions

cleanup-headerIn my latest post I showed you how you could limit the options to share the content in your site. I hope that you have made some decisions, so now it is time to clean up the mess.
Let me remind you why too many options to share can turn into a problem:

  • Sharing a document or list item, or using the “Get a Link” option, creates unique permissions, and that means that the permissions of a document or list item no longer follow the permissions of the site. So if you add a new group (recommended) or a new person (not recommended) to the site, this group or person will not automatically get access to those items.
  • This will lead to unexpected access denied messages and therefore Access requests.
  • Approving Access requests may lead to more unique permissions AND they give people Contribute permissions by default, which may be too much.
  • Unlimited sharing (especially with external users) can lead to your documents falling into the wrong hands.

So, how to take back control of your site after you have changed some of the settings?

Have a note-taking system ready – paper, OneNote, Notepad, document – whatever is your thing. You will need to make some notes.

1. Process pending Access requests

Go to Site Settings > Access Requests and Invitations and see who has requested access.
Click the … next to each name and add people to site groups as much as possible. If you do not see the site group mentioned, note down their names with the group that you want to add them to.

2. Remediate content with unique permissions

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show items
Show the items with unique permissions, intended and accidental. Very useful functionality!

b. You will get a pop-up with all lists and libraries that have different permissions.

Cleanup-showitemsiwhtuniquepermissions
Focus on the lists with “View exceptions”. Those contain the items where you have created unique permissions by accident.

c. The items marked as “manage permissions” are usually lists and libraries that have different permissions by design. Skip these.
d. Click on “view exceptions” for the first list or libraries that has this mentioned. You will see all documents (including pages and images) or list items that have unique permissions.

Cleanup-Documentswithuniquepermissions
List of documents (or items) that have unique permissions. Rightclick “manage permissions” and open the link in a new tab.

e. Using Rightclick > Open in new tab, click “manage permissions” for the topmost item.  (If you just click “manage permissions”, you will have to start at a. again for the next document or list item)
f. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.
g. Click “Delete Unique permissions” to re-inherit the permissions from the list or library.

Cleanup-deleteuniquepermissions
After noting down Kimberley B as a potential Visitor click “Delete Unique Permissions” to bring the document’s permissions in line with the rest of the document library and site.

h. Repeat steps e, f and g for the next document or list item.

3. Weed out “limited access”

Limited access is an annoying thing that tells you that there are, or have been, unique permissions – or it may mean nothing at all.
If this site has existed for some time and you do not know it very well, you can skip this step for now because you might remove people who are there for a good reason.

a. Go to Site settings > Site permissions and click on this link:

Cleanup-Show users
Show people with limited access. This can be caused by Sharing, Get a Link or accepting an Access request.

b. Check if there are any people mentioned that you may want to add to one of the site groups, and note down their names + intended site group.

Cleanup-RemoveKimB
You can remove Kimberley B from this page. (“Beperkte toegang” means “Limited Access”)

c. Remove any individual users so you are left with only the site groups.

4. Add the new users

Add the users that you noted down during steps 1, 2 and 3 to their respective groups.

5. Review the Members group

During the time that you had no restrictions, Members may have added other Members.  Review your list of Members and change their roles or remove them where needed.

6. Replace any “breaking links” on your pages

Hover over every link on every page in your site and look at the link in the bottom-left of your screen. Links of the “Can View” or “Can Edit” type  will generally have  “guestaccess”  in their link and they will cause unique permissions.

When I did not know all this yet, I had created some Promoted Links with the “Get a Link – Can View” link to a page. As soon as I created the link, the permission inheritance for the page was broken and everyone who clicked on the link was added as individuals to the page.

Cleanup-GetaLink
Link “”Document 5″has been created with “Get a Link”. The URL is: …../Team/Share/_layouts/15/guestaccess.aspx?/….

Replace every one of those links with the “Restricted Link” equivalent.

7. Monitor

Review on a regular basis if the restrictions and the cleanup work make you feel more in control of your site. Depending on your choice of measures, you may need to do more approvals from Visitors or Contributors who want to share content.

How have you dealt with the “Unholy trinity of creating unique permissions” 🙂 ? Would you like to share your frustrations or have you found a good way to deal with this that other readers can benefit from?

Image courtesy of artur84 at FreeDigitalPhotos.net

Limiting unwanted sharing and unique permissions

Preventsharing-fenceIn my recent posts you have seen that you can create unique permissions for list items and documents very easily, with

Additionally, you often add people with Contribute permissions while your normal Members group has Edit permissions (=Contribute + Manage Apps).
Plus your site members can add practically anyone to your site without informing you.

Why am I making such a fuss?

  • Maintenance and support
    Unique permissions create extra issues with access, and provide extra work for the Site owner.
    You may also need more support, although your support team might like that 🙂
  • Information security
    People with Edit or Contribute permissions can share content with external users, who then are often able to share your content with others if given those permissions. Your information may be shared with your competitors in this way!
  • Performance
    Having lots of unique and individual permissions may slow down your site.

Office365’s out-of-the-box functionality allows unlimited sharing. My own environment is like that, so all experiences that I have described before are done in the “unlimited sharing” default mode.

Fortunately, there are some options that a tenant administrator, a site collection administrator and a site owner can do to limit the potential damage.

1. Disable anonymous access

Disabling anonymous access lets you get rid of the “no sign-in required” options that you have when you get a link, or the “sign in required” when you share a folder or list item. While it may not reduce the creation of unique permissions too much, it will make it more obvious who has been given access. This will allow you to determine whether those people need to be added to a site group, or removed from your site.

Your tenant administrator can disable this at the Office365 Admin center for all Office365 applications, or at the SharePoint admin center for the SharePoint sites.

Preventsharing-GetaLink
This is Get a Link after I have disabled anonymous sharing. Only 3 options left for the Site owner instead of 5.

2. Disable external sharing

While this also will not prevent all unique permissions, it may limit them, because of sheer numbers. Chances are your colleagues will already have access to your site, making the chances of unique permissions during sharing a bit less.
Of course this will make it impossible to share confidential stuff with externals.

It is a good practice to reserve one or some site collections for sharing with externals, so you can keep the other site collections for purely internal content.
Your tenant admin can disable external sharing on various aspects at the Office365 tenant and the SharePoint admin level.  Gregory Zelfond has already documented how to do that.
By the way, Gregory has written more useful posts on external sharing.

This will give the following results, depending on whether the external user is already in your site collection or not.

preventsharing-noexternalsharing-indirectoy
This message will appear when you want to share with an external user who has been added to another (external) site collection in the tenant earlier.

 

preventsharing-noexternal-usernotindirectory
And this message I received when I wanted to share with a completely new person.

3. Change Sharing settings in your site

This will probably be in your control, so go to Site Settings > Site Permissions > Access Requests and look at the two check boxes on the top of the pop-up.

preventsharing-defaultsharingsettings
By default the access request and sharing settings are like this. Read the explanation carefully!

This will mostly influence what a Site member can do.

You have four options:

4a. Both checked: I have done my experiments with this setting. You know what that does 🙂

4b. Top checked, bottom unchecked

Share:
Member: Can share documents without approval from the site owner, but needs approval for sharing the site.
Visitor: Can share site and documents with approval from site owner.

Get a Link:
Member sees “Edit link” option
Visitor sees the “Restricted Link” option

4c. Top unchecked, bottom checked:

Share:
Member=Visitor: Can share site and documents but needs approval from site owner

Get a Link:
Member=Visitor: Restricted Link

This option brings another message to your Site Permissions page:

prebensharing-tiredofapprovals
If you get tired of approvals, you can change the settings again. (But look: no item with unique permissions…until you approve a request)

4d: Both unchecked:

Same as 4c.

So, this setting will help you to “tame” your site members, and give them the same sharing options as your site’s visitors. You will have more approvals to do, but are more in control.
But beware hitting the “Accept” or “Approve” button in sharing requests for documents or list items!

4. Remove access request email

If you can not get access requests, you can not break permissions when accepting them!

Preventsharing-noaccessrequest
You can uncheck the “Allow access requests” box and no email will be sent.

This can work in formal all-company sites with official content and little collaboration.
On the other side of the spectrum, it is also an option for sites with a strictly defined and controlled audience, e.g. a management team.
It will however be very clumsy in a project site!

But…your visitors will get a nasty error message when they try to share a document or site, and when you are combining this with options 4c or 4d, your members will experience that too.

preventsharing-noemail
Not a very nice message, and also not exactly correct. It should say “There is no email address to send the request to”,

Realize that all of these settings have been developed with a reason, so you may want to ponder what is really important for you and if you need to lock down everything or just a few features.

While you think about this, I will go and write how to check and fix the permissions, where needed, after you have taken your measures.

Image courtesy of winnond at FreeDigitalPhotos.net

Let the right one in (your SharePoint site)

AccessRequest-KnockerWhat do you do when you receive a request for access to your SharePoint site? Accept it immediately (because you want to be done with it, or you feel a bit ashamed that you have excluded someone) or find out exactly what they want because there may be more to the request than meets the eye?

Yes, I thought so. 🙂

Let’s dig a bit deeper into Access Requests. There’s quite a lot you can do with them, including creating unique permissions. You know that I hate that!

Microsoft explains this in detail  but of course they  they let you figure out all the implications by yourself. Or by me :-).

If your email address is in the Access Request Settings, you will receive access requests via email, and the requests will be replicated in the Site settings > Access Requests and Invitations page.

AccesRequests-Link
If you do not see “Access requests and invitations”, you have not received a request yet.

How does it work?

When you get the access request in your mail, you will see the link to the desired content. You can immediately click the “Accept” button from the email and give them Contribute permissions by default.

Access Requests-request
At the bottom you see the link to the document.

Yes, Contribute. That means they can edit the content.

Hmmm, perhaps clicking Accept immediately is not such a good idea after all. Perhaps Read-permissions are good enough. Or, if you have sent this link assuming they had access, it may be a good idea to give them access to the complete site.

Alternative: the Access Requests and Invitations page!

So, here comes the Access Requests and Invitations page to look at (and manage) the request.

You will see three categories: Pending requests, External user invitations and History.

Access requests - page
The page where you can take a closer look at the access request.

Here again, you can click Approve or Decline, or check first what will happen if you click Approve. So, click the … next to the name of the requester. This pop up opens:

Access Requests-open.GIF
“Bewerken”  means “Contribute”, sorry, the language settings in my tenant are a bit out of my control.

Here you see some more info:

  • What Office365 has decided about their permissions. In this case Office365 would add them as an individual to this document with Contribute permissions – most unpleasant!
    You can click the drop down to select the Contributors or Visitors group for the site.
  • Who has asked access and what exactly for. Hover over the link to see the URL.
  • Date and time of the request
  • Approval state
  • Email conversation with the person who requests access. You see I was busy writing this post, so the impatient Mystery Guest asked for permissions again 🙂

What would have happened…

If I had clicked Accept from the email or Approve from the Access Request page, this is what would have happened:

Access request - acceptwithoutchanges
You see Mystery Guest now has unique permissions and is added as an individual with Contribute permissions.

Exception: Site welcome page

There is one exception to this rule and that is when you send the link to the welcome page of the site. In that case the requester is added by default to the Members group. This also may be more than you want, though.

Access requests-sharesite
If you share the site root or welcome page, the person is by default added to the Members group.

History

After approval, the request ends up under “Show History”. This gives a nice overview of everything that has happened in your site.
If you see a name very often, it may be an idea to give them access to the whole site.

Access Request - history
The Access Request history in this site. I may need to make this Mystery Guest a permanent member 🙂

Recommendation

When you receive an Access Request it may be better to spend some time figuring out the details, than to click Accept immediately. This will cost you some time now, but will save you time fixing unique permissions later (and dealing with even more access requests because too many inheritances are broken!).

Have you found any other “interesting” behavior of the Access Request?

Title based on the movie “Let the right one in“.

Image courtesy of cbenjasuwan at FreeDigitalPhotos.net

Get a Link – Get a Break!

getalink-brokenchocolate2As I am writing help materials for our new intranet I do not only have to think about “HOW do you do this” but also “WHY would you do this” and “How can you do this BEST, without spending too much time, adding maintenance or messing things up?”

With the migration of content to the new platform, many Site Owners need to rework their publishing pages. Generally these pages contain (clickable) header images, Promoted Links, Summary Links and links in the text.

On the old platform, when you want to grab the link to a document or image, you go to the library, right click on the name and select “Copy Shortcut” from the pop up. This is no longer available in SharePoint Online.

So, how does one get a link in SharePoint Online?

I have found 3 ways to link to a document, page or image:

  1. In Summary Links as well as the Rich Text Editor on a page (Wiki page style), you can browse for the link to a document or image that lives in your site or site collection.
    getalink-insertlink
    Insert > Link > From SharePoint will allow you to browse the libraries and lists in your site and link to the desired content.

    getalink-summarylinks
    When creating Summary Links you can browse for the content in your site.
  2. You can open the item and grab the URL from the address bar.
  3. There is the new Get a Link option, which you will see when you select a document or image from a library, in the Action Bar (is that what it’s called?) and the pop up menu.
    getalink-actionbar
    The Action Bar shows the Get a Link option when you select an item

    getalink-actionbar-gif-popup
    When you click the … behind an item name, you will see this in the pop up

The users in my company are all accustomed to grabbing a link when they want to share a document via email or on Yammer, so I think this “Get a Link” will appeal to them.

However, at first glance I see 5 different options. What to select?

getalink-options
5 options to Get a Link? Please note that the “no sign-in required” options can be disabled by the tenant administrator. This allows you to share links with anyone, in and outside of your company.

Let’s find out how this works!

Microsoft has already written about this but it is not very detailed.
So, I have created a brand new site in my own tenant. In this site I have uploaded 5 documents, each named after the action I will take.

getalink-documents

I assume the file type is irrelevant so I have used a mix of Excel, Word and PowerPoint.

Please note I am the tenant admin, so I am not a normal Site Owner. Some things may work differently for a regular Site Owner with Full Control.

My tenant is almost out-of-the-box and external and anonymous sharing has been enabled on all site collections.

How to use Get a Link:

  1. Select the document and click “Get a Link”
  2. Select one of the 5 options
  3. Click “Create” (if the link has already been created earlier you will immediately see “copy”
  4. Click “Copy” and the link will be added to your clipboard
  5. Paste wherever you need it.

You can remove a link if you longer want to share. This means the link will be disabled if someone clicks on it.

For links with “no sign-in required” you can set an expiration date. This means the link will no longer work if someone clicks on it after the expiration date.

getalink-expirationdate
For “anonymous sharing” you can set an expiration time.

Results

  1. The links look as follows:

Restricted link:

https://company.com/Sharing/Shared%20Documents/GetLink-RestrictedLink.pptx?d=wa1065f209e79474cb70b1d349a3d5c1c

View Link – account required:

https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=g5GzCR4X%2bSQeQkoUVxhvy6ObgkIgAOAwWPxUubf%2bNlY%3d&docid=2_061f40460a0bb4a509b5f126109e2f28e&rev=1

View Link – no sign-in required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?docid=0d7dc303b58164d169fe1e15c05981740&authkey=Acc4tb7-2Nb5GYqUQPj4Oy0

Edit Link – account required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?guestaccesstoken=OygCzI%2f3Nkr8YKUhpYNPucCNr3H7x4zTfJowLrST0lI%3d&docid=2_17f6bad80545a42428c32907a3503e6f4&rev=1

Edit Link – no sign-in required

https://company.com/Sharing/_layouts/15/guestaccess.aspx?docid=11bf22e7919224e2987caf7ea39f9f4f5&authkey=AReBJ-AIIrhwFnuFeCqR1e

2. Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.

getalink-what
Pardon my French, but what did you just write there?

Yes, you may want to read this again:

Using the “View” and “Edit” links will break permission inheritance for the document as soon as you hit “Create”.

I was a bit worried about the word “guest_access” that I saw appearing in 4 of the 5 links, so I decided to check the permissions of my site.
Microsoft mentions this in the small letters of their post, but it is easily overlooked.

You know you can now see immediately if you have items with different permissions in your site. That is very convenient. Normally, only the Microfeed has different permissions, but now my Documents have too!

getalink-brokenpermissions
The document library has “exceptions”. That means: some items have different permissions.
getalink-4outof5
Only the “Restricted Link” does not break permission inheritance!

4 of the 5 docs have broken permissions inheritance! The permissions have not changed yet, but the inheritance has broken. This may not appear to be a big deal now, but if you ever happen to add a new group or individual to your site, which is not unlikely, you will have to remember to give them access to these documents.
Do you seriously think any Site Owner will remember this? Or have the time for that?

More scary and inconvenient findings

  • As soon as someone clicks on a link they are added to the permissions of the document, regardless of their existing role in the site.
getalink-added-after-clicking
I am the tenant admin, and have Full Control of this site, yet I am added as soon as I click the link.
  • People in the Members group get all the options for “Get a Link” as well!
    I have tested this in my work environment and it turns out Members can see and use the “view” and “edit” options so they can break the permission inheritance of documents without the Site Owner being aware!
  • You can only find out which links have been created by checking the options for each document. Click “remove” if you see that an unwanted link has already been created. Now go find out which of your links (In a text, in Summary Links etc.) used this link 😦
  • You can remove the link, but the permission inheritance is still broken.
  • You can only “delete unique permissions”  per document, so you have to go to Site settings > Site permissions > Show items with different permissions > View Exceptions > Manage permissions > Delete unique permissions.
    This is a tedious process.

I think this can turn into a serious issue. I have found that many Site Owners do not fully understand the consequences of broken permission inheritance, and do not understand the extra maintenance and support issues involved. I have tried to tell them NOT to break permission inheritance unless it is really needed, and to never do this on a document or item level.
And even if they know, it is a time-consuming job to reset the permissions.

Also, why all this complexity for just getting a link? I think only the “Restricted link” would be sufficient. Who would ever want to use the “edit” options when linking to an image? Why would you use the “Get a Link” option to share via email if there is also a “Share” option which sends an email? (and which, in some cases, asks permissions to the Site Owner first?)

What would I recommend if you need a link?

  • Use the “Insert > Link > From SharePoint” option to link to a document or image when working in the text editor of a page
  • Use the “Browse” option when creating Summary Links
  • Use “Get a Link > Restricted View” when you want to get a link otherwise. This respects the permissions of your library.
  • Instruct your site Members about the dangers of Get a Link and ask them to use the Restricted Link.

What are your experiences with the Get a Link functionality? Have you been able to reduce the scope and if yes, how? I would appreciate to hear and learn from you!

Kitten image courtesy of Top Photo Engineer at FreeDigitalPhotos.net. Text added by myself.