More secure file sharing for OneDrive Personal
Today a shared folder or document is just protected by the link to it. If someone captures the email containing the link, then he has access to all the shared files.
To share more confidential files I would like to share with a specific Microsoft account. Then the files are at least as secure as the Microsoft account of the person I shared the files with.
Why pay for Office 365 Home for 5 family members when I can't share the 1 TB of OneDrive space securely with them?
We’re working on the ability to share a file or folder with a specific Microsoft Account.
James D commented
Potential workaround... But unsure if this is secure.
1) Create a sharing link that is password protected
2) Send link and password to the person you want to share with
3) They open the link and enter password (They are already logged in with their own Microsoft account)
4) They add the folder to their OneDrive, which creates a named share on the folder
5) I then remove the password protected link as it is no longer needed
This appears to have created the desired result of an identity driven share without a public self authentication url being generated and sent out.
My worry is that there is a public url generated in the background, it's just I don't know it! Confidence in the security of OneDrive sharing is low.
James D commented
This is very unclear that this is how it works. I've recently discovered that personal folders I thought I had specifically shared with an individual could have been accessed by anyone with the link sent out in the email. Why is it not possible to securely share with a specific set of identities that require authentication to access shared content!
Christian Wagner commented
Using a paid Office 365 account, I was expecting better security, when sharing by email. I will have to look for a different provider for secure sharing and I fully agree with the following comment:
>> Sharing a folder "by email" is almost as insecure as sharing a folder "by link". When you share a folder "by link", the normal user understands that anyone who gets the link can access the files, so you know to tell the recipients not to forward the link. But when you share a folder "by email", I'm sure that the normal user expects that OneDrive controls who can or cannot access your files, but in actuality, it just creates a link that anybody in the world can use to access the files. So when you share "by email", you also need to tell the recipient to never forward the link, and you need to trust them to keep the link secret. Although it is not at all clear from the user help, the current security is based on how much you trust your friends to keep the links secret, not on any kind of user authentication provided by OneDrive. OneDrive Home should be fixed so that you can share files only with the users you select, and you should be able to trust that OneDrive will disallow access to those files to all other users, regardless of whether they got the link from someone else. In other words, OneDrive should first authenticate the user, then verify that that user is on the list of permitted users, before giving access to the files shared "by email". <<
I came here after struggling to understand what I had done wrong. I specifically did not create a link, because I didn't want unauthorized users to get access. Instead, I e-mailed and invited only approved users to a certain shared folder. To my horror, I found that if the recipient shared the link, it effectively made access to my folder public!!! This is a security disaster. Please fix ASAP -- if a user is shared by e-mail invite, then that user should only gain access if signed in with the invited e-mail address. And that user must not be able to forward the share.
Sean W commented
Douglas Pearce, have you redirected this to /dev/null? It's been more than 2 years since this feature was removed and you've been thinking about it for more than 18 months.
Why not just come out and say "It's been removed so you have to pay more for Office 365 - live with it or go somewhere else. We're ok to provide an insecure file sharing service... if users are dumb enough to use it then they deserve what they get."
Keith Enevoldsen commented
I also found OneDrive sharing "by email" to be surprisingly insecure. (I'm using OneDrive Home version in April 2018. There may be other options with other versions.)
Sharing a folder "by email" is almost as insecure as sharing a folder "by link". When you share a folder "by link", the normal user understands that anyone who gets the link can access the files, so you know to tell the recipients not to forward the link. But when you share a folder "by email", I'm sure that the normal user expects that OneDrive controls who can or cannot access your files, but in actuality, it just creates a link that anybody in the world can use to access the files. So when you share "by email", you also need to tell the recipient to never forward the link, and you need to trust them to keep the link secret. Although it is not at all clear from the user help, the current security is based on how much you trust your friends to keep the links secret, not on any kind of user authentication provided by OneDrive. OneDrive Home should be fixed so that you can share files only with the users you select, and you should be able to trust that OneDrive will disallow access to those files to all other users, regardless of whether they got the link from someone else. In other words, OneDrive should first authenticate the user, then verify that that user is on the list of permitted users, before giving access to the files shared "by email".
In the meantime, if Microsoft is not going to fix sharing "by email" to be more secure, then it needs to revise the wording of all the help text about sharing "by email" to make it clear that it is almost the same as sharing "by link" and that anybody in the world who gets the link will be able to access the files.
I just stumbled upon the "User must sign in" option when sharing a OneDrive link from the Android OneDrive app. (Migrating from a Lumia 950LX to Galaxy S9+.) Went to the Live website to see if it also had the option now, but didn't find it. Suggests that the underlying OneDrive system can handle the concept, but the web UI doesn't support it.
Glad to see a whole community around this request. Yes, I remember "the old days" when a share could be restricted to a specific Live/Office user account. Like many, I have a paid Office 365 subscription. I want to create a folder I can share with my CPA and ONLY my CPA -- just like was possible in the old days.
Am I hearing Google lets a person do this? Does Microsoft REALLY want me hearing Google allows me to do something I can't do with Microsoft? Not good timing as I’m now learning Android phones because Microsoft is abandoning Windows Phones.
I used to work for companies that provided add-on/in products for HP LaserJet printers. Before HP eliminated anything on a new generation of printers, they always surveyed these companies to get feedback regarding the impact. MANY times, HP would realize they needed to NOT do the elimination in the upcoming generation and wait until they had provided an alternative approach to accomplish the same goal in a subsequent generation.
Important note here: The capability was still ultimately eliminated, but HP received the information necessary to provide a replacement capability to keep users happy.
Microsoft has been making a good effort at trying to find out from the user community what users think of new feature concepts, etc. I STRONGLY suggest Microsoft follow the HP model of ALSO asking the user community about what Microsoft is thinking about deleting.
Write a blog posting about "we're thinking about eliminating X, does anybody care, how are you using X, etc, etc, etc." Like HP, Microsoft may find themselves coming to the intelligent conclusion "Woah, maybe we should slow down and rethink our approach to X. I don't think we realized all this stuff people are using it for."
And like HP, the "how are you using X" is very important because maybe getting rid of X can still move forward but introducing feature Y ahead of time provides the users of X with the functionality they said they needed.
James Davies commented
I can't believe this feature has been removed! It's absolutely crazy.
We've got Office 365 Home and I'm trying to share a folder of confidential information with my wife but all I can do is create a link which grants access to ANYONE who happens to come across it. This used to work so well, why introduce such a massive security flaw into something that used to work so easily?
Fortunately I have a folder I'd already shared with her under the previous secure sharing system so I can rearrange the folder structure, but that's not a workaround I should have to use.
We are paying for a service which is losing features, that's not a good way for a product to go.
Leslie LM commented
I'm trying to figure out how to securely share some sensitive documents. Rather than simply email, I thought there was a way to save my docs on OneDrive, as an encrypted file, for which I could send the password to, in a separate email. Is something like this possible? I really thought I had done something like that before, but from the sounds of it, that feature may no longer be available.
Any suggestions of how to more securely share a OneDrive file, would be greatly appreciated.
I have absolutely no intention of using OneDrive until they have SECURE file sharing. Share-by-link is TOTALLY INSECURE file sharing!
Josh Handel commented
This is an unexceptionable feature removal.. Seriously flip that switch back.. this is a needed feature.
Yes, the absence of this lockdown is rather a concern. I hadn't realised it had changed, remembering the previous arrangement as detailed by Matti:
The likes of cloud storage provider Box give account specific lockdown - file/folder owners able to grant access to specific, named Box accounts only. Testing this OneDrive situation this evening, I am quite concerned that a recipient of an invitation to collaborate could forward an email and grant (at least) view access to a complete stranger.
Because I have an Office 365 subscription, I would rather not be paying extra for a more secure provider. So please, Douglas, can we get this level of security control back over what we share in OneDrive? The other cloud providers seem rather more focused on this security of sharing situation?
John Doe commented
Very Interesting. Lack of this feature gives me enough reason to cancel the renewal of my subscription. Just when I thought Microsoft was ahead of the curve in cloud computing.
Sean W commented
Douglas Pearce - can you please stop thinking about it and do something about it. Microsoft turned this off in March 2016 - it's now more than a year that Microsoft has left user data at risk.
Gordon Chang commented
I can't believe someone (PM?) at Microsoft would be allowed to "simplify" the user experience by increasing sharing risk and remove the one common usage OneDrive.
Echoing... it is a deal breaker for me, and we are about to purchase Google instead of OneDrive/Office if this isn't fixed in a few weeks.
quoting other's comment: "I want to securely share personal & business files, not share them with everyone who happens to get the link."
Un-be-lie-va-ble Microsoft gives users so little control on sharing safely.
As a workaround:
- Forced sign in still possible when you share from within an Office file like Word or Excel (drawback: sharing needs to be set file per file and receiver does not see the files in their OneDrive share apart from the "recent" folder)
- Use Dropbox or box.com if you want to maintain real time collaboration (but if I understand it correctly, this feature only works if both users open the file from the cloud storage and edit it online)
Matti's comment does not work. I can share via email and it may look like you have shared to someone with a MS account requiring login. But no, the link sent to the recipient will work without a login! Try yourself and paste it into an incognito mode browser window.
btw, today I noticed for the first time that OneDrive offers to limit the lifetime of a share link.
Matti Järvinen commented
What is missing is the option "Recipient needs matching Microsoft Account email"; the option has existed previously.
Grant Permission to Recipients
Click the blue “Recipients can only view” link that is found directly under the quick note space.
Click the down arrow to the right of the first line (Recipients can only view) and change to “Recipients can edit” to grant them permission to view and edit the files.
Click the down arrow to the right of the second line (“Recipients don’t need a Microsoft account”) and change to “Recipients need to sign in with a Microsoft account” if you want to restrict access to the folder or files only to recipients of the Microsoft Accounts whose email addresses you referenced in the To: field. If you want to allow your folders or documents to be freely available to anyone by just clicking a link, you can leave the permission at “Recipients don’t need a Microsoft account”.
Matti Järvinen commented
I almost moved everything from Google Drive to OneDrive, but this... is just a deal breaker for me.
I want to securely share personal & business files, not share them with everyone who happens to get the link.
Luckily me & my wife have a shared folder which is set up before this idiotic change so we can (or can we?) share files without any possibility of anyone snooping around.
I might even go as far as to set up secure filesystem mapped s3 storage for family use if this situation doesn't improve.