SHAREPOINT: SECURE FILE UPLOADS
Author: Jonathan Stuckey
Audience: SharePoint solution designer, Project manager, Operations.
This article presents a solution for a single use-case: secure upload of files by a customer (i.e. an untrusted party) to a specific location, without enabling B2B or Guest access. This is different to Secure External Sharing and Collaboration scenarios, like Project collaboration or Supplier sites, but the fundamentals of a multi-layered protective model for the solution are the same.
THIS DESIGN APPROACH SHOULD BE CONSIDERED AS ONE OPTION IN A SUITE ADDRESSING SECURE EXTERNAL INTERACTION. IT SHOULD NOT BE DEPLOYED IN ISOLATION WITHOUT SECURITY AND PRIVACY REVIEW.
Business Objective: Secure File Upload
This solution has one goal: to enable Customers to upload files without the need for Guest registration and complex login processes with a high-maintenance overhead. Typical examples of use-case might be:

- claimant is requested to upload photos of the damaged item to support claim
- patient is required to provide copy of authorisation to proceed with treatment
- witness requested to provide evidentiary copies of files/photos to incident
- new membership requirement for upload of proof-of-identity for approval
- etc
Solution
The solution is based on using the "Enable File Request Feature", which was released in 2019 and became available in Q1 2023 on SharePoint Online. In addition to this feature, other supporting configuration is recommended to help mitigate the risks associated with enabling it, specifically to:
- Reduce scope for the enabled feature to a specific site (or site type)
- Assign Site classification controls for all sites in your tenancy (using Purview information protection)
Process
Activating this feature in a tenancy requires careful consideration to minimize the risk of accidental information exposure by the 'Guest' once it becomes available. The steps outlined below demonstrate the specific sequence needed to mitigate this risk:

Recommended - If you have the option available, set up Purview Information Protection labels for site Classification before undertaking the configuration.
Steps
Target site
Use a specific, designated SharePoint site for the customer or 3rd party to upload items to.
This is done to minimise the footprint of exposure for the organisation, limiting risk to 1 site, which we can later apply automation to as required.
The recommended approach is to clearly identify the internal site(s) using an obvious naming convention. In the example we have used a 2-letter prefix + name,
i.e. <xx>-<sitename>
Tenancy and site settings
Important: This service feature is disabled by default and has to be enabled via PowerShell.
The recommended approach to minimise the risk of exposure from enabling this feature is to enable it only for specific sites, i.e. sites used only as designated upload locations (secured, clearly identified, tight access control etc).
Connect to the environment
# requires SharePoint module or SharePoint Online Management Shell
# set up environment variables
$adminUrl = "https://<tenancy>-admin.sharepoint.com"
$siteUrl = "https://<tenancy>.sharepoint.com/sites/<site_name>"
# Connect to SharePoint as admin
# ...authenticate with a role that has SharePoint Administrator privileges
Connect-SPOService -Url $adminUrl
# Connect-SPOService takes the admin centre URL only; the target site is
# addressed with -Identity $siteUrl in the commands below
Check current states of the tenancy...
# by default this should show as disabled
Get-SPOTenant | Select CoreRequestFilesLinkEnabled
CoreRequestFilesLinkEnabled
---------------------------
False
and site:
Get-SPOSite -Identity $siteUrl | Select RequestFilesLinkEnabled
RequestFilesLinkEnabled
---------------------------
False
Update settings on the site
# set the specific site to enable the use of 'Request Files' feature.
Set-SPOSite -Identity $siteUrl -RequestFilesLinkEnabled $True
SharePoint Service settings
Important: The following service configuration changes the default access model, creating significant risks that need other controls applied for mitigation.
Updating the SharePoint Service configuration should be reviewed and/or approved by the business or service owner in the organisation. The following options physically change the Security Posture and Risk profile of the tenancy.
This set of configuration updates makes the 'Request Files' feature visible to the roles identified for Sharing externally on the site, e.g. Site Owner, specific Security Group, or use of a Service Principal.
The settings below walk you through opening up options to enable sharing to non-guest users.
Elevate to role with SharePoint Administrator privileges
Navigate to your tenancy SP Admin Center
Click on 'Policies', and select Sharing
Adjust SharePoint 'External Sharing' slider to Most Permissive
The following steps introduce other controls to mitigate opening up the tenancy for "Anyone" access to upload:
Open 'More external sharing settings' toggle
Tick box for 'Allow only users in specific security groups to share externally'
Add [sharing_security_group] in the dialogue and press save

Change the options under 'Choose expiration and permissions options for Anyone links'
Tick the box for 'These links must expire within this many days' and set to 5
Files - View and edit
Folders - View, edit and upload
Click 'Save'

Extended Sharing Settings in SharePoint Admin
Another change worth considering at this level of the setup is restricting delegation of the 'Sharing' capability to a specific Group trusted to manage site setup for External sharing, i.e. people with appropriate training and knowledge to understand the whole impact of applying a change.
SharePoint Site specific settings
After service general settings we apply site-specific configuration(s) to the specific site(s) designated for use as externally accessible document upload:
In the SharePoint Admin, navigate to 'Active Sites' tab
Search for target site for external file requests to be loaded to (e.g. PW-FilesUpload)

Select 'Settings' tab, and click on 'Sharing'
Update
Default Sharing Link type
Check 'Anyone with the link' is selected
Expiration of Anyone links - set 'Expiry within this many days' to short window e.g. 5-days
Update 'Default link permissions' to Edit

Save to apply changes
Recommended: if adopting this approach Spoke recommend ensuring all non-external facing sites have the 'External file sharing' setting lowered from the new Service default. See next section on Site Classification.
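An added example (not from the original article or from Microsoft): a PowerShell check for the over-sharing this recommendation guards against, flagging sites outside the upload naming convention that have 'Request Files' or Anyone links enabled. The function name Find-UploadSharingDrift, the 'PW-' prefix default, the 'contoso' tenancy and the sample site objects are assumptions constructed for illustration.

```powershell
# Added example. Function name, 'PW-' default and sample sites are constructed.
function Find-UploadSharingDrift {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        [string] $UploadPrefix = 'PW-'   # assumed naming convention: <xx>-<sitename>
    )
    process {
        # The last URL segment is the site name the naming convention applies to.
        $name       = ($Site.Url.TrimEnd('/') -split '/')[-1]
        $designated = $name -like "$UploadPrefix*"
        # 'ExternalUserAndGuestSharing' is the SharingCapability value for "Anyone".
        $anyone     = "$($Site.SharingCapability)" -eq 'ExternalUserAndGuestSharing'

        $issues = @()
        if (-not $designated -and $Site.RequestFilesLinkEnabled) {
            $issues += 'Request Files enabled outside a designated upload site'
        }
        if (-not $designated -and $anyone) {
            $issues += 'Anyone links allowed outside a designated upload site'
        }
        if ($designated -and $Site.RequestFilesLinkEnabled -and -not $anyone) {
            $issues += 'Request Files enabled without the Anyone sharing this setup relies on'
        }
        foreach ($issue in $issues) {
            [pscustomobject]@{ Url = $Site.Url; Issue = $issue }
        }
    }
}

# Constructed sample objects shaped like Get-SPOSite output, so the check runs offline.
$sample = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/PW-FilesUpload'
                       SharingCapability = 'ExternalUserAndGuestSharing'; RequestFilesLinkEnabled = $true }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Finance'
                       SharingCapability = 'ExternalUserAndGuestSharing'; RequestFilesLinkEnabled = $true }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/HR-Policies'
                       SharingCapability = 'Disabled'; RequestFilesLinkEnabled = $false }
)
$sample | Find-UploadSharingDrift | Format-Table -AutoSize -Wrap

# Live tenancy (after Connect-SPOService), querying each site by -Identity as above:
# Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url } |
#     Find-UploadSharingDrift
```

With the sample data only the Finance site is reported, once for each of the two settings that should be limited to designated upload sites.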
Apply Site Classification
Recommended: If you have these services available, the following is highly-recommended as additional controls to limit possibility of over-sharing from other sites
An additional layer of support and control offered by Microsoft 365 is Microsoft Purview Information Protection. This layer of control is a two-part system.
Assuming your organisation have the licenses and access to Purview, and can create Information Protection Sensitivity Labels, create two types of label specifically for 'Site, UnifiedGroup' only. E.g.:
Internal site label which explicitly blocks external sharing options - even for admins, Owners etc
External site label which explicitly permits external sharing - but with additional conditions
Both labels should be made available and published, but the Internal label is made default for all new sites and Microsoft Teams/Groups. The External label is reserved for updating sites specifically for external sharing (relaxing related controls)

Steps
as SharePoint administrator (and member of distribution for Sensitivity label use)
navigate to SharePoint Admin
Open 'Active Sites'
Search and Select required <site_name>
Select 'Settings' tab
Update 'Sensitivity label' to External label

'Save' to commit changes and enable site access for 'Request Files' feature.
If you require details about setup, configuration and deployment of site classification using Purview Sensitivity Labels (Information Protection), please contact us on details below (hi@timewespoke.com)
Resources
Microsoft reference article:
Some very good step-by-step articles from community:
Office365 IT Pros | How the SharePoint Online Request Files Feature Works
Close
If you have questions and want to understand more about enabling Secure External Sharing in SharePoint and Microsoft 365 - give us a call: hi@timewespoke.com
Disclaimer
Generative AI was used in the creation of the title image for this article, and for first-pass quality review only. All subject content was created by the author, based on released information from Microsoft. Screenshots and configuration captures were created based on available settings and options for customers on Business Premium or E-plan licenses only. Any errors or issues with the content in this article are entirely the author's responsibility.
About the author: Jonathan Stuckey









