Feedback by UserVoice

How can we improve compliance or protect your users better in Office 365?

Change default permissions when attaching a OneDrive file to Outlook 2016 email

When emailing an 'attachment' from OneDrive to a recipient that does not currently have permissions, as a default it changes the permissions to "everyone in the org can edit". This is very insecure. People will not then correct it to just the recipient. The default should be "the recipient can view". It should default to the most secure setting and then the sender can adjust if necessary.

446 votes
Janice Gatchell shared this idea

    25 comments

      • Kristoffer Strom commented

        It really is ridiculous that there is no way to change the default behavior. Although I perfectly understand the reason why it's set to this as default, I cannot understand why there is no way to change it!?

      • mk commented

        @admin Not sure why we have to post again now to the Outlook forum. OneDrive should not allow that kind of Edit permission to begin with, no matter what application the user uses to attach. Plus, shouldn't the OneDrive team be working with the Outlook team to resolve this, rather than us posting the same there?

      • Anonymous commented

        I do agree. This is a terrible mistake. It should honour the settings in OneDrive admin, so if you set default sharing to "selected people" and read, it should not only change the GUI in the web browser but also in Outlook, OWA and mobile apps.

      • Dennis Ruddigkeit commented

        The issue is even worse!

        Even if the end user notices that file permission is set to "anyone can edit" and he changes it to e.g. recipients can view, the anonymous link remains as file permission.
        I.e. potentially all files being in Outlook 2016 as OneDrive attachment are shared anonymously.
        Although, the recipients do not have access to this link (at least I have not found a way to get it), it is available - this is a huge security risk!

        Has this already been addressed at the product group?

      • Saif Khalid commented

        Either you change the default permission while sharing from Outlook to "View", or give us an option to do it org wide.

        Edit permission by default is against the best practice of least privilege.

      • Anonymous commented

        Has this been addressed? Has Microsoft acknowledged that this is an issue or at the very least that this needs to be a setting that the customer needs to control globally?

        This is not a discussion on what is the best default setting, but a simple request for allowing the customer to control the configuration for their environment.

      • Monir commented

        This is a stupid idea to have the default sharing option to share org wide with the edit permission. Permission should be based on least privilege option. By the way this behaviour now exists in Outlook Desktop App (Outlook 2016).

        However, in Outlook Web, it appears it takes the setting from SPO Admin center to set the permission to View by default when attaching a file from OneDrive. So this same behaviour needs to exist in Outlook Desktop App when attaching a file from OneDrive or SPO. Hope this gets fixed, as some orgs have 1000s of users and the impact is huge.

      • Allison Koch commented

        I am speechless that this has not been resolved. I don't understand why if you are attaching a OneDrive shareable link - why Outlook wouldn't respect the defaults configured for a OneDrive Shareable link? What makes it even worse is I have people on the exact same version in the exact same channel and one gets "organization can edit" as the default - and the other gets "recipients can edit" as the default. Don't get me wrong - recipients can edit is still not great - but "organization can edit" is terrifying! How could Microsoft have ever created a default setting like that? Plus I can't get anyone to answer me as to what is controlling that default? It's been a long time since I've done any coding - but generally when you click on something - the code dictates what happens next. Microsoft should be able to tell me what is dictating what the user is experiencing. They can't. FIX THIS!!!!!!!!!!!!!!!!!

      • Phil Robinson commented

        Can someone keep all SSE employees in the loop on this please. I am a Change Leader and if this type of issue goes un-actioned, we will quickly lose users of O365.

      • Anonymous commented

        This is a major security issue and a flaw in how this product was designed to integrate with Outlook. Please have an executive look at this and raise the priority to correct this. The default permissions should be read only not edit, so it aligns with sharing a file from SP or OD4B.

      • Marcus G commented

        This is a time-consuming and potentially costly problem in our implementation. It's one simple feature that essentially breaks OneDrive for us.

        I'm going to have to roll back usage of OneDrive until this is fixed.

      • Anonymous commented

        Portal changes have been made, thank you. We need to be able to change the default share permission on the Outlook client as well. Thank you.

      • Dennis commented

        Totally agree, this is so important for us, to be successful in the rollout of OneDrive. Without this, we will probably postpone OneDrive rollout.

      • Naga commented

        I think this is a very big issue, as most users don't check the permissions.

      • Anonymous commented

        100% agree
        1. this makes the sharing experience across the applications different
        2. most users are not aware of this -> security issue
        3. makes users feel insecure with the whole O365 solution and reduces the drive to use it

      • Luis Gil commented

        I completely agree with the user community regarding this issue. How can we explain to our companies' leadership that the IT staff cannot change the default settings for the attachments? How do we explain to our executives that every time they send confidential or classified information they have to remember and change the setting to view and not edit? How should we explain this issue to an auditor?
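An added example, not part of the original thread and not Microsoft's code: a small audit over a file's sharing permissions that flags the two conditions commenters describe above, an organization-wide edit link and an anonymous link left behind after the sender narrows the share. The input shape (`link.scope`, `link.type`, `roles`, `grantedToIdentitiesV2`) is assumed to follow a Microsoft Graph driveItem permissions listing; the sample data, addresses and the function name `audit_item` are constructed for illustration.

```python
import json

# Constructed sample shaped like a Graph driveItem permissions listing.
# File name, ids and e-mail addresses are made up.
SAMPLE = json.loads("""
{"name": "budget.xlsx", "permissions": [
  {"id": "p1", "roles": ["write"], "link": {"scope": "organization", "type": "edit"}},
  {"id": "p2", "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"}},
  {"id": "p3", "roles": ["read"], "link": {"scope": "users", "type": "view"},
   "grantedToIdentitiesV2": [{"user": {"email": "recipient@example.com"}}]},
  {"id": "p4", "roles": ["owner"],
   "grantedToV2": {"user": {"email": "sender@example.com"}}}
]}
""")

BROAD_SCOPES = {"anonymous", "organization"}


def audit_item(item, intended_recipients):
    """Return (permission id, scope, access, note) for every sharing link
    that reaches further than the intended e-mail recipients."""
    intended = {r.lower() for r in intended_recipients}
    findings = []
    for perm in item.get("permissions", []):
        link = perm.get("link")
        if not link:
            continue  # direct grants (e.g. the owner) are not sharing links
        scope = link.get("scope", "")
        can_edit = "write" in perm.get("roles", []) or link.get("type") == "edit"
        access = "edit" if can_edit else "view"
        if scope in BROAD_SCOPES:
            findings.append((perm["id"], scope, access, "broader than recipients"))
        elif scope == "users":
            granted = {(g.get("user") or {}).get("email", "").lower()
                       for g in perm.get("grantedToIdentitiesV2", [])}
            extra = sorted(e for e in granted - intended if e)
            if extra:
                findings.append((perm["id"], scope, access,
                                 "unexpected: " + ",".join(extra)))
    return findings


if __name__ == "__main__":
    for finding in audit_item(SAMPLE, ["recipient@example.com"]):
        print(SAMPLE["name"], *finding)
```
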
