Change default permissions when attaching a OneDrive file to Outlook 2016 email
When emailing an 'attachment' from OneDrive to a recipient that does not currently have permissions, as a default it changes the permissions to everyone in the org can edit. This is very insecure. People will not then correct it to just the recipient. The default should be the recipient can view. It should default to the most secure setting and then the sender can adjust if necessary.
Please vote in the Outlook forum instead:
@admin Not sure why we have to post now again to the Outlook forum. OneDrive should not allow that kind of Edit permission to begin with, no matter what application the user uses to attach. Plus, shouldn't the OneDrive team be working with the Outlook team to resolve this rather than us posting the same there?
I do agree. This is a terrible mistake. It should honour the settings in OneDrive admin, so if you set default sharing to "selected people" and read, it should not only change the GUI in the web browser but also in Outlook, OWA and mobile apps.
Dennis Ruddigkeit commented
The issue is even worse!
Even if the end user notices that file permission is set to "anyone can edit" and he changes it to e.g. recipients can view, the anonymous link remains as file permission.
I.e. potentially all files being in Outlook 2016 as OneDrive attachment are shared anonymously.
Although, the recipients do not have access to this link (at least I have not found a way to get it), it is available - this is a huge security risk!
Has this already been addressed at the product group?
Saif Khalid commented
Either you change the default permission while sharing from Outlook to "View", or give us an option to do it org wide.
Edit permission by default, is against the best practice of least privilege.
Has this been addressed? Has Microsoft acknowledged that this is an issue or at the very least that this needs to be a setting that the customer needs to control globally?
This is not a discussion on what is the best default setting, but a simple request for allowing the customer to control the configuration for their environment.
This is a stupid idea to have the default sharing option to share org wide with the edit permission. Permission should be based on least privilege option. By the way this behaviour now exists in Outlook Desktop App (Outlook 2016).
However, in Outlook Web, it appears it takes the setting from SPO Admin center to set the permission to View by default when attaching a file from OneDrive. So this same behaviour needs to exist in the Outlook Desktop App when attaching a file from OneDrive or SPO. Hope this gets fixed, as some orgs have 1000s of users and the impact is huge.
Allison Koch commented
I am speechless that this has not been resolved. I don't understand why if you are attaching a OneDrive shareable link - why Outlook wouldn't respect the defaults configured for a OneDrive Shareable link? What makes it even worse is I have people on the exact same version in the exact same channel and one gets "organization can edit" as the default - and the other gets "recipients can edit" as the default. Don't get me wrong - recipients can edit is still not great - but "organization can edit" is terrifying! How could Microsoft have ever created a default setting like that? Plus I can't get anyone to answer me as to what is controlling that default? It's been a long time since I've done any coding - but generally when you click on something - the code dictates what happens next. Microsoft should be able to tell me what is dictating what the user is experiencing. They can't. FIX THIS!!!!!!!!!!!!!!!!!
The default sharing link permission in the admin portal - https://admin.onedrive.com/?v=SharingSettings only affects Online apps not the desktop ones.
Ilan Lanz commented
You can control the default sharing link permission in the admin portal - https://admin.onedrive.com/?v=SharingSettings
I think that should satisfy the request.
Phil Robinson commented
Can someone keep all SSE employees in the loop on this please. I am a Change Leader and if this type of issue goes un-actioned, we will quickly lose users of O365.
Has this been fixed in Outlook?
This is a major security issue and a flaw in how this product was designed to integrate with Outlook. Please have an executive look at this and raise the priority to correct this. The default permissions should be read only not edit, so it aligns with sharing a file from SP or OD4B.
Marcus G commented
This is a time-consuming and potentially costly problem in our implementation. It's one simple feature that essentially breaks OneDrive for us.
I'm going to have to roll back usage of OneDrive until this is fixed.
Portal changes have been made, thank you. We need to be able to change the default share permission on the Outlook client as well. Thank you.
Totally agree, this is so important for us, to be successful in the rollout of OneDrive. Without this, we will probably postpone OneDrive rollout.
I think this is a very big issue, as most users don't check the permissions.
1. this makes the sharing experience across the applications different
2. most users are not aware of this -> security issue
3. makes users feel unsecure with the whole O365 solution and reduces the drive to use it
Luis Gil commented
I completely agree with the user community regarding this issue. How can we explain to our companies' leadership that the IT staff cannot change the default settings for the attachments? How do we explain to our executives that every time they send confidential or classified information they have to remember and change the setting to view and not edit? How should we explain this issue to an auditor?
Matt Wright commented
Sharing with modern attachments should honor the settings in the SharePoint/OneDrive management console. We just got done going through the process of configuring all sharing settings in our tenant in coordination with our security team, and selected direct links as the default sharing link. We had a specific reason for selecting that policy. Modern attachments should read and honor that policy just like the web client.
In my opinion the setting "Organization can edit" is ridiculous! Many users did not even realize that they share a file instead of attaching it. And now anyone in the organization can edit this file... Just think about confidential information. I don't know what the reason behind this setting is... but I can't think of any which makes sense.