Browse Category

Security

Mandatory Anonymous Link Expiration in Office 365

By Drew Madelung
/
Feb 01, 2016
/
Office 365, PowerShell, Release, Security

Microsoft recently released a new feature in Office 365 which allows a mandatory expiration length to be set at the tenant level. This will affect sharing documents through SharePoint Online and OneDrive for Business. This feature began rolling out mid-January to tenants and will start with First Release tenants.

This feature will allow better security for your organization. This feature will affect ALL anonymous links created in your tenant. End users will be required to created links that match or are shorter than the day value provided. This feature it administered using SharePoint Online Management Shell. On all current and new tenants there is no default value for anonymous link expiration. The new parameter is RequireAnonymousLinksExpireInDays. This is a parameter of the Set-SPOTenant cmdlet

As an example, this will set expiry for 30 days:
- Set-SPOTenant –RequireAnonymousLinksExpireInDays 30

The default experience will allow end users to set expiration values on a document when they use the “Get a link” option. By default, a document can be set to any day value and also never. It also includes a handy drop down with 1, 30, or 60 day options. Allowing a link never to expire can be a large security hole for you company. This is what the default experience looks like:

Steps to configure mandatory anonymous link expiration

Important Info:

The latest version of SharePoint Online Management Shell (16.9.4915.1200) is needed to use this parameter.
The value for –RequireAnonymousLinksExpireInDays must not be greater than 730 days (2 years)
To reset the parameter back to default, use the value of 0
If a link is already created, the mandatory expiration will not be applied to it

Connect to your SharePoint Online tenant using SharePoint Online Management Shell
Run the Set-SPOTenant command with the –RequireAnonymousLinksExpireInDay and the day value
Now when someone gets either a View or Edit link it will be defaulted with an expiration date
If a user tries to change the link expiration date they will receive an error stated “Your organization’s policy doesn’t allow links to stay active for more than XX days.”

Changes to Sharing in SharePoint Online

By Drew Madelung
/
Dec 07, 2015
/
Office 365, Security, SharePoint

There has been an update that I have seen in Office 365 in the options you get when trying to share content. Previously when sharing something, you had the option to select a permission level and put the user(s) into a specific SharePoint Group.

image_thumb

The sharing process has recently been updated. In newer tenants, mainly first release that I have seen, you will no longer see the select a permission level option when sharing from top right site share or the library level share.

In a support case with Microsoft it was stated that “the feature of displaying groups on the sharing options of a site is deprecated and will no longer be available for the tenants which are on the newer versions. The reason for the deprecating this feature being, it is complex to show different set of permission levels set on each of the site collections and subsites considering unique permissions set at each web level.”

However I was able to still find the option to pick a group when using the Grant Permissions option under Site settings -> Site permissions.

image_thumb2

When you click the show options section you will see the select permission level section. In that drop down select More options.

image_thumb3

You will then see the list of groups and permissions levels again.

image_thumb4

It is always interesting finding these unexpected changes. This wasn’t a huge deal as we found a work around to get users into groups but this did disrupt a client’s business process until a resolution was found.

Exporting SharePoint Group Members to Excel Without PowerShell

By Drew Madelung
/
Nov 02, 2015
/
Security, SharePoint

I was at a client recently and was not allowed to run any powershell commands but needed a list of accounts that existed in a SharePoint Group in a table format. I also was not allowed site collection administration permission. I tried a few different options in which trying to manipulate the list view of the group and using Excel data connections to get back to SharePoint but no option worked very cleanly.

What I ended up using was a REST call to get the users and then downloading the XML response and opening it with Excel. Use this link to learn about the available REST api’s for users & groups

Here are the steps….

1. Get a client that you can use to test REST calls

I use Advanced REST Client for Chrome.

2. Construct the REST call to get a list of users by group

The structure looks like this: https://siteurl/_api/web/sitegroups/getbyid(groupid)/users

To get the group ID simply navigate to the members page of your SharePoint Group and look at the number at the end of the URL Here is the URL of my “Product Members” group: https://concurrencyinc.sharepoint.com/sites/products/_layouts/15/people.aspx?MembershipGroupId=9

Here is my call: https://concurrencyinc.sharepoint.com/sites/products/_api/Web/SiteGroups/GetById(9)/Users

We will see the users returned in the entry area of the response.

ExportSPGroup1

3. Download the XML response

In the Advanced REST Client click Save as file and then Download in the response section.

ExportSPGroup2

4. Change the file type

The file will download as a .text-plain file type. Edit the filename and change it to a .xml file type.

ExportSPGroup3

5. Open with Excel!

In Excel browse and pick out the new .xml file you created and select open this file as an XML table.

ExportSPGroup8

Take a second and look at your pretty data.

ExportSPGroup4

6. Remove duplicates

The data comes across in a way that there are 2 rows for each user. We can clean that up by removing the duplicates based on the login name. First click anywhere in the imported table and under the Data tab click Remove Duplicates.

ExportSPGroup5

Click the Unselect All button then scroll down and check ns4:LoginName

ExportSPGroup6

That will remove your duplicate logins and you will have emails and logins that you can use whatever way you need.

ExportSPGroup7

Handy appendix?

I know this post is titled how to get a list without powershell but I wanted to just include this down here as this is an easier approach if you have the ability. Here are the commands to get a list of users in a SharePoint Group via powershell.

Get-SPSite http://server/sites/yoursite | Select -ExpandProperty RootWeb | Select -ExpandProperty Groups | Where {$_.Name -EQ “group name”} | Select -ExpandProperty Users | Select Name, Email| Export-Csv c:\scripts\users.txt

Here is the command to do it with SharePoint Online

Get-SPOUser -Site https://contoso.sharepoint.com/sites/finance -Group “group name”