What are File Requests in SharePoint Online?
File Requests enable users to request files from other users, either internal or external to your organization. This simplifies the process of getting content from users who may not have direct access to the SharePoint site the request is coming from.
In this article we will cover the following aspects of File Requests:
- What is required for File Requests to be enabled for your organization?
- How to enable File Requests
- What are Anyone links?
- Security and Governance considerations when implementing File Requests
1 - What is required for File Requests to be enabled for your organization?
- M365 Business or Enterprise License – Any Microsoft Business or Enterprise license that includes SharePoint P1 or P2.
Apps & Modules
- PowerShell – There are several versions of PowerShell and several ways to access it; in this guide we will use PowerShell ISE.
- SharePoint Online Management Shell – This will enable us to access and update the Request File feature for the tenant.
- SharePoint Administrator – Enables the configuration of the Sharing Policies in the SharePoint admin center.
2 - How to enable File Requests
To be able to use File Requests in SharePoint, you will need to ensure that:
- ‘Anyone’ links are enabled at a tenant level for SharePoint.
- Folder permissions are set to ‘View, edit, and upload’.
- The ‘CoreRequestFilesLinkEnabled’ feature on tenant level or the ‘RequestFilesLinkEnabled’ feature per site is set to ‘True’.
For instructions on how to do this, please read Microsoft’s documentation: Enable File Requests in SharePoint or OneDrive - SharePoint in Microsoft 365 | Microsoft Learn.
In addition, here is the Microsoft Support documentation on how a File Request works from a user perspective: Create a file request - Microsoft Support.
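The three prerequisites above can be verified from the SharePoint Online Management Shell before anyone tries to create a request. The following read-only check is an added example, not code from this article or from Microsoft. The two URLs are placeholders, and it assumes that the admin center option ‘View, edit, and upload’ is reported by `Get-SPOTenant` as `FolderAnonymousLinkType = Edit`.

```powershell
# Added example: read-only readiness check for File Requests.
# Assumption: both URLs are placeholders; replace them with your own values.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$SiteUrl  = 'https://contoso.sharepoint.com/sites/Intake'

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

$tenant = Get-SPOTenant
$site   = Get-SPOSite -Identity $SiteUrl

# Build one result row per prerequisite so failures are easy to spot.
function New-Check($Scope, $Setting, $Actual, $Expected) {
    [pscustomobject]@{
        Scope    = $Scope
        Setting  = $Setting
        Actual   = [string]$Actual
        Expected = $Expected
        Pass     = ([string]$Actual -eq $Expected)
    }
}

$checks = @(
    # 1. 'Anyone' links enabled at tenant level.
    New-Check 'Tenant' 'SharingCapability' $tenant.SharingCapability 'ExternalUserAndGuestSharing'
    # 2. Folder Anyone links allow upload (assumed to surface as 'Edit').
    New-Check 'Tenant' 'FolderAnonymousLinkType' $tenant.FolderAnonymousLinkType 'Edit'
    # A site can be more restrictive than the tenant, so check it as well.
    New-Check 'Site' 'SharingCapability' $site.SharingCapability 'ExternalUserAndGuestSharing'
)

# 3. The feature flag may be on for the tenant or for this one site.
$featureOn = [bool]$tenant.CoreRequestFilesLinkEnabled -or [bool]$site.RequestFilesLinkEnabled
$checks += New-Check 'Tenant or site' 'RequestFilesLinkEnabled' $featureOn 'True'

$checks | Format-Table -AutoSize

$failed = @($checks | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) prerequisite(s) not met; File Requests will not be available on $SiteUrl."
}

# To turn the feature on once the sharing settings are in place:
# Set-SPOTenant -CoreRequestFilesLinkEnabled $true                     # whole tenant
# Set-SPOSite -Identity $SiteUrl -RequestFilesLinkEnabled $true        # one site only
```

Enabling the flag per site rather than tenant-wide keeps anonymous upload limited to the sites that actually need it.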
3 - What are Anyone links?
An Anyone link is a link to a resource (such as a file, or a folder and its contents) which allows anyone to access it without first authenticating themselves. This link can be shared with others without the creator needing to update the link’s permission setting first.
Any actions, such as editing, deleting, or viewing, performed by an unauthenticated/anonymous user who has gained access via an Anyone link are marked against ‘Guest Contributor’.
What Anyone links don’t do
Whilst anonymous users can click on an Anyone link to access the resource that was shared with them, it’s important to note that Anyone links do not automatically grant and extend access to other resources within your tenant. They are narrowly limited to where they were configured.
4 - Security & Governance considerations when implementing File Requests
Enabling Anyone links and File Requests for your tenant comes with some very obvious security and governance concerns for most organizations. Here is a list of the top 9 concerns:
- Accidental/Over Sharing – Users may unknowingly share sensitive information or share more information than intended.
- Data Breaches – Increased risk of unauthorized access to sensitive organizational data stored in SharePoint.
- Unauthorized content uploads – Anonymous users may upload malicious files or inappropriate content to your sites.
- Data loss – There is a high risk of data loss due to malicious or accidental modifications/deletion of content by anonymous users.
- Compliance violations – Many regulatory requirements across industries (POPIA, GDPR, HIPAA) involve data privacy and minimum-security standards.
- Lack of accountability – Auditing of actions within your environment becomes challenging when anonymous actors work in your environment, making accountability difficult to implement.
- Insider threats – Malicious actors inside your organization (who would be directly aware of which areas of content are anonymously accessible) can more easily target and exploit this content.
- Intellectual Property (IP) Risks – Unauthorized access to IP and proprietary information within your environment, leading to theft or misuse.
- Security and governance complexity – By allowing anonymous access, security and governance become more complex and prone to misconfiguration.
It’s important to note that enabling anonymous links does not automatically grant anonymous users access to your SharePoint environment. Instead, it enables users to generate links to resources that don’t require authentication.
How do we use Anyone links & File Request safely?
Microsoft provides best practices for unauthenticated sharing that cover the following:
- Set an expiration date for Anyone links.
- Set link permissions.
- Set the default link type to a link that only works for people in your organization.
- Use permissions to control who has access to content to start off with.
- Implement protection against malicious files.
- Add copyright information to your files.
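Several of these practices map to tenant settings that can be kept as a baseline and checked for drift. The sketch below is an added example, not from this article or from Microsoft's guidance. The admin URL is a placeholder and the chosen values (14-day expiry, view-only file links) are illustrative assumptions to adapt to your own policy.

```powershell
# Added example: compare tenant sharing settings with a baseline and fix drift.
# Assumption: the URL is a placeholder and the baseline values are illustrative.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
Connect-SPOService -Url $AdminUrl

$baseline = [ordered]@{
    RequireAnonymousLinksExpireInDays    = 14          # expiration date for Anyone links
    FileAnonymousLinkType                = 'View'      # link permissions: files are view-only
    FolderAnonymousLinkType              = 'Edit'      # must stay Edit or File Requests stop working
    DefaultSharingLinkType               = 'Internal'  # default link works only inside the organization
    DefaultLinkPermission                = 'View'
    DisallowInfectedFileDownload         = $true       # block download of files flagged as malware
    CoreRequestFilesLinkExpirationInDays = 14          # request links expire too
}

$current = Get-SPOTenant
$drift   = @{}

foreach ($name in $baseline.Keys) {
    $actual  = [string]$current.$name
    $desired = [string]$baseline[$name]
    if ($actual -ne $desired) {
        Write-Host ("DRIFT  {0}: '{1}' -> '{2}'" -f $name, $actual, $desired)
        $drift[$name] = $baseline[$name]
    } else {
        Write-Host ("OK     {0}: '{1}'" -f $name, $actual)
    }
}

# Review the drift report first, then set $Apply to $true to write the changes.
$Apply = $false
if ($Apply -and $drift.Count -gt 0) {
    Set-SPOTenant @drift
}
```

Note the tension in the baseline: tightening `FolderAnonymousLinkType` to view-only would reduce exposure but removes the upload permission that File Requests depend on.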
In addition to these sharing best practices, we recommend:
- Monitoring – Active monitoring of your environment can reduce the risk of security breaches.
- Auditing – Regular auditing can help unearth any inconsistencies within your environment.
- User Education – Educating your users should always be high on your priority list when it comes to governance and security.
- Authentication – Utilizing features such as Conditional Access, Multi-Factor Authentication, and Information Rights Management can further enhance your security and compliance posture.
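For the monitoring and auditing points, the unified audit log records when Anyone links are created and used. The query below is an added example, not from this article. It assumes audit logging is enabled for the tenant and that the Exchange Online PowerShell module, which provides `Search-UnifiedAuditLog`, is installed. The seven-day window is an illustrative choice.

```powershell
# Added example: summarize Anyone-link activity from the unified audit log.
# Assumption: audit logging is on and the ExchangeOnlineManagement module is installed.
Connect-ExchangeOnline

$operations = 'AnonymousLinkCreated', 'AnonymousLinkUpdated',
              'AnonymousLinkUsed', 'AnonymousLinkRemoved'

# 5000 is the most a single call returns; larger tenants need paged sessions.
$records = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate   (Get-Date) `
    -Operations $operations `
    -ResultSize 5000

# The useful detail is in the AuditData JSON payload of each record.
$events = $records | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $data.CreationTime
        Operation = $data.Operation
        User      = $data.UserId
        ClientIP  = $data.ClientIP
        Site      = $data.SiteUrl
        Object    = $data.ObjectId
    }
}

# Which sites see the most anonymous link activity?
$events |
    Group-Object Site, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Who is creating Anyone links, and on what?
$events |
    Where-Object Operation -eq 'AnonymousLinkCreated' |
    Sort-Object Time |
    Format-Table Time, User, Object -AutoSize
```

Sites that appear in this report but were never meant to accept anonymous content are the first candidates for review.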
The File Requests feature offers an intuitive way for users to quickly receive the documentation that they need from others without the hassle of cumbersome back and forth emailing with multiple parties.
Before implementing File Requests, it’s worth considering if this feature is a core part of how your organization needs to work, or if it’s something that will happen only occasionally. If it’s core, you need to ensure you do the necessary planning and implementation of security and governance measures. If not, the extra security and governance complexity required to implement File Requests securely may not be worthwhile.
If you need to ensure that certain Teams and SharePoint sites are 100% secure and excluded from external access, you can use the external lockdown functionality in SProbot to govern them. Locking down sites this way overrides Anyone links.