Managing OneDrive for Business File Upload Requests

User Features Are Great Until They Need to be Managed

If you read my article about the new Request files feature in OneDrive for Business, your first reaction might be “what a great feature” before quickly passing to “how can I control it?” Conceptually, asking someone to upload files to OneDrive is like accepting attachments in email. Both need some control to ensure that tenants don’t expose themselves to risk through data coming from outside.

For example, the kind of controls you might consider desirable include the ability to disable the feature or restrict uploads to specific domains. Or limit the feature so that only some users can generate requests. Or only allow certain file types (like Office files and PDFs) to be uploaded. Or require those who upload to authenticate themselves with an Azure Active Directory, Microsoft, or Google account.

No Specific Controls for Request Files

The bad news is that neither the SharePoint Online Admin Center nor the OneDrive for Business Admin Center includes any controls specific to Request files. However, because the feature uses a special form of anonymous sharing link, the standard controls for Anyone links set in the Sharing section of the SharePoint Admin Center (Figure 1). If the tenant disables Anyone links, users cannot request file uploads.

Sharing options for Anyone links in the SharePoint Admin Center
Figure 1: Sharing options for Anyone links in the SharePoint Admin Center (image credit: Tony Redmond)

Sharing links for Request Files only work if the recipient has the permission to upload files to a target folder, so the permission allowed for folders must be set to “view, edit, and upload” as it is in Figure 1. If you change this to “view,” users will not be able to request files and will see the error shown in Figure 2. The first time I saw this, it took a moment to figure out what the error message meant.

Error when requesting files
Figure 2: Error when requesting files (image credit: Tony Redmond)

In effect, a tenant can block Request Files by limiting the permissions given in sharing links for folders. It’s a kludge of a workaround, but better than nothing.

Expiring Anyone Links

The sharing links generated to allow people to upload files are anonymous. Anyone who has the link can use it until the link expires. The expiration limit for Anyone links can be set by the tenant in the Sharing section of the SharePoint Admin Center (the suggested default is 30 days). If the tenant doesn’t set an expiration period for Anyone links, users can edit links to set an expiration limit (Figure 3).

Amending the expiration period for a sharing link
Figure 3: Amending the expiration period for a sharing link (image credit: Tony Redmond)

If you allow Request Files, it’s probably best to set a default expiration limit for Anyone sharing links. Thirty days might be too long; fourteen days sounds better on the basis that if someone doesn’t respond and upload files within two weeks, they’re probably not going to do it at all.

Uploading Files

When someone receives an invitation to upload files, they can respond with whatever files they like. A quick test shows how easy it is to upload executables, DLLs, HTML files and other types where problems might lurk (Figure 4). Advanced Threat Protection for OneDrive for Business (if you license it) can scan files to detect malware, but the scan isn’t immediate and newly uploaded files can be shared before the scan happens.Email attachments can also introduce malware into a tenant, but anti-malware engines scan messages before delivery to user mailboxes, not afterwards, which is the direct analogy here.

Some not-so-desirable file types uploaded to OneDrive for Business
Figure 4: Some not-so-desirable file types uploaded to OneDrive for Business (image credit: Tony Redmond)

You can block the OneDrive sync client from synchronizing specific file types to workstations. In this case, the executable was blocked, but I was still able to download and run the executable from OneDrive, which could be a quick way to infect my PC. After all, no one I request files from would ever upload something dangerous…

It would be much better if OneDrive extended its settings to stop people uploading file types that aren’t supported for sync.

Knowing About Uploads

OneDrive sends email notifications to requestors when files are uploaded to target folders to tell them that new files are available. OneDrive account owners can run an external sharing report to discover the sharing activities in their account (requests have a permission of Submit files), but tenant admins have no idea who is requesting files. For all we know, the feature might never be used because no report or other indication is available in the OneDrive admin center.

The Office 365 audit log holds some clues because it records when anonymous (Anyone) links are created and permissions set. However, these activities don’t necessarily belong to requests, but the FileRequestUsed activity does. Office 365 records this action when someone uses a sharing link to upload files to OneDrive.

You can’t use the Audit log search in the Security and Compliance Center to filter for FileRequestUsed events, so we must search with PowerShell. This code looks for instances in the last 90 days and reports the user who uploads file (anonymous in most cases unless the uploader is signed in), the target folder, and the owner of the target OneDrive account.

$Records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date).AddDAys(+1) -Operations FileRequestUsed -ResultSize 1000)
If ($Records.Count -eq 0) {
   Write-Host "No group creation records found." }
 Else {
   Write-Host "Processing" $Records.Count "audit records..."
   $Report = [System.Collections.Generic.List[Object]]::new()
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.Auditdata
      $ReportLine = [PSCustomObject]@{
           TimeStamp    = Get-Date $AuditData.CreationTime -format g
           UploadedBy   = $AuditData.UserId
           Action       = $AuditData.Operation
           ClientIP     = $AuditData.ClientIP
           TargetFolder = $AuditData.SourceRelativeUrl.Split("/")[1] 
           OneDrive     = $AuditData.SiteURL
           OneDriveUser = $AuditData.SiteURL.Split("/")[4] 
           }
      $Report.Add($ReportLine)  }}
If ($Records.Count -eq 0) {
   Write-Host "No group creation records found." }
 Else {
   Write-Host "Processing" $Records.Count "audit records..."
   $Report = [System.Collections.Generic.List[Object]]::new()
   ForEach ($Rec in $Records) {
      $AuditData = ConvertFrom-Json $Rec.Auditdata
      $ReportLine = [PSCustomObject]@{
           TimeStamp    = Get-Date $AuditData.CreationTime -format g
           UploadedBy   = $AuditData.UserId
           Action       = $AuditData.Operation
           ClientIP     = $AuditData.ClientIP
           Target       = $AuditData.SourceRelativeUrl.Split("/")[1] 
           OneDrive     = $AuditData.SiteURL
           OneDriveUser = $AuditData.SiteURL.Split("/")[4] 
           }
      $Report.Add($ReportLine)  }}
$Report | Select Timestamp, OneDriveUser, UploadedBy, Target -Unique

imeStamp         OneDriveUser                     UploadedBy                      Target
---------         ------------                     ----------                     --------
20 Jan 2020 08:40 tony_redmond_office365itpros_com [email protected]  Uploads  
20 Jan 2020 08:39 tony_redmond_office365itpros_com anonymous                      Documents
20 Jan 2020 08:37 tony_redmond_office365itpros_com anonymous                      Documents.
19 Jan 2020 19:10 jack_smith_office365itpros_com   anonymous                      Files...
18 Jan 2020 00:14 jane_austen_office365itpros_com  anonymous                      Working

Unfortunately, audit records don’t capture anything apart from the IP address about who uploads files, but at least you can establish if the feature is in use and who is using it.

Scaling Challenges

Apart from mastering the technology, when you scale up in tenants that have tens of thousands of OneDrive accounts, things get even more interesting. The standard tools built into Office 365 are not great when dealing with thousands of objects and automation of management processes becomes more and more important. This issue is accentuated when a new feature is introduced into an app without suitable admin controls, such as this example.

Lack of Admin Controls Mars Feature

Regrettably, it’s not uncommon for new user-centric features to appear without admin controls. It’s a pity that the usefulness of Request Files is reduced because it is not supported by the kind of controls that would make enterprise tenants happier. Extension of the existing settings for Anyone links and synchronization to control upload requests would go some of the way to making the feature safer and more attractive to Office 365 tenants.At least it would be a start.

Related Article: