External Access Management
Using Request Files in Microsoft 365
What is the Request Files Feature?
Request Files is a really handy feature available in Microsoft SharePoint and OneDrive for gathering files from external organisations (or, indeed, or colleagues within your own).
To get a better idea of how ‘Request Files’ can be of benefit, here are some practical use cases:
- Gathering presentation decks: Collect all presentation decks from contributors to an event.
- Collecting partner logos: Get partner organisations to upload their most recent logos.
- Receiving proposals: Pulling together proposals from potential suppliers.
- You have a job posting: You can collect CVs.
If you frequently deal with these types of scenario, you’ll quickly see that it’s a huge time-saver and much more efficient than sending and tracking emails and file attachments.
How Request files Works:
In a nutshell, the Request Files feature lets you create a ‘descriptive’ link that can be shared with one or more recipients in order for them to upload files to you.
- You can send this link to your intended recipients in whatever way you like, including email.
- The upload link is associated with a folder, and all uploads are collected into that folder.
- Those people uploading files cannot see the contents of this folder – as far as they’re concerned, it’s a black ‘drop’ box!
Features that help the person that’s gathering the files are:
- All uploaded files are prefixed with the name of the person that uploaded them.
- You can keep track of when files have been uploaded.
- If two files are uploaded with the same name, a version number is automatically added.
Step by step guide to using Request files
From OneDrive or a documents area in SharePoint, create a folder you want to use as your collection point.
Right click, and you should see a Request Files option.
The Request Files option will prompt you to provide a brief description of the files you are requesting.
You will also have the option to add more instructions in a email.
The next step will provide you with a shareable link. You can in theory share this link how you want: on a text message, using WhatsApp – although a more ‘trackable’ route is preferable!
Alternatively you can send an email with the link to the recipients you wish, along with further information, such as “Get these files to me before the end of the month”.
HELP – I can’t see see the ‘Request Files’ option!
If you can’t see ‘Request Files’ option when you right click on a folder in OneDrive or SharePoint, then one of the following situations may be applicable:
- The Request file feature isn’t enabled for your Microsoft 365 tenant or the SharePoint site you are on – you will need to get in touch with your IT department
- You don’t have the relevant access rights in the SharePoint documents area you’re working from
- If you’re in SharePoint, make sure you’re viewing the documents area directly, and not via a SharePoint page that uses Documents Library ‘viewer’ web part.
What do Request Files end users see when using they receive a Request Files link?
Recipients of a Request File ‘request’ will receive a link they can use to upload files, along with any information you supplied along with it.
They can then upload the files they wish. This is done one by one, and it’s not possible to access or look at the files they’ve uploaded.
They will be prompted for their first and last name as part of this process and receive this notification after each successful upload.
What do requestors see when files are uploaded?
The person that requested the files will get an email notification that a file has been uploaded.
They can also see all the uploaded files in the shared folder. Note that all files are prefixed with the contributor’s name and the (modified) date it was uploaded.
How is Request Files Configured in Microsoft 365?
Enabling the Request File feature involves first configuring the SharePoint External sharing setting to ‘Anyone’.
You can read the steps involved in doing this on Microsoft’s own site article: Setting up external sharing options for SharePoint and OneDrive in Microsoft 365.
Here are some tips and observations, however:
If your tenant doesn’t allow people to create Anyone links, then the Request files option is a non-starter. The same applies if you’ve previously applied the file download block policy to a site.
You will note from the diagram below that enabling Request files involves ‘highly permissive’ sharing settings, especially for SharePoint.
So, it’s important to plan how you’re going to set Request files up and how you’re going to manage its use.
For example, once you’ve enabled external sharing to ‘Anyone’, you can work with the SharePoint Online Management Shell or PnP commands to add restrictions to both OneDrive and SharePoint.
If required, you can only enable Request files to be enabled in OneDrive (and not SharePoint).
This can be done by switching off any SharePoint-based Request file activity by running the following PnP command:
set-pnpsite -Identity siteURL -RequestFilesLinkEnabled $False
Other steps you can take to add a layer of security include setting a blanket expiration of any Request file links (e.g. to 30 days).
What are the disadvantages of the Request Files feature?
Poor(ish) end user experience: The person uploading the files can’t see what’s in the folder. This limitation is intentional to maintain privacy, as files from multiple users/sources may be in the same folder. But when there’s multiple files to be uploaded, it can be frustrating for the end user as they can’t check what they’ve already uploaded, ensure they’ve sent the latest version of a file or delete/overwrite a file that’s been uploaded in error.
Potential security risks: There’s a lack of granularity and visibility when configuring Request Files which could be a source of concern:
- The Request files function requires the most permissive setting at the tenant level for SharePoint, i.e., External sharing set to Anyone
- By default, this setting applies to the entire organisation, but each site has its own sharing settings that you can set independently
- You can explicitly disallow the Request file feature for the SharePoint sites that you want to block from external sharing (e.g. using PnP commands that set RequestFilesLinkEnabled $false on the relevant sites)
- The link could be shared beyond the original people it was intended for, and used maliciously to upload risky files, although your default Microsoft security and encryption precautions will be in place to protect you from upload of certain file types such as a .exe
- The only way you know who the file is from relies on correct information being supplied by the person uploading. By default the ‘Modified by’ column will only feature the ‘name’ Guest Contributor.
File requestors have certain responsibilities: They can manage their ‘collection folders’ and, for example, set deadlines to prevent further uploads after a specific date.
However, like any system relying on user actions, there’s a risk that the shared folder may be forgotten, which is why the ability for administrators to set a blanket link expiry is handy (see previous section).
Conclusion
The Microsoft Request files feature is without question a handy one, and is arguably a lot safer than inviting external users to upload files using a regular shared folder link.
Even though it involves potentially risky security settings on the tenant, Microsoft recommends that organisations provisioning ‘frictionless’ ways of sharing. This approach simplifies the sharing process and helps avoid users turning to uncontrolled, unsecured alternatives like Dropbox, WeTransfer, WhatsApp, Google Docs, and the many other options that fall outside your IT department’s oversight.
Like the idea of request files but want something that’s more secure and offers more functionality?
Get in touch to see an alternative that includes all the benefits of your Microsoft security stack, with the granularity and ease of use you ideally want.