File access: Share links vs. Direct access

In today's Microsoft in Minutes, we're going to look at the two ways that you can grant someone permission to edit or view a file in Microsoft 365: Share links and Direct access.

NOTE: In this article, any reference to Microsoft Teams includes both the Microsoft Teams Files application as well as the Files tab within a channel in a particular team.

Share link vs. Direct access

There are two distinct ways to grant permission to an object in Microsoft 365, Share links and Direct access. A Share link is a hyperlink that grants a certain group of individuals the ability to use the hyperlink to access a particular file or folder. Direct access grants a certain group of individuals the ability to access the resource without a hyperlink. Both methods can grant access to a file, but there are some significant differences between the two, specifically with how an individual navigates to the shared resource.

Let's imagine a locked door with two different methods to enter: a magnetic key card and a biometric fingerprint scanner. Let's avoid debating the merits of each of these methods of security for this example and simply focus on the fact that one method requires you to present something you have to open the door (the key card) and one method relies on something that you are (your fingerprint) to gain the same access. Both can be revoked and granted to any individual at any time: the magnetic key card by giving someone a key card that grants them access, the biometric scanner by entering someone's fingerprint into the security system.

In this example, a Share link is analogous to giving someone a magnetic key card to open the door and Direct access is entering someone's fingerprint into the security system. One grants access via something a user has (the Share link), and the other grants access based on who the user is (Direct access).

Microsoft 365 has made the distinction between these two even more blurry than in other file sharing systems to simplify granting permission to a resource; however, the differences remain. What this means for users in Microsoft 365 is that to access a resource for which they've been given a Share link, they must either retain the Share link and use it to access the file, or search for that file using the Microsoft 365 omni search bar to locate the file. When you grant someone permission to a resource via Direct access, you allow them to access the resource via the same methods as with a Share link, but they can also find the file or folder in their OneDrive or Microsoft 365 app by going to the Shared view.

One way is not more secure than the other, the main difference is in how the recipient can access the file or folder after they've received permission to use the file. In general, Share links are ideal for short-term collaborations or one-off document review since the files are slightly more difficult to locate after discarding the initial message that contained the Share link. Direct access is a better choice for an ongoing collaboration where users may have to return to a document to use it over an extended period simply because they can access the file via their OneDrive or Microsoft 365 application Shared view without having to retain a hyperlink.

Granting permission via a Share link

In Microsoft 365, Share links are managed when you click on the Share icon. There are some exceptions to this that we'll look at later in the article, but for now, let's focus on the Share icon. The Share icon is the icon that appears when you point to a file or folder within OneDrive, Teams, SharePoint, or the Microsoft 365 application that looks like a small box with an arrow that goes from inside to outside of the box. It's highlighted by the crimson rectangle and arrow in the following image:

the Share this item with other people icon in Microsoft 365

NOTE: This article is looking at the Share link and Direct access options available in Microsoft 365 through the lens of OneDrive My Files. Keep in mind that all storage in Microsoft 365 is SharePoint storage. Therefore, all the options that we will explore today are also available via Microsoft Teams and SharePoint. The only difference is that files in OneDrive My Files begin with permission assigned only to the owner of the file whereas files stored in Microsoft Teams and SharePoint default to being available to the groups that control access to the Microsoft Teams team and SharePoint Site.

When you click on this icon, in OneDrive, Teams, and SharePoint, you will see the Share dialog by default:

The Share dialog in Microsoft 365.

This dialog box will generate a Share link. This method has a few options. First, you can grant specific users' permission to use the hyperlink by adding their email addresses in the "Add a name, group, or email" field (highlighted with the crimson rectangle in the following image). This is also where you select "Can view" or "Can edit" permission for the link (highlighted by the crimson arrow in the following screenshot):

The Share dialog in Microsoft 365 with the Add users or groups highlighted with a crimson rectangle and the permission level indicated with a crimson arrow.

If the permission level is set to "Can edit," anyone you specify can use the Share link to edit the file and the icon looks like a pencil. If the permission level is set to "Can view," anyone you specify can use the Share link to simply view the file and the icon looks like a pencil with a stroke, or line, through it indicating "no editing."

Once you've decided who can use the Share link, you can either copy the link to send via a chat or email, or you can include a custom message in the "Add a message" field and send an invitation email from Microsoft 365 to the specific users.

This is simply the default behavior for this dialog. You can change the method the Share link uses to grant access to the file or folder by clicking the "People you specify can edit." link or the settings gear in the upper right of the share dialog. This allows us to choose from different access granting methods, each with their own implications:

The share dialog box showing all the different access methods available in Microsoft 365. Descriptions follow.

The following list will describe what each of these methods do (except for "People you choose" since we just discussed that in-depth).

Anyone–Anyone in the world who happens to find the hyperlink can access the file with the permission the Share link grants and allows individuals to find the file or folder via the Microsoft 365 omni search with the assigned permission level. This method does not require authentication to Microsoft 365 to access the file.
People in Indiana University–This allows anyone with an IU login to be able to use the Share link access the file or folder and find the file or folder via the Microsoft 365 omni search with the assigned permission level.
People with existing access–This limits the use of the Share link to individuals who already have access to the file or folder via Direct access granted either via membership in the Microsoft Teams team that owns the file or via individually specified access.

Let's look at these options in a little more depth, starting with the Anyone permission.

Anyone Share links

Anyone who happens to either find the hyperlink or discover it via other means will be able to use it to access the file or folder at the designated permission level via the Share link. When you select the Anyone method, be certain that the contents of the file can be viewed or edited by any human currently or yet to be living. This permission level is disabled in Microsoft Teams sites by default but is available for any file stored in an individual's OneDrive My Files/SharePoint MySite.

When you select the Anyone method, you have a few additional options available to you: A link expiration date and a password to use the link. It is strongly recommended that when you use the Anyone method that you set BOTH an expiration date for the Share link and a password. Both options are straightforward: setting an expiration date will make the hyperlink non-functional after the expiration date and setting a password will require that anyone who discovers or is given the Share link must also be given the password to access the file or folder.

The share dialog box with the Anyone permission method selected.

Let's say this together: Only use the Anyone method for a file that any human currently or yet to be alive can view or can edit.

Use this access granting method sparingly.

People in Indiana University Share links

Links with this permission can be used by anyone with an IU login. Specifically, anyone who is eligible for a Microsoft 365 license at Indiana University:

Screenshot from https://kb.iu.edu/d/auia indicating that Enrolled undergraduate students, enrolled graduate students, faculty, staff, part-time employees, academic (non-paid) accounts, affiliate accounts, group accounts, department accounts, IU Guest accounts, IU Library guest accounts, retired faculty, and retired staff have access to Microsoft 365 at IU.

See the IU Knowledge Base document IU account types and eligibility for more detailed information. The previous image is a screenshot of the information relevant to this article from that document.

This permission level does restrict access to a limited number of people, but that limitation is for anyone eligible for a license at IU. This means that anyone at IU can discover your file or folder simply by searching for a relevant word or phrase from the document in the Microsoft 365 omni search.

The share dialog with the Anyone at IU method selected.

If you would like to see the implications of this access method, simply search for a common phrase like "resume," "assignment," "meeting minutes," "syllabus," or "homework" in Microsoft 365 and be amazed by what files and folders other users at IU have allowed you to access.

NOTE: If you encounter files or folders that contain sensitive data during your searches, instead of opening the files, you should send the names of the files to the file owners if you can figure out who owns the file to let them know that you have access to a file that you shouldn't. If you can't figure out who owns the file or folder, you can open an IT Incident. For more information, see If you locate unsecured files with sensitive data at IU.

People with existing access Share links

This is the most restrictive option by default, but it also has the most limited use cases. This permission level will only allow people with existing access to use the link based on the access level that they already have to the file or folder.

The share dialog with the Existing Access method selected

This is useful if you need to refer to a particular file or folder in an email to or a chat with the folks who already have access to an asset within Microsoft 365. For example, if you would like to call attention to a specific file or folder in a meeting agenda for a team meeting, you can use the "People with existing access" permission to generate a link to that file or folder and include it in the meeting agenda or meeting invite.

Other access options available to all access methods

If you set the access level to "Can view," you can also prevent users from downloading the file for all permission granting methods except for the "People with existing access" method. This is because that link generating method applies the permission the user already has to the asset as we discussed above.

The share dialog showing the more settings options, described below.

Microsoft Word documents have a permission level in addition to "Can edit" and "Can view" called "Can review." The "Can review" permission level allows users to use the commenting and track changes features of Microsoft Word to provide feedback to the document without making changes to the document itself. You can set this permission level for any Microsoft Word document using any of the permission granting methods except "People with existing access" for reasons we've already discussed.

The share dialog showing the word document can review permission level.

Summary of Share links

That's the entirety of what can be done with a Share link. Remember, Share links work best for temporary collaborations or for broadcasting a file to a large group of people. If you're expecting long-term or ongoing collaboration on a file or folder, you should consider using Direct access instead of creating a Share link.

Granting permission via Direct access

Like we discussed in the introduction, the other access granting method within Microsoft 365 is Direct access. This method is available to any file or folder stored within Microsoft 365 via Microsoft Teams, SharePoint, or OneDrive My Files.

NOTE: You cannot grant permission via Direct access using the Home view of OneDrive.

To grant someone permission to a file using Direct access, start by clicking the "More actions for this item" three-dot menu that appears when you point to a file or folder in Microsoft Teams, SharePoint, or OneDrive My Files.

The More options three dot button highlighted

From the popup menu, select "Manage access."

The more settings menu with the manage access option highlighted

The Manage Access dialog appears:

the manage access dialog box

Since we're viewing this file via OneDrive My Files, you can see that the file hasn't been shared with anyone yet and the Manage Access window prompts me to start sharing the file. Selecting this option will open the Share link dialog that we discussed previously. That's not what we're here to do. Instead, we're interested in the "Grant access" option at the top right of the dialog box:

the manage access dialog with the grant access button highlighted

When you click the "Grant access" button, you're presented with the Grant access dialog box.

the grant access dialog box

This dialog is a simplified version of the Share link dialog in that your only options are to grant someone access by typing in their email address and selecting the level of access they will have to the file or folder: "Can edit" or "Can view."

The only options you have other than that are to notify users and whether to include a message when Microsoft 365 notifies them that you have granted them access to a file or folder.

Summary of Direct access

Remember, any user who has direct access to a file or folder can access that file via the hyperlink in the email that notifies them they have access (if you choose to notify users), via the Microsoft 365 omni search, and via their OneDrive Shared view.

Granting permission in the Microsoft 365 application

The Microsoft 365 application has a simplified sharing mechanism that allows you to share a file or folder via email, by copying a link, or via Microsoft Teams. If you choose to share an item via the Microsoft 365 application by email or by copying a link, you are generating a Share link using the same methods described in the "Granting permission via a Share link" section of this document.

If you choose to share an item from the Microsoft 365 application to Microsoft Teams, you get to choose whether to share with a channel or a person via Teams or to create an assignment in Microsoft Teams. The Share to Microsoft Teams web page will open in a new browser tab:

The share via teams web page

We won't talk about the "Create an assignment" option in this article.

To share to a particular channel or person, you can either select a recently used channel from the "Recent locations" suggestions or type the name of a channel or person in the "Type the name of a person, group, or channel" field above the "Recent locations" suggestions.

If you choose a person or group, the link will be shared with those individuals via a chat. If you choose a channel within a team, the link will be shared with the team via a new conversation in that channel. Once you select the destination, you have the option to include a message with the link to start the conversation. Once you're ready to share, click "Share," and the link and message will be shared via the chat or channel you selected and will have its permissions adjusted to allow the individuals who can see that channel or chat to be able to access the file.

Since this is a file shared via Microsoft Teams, like all files accessible to team or chat members, people who use the hyperlink to access the file will be accessing the file with "Can edit" permissions.

Managing access in Microsoft 365

Once you've generated a Share link or granted direct access, you can use the "Manage access" option to modify those link parameters or change who has direct access.

the manage access dialog box with more collaborators and links shown

This file has been shared with two people and has one generated link. To manage the access for an individual with Direct access, click on the person's name. This will open the user's Access summary:

the access summary for one of the users who has access to the file

To change the user's access, expand the Direct access fold and click the dropdown that describes their level of access ("Can edit" or "Can view").

the access summary for a particular user with the modify access options expanded

From here, you can change their access level or remove their access completely.

If you'd like to manage a Share link, you can do that from the Links tab in the Manage Access dialog:

The manage access dialog showing the links for a document and how to modify them.

From here, you can copy the existing Share link to share it again or change the permission level the Share link grants by clicking on the "More options" settings gear or completely remove the share link by clicking the "Remove link" trash can.

You can also disable all Share links and Direct access permission by clicking the "Stop sharing" link at the upper right of the Manage Access dialog:

the manage access dialog with the stop sharing option highlighted

Hopefully, today's Microsoft in Minutes article will help you understand all the ways that you can allow people and groups to access your files within Microsoft 365 at IU. As always, if you have issues sharing or controlling access, viewing files, or any other technical issue, Contact your campus IT Support Center.