I have had a few instances where customers have blocked OneDrive in their Office 365 tenant. This is often the result of a looming Exchange 2010 support deadline and a lack of time to establish governance, security, compliance, and training around both Exchange and every other service in Office 365. Unfortunately, the methods used to block some of these services may have unexpected consequences.
In each of these instances, OneDrive was blocked by removing the user’s ability to create OneDrive storage in the tenant. SharePoint Online was also in its default out-of-the-box state with default permissions. In each case we ran into the following symptoms:
- Despite the OneDrive block, an Outlook Web App user could successfully select the option Save to OneDrive for their attachments.
- The attachment would not save to OneDrive, but instead to the default SharePoint document library, inside a folder named Attachments.
In the next sections, we show how the OneDrive block was put in place and how SharePoint was configured to cause this perfect storm of incorrect attachment saving. We will then identify a workaround for the issue.
How OneDrive was blocked
The method described in this section is commonly found on the internet to block OneDrive access for users. In all cases, OneDrive was configured using this method.
The block is configured by navigating to the SharePoint Admin Center and selecting More Features. From the More Features window, click the Open button under the User Profiles section.

From the User Profiles screen, select Manage User Permissions. On the Permissions for User Profile dialog, select Everyone except external users. In the Permissions box, Create Personal Site was unchecked. Unchecking this box removes the user’s ability to create a personal OneDrive site.

Note: This method does not affect users with existing OneDrive storage. To revoke access to existing storage, the site collection admin for each OneDrive personal store would need to be replaced.
How SharePoint Online was configured
In all cases, SharePoint Online was still in its default out-of-the-box state with default permissions. What this means is that all users were granted the edit permission for the default document library.
To verify these permissions, open the default SharePoint site located at https://<domain>.sharepoint.com and select Documents.
In the top-right select the Settings button (gear icon) and click Site permissions.
From the Permission window, expand Site Members.
In the default configuration, the group Everyone except external users is granted the Edit permission.
In addition, all users were licensed for SharePoint Online.
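The same check can be scripted instead of clicked through. The following is an added example, not part of the original article: it lists every group on the default site that contains Everyone except external users, along with the permission levels that group holds. It assumes the SharePoint Online Management Shell module is installed, that `contoso` is a placeholder tenant name, that the claim can be recognized by its display name or by `spo-grid-all-users` in its login name, and that the site uses the English permission level names.

```powershell
# Added example: audit the default site for the "Everyone except external users"
# grant described above. Read-only; it changes nothing in the tenant.
# Assumptions: Microsoft.Online.SharePoint.PowerShell is installed and you sign
# in as a SharePoint administrator; 'contoso' is a placeholder tenant name.
$Tenant  = 'contoso'
$SiteUrl = "https://${Tenant}.sharepoint.com"

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://${Tenant}-admin.sharepoint.com"

# Permission levels that allow writing files into the document library
# (English names; localized sites use different names).
$writeRoles = 'Edit', 'Contribute', 'Design', 'Full Control'

$groups   = Get-SPOSiteGroup -Site $SiteUrl
$findings = foreach ($group in $groups) {
    # Members of this SharePoint group
    $members = Get-SPOUser -Site $SiteUrl -Group $group.Title

    # Assumed identifiers for the "Everyone except external users" claim
    $everyone = $members | Where-Object {
        $_.DisplayName -eq 'Everyone except external users' -or
        $_.LoginName   -like '*spo-grid-all-users*'
    }

    if ($everyone) {
        [pscustomobject]@{
            Group    = $group.Title
            Roles    = ($group.Roles -join ', ')
            CanWrite = [bool]($group.Roles | Where-Object { $_ -in $writeRoles })
        }
    }
}

if ($findings) {
    # Any row with CanWrite = True reproduces the condition in this article
    $findings | Format-Table -AutoSize
} else {
    Write-Output "Everyone except external users is not a member of any group on $SiteUrl"
}
```

This only inspects group membership on the site; permissions granted directly on the library, or with broken inheritance, still need to be checked in Site permissions.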
Issue: Saving attachments in Outlook Web
If a user selects Save to OneDrive for an attachment in Outlook Web App, the process appears to complete successfully.
However, these attachments would then be saved to the default document library, located at https://<domain>.sharepoint.com, in a folder named Attachments.
In the example below, a user named Rory clicked Save to OneDrive for two attachments in Outlook Web App. With Rory’s access to OneDrive blocked, and the default permissions and licensing in place for SharePoint, both attachments saved to the Attachments folder located at https://<domain>.sharepoint.com.

Microsoft is working on this issue, but no fix has been announced yet. In the meantime, here is a workaround. This workaround has a significant drawback, so implement it wisely. For the best user experience, keep OneDrive enabled for your users.
Workaround: Remove the Edit permission
In our example, SharePoint was in its default state and not ready to be served to users. With this in mind, we can modify those default permissions by removing the Everyone except external users entry (alternatively, we can also switch to the Read permission).
To change these permissions, open the default SharePoint site located at https://<domain>.sharepoint.com and select Documents.
In the top-right select the Settings button (gear icon) and click Site permissions.
From the Permission window, expand Site Members.
In the drop-down below Everyone except external users select Remove (alternatively, you can choose the Read permission).
Now, when our example user Rory tries to save an attachment in Outlook Web App, he receives an error. Note that Rory can still preview the attachment or download it to his local machine.

Of course, the problem with this workaround is that if we need to maintain (or later reintroduce) those edit permissions for the default SharePoint document library, our issue will reoccur.
Conclusion: Don’t block OneDrive
The guidance for blocking OneDrive is not published on a Microsoft website but instead circulated on countless blogs from technology professionals. This means this information has not been endorsed, nor possibly tested, by Microsoft.
While the OneDrive block does work, it does require the prior workaround to be in place to prevent the OWA attachment issue. Unfortunately, the workaround comes with its own drawbacks.
While the quick fix could be to block OneDrive and use the previous workaround, this only resolves the issue identified in this article. There could be other unidentified issues as a result of the OneDrive block.
If resourcing is an issue, it may be best to work with a Microsoft Partner or the FastTrack Center to accomplish your governance, security, and compliance goals and leave OneDrive enabled and accessible to your users.

Have you seen this issue before? What did you do to fix it? Drop a comment below or join the conversation on Twitter @SuperTekBoy