Sharing Folders with External Users spams Organization Login Prompts

Stephane Fagnan 51

I asked this question on the OneDrive dev forum a few weeks ago (link) but have not received any responses - apart from another user saying they are running into the same issue:

In OneDrive, I can create a sharing link for a folder and set the link so "Anyone with the link can edit". I assume this means that even users outside my organization can edit the folders and files within the shared folder.

If I test this with an external account, I'm able to edit the files and folders. However, I'm periodically prompted with a Microsoft login pop-up window. I can ignore/close the login prompt and continue editing the files. However, the login prompt keeps popping up periodically, including every time I refresh the screen. If I try to log in with the external user account, it gives me an error saying I'm not part of the tenant and I need to be added as an external user to the tenant. But then I can still close that and continue editing the files.

If I send the invite link for a folder via a graph API call, I'm forced to set the "requireSignIn" property to True in the body of the request. If I set it to False, I get an error:

RequireSignIn cannot be false for folders

I do not run into the same issue when sharing files. Whether I create the link in OneDrive UI or via the API, the external user does not get hit repeatedly with login prompts.

Am I doing something wrong or is this a bug? If sharing a folder is not allowed outside an organization, why does it allow me to create a sharing link where "Anyone with the link can edit"? And why is the external user still able to edit the files despite the repeated login prompts?

Zehui Yao_MSFT 5,831 Reputation points

2023-01-26T07:50:52.2566667+00:00

Hi @Stephane Fagnan we are currently doing research on this issue and will let you know as soon as possible.
Stephane Fagnan 51 Reputation points

2023-02-24T22:43:04.2266667+00:00

As an update on this issue, I reached out to Microsoft support as suggested by @Anonymous . A Microsoft rep was assigned to my ticket and asked me a series of questions - first to confirm that the issue I was seeing was not due to incorrect use of the sharing features / settings, and then further questions to gather more information about the bug.

We went back and forth for a couple of weeks, but the questions seemed to be getting less and less relevant. I was asked to test the issue on every different browser I had access to, as well as multiple browsers on a secondary computer and a mobile device. I felt that I had already helped confirm that this issue is in fact a bug, and provided more than enough details but I was spending much more of my time troubleshooting than I felt was necessary. I asked the representative to continue the troubleshooting on their end, as this is not a difficult issue to reproduce and I've received confirmation from multiple other people that they are experiencing the same issue.

I didn't hear back from that rep for another couple of weeks. Then a different rep reached out to me on the same ticket and seemed to not be aware of the previous conversations. I explained my previous communication and offered to forward that email thread for their troubleshooting purposes. I did not hear from that rep for a few days. Today I was contacted by yet another rep, who also seemed to not be aware of the prior communication. I requested that this ticket be handled by the original rep, as they are the one I had the most communication with and provided the most information to.

This has not been promising so far to say the least. It seems like I'm just being bounced back and forth between different Microsoft reps and no actual progress is being made on this issue. It would be nice to get some indication that this is actively being looked into. @Zehui Yao_MSFT - has any progress been made in your own investigation?
Stephane Fagnan 51 Reputation points

2023-11-10T19:47:49.1133333+00:00
I had previously given up on this issue as I was getting nowhere with MS support. However, many of my company's clients are getting frustrated with the confusion this is causing in their own sharing activities, so I have opened up another ticket with MS support. I had a call with a support rep, which I will summarize below:

Support rep explained that there are two reasons the login prompts appear when sharing OneDrive folders:

Link recipient has O365 credentials stored in their browser. When they access the shared folder, O365 tries to automatically log them in with their stored credentials. That doesn't work (because their account isn't part of the organization), so the pop-up appears prompting them to log in.

There are multiple different levels of access/permissions on the shared folder, which creates a conflict. O365 has trouble determining who is accessing the folder and what permissions they should have, so it prompts the user to log in.

The support rep explained that there are two "workarounds" to the problem

Always access shared folders in a private (incognito) browser session.

Create a guest account on your tenant for each user that you share the folder with. This requires sending an invitation by email to the person you're sharing with, and having them accept the invitation. I believe they are required to have their own O365 account. Once the guest account is created, you must re-share the folder with the user's guest account. Now, if the guest uses the new sharing link, they will not receive the login prompt.

I explained that these workarounds are not sufficient for our purposes and do not address what I see as a significant bug in the OneDrive sharing model. Microsoft is advertising these sharing links as being able to share with "anyone", and yet the login prompts make it appear as though you need to be part of the folder owner's organization in order to access the folder at all. This is creating confusion and a sense of unprofessionalism with many of my company's clients, who are considering going with a different storage service altogether. When you are sharing OneDrive folders regularly with many different people - as our clients are - it is not reasonable to coordinate these workarounds with each link recipient. It should be Microsoft's responsibility to provide a solution to this issue.

The Microsoft support rep said he would discuss with his dev team again. I asked him to keep me updated.

Furthermore, after the support call I was able to reproduce the issue in a manner that refutes the supposed causes of the bug: I shared a folder with an anonymous link and there are no other access permissions or links on that folder. I accessed the folder via the anonymous link in a private browser session. I still got the login prompt, even though there should not have been any permissions conflicts and there were no O365 credentials stored in the browser since I was using incognito mode.
Stephane Fagnan 51 Reputation points

2024-01-17T18:08:52.6166667+00:00
I finally made some progress in getting this issue addressed by Microsoft. I've been working with a new support ticket for a couple months now. They've resolved most of the issues and there's just one remaining edge case I'm trying to get resolved.

How it works now:

If you have no O365 profile info saved in your browser (or you're in private browsing), you are not prompted to log in anymore.

If you do have O365 profile info saved in your browser, you are prompted to log in with your O365 account. However, now it doesn't throw an error if you log in with an account that is not part of the organization that owns the shared resource. Once you've logged in, it does not ask you to log in again.

The last issue I'm trying to get resolved:

If you access a sharing link that was shared with your specific email, and your email is not an O365 account - you still get the login prompt every time you view a PDF file within the shared folder. There is no way to get the prompts to stop, since you do not have an O365 account to log in with. Hopefully this one will be resolved soon as well!

3 answers

CharanyaB-MSFT 1,421 Reputation points Microsoft Vendor

2023-01-26T09:54:08.63+00:00

Hello @Stephane Fagnan,

As the sharing link for a OneDrive folder is set to "Anyone with the link can edit", the recipients won't need to sign in to access the content.

It shouldn't ask for a login prompt for the given access, as anyone with the link can edit the contents of the folder. This looks like a bug, as login prompt is not expected.

Since, this seems to be a bug, I would recommend you raise a support case with Microsoft, a dedicated Support Engineer will be able to assist you better. You can raise support ticket from http://aad.portal.azure.com or https://admin.microsoft.com/#/support/requests.

Hope this helps.

If the reply is helpful, please click "Accept Answer" and kindly upvote it. If you have additional questions about this answer, please click "Comment".
Please sign in to rate this answer.

0 comments No comments
Sign in to comment
TomaszKawka 0 Reputation points

2023-03-01T00:15:42.7133333+00:00

Hi there,

Were you able to resolve this issue? We are having the same problem with external users being prompted for a login and password. Sharing individual files works as expected, user gets a verification code and is not asked for a login or password!

Best Regards,

Tomasz
Please sign in to rate this answer.
Stephane Fagnan 51 Reputation points

2023-03-01T18:42:06.2466667+00:00

Hi Tomasz,

See my comment above on my original post for details. I've been trying to communicate with Microsoft to resolve the issue and confirm that it's being worked on but haven't had much luck so far. The original representative I was working with was supposed to be re-assigned to the case and reach out to me on Monday, but I haven't heard from them.
Sign in to comment
ExternalUser007 0 Reputation points

2023-05-31T12:52:31.7366667+00:00

We are now also experiencing this same issue. All we are doing is sharing folders and new sign-in tabs keep appearing. Support was completely not helpful with the first try.

Any updates? @Anonymous @Zehui Yao_MSFT
Please sign in to rate this answer.

0 comments No comments
Sign in to comment