How the Request Files Feature Works in SharePoint Online

Similar but Different to Request Files in OneDrive for Business

In January 2020, I wrote about the feature that allows OneDrive for Business users to ask people to upload files to a folder. Time moves on and message center MC495329 (7 January 2023) announced the arrival of a similar feature for SharePoint Online document libraries. According to Microsoft 365 roadmap it 103625, rollout started in February. It’s taken a while for it to show up in my tenant, or maybe I just haven’t looked hard enough.

In any case, Microsoft says that the feature is “an easy and secure way to request and obtain files from anyone.” Essentially, you select a folder in a document library that you want to use as a target for uploads. You then create a request files link that you give to the people who have the information you want. For instance, these might be professional advisors working on some documents relating to a project. They use the link to upload the files to the target folder, which site members can then interact with as normal.

Any site member can generate a link by selecting the target folder and choosing the Request files option from the […] menu. SharePoint Online generates a link (Figure 1), which the user can share using whatever method they like.

People who upload files don’t have any visibility into site contents and can’t see the files once they upload them to the site. This is a one-way transmission.

Getting SharePoint Online Ready for Request Files

The support documentation for the Request Files feature is available online. I don’t intend to repeat it here. However, some points from the feature documentation deserve emphasis.

First, the Request Files feature depends on Anyone sharing links. If your tenant doesn’t allow people to create Anyone links, they won’t be able to request external people to upload files to a folder. The permissions allowed for the link must include upload rather than just view and edit.

Second, Microsoft checks if Anyone links are enabled in a tenant when they deploy the software update for the Request files feature. If the tenant allows Anyone links, Microsoft enables all sites to support the feature. Originally, my tenant blocked Anyone links, which meant that the default condition applied (disabled) for all sites. After enabling Anyone links, I had to explicitly enable Request files for sites to make the option available.

Other restrictions can interfere with the ability of users to create Request Files links. For example, if you apply the file download block policy to a site, the option to request a link is unavailable.

Apart from enabling Anyone links (through the SharePoint Online admin center), control over how the Request files work is via PowerShell. The Set-SPOTenant cmdlet enables or disables the feature across the entire tenant. This command makes sure that the feature is enabled for the tenant and sets the expiration for request files links to seven days:

Set-SPOTenant -CoreRequestFilesLinkEnabled $False -CoreRequestFilesLinkExpirationInDays 7

While this command disables the feature for a specific site:

$SiteURL = "https://office365itpros.sharepoint.com/sites/SecureSite"
Set-SPOSite -Identity $SiteURL -RequestFilesLinkEnabled $False 

To check the site settings, run:

Get-SPOSite -Identity $SiteURL -Detailed | Select-Object Request*

RequestFilesLinkEnabled RequestFilesLinkExpirationInDays
----------------------- --------------------------------
                  False                                7

Like any change to SharePoint Online settings, it can take up to a day before updates are effective.

By default, the site inherits the value for the link expiration setting from the tenant configuration, but you can define a more restrictive expiration period if you like. You can’t override the tenant configuration and define a less restrictive expiration period for a site. The link expiration period can be anything from 0 (zero) to 730 days (two years). Usually, the more secure the site, the lower the link expiration period.

OneDrive for Business Settings

As noted above, OneDrive for Business also supports the Request Files feature. The OneDriveRequestFilesLinkEnabled setting in the tenant configuration controls if the feature is available in OneDrive for Business accounts while the OneDriveRequestFilesLinkExpirationInDays sets the expiration period for the sharing links. You can’t prohibit Request Files for selected OneDrive for Business accounts. The feature is either enabled or disabled for all.

Set-SPOTenant -OneDriveRequestFilesLinkEnabled $True –OneDriveRequestFilesLinkExpirationInDays 7

Using Request Files

When someone uses a Request Files link, SharePoint redirects them to a special page where they can select files to upload together with some personal details (First and Last Name) to let the requestor know who uploaded files to the folder (Figure 2).

The person who created the request files link receives email from SharePoint when someone uses the link to successfully upload files to the document library (Figure 3).

Figure 4 shows a set of files uploaded to a folder in a document library. SharePoint Online doesn’t validate the details of a person who uploads a file, so the name recorded as a prefix for the filename could be incorrect or false. That’s not important because it’s assumed that the person who requests file uploads will process whatever comes in afterward to decide what’s useful (or not), rename files, and so on.

In terms of tracking the use of the Files Request feature, SharePoint Online captures when a link is used and a file is uploaded in the audit log. This PowerShell code finds the events for the last 14 days and reports them.

Connect-ExchangeOnline
[array]$Records = (Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-14) -EndDate (Get-Date) -Operations FileRequestUsed, FileUploaded -ResultSize 1000)
If (!($Records)) {Write-Host "No File upload records found - exiting" ; break}

$Report = [System.Collections.Generic.List[Object]]::new()
Write-Host "Processing" $Records.Count "audit records..."
ForEach ($Rec in $Records) {
  $AuditData = ConvertFrom-Json $Rec.Auditdata
  Switch ($AuditData.Operation) {
    "FileUploaded" {
       $FileName  = $AuditData.SourceFileName.SubString(7,($AuditData.SourceFileName.Length-7))
    }
    "FileRequestUsed" {
       $FileName = $Null 
    }
  } # End Switch
  $ReportLine = [PSCustomObject]@{
      TimeStamp    = Get-Date $AuditData.CreationTime -format g
      UploadedBy   = $AuditData.UserId
      Action       = $AuditData.Operation
      ClientIP     = $AuditData.ClientIP
      Folder       = $AuditData.SourceRelativeUrl.Split("/")[1] 
      FileName     = $FileName
      SiteURL      = $AuditData.SiteURL
      Site         = $AuditData.SiteURL.Split("/")[4]           }
  $Report.Add($ReportLine)
  
} #End Foreach Record

# Remove normal uploads
$Report = $Report | Where-Object {$_.UploadedBy -notlike "*@*"}
$Report | Select-Object Timestamp, Site, Folder, FileName  -Unique

Control Over Files Request

Some people might be cautious about using a feature that allows external people to upload files to SharePoint Online. It could, after all, be a vector that an attacker could abuse to upload infected files. On the other hand, is it any more dangerous than asking external people to email attachments to an internal user so that they can upload the files to SharePoint Online.

Control is available by

• Limiting the number of sites that support Files request.
• Limiting the validity of file request links.
• Training users to use the Files Request feature sparingly, and if they use it, they should take the responsibility of restricting access to the upload link and checking whatever files external people upload before making those files available more broadly within the tenant.

Like any new feature, it will take time for tenants to operationalize Files Request. Happy uploading!

---

Support the work of the Office 365 for IT Pros team by subscribing to the Office 365 for IT Pros eBook. Your support pays for the time we need to track, analyze, and document the changing world of Microsoft 365 and Office 365.