This article explains a solution to a puzzling problem, where you might be the owner of a SharePoint site and have all the imaginable permissions on a Document Library, but still be unable to share a single item, let alone a folder with edit permissions to anyone.
Turns out this is a dumb-ish configuration quirk in SharePoint. Who would’ve thought, right? 😅
Anyway. What did the issue look like?
Problem
So about 2 years ago I created a SharePoint site. I’m known to occasionally do that, after all.
That made me an owner of said SharePoint site. I have no problems with that – actually, it’s pretty convenient, as I happened to need to tweak the settings and invite more people in.
And as one does, I gave everyone read -permissions, and saved the edit -permissions for a few special, close colleagues.
Additionally, I needed to occasionally share some folders with contributors from other teams. Nothing stopping me from doing that in SharePoint – it’s easy enough to “Share” a folder or a file with a bunch of people, after all.
So far, so good, right?
I know, I know – it’s a nightmarish mess of unique permissions. But it does the trick and worked just fine for about 1 year, 11 months and 29 days.
But then… One day, I wanted to share another folder with a colleague from another team, and this is what came up:
So now I can suddenly only share with view permissions? And there’s this ominous error, no – information message below the people picker:
You don't have permission to invite people to this item, but you can still add people and send an invite request to the file owner.
What gives? This just worked before, what’s changed?
The good news is that this wasn’t yet another of those frustrating, unique error messages that bring up zero results on Google.
The bad news is that I got one hit, and that one hit did not have a solution that worked for me.
Bummer.
Well – I guess we’re on our own, then. What now?
Reason
I started investigating. IT vehemently denied changing any organization/tenant-level sharing settings, and since I wasn’t even trying to share externally, I’m not sure which switch in Microsoft 365 admin even would affect this.
First of all, I decided to test if this happens in another Document Library. I had issues in a library called “Documentation”, so of course I’d navigate to any other library – in this, case “Other shared documents”.
Creative naming, I know.
The weird thing was… I couldn’t reproduce the issue in the other library. Everything just worked there.
This puzzled me even more, so I decided to dig into the permissions a little bit more. One way to do this is by navigating to Classic/Legacy permissions management UI in SharePoint Online. You can access it by selecting “Manage Access” from your folder’s context menu, navigating to “Advanced settings” and then trying to grant access to your selected colleague.
If you can’t see the option to “Grant Permissions” to this folder directly, you need to first stop inheriting permissions.
For me, after I clicked “Grant Permissions”, I encountered this error:
And in text mode:
Sharing folders is disabled
To enable sharing, disable the limited access lockdown mode feature on the Site Features page, or share individual files or the site instead.
Now THIS was a much more helpful error message! I know that feature name – although it’s not a “Site feature”, it’s a “Site Collection feature”. Something you just need to know, I guess 😉
What is “Limited-access user permission lockdown mode”, anyway?
The Limited-access user permission lockdown mode is a feature in SharePoint that serves to enhance security and control access to specific resources within a site. Let me break it down for you:
- Limited Access Permission Level:
- In SharePoint, when users are granted exclusive access (unique permission) only to specific resources (such as lists, libraries, or documents) within a site, they are automatically assigned the “Limited Access” permission level.
- However, this permission level does not grant direct access to the entire site itself.
- Purpose of Lockdown Mode:
- When you publish a SharePoint site to the Internet, it’s essential to effectively lock down the site to minimize the attack surface.
- The Limited-access user permission lockdown mode achieves this by restricting users with “limited access” roles from accessing application pages within the environment.
- How It Works:
- When this feature is enabled, users assigned to the Limited Access permission level will not have the ability to access pages within the environment.
- For example, the Intranet.SharePoint.com/_layouts/viewlsts.aspx page, which typically shows all content of the site, can be turned off using lockdown mode.
- Availability:
- The Limited-access user permission lockdown mode feature is available in both SharePoint Server and SharePoint Online.
- By using this feature, you can allow authenticated users to log on to a SharePoint site while still securing application pages.
- Enabling or Disabling Lockdown Mode:
- To enable or disable the feature, follow these steps:
- Go to Site Settings.
- Click on Site collection features.
- Activate or deactivate the “Limited-access user permission lockdown mode” feature to restrict or allow anonymous users’ access to application pages.
- To enable or disable the feature, follow these steps:
Solution
Armed with that knowledge, we should actually know what to do!
We’ll navigate to “Site Settings” (from the Gear menu), and under “Site Collection Administration” select “Site Collection Features”.
Somewhere down the long list of (mostly kind of legacy) features, you’ll find a feature called “Limited-access user permission lockdown mode”. In my case (and potentially, in your case as well) it’ll be Active. Like below.
You’ll want to click “Deactivate”, accept whatever warnings you get, and then proceed to try sharing again. And now it should work!
So, in short: When this feature is activated, you can apparently not share folders, but you should still be able to share individual files – or invite users to be members or visitors of your whole site. The latter is what SharePoint is trying to make happen, when someone shares a direct link to the file (since sharing didn’t work out), and the recipients can’t access the file and start requesting access 🙄
- “Performing cleanup” – Excel is stuck with an old, conflicted file and will never recover. - November 12, 2024
- How to add multiple app URIs for your Entra app registration? - November 5, 2024
- How to access Environment Secrets with GitHub Actions? - October 29, 2024