Purpose: This document provides detailed guidance for enabling and managing access to a Trusted Share using an SFTP client through the following 3 topics:
Enabling Trusted Shares for SFTP File Transfer
To enable SFTP access to a Trusted Share, a user must first create a Trusted Share following these specific guidelines:
The share must be created via the eSHARE Cloud Web Portal (i.e., not using the SharePoint/Teams Action Menu or the M365 Trusted Sharing app).
The sharing policy for the created share must have Login Required enabled for share authentication.
The share should be created from a folder; otherwise, only the single file can be downloaded by share participants and no files can be uploaded.
If the share is intended to be accessed only via an SFTP client, it is recommended that “Activity notification” be disabled in the share’s sharing policy. This eliminates notifications which may be informative but whose included links will not be useful to the notification recipients.
Once the Trusted Share has been created, the owner/co-owner of the share will navigate to Manage Recipients and select the Enable SFTP Access entry in the action menu. The SFTP icon will appear next to the user’s name indicating they have been enabled. Additionally, in Manage Recipients there is an SFTP tab that shows only those recipients of the share for which SFTP access has been enabled.
After the recipient is enabled, the owner/co-owner will have the option to select Disable SFTP Access in the action menu to revoke SFTP access. The owner/co-owner will also have the option to manage Recipient Settings, allowing them to set a phone number or SSH public key on behalf of the user if the fields are empty.

A new column named SFTP Enabled has been added to your My Shares and Shared with Me pages. Shares for which there exists at least one recipient that is enabled for SFTP access will have a check mark (✔️) shown in this column.

Accessing Trusted Shares via SFTP File Transfer as a Recipient
After a recipient is enabled for SFTP access, they will receive an email notification that provides instructions and a link to 1) obtain a host name and their username and 2) set their password or SSH public key. These are used to access the share via their SFTP client. Upon selecting Open, recipients will need to log in to the Trusted Share, creating an account for this purpose if needed.

The SFTP settings for the recipient are accessed via the Account Settings page for the user. The menu to access this page can be found by clicking the user’s icon in the upper right hand corner of the guest page that is shown when the user authenticates as described in the step above. The SFTP settings include:
User Name – This is fixed and is the user's email address. It can be copied to the clipboard using the copy icon.
Host Name – This is fixed. It can be copied to the clipboard using the copy icon.
Password and Confirm Password – A password can be optionally used within the SFTP client to access the share. These fields are not required.
SSH Public Key – The user can optionally authenticate to the share using SSH, for which their public key needs to be provided.
Any changes made by the user are applied when Save is selected.
Note that the host name and credentials are used to access all Trusted Shares from your organization for which the recipient has been enabled to access via an SFTP client.

The recipient uses the account information and credentials obtained or set in the step above to access the share via their SFTP client. Once connected, they will be able to see all Trusted Shares from your organization for which SFTP access has been enabled.
Using an SFTP client, the recipient is able to perform any actions the share owner has authorized them to perform (download, upload, etc.).
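As an added example (not part of the eSHARE documentation), a recipient using the OpenSSH command-line client could prepare key-based access as shown here. The alias trusted-share, the key path and the Ed25519 key type are assumptions; the host name and user name arguments are the values shown on the Account Settings page.

```shell
#!/bin/sh
# Added example: recipient-side OpenSSH setup for key-based SFTP access.
# Placeholders (constructed, not from the page): the alias "trusted-share" and
# the key path. Host name and user name are passed in as arguments.

KEY_PATH="${KEY_PATH:-$HOME/.ssh/trusted_share_ed25519}"

# Create a dedicated key pair if absent; ssh-keygen prompts for a passphrase.
# Assumption: the service accepts Ed25519 keys (the page only says "SSH public key").
make_key() {  # args: key_path comment
    [ -f "$1" ] && return 0
    mkdir -p "$(dirname "$1")" && chmod 700 "$(dirname "$1")"
    ssh-keygen -t ed25519 -f "$1" -C "$2"
}

# Emit an ssh_config block. The user name is an email address, so it is set
# with the User directive instead of being written as user@host.
render_host_block() {  # args: host_name user_email key_path
    printf 'Host trusted-share\n'
    printf '    HostName %s\n' "$1"
    printf '    User %s\n' "$2"
    printf '    IdentityFile %s\n' "$3"
    printf '    IdentitiesOnly yes\n'
    printf '    PreferredAuthentications publickey\n'
}

main() {  # args: host_name user_email
    make_key "$KEY_PATH" "$2" || return 1
    cfg="$HOME/.ssh/config"
    # Append the block once; later runs leave an existing entry untouched.
    grep -qsx 'Host trusted-share' "$cfg" ||
        render_host_block "$1" "$2" "$KEY_PATH" >> "$cfg"
    chmod 600 "$cfg"
    echo "Paste this into the SSH Public Key field, then select Save:"
    cat "$KEY_PATH.pub"
    echo "Then connect with: sftp trusted-share"
}

# Runs only when both values from the Account Settings page are supplied.
if [ "$#" -eq 2 ]; then main "$@"; fi
```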


General Information and Limitations for SFTP
As of Release 165, there are several limitations which are noted below.
On access, label-driven controls are not applied (i.e., all file controls are that of the Trusted Share, not those of the label associated with an accessed file).
File upload/download is limited to 5GB files.
During upload the file will not show up in the TS listing until the upload is completed.
File locking is not supported.
Shown below are the sharing policy options and how each may impact the experience of share recipients who access a share via an SFTP client.
Policy Option | User Experience in SFTP Client |
Permissions | |
Allow shared files to be viewed | None, permission is ignored by SFTP server |
Allow shared files to be downloaded | Access Denied if download is disallowed |
Download with Approval | Access Denied if approval required |
Allow shared files to be deleted | Access Denied if deletion disallowed |
Allow shared files to be edited | None, permission is ignored by SFTP server |
Apply User watermarking | Access Denied if watermarking enabled |
Apply Branded watermarking | Access Denied if watermarking enabled |
Allow files to be uploaded to shared directories | Access Denied if uploading disallowed |
Control upload file types | Access Denied if file type disallowed |
Max upload file size | Access Denied if max file limit reached |
Collaboration | |
Enable secure conversation | None |
Notify recipients on share updates | None |
Disable email notifications | None |
Make all internal recipients co-owners | None |
Include SharePoint members/owners as Trusted Share recipients and co-owners | None |
Recipients can invite others | None |
Auto approve recipient invitations to other recipients | None |
Recipients can view recipients list | None |
Allow/block lists | None |
Hide sensitivity labels from external recipients | None |
Allow recipients to request access to files | Access Denied if request access enabled |
Set default expiration for all shares | Access Denied if access is expired |
Convert native Microsoft links in email body and secure conversations to Trusted Share links | Access Denied (native links not supported) |
Secure message body | None |
Use policy for Secure Mail Gateway | None |
Authentication | |
Require login and/or one-time password | Share access via SFTP only possible when login, and only login, is required |
Require login | |
Require One-time password | |
Require terms of use | Access Denied if TOU enabled |
Share Access TOU | Access Denied if TOU enabled |
File Access TOU | Access Denied if TOU enabled |
File download TOU | Access Denied if TOU enabled |
File download as ZIP with TOU cover page | Access Denied if TOU enabled |
FAQ
What is the purpose of this document?
The document provides detailed guidance for enabling and managing access to a Trusted Share using an SFTP client.
How can I enable SFTP access to a Trusted Share?
To enable SFTP access, you must create a Trusted Share via the eSHARE Cloud Web Portal and ensure that the sharing policy has Login Required enabled.
Should I create an SFTP-enabled Trusted Share using an M365 App?
No, the share must be created via the eSHARE Cloud Web Portal. Support for Shares created using native M365 applications is coming soon.
What happens after a recipient is enabled for SFTP access?
The recipient will receive an email notification with instructions to obtain their host name, username, and to set their password or SSH public key.
Are there any limitations for SFTP access?
Yes, limitations include that internal users cannot access shares via SFTP, file uploads/downloads are limited to 5GB, and file locking is not supported.