In this eBook you’ll learn how to make sure that your organization’s external sharing policies are suitable to your needs. You’ll discover the different use cases for Azure Active Directory compared to the traditional SharePoint model and how Microsoft 365 manages external sharing in SharePoint, OneDrive, Teams and 365 groups.
Microsoft 365 offers many ways to collaborate with external users or guests with your organization. While there are numerous benefits to such collaboration, it pays to have a clear idea of what’s at stake.
Furthermore, as Microsoft is starting to allow guest access to some products by default, it’s important that you have this discussion within your organization.
We’re going to examine two different ways of allowing external access:
- Azure Active Directory (AD) – guests in Teams
- SharePoint and OneDrive
This eBook does not cover setting up and managing external and anonymous meetings and chat in Teams.
Azure B2B Licensing
Microsoft grants five guests for each paid user license. For more information, please see https://azure.microsoft.com/en-us/pricing/details/active-directory/
- Every Microsoft 365 customer automatically gets a subscription to Azure AD
- Guests don’t get a mailbox or OneDrive, or other products
Your tenant and external users
Let’s start with the main focus of this eBook: Is opening up your Microsoft 365 tenant to external users a bad idea?
While end-users really like the idea as it makes their jobs easier, it’s a pain-point for security and compliance. However, locking your tenant down completely can lead users to share via (unregulated) email and/or their personal drives.
| THE FEAR | THE REALITY |
| --- | --- |
| By ‘letting them in’ you make it easy to overshare outside your organization | You are already sharing externally…via email |
| I don’t trust my users to be careful when sharing, especially externally! | Are you leaving it to your users to decide when and how? |
| My security team will never go for it | Once your data leaves your system, what control do you have? |
| Once an external person is in, how do I get them out? | Do you know what your external users are doing with your data? |
External collaboration – where do you start?
An issue with external sharing is the fact that OneDrive, SharePoint, and Teams all have their own Admin portals with their own settings. As this can make it hard to manage external sharing, it’s vital that we walk through each Admin portal and understand their differences and use cases.
This is especially important because external access to SharePoint, 365 groups and Teams is on by default when new tenants are created. As an Admin, you must close external access rather than open it.
Before you do anything, you must plan your strategy:
- Who do you want to collaborate with externally?
- What services and data should they have access to?
- How should external users be invited in?
- When should external users be re-assessed or removed?
The Who and the What
The below graphic shows two ways external collaboration happens in Microsoft 365.
- Teams and 365 groups are based on Azure Active Directory
- SharePoint and OneDrive are not
Each has its own settings and controls, and while they overlap, they are independent.
The Azure AD Guest Model
The traditional way of external sharing was one whereby a company would create an AD user within their tenant and then grant them access to site content. Here are the problems with this approach:
- The account has to be created within AD by an administrator
- An end-user has to inform the third party of their account details such as username and password. Also, there may be support issues around logging in etc.
- If the third-party leaves their organization, your AD is not updated in any way – they can still access your information
With Azure Active Directory B2B:
- It does not create a full internal AD account, but a ‘guest’ account
- When the third party authenticates into your company, authentication happens first against their home domain; if that succeeds, the third party has access to your site
- If the third party leaves their company, their guest account can no longer authenticate against their home account and subsequently cannot access your site
The advantages of the Azure AD B2B include:
- The home domain authenticates the user, and when it cannot, the user will not have access to content
- The guest domain can leverage extra layers of security via conditional access policies. For example, you may want guests to agree to legal T&Cs before they enter your domain – which is great for legal and compliance departments
- A centralized list of guests within Azure AD from which you can report on guest behaviour and decide whether they should still have access or not
Azure Active Directory Admin Center
When you open up the Azure Active Directory Center, you will be presented with the following page but without any references to B2B.
Click on External Identities and then External Collaboration settings.
Below are the key External collaboration settings:
Guest user access
Let’s start with the first option when it comes to guest user access:
In the above shot, the first option means that guests can read AD in the same way that members can, i.e. if they type in somebody’s name, they will see their email. As most people do not want this, the second option is typically selected:
This means that guests only have access to people that they are in the same group/team as and see their reference in the directory.
And below, this option means that guests are restricted to themselves and cannot see any people in AD.
Guest invite settings
Let’s look at guest invite settings.
The options are self-explanatory. However, if you shut down guest access completely, existing guests still have access.
If required, you can allow invitations to be sent to any domain.
Or you can deny invitations:
And lastly, you can specify the exact domains:
Please note that there is a character limit on the Target domains field.
To find out what guest users you have, select users:
Then, filter to the user type and apply guest:
You can also add a new user by selecting + New user. However, if you have restricted a domain and then try to add a user from that domain, they will not be allowed as that restriction even applies to Admins.
Guests in Teams
The best way to imagine external sharing settings is like peeling an onion. The aforementioned settings in Azure are the top layer, and then there are further layers depending on whether you are in OneDrive, SharePoint or Teams.
- Azure Active Directory settings
- Microsoft 365 Security and Privacy settings
  - On/off switch allowing owners to invite guests
- Group settings
  - Guest access to file content
  - Owners can add guests to Teams, or only admins
- SharePoint settings
- Teams settings
Please note that some settings work immediately, while others can take up to 24 hours.
Microsoft 365 Tenant Wide – Owners inviting new guests
Navigate to the main Admin portal. Select Settings → Org settings → Sharing.
When Let users add new guests to the organization is selected, non-admins can invite guests. This is the Microsoft 365 equivalent of allowing members to invite guests in the Azure Active Directory portal; there are two settings because Azure AD serves more than just Microsoft 365.
Furthermore, you will be subject to the same restrictions established in Azure regarding permitted domains.
The two options here are:
- Let group owners add people outside your organization to Microsoft 365 groups as guests
- Let guest group members access group content
These settings will affect Teams too.
It is possible – though not through the user interface – to specify that some groups and teams should not allow owners to add guests, while other teams and groups should.
For more information about this, see https://support.microsoft.com/en-us/topic/adding-guests-to-microsoft-365-groups
Please bear in mind:
- Microsoft 365 Group settings for guests affect Teams
- Guest access for groups/teams needs to be on globally for guest access to any team
- Have a plan to disable per team as needed
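The per-team lockdown the eBook mentions is done through a Microsoft 365 group setting rather than the portal. Below is an added PowerShell example (not the eBook’s own script) that uses the AzureAD module’s Group.Unified.Guest settings template to stop the owners of one group from adding guests while the tenant-wide switch stays on; the group name is a placeholder.

```powershell
# Added example (not from the eBook): block guest additions on a single
# Microsoft 365 group/team while leaving the tenant-wide setting on.
# Assumes the AzureAD module is installed and you hold a global admin role.
Connect-AzureAD | Out-Null

$groupName = "Finance Team"   # placeholder: the team/group to lock down

$group = Get-AzureADGroup -SearchString $groupName | Select-Object -First 1
if (-not $group) { throw "Group '$groupName' not found" }

# The per-group guest switch lives in the Group.Unified.Guest template
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }

# Reuse an existing per-group setting if one exists, otherwise create one
$existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Where-Object { $_.DisplayName -eq "Group.Unified.Guest" }

if ($existing) {
    $existing["AllowToAddGuests"] = $false
    Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -Id $existing.Id -DirectorySetting $existing
} else {
    $setting = $template.CreateDirectorySetting()
    $setting["AllowToAddGuests"] = $false
    New-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId `
        -DirectorySetting $setting | Out-Null
}

# Verify: AllowToAddGuests should now read False for this group only
Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $group.ObjectId |
    Select-Object -ExpandProperty Values
```

Guests already in the group keep their membership; the setting only prevents new additions, so pair it with a review of existing members.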
Sensitivity Labels for groups and Teams (Azure AD P-Licence only)
If you have a P-Licence for Azure, then Sensitivity Labels offer further security. Please note:
- Use Microsoft Information Protection labels which define access settings
- User selects appropriate label when creating a group/team
- Still reliant on the user to select the correct label
- Any owner can change the label at any time
- Anyone can become an owner
- Does not impact associated SharePoint sites as it will take on the default external sharing policy
For more on Sensitivity Labels, see https://docs.microsoft.com/en-us/microsoft-365/compliance/sensitivity-labels
Teams Admin portal
Teams has one toggle for guest access – once turned on, additional settings apply. By default it is set to on.
- Everything that we do in Teams also affects groups, because Teams are, at their heart, Office 365 groups
Also, be careful with your guest and external terminology!
- External access is old-school Skype for Business federation; users can only participate in one-on-one federated chat
- Guest access gives access to files etc.
Configuring Teams and groups for guest access
- To allow owners to invite guests across Microsoft 365 (non-admin invites):
  - Microsoft 365 admin center → Settings → Organization settings → Security and privacy → Sharing
  - If this is unchecked, only Admins can add guests within Microsoft 365
- To allow owners to add guests to Microsoft 365 groups/Teams:
  - Microsoft 365 admin center → Settings → Organization settings → Services → Microsoft 365 groups
  - The first checkbox allows group owners to add guests to groups
  - The second checkbox allows guest group members access to content
- To allow owners to add guests to Teams:
  - Microsoft 365 admin center → Teams Admin → Org-wide settings → Services → Guest access
  - The first checkbox allows guest access in Teams
  - Once selected, you can further fine-tune your options on this page
With those settings in place, when you add a guest to a team, they will get an email inviting them to participate in the team. They will also be listed as a guest in the actual team.
Now, let’s suppose that you listed a domain (in Azure AD) that was not allowed and then you tried to add a person from that domain. When you attempt, you’ll get the following warning – it’s not exactly clear, but we know that this domain is on the deny list:
If you have a PowerShell script running that denies guests on a team-by-team basis, and then you try to add a guest, this is the warning:
| THE GOOD | THE BAD |
| --- | --- |
| Home domain authenticates the user | Must switch tenants to access Teams as a guest |
| Guest domain can leverage Azure AD conditional access policies | No way to restrict your users from being guests in other tenants |
| Centralized identity in guest means centralized reporting of memberships | Potential for two MFA prompts because of authentication flow |
Accessing Teams as a guest
One of the big issues people have when they access a team as a guest is that they have to switch organizations. You will just see the team that you are a part of – that’s all.
When in the Teams app, you must select Accounts and orgs, and then select the guest team:
Collaborating without Azure B2B in Microsoft 365
There are two models of external collaboration within Microsoft 365 – Azure B2B and SharePoint. Here are some key differences with the SharePoint model of collaboration:
- It is not built on Azure AD B2B at all. SharePoint had external sharing before Azure B2B existed. Therefore, there is no concept of a guest
- The model is decentralized at the site collection level, so there is no register of external users
- Many of the settings are similar to Azure AD, but SharePoint is independent of it
- You can force more centralization if it suits your case by tying sharing to existing users in the directory
To access SharePoint settings:
- Microsoft 365 admin center → Settings → Org-wide settings → Services → SharePoint
- Select one of five global sharing settings for SharePoint and OneDrive
Now, if you select no external sharing allowed – but you have external sharing allowed in Microsoft 365 groups, then the guests will receive an error if they try to access the SharePoint content associated with their group:
Remember – external sharing is turned on by default for your entire SharePoint environment.
Once you have picked your settings, go to the SharePoint admin center → Policies → Sharing.
Here you can control how permissive you want SharePoint and OneDrive to be. However, OneDrive cannot be more permissive than SharePoint. Also, while you can have different sharing settings per SharePoint site, they cannot be more permissive than what is set here in the SharePoint admin center.
However, there are settings above, such as New and existing guests, which make guests sign in or provide a verification code, and which actually add them to Azure AD.
And yes, you are seeing double: Azure AD has per-domain sharing restrictions just like SharePoint does. The duplication exists because SharePoint does not use Azure AD for this.
SharePoint sites’ individual settings
Peeling away the onion-like levels of security takes us to SharePoint admin center → Sites → Active sites → External sharing (column) → Policies → External sharing → Edit
While you can have external sharing switched on in the SharePoint Admin for New and existing guests, on the below SharePoint site, it is restricted for Existing guests only.
This means that at the local level, it’s more restrictive than at the global level.
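The tenant-wide ceiling, the domain allow list, the OneDrive limit and a tighter per-site setting described above can all be set and audited with the SharePoint Online Management Shell. This is an added example and not code from the eBook; the admin URL, site URL and partner domain are placeholders.

```powershell
# Added example (not from the eBook). Assumes the SharePoint Online
# Management Shell is installed; URLs and the domain below are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Portal slider labels and their SharingCapability values, least to most permissive
$rank = [ordered]@{
    Disabled                        = 0   # Only people in your organization
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone (anonymous links)
}

# Global ceiling: new and existing guests, but only from an allow-listed domain
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner.example"

# OneDrive can only be as permissive as SharePoint; here it is tighter
Set-SPOTenant -OneDriveSharingCapability ExistingExternalUserSharingOnly

# A sensitive site is locked to existing guests only (tighter than the tenant)
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
            -SharingCapability ExistingExternalUserSharingOnly

# Audit: which sites sit at the tenant ceiling and which are tighter
$tenantLevel = (Get-SPOTenant).SharingCapability.ToString()
Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $_.SharingCapability.ToString()
    $status = "tighter than tenant"
    if ($rank[$siteLevel] -ge $rank[$tenantLevel]) { $status = "at tenant ceiling" }
    [pscustomobject]@{
        Url    = $_.Url
        Site   = $siteLevel
        Tenant = $tenantLevel
        Status = $status
    }
} | Sort-Object Status | Format-Table -AutoSize
```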
Reporting in SharePoint
If Azure AD is not reporting on guest access for SharePoint, how do you know who has access to your SharePoint site?
- Go to the individual SharePoint site
- Select Settings → Site Usage
- Select Run report. An Excel file is saved to your SharePoint site which details the guest users.
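The two registers the eBook contrasts, the central Azure AD guest list and the per-site SharePoint external user list, can be pulled together in one script. This is an added example (not from the eBook) using the AzureAD module and the SharePoint Online Management Shell; the admin and site URLs are placeholders.

```powershell
# Added example (not from the eBook): inventory Azure AD B2B guests centrally,
# then list external users known to one SharePoint site, which Azure AD does not see.
# Assumes the AzureAD and Microsoft.Online.SharePoint.PowerShell modules are installed.
Connect-AzureAD | Out-Null
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder

# Azure AD side: every guest object, with home domain and invitation state
$guests = Get-AzureADUser -All $true -Filter "userType eq 'Guest'" |
    Select-Object DisplayName, Mail, UserState,
        @{ Name = 'HomeDomain'; Expression = { ($_.Mail -split '@')[-1] } }

Write-Host "Guests per home domain:"
$guests | Group-Object HomeDomain | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

Write-Host "Invitations never redeemed (candidates for removal):"
$guests | Where-Object { $_.UserState -eq 'PendingAcceptance' } |
    Select-Object DisplayName, Mail | Format-Table -AutoSize

# SharePoint side: external users are tracked per site collection, not in Azure AD.
# Get-SPOExternalUser pages 50 at a time, so loop until a short page comes back.
$siteUrl = "https://contoso.sharepoint.com/sites/Finance"   # placeholder
$page = 0
$external = @()
do {
    $batch = @(Get-SPOExternalUser -SiteUrl $siteUrl -Position ($page * 50) -PageSize 50)
    $external += $batch
    $page++
} while ($batch.Count -eq 50)

Write-Host "External users with access to $siteUrl :"
$external | Select-Object Email, DisplayName, AcceptedAs, WhenCreated, InvitedBy |
    Format-Table -AutoSize
```

Guests that appear in the SharePoint list but not in the Azure AD list are the decentralized ones the eBook warns about, since no central register covers them.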
Forcing SharePoint and OneDrive to use the Azure Guest Model
If required, you can force SharePoint/OneDrive to use the Azure AD guest model.
| THE GOOD | THE BAD |
| --- | --- |
| Only one place to manage domain restrictions | |
Coming soon…Teams Connect
While Teams Connect is still in private preview, there’s a lot of expectation about the rollout of this feature.
The benefits of it are:
- You can add a guest to an existing Teams channel, and that guest does not have to switch organizations
- Inbound and outbound restrictions for people within your organization
- You can give guest access to only one channel and not the team
- When you add people this way, they will not be added to Azure B2B as guests
However, this decentralized method of external sharing may lead to oversight issues in terms of reporting on who has access etc. And it’s certainly confusing to have both the Azure AD version of sharing and this version. For example, if you want to share the entire team, you use Azure AD; if you want to share just the channel, you don’t.
The next steps
Here are some great resources to get you started.
Microsoft 365 external sharing and Azure Active Directory (Azure AD) B2B collaboration – https://docs.microsoft.com/en-us/azure/active-directory/external-identities/o365-external-user
SharePoint external sharing overview – https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview
Manage external access in Microsoft Teams – https://docs.microsoft.com/en-us/microsoftteams/manage-external-access
Manage guest access in Microsoft 365 groups – https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-guest-access-in-groups