Going External – SharePoint Online

Paul Stork


Collaboration doesn’t always take place inside an organization. Sometimes you need to share content with people outside the organization (such as partners, vendors, clients, or customers). And it’s so easy to do!

But wait! There are at least four different options for sharing, each with different settings. This eBook will discuss each of the options and settings, and explain when each should be used.

Also covered is how Global and SharePoint Admins can disable or limit external sharing.

Collaboration doesn’t always take place inside an organization. Sometimes you need to share content with people outside your organization (such as partners, vendors, clients, or customers). SharePoint Online (and OneDrive for Business) makes this kind of sharing easy to do. Just hit the Share link on the folder or document and fill out the dialog. You can even share a whole site or document library if you want. But just because SharePoint makes this easy doesn’t mean it can’t also be confusing. Knowing what options are available for each situation is critical if you want to be able to share with external people but still maintain the security and quality of your content.

In this eBook, we will cover the four different methods available when sharing a folder, a list item or a document. We’ll examine the different options available for protecting your content with each technique. We’ll also discuss how the process of sharing a library or site differs, especially when doing it from an O365 group site versus a legacy team site. Once we’ve explored all the options available, we’ll look at how sharing maps to the security settings in SharePoint. Finally, we’ll examine how Global or SharePoint administrators can disable or limit external sharing for specific sites or the whole tenant.

When you finish reading this eBook, you should understand the concepts and possibilities available for external sharing in SharePoint Online. Specifically, you will know how to do the following:

  • Share Sites, Libraries, Folders, or Files with external users in a secure fashion
  • Manage the security changes made when sharing content externally
  • Explain why specific sharing options aren’t available in your tenant or site collection

Who Are External Users?

The first thing we need to discuss when trying to understand external sharing in SharePoint Online is who are the external users that we wish to share content with. More importantly, what can those external users do with the content we share and what are the limitations imposed on external users?

According to Microsoft documentation, an external user is a partner, vendor, client, or customer who has been granted access to content in your SharePoint Online environment, but who is not a licensed user within your organization. External users, however, cannot be people who are employees, contractors, or onsite agents for either you or your affiliates. External users cover a large group of individuals. We’ll look at how you can narrow down that definition to match your organization’s idea of external users in the How to Limit External Sharing section later in this eBook.

What Can External Users Do?

Now that we’ve established who external users are, let’s look at what they can do. First and foremost, what an external user can do depends on the permissions you assign to them and the external sharing settings in your tenant and site collections. We’ll cover these permissions and settings in later sections of this eBook. Normally external users can:

  • Add, Edit, Delete, or Download Content within the limits you’ve set based on permissions
  • Access Items, Files, Folders, Lists, Libraries, or whole SharePoint Sites based on what you have shared with them
  • Set up Alerts, so they know when new content is added or changed
  • Share your SharePoint content with other external users unless you have locked this scenario down through settings

But there are limits to what external users can do since they are not licensed users. Without a license, external users cannot have:

  • A OneDrive in your Tenant
  • A User Profile

Organizational Accounts vs. Microsoft Accounts

There is one last aspect of being an external user that requires clarification before we begin looking at exactly how to share content with external users. Most external users will need to authenticate themselves to access content, just like internal licensed users. But the login dialogs they get can be somewhat confusing if you don’t understand the terminology. For example, a new external user may be confronted with the dialog below when accepting an invitation to login to SharePoint as an external user.

To respond to this dialog (and accept the invitation), the external user needs to understand what the difference is between a Microsoft account and an Organizational account. This log-in process may be even more confusing because the same email could have been used for both a Microsoft and an Organizational account in the past. But even though those accounts share the same email they may have completely different passwords.

Another problem is that Organization accounts and Microsoft accounts are often referred to by other names in newer dialogs. For example, in Login dialogs, they are commonly referred to as Personal and Work or School accounts. Listed below is an explanation of these two different types of accounts.

  • Organizational Account – Also known as a Work or School Account – Used by employees for signing into Office 365 and other Microsoft Services
  • Microsoft Account – Also known as a Personal Account – Used by individuals for signing into Microsoft Services like OneDrive consumer

But the confusion doesn’t end there. Later in this eBook, we will find that you can limit sharing with external users by specifying that external users must already exist in your Azure Active Directory (AD) before they can access content shared by you. There are two ways that we can add users to our Azure AD whose authentication system is external to our tenant. The process for adding these users will be described in the Managing Business to Business (B2B) users section later in this eBook. These users are described below, but only one of them can be used as an external user in Office 365.

  • Business to business (B2B) user – These are either Organizational or Microsoft accounts that have been added to your Azure AD by an admin. Since they are based on Organizational or Microsoft accounts, B2B accounts can be used to authenticate external users.
  • Business to Consumer (B2C) user – These are primarily for developers that create customer-facing apps. B2C Azure AD accounts provide a full-featured identity system for their application while letting customers sign in with an identity they already have established in another external system like Facebook or Gmail. These accounts are not currently supported for use as external users in Office 365.

Four Types of Sharing

The most common and recognizable form of external sharing in SharePoint Online deals with sharing individual folders, list items, or documents. Sharing sites, subsites, lists, and libraries will be covered in the next major section of this eBook, entitled Sharing Sites, Lists, and Libraries. To share a folder, list item, or document, select it in a List or Document Library and click on Share from either the top menu or the context menu as displayed in the screenshot below. Selecting Share from one of these locations will open a Send Link dialog box that you can use to share the selected folder, list item or document with either internal or external users.

There are four different variations available for the Send Link dialog. To change the sharing link that will be generated click on the entry that lists the default sharing type. This will take you to a new dialog box displaying these four different types of sharing links:

  • Anyone with the link
  • People in your organization with the link
  • People with existing access
  • Specific people

Each of these types of sharing link provides different options for sharing. Choosing the correct type of link is critical if you wish to share your content securely.

Anyone (Anonymous)

Anyone links are the most permissive type of sharing available in SharePoint Online and are often called Anonymous Guest Links. Anyone links don’t require authentication; they can be used by anyone who has the link. If the external user that you send the link to forwards it on to someone else, then that person can also access the folder or document being shared.

Since the links can be used by anyone, these links have the most control options available of any sharing link. You can see the different options available in the screenshot below. Anonymous links have the following available controls and limitations:

  • Can only be used with folders and files, not list items.
  • Can be set automatically to stop working after a given time
  • Can be secured with an optional password
  • Can be revoked at any time by the owner of the file or an administrator
  • Editing can be enabled or disabled

Another optional feature when files are shared is that, if editing is disabled, downloading of the files can be blocked. If download is blocked, users can be forced to interact with files using Office Online applications. In this case, printing is also disabled. Using this feature will ensure that the files remain in the cloud and keep external users from forwarding on copies of downloaded files. This feature is only available when the file being shared is an Office document like Word, Excel, or PowerPoint.

People in the Organization

The second type of sharing link is entitled, People in <Your Tenant Organization>, which limits sharing to internal users only. If you enter the address of an external user, even one who is already in your tenant’s Azure AD, you will see an error message in the dialog like the screenshot below.

Users will be required to log in to verify their identity to use this link. But the link can be forwarded to any internal user and it will continue to work even if they don’t normally have access to the File or Folder. This type of sharing link has some, but not all, of the same limitations and optional settings as the anyone link. Those limitations and settings include:

  • Can only be used with folders and files, not list items
  • Can be revoked at any time by the owner of the file or an administrator
  • Editing can be enabled or disabled

Like the Anyone link, if editing is disabled, the download of the files can be blocked. If the download is blocked, users can be forced to interact with files using Office Online applications. In this case, printing is also disabled. Using this feature will ensure that the files remain in the cloud and keep external users from forwarding on copies of downloaded files. This feature is only available when the file being shared is an Office document like Word, Excel, or PowerPoint. The full sharing dialog for the People in <Your Tenant Organization> link consists of the two dialog boxes in the screenshot below.

People with Existing Access

The People with Existing Access sharing link is unique among the sharing links since it doesn’t alter any permissions. Although it can be generated for either internal or external users, they must already have permission for the folder, list item, or file represented by the link. Since the user must already have permission to the file that is being shared, this kind of link can also be forwarded to anyone else who has access. Since this link doesn’t change permissions on the item being shared, it has the smallest set of limitations and settings:

  • Can be used with folders, list items, and files
  • Can be revoked at any time by the owner of the file or an administrator
  • Editing cannot be enabled or disabled
  • Cannot be used as the default link in the sharing dialog

The sharing dialogs for the People with Existing Access link are displayed in the screenshot below.

Specific People

Specific People links are the most common and least permissive kind of sharing link. Both internal and external users will be required to verify either their identity or their possession of the mailbox where the link was originally sent. If they have an Organizational or Microsoft account, they will be prompted to log in. If not, they will be prompted to enter a verification code that will be sent to the same mailbox where the sharing link was originally sent. If the link was forwarded to someone else, the new recipient won’t be able to verify the link since they won’t have access to the mailbox to get the code. Verification codes are only valid for 15 minutes, so forwarding the link and the verification code won’t provide any lasting access to the folder, list item or document that was shared. You can see a sample of the verification dialogs in the screenshot below:

Specific People sharing links do incorporate some of the limits and settings available for the other links. These limits and settings include:

  • Can be used with folders, list items, and files
  • Can be revoked at any time by the owner of the file or an administrator
  • Editing can be enabled or disabled

Like the Anyone link, if editing is disabled, the download of the files can be blocked. If the download is blocked, users can be forced to interact with files using Office Online applications. In this case, printing is also disabled. Using this feature will ensure that the files remain in the cloud and keep external users from forwarding on copies of downloaded files. This feature is only available when the file being shared is an Office document like Word, Excel, or PowerPoint.

The full dialog for the Specific People sharing link consists of the two dialog boxes in the screenshot below.

Sharing Sites, Lists, and Libraries

In the last section, we looked at four common ways to share content with external and internal users. All four of these methods are limited to folders, list items, and files. The experience for sharing full sites, sub-sites, lists, and libraries is very different from the sharing links discussed above.

But the user experience when sharing a site or a subsite also varies depending on whether the site you are sharing is a modern Office 365 group site, a regular modern site, or a classic site built from a legacy template. In this section, we’ll examine how users can share each of these sites and how the user experience differs.

When it comes to lists and libraries the experience changes yet again. Lists and document libraries have no specific capability to share the content. But we will see that we can still share content with external users at that level by modifying the permission settings of the list or library.

Sharing a Modern Site

Modern sites that are created using an Office 365 group don’t have a Share link on the page like non-Office 365 group sites. The screenshot below compares the upper right-hand corner of an Office 365 Group based Team site with a Communication site (no Office 365 group) and a Classic Team site. A Share link is clearly visible in the Communication and Classic Team site, but not on the Office 365 Group site.

Screenshot panels: Office 365 Group site; Communication site; Classic Team site.

Since O365 Groups control access to more resources than just a site collection, sharing them is not handled through the regular sharing dialog. Usually, to share an Office 365 group site, the owner of the group will add a guest user as a member of the group using either Outlook or the Office 365 admin center. This will provide the external user with access to both the SharePoint site and other Office 365 group resources, like the shared calendar. But if you don’t want to give external users access to all the group-based resources, or you just want to manage it from inside SharePoint, there is a way!

If you select Site Permissions from the “gear” menu in the top bar you will see the dialog pictured in the screenshot below. Clicking on the Invite people button will offer two choices. You can add members to the Office 365 group, which will give them access to all the group resources, or you can just share the SharePoint site. Please note that you can’t add external users using the Add members to group option. It will still direct you to do that through Outlook. But you can share the site with external users if you choose Share site only. An Advanced permissions link that will take you to the Site Permissions page in Site Settings is also provided.

Adding an external user’s email address in the Share site dialog will add that user to a list displayed between the textbox and the Add/Cancel buttons (see the screenshot below). A dropdown will be provided for each user where you can select to give them Edit, Full Control, or Read access to the site. Selecting one of these entries will place the external user in the SharePoint group on the site which has that permission level. Please note, custom SharePoint groups with other permission levels will not be reflected in the dropdown.

Modern non-O365 Group sites, like Communication sites, operate just like Office 365 group sites where the Share site only option was picked. When you click on the Share link in a Communication site it will take you directly to the Share site dialog pictured in the screenshot above. Entering an external user email and selecting a permission level will add the user to the appropriate SharePoint group just as it does in an Office 365 group site.

Sharing a Classic Site

Clicking the Share link on a site built from one of the legacy templates brings up a Share dialog where you can enter names or email addresses of internal or external users. Once you’ve entered the names or emails, you can choose to add a personal message to the email that is sent by default to the user. You also have the option to select a SharePoint group from the site to add the user to or assign a specific permission level directly to the user. The dialog for adding external users to a “Classic” site is displayed in the screenshot below.

Sharing at the sub-site level uses a similar dialog. The only difference is that you can only add the user to existing groups rather than assigning a permission level directly. Assigning permissions directly to a user can only be done at the root level site or after breaking security inheritance in a sub-site. The dialog for sharing a typical sub-site is displayed in the screenshot below.

If the user sharing the classic site doesn’t have a permission level that includes the Manage Permissions permission, then the dialog results in an Access Request that must be approved by an administrator before the email is sent and the site is shared. We’ll see more about how Access Requests work in both classic and modern sites in the section entitled How Access Requests Work.

Sharing a List or Library

There is no sharing option at the list or library level as there is for a site. The Share link that is displayed on the page showing the list or library is actually the Share link for the site that contains the list or library. But we can share a list or library with an external user by directly editing the permission settings for the list or library. These options can be accessed as displayed in the screenshot below.

Once you have accessed the permissions page for the list or library, complete the following steps to share it.

  1. Stop Inheriting Permissions from the site containing the list or library
  2. Grant Permissions to an external user

Note: External Users will need at least View Only access to the site including the list or library to access the list or library. So, the site itself must be shared with at least minimal permissions as described above.

How Sharing Affects Permissions

Now that we’ve reviewed all the different ways that a site, list, library, folder, file or a list item can be shared with external users we need to discuss how making these changes affects the underlying permission structure in SharePoint. To understand the security changes that are made when sharing, we should first review some security fundamentals for SharePoint Online.

Security Fundamentals

What a user is able to do in SharePoint is governed by their authorization, which depends on the intersection of three things.

  • A Securable Object – This is the level at which the user is trying to access the content. It might be a site, a list or library, a folder, a list item or an individual document. How to share content at each of these levels has already been discussed in this eBook.
  • A User or Group identity – This is the Organizational account or Microsoft account of the user. It might also be a SharePoint, Office 365 or security group that they are a member of.
  • Permission Level – This is the named collection of permissions that are granted to the user.

The combination of these three things determines what a user can do with a particular piece of content in SharePoint. A visualization of this intersection is displayed below.

There are some other factors that must also be considered when looking at SharePoint security. Failure to take these into account can lead to unanticipated results. Those factors are listed below:

  • SharePoint permissions are established in the root site of the site collection. By default, they are then inherited to each securable object in the hierarchy below the root site.
  • Permission inheritance can be broken at any level in the hierarchy of securable objects. If inheritance is broken and permissions are changed then securable objects below that level will inherit the new permissions.
  • SharePoint Online permissions are always additive. If you are given permissions through multiple assignments, you will get the sum total of the permissions you are granted for that securable object.
  • SharePoint Group Membership is stored in the Site Collection root site no matter where the group was created. Adding a user to a group in a sub-site will give them permissions wherever that group has permissions in the site collection.

Changes Made by Sharing

Depending on the securable object that is being shared, security inheritance may be broken by the sharing process. This breaking of security inheritance is important because it may affect the security settings of securable objects below it in the hierarchy. It may also prevent changes at higher levels of the hierarchy from being applied when changes are made later. The chart below records how sharing at each level affects the security inheritance settings of the securable object and whether permissions are applied by adding the external user to an existing group or assigning them directly.

Securable Object        Inheritance Remains    Inheritance Broken    Permissions Assigned
Site                    X                                            Add to an Existing Group
Library                                        X                     Assign Permission Level
Folder/Item/Document                           X                     Assign Permission Level
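The chart records what sharing does to inheritance and to role assignments; the following PnP PowerShell script is an added audit example (not part of the eBook) that walks one site collection and reports the same two things after the fact: lists, libraries and items whose inheritance has been broken, and permission levels assigned directly to a user rather than through a group, flagging guest accounts. It assumes the PnP.PowerShell module is installed, that the caller is a site collection administrator, and that $SiteUrl is replaced with a real URL (the value below is a placeholder).

```powershell
# Added audit example. Assumes PnP.PowerShell and site collection admin rights.
param(
    # Placeholder: the site collection to audit
    [string] $SiteUrl = "https://<tenant>.sharepoint.com/sites/<site>"
)

Import-Module PnP.PowerShell
Connect-PnPOnline -Url $SiteUrl -Interactive

# Guest (external) accounts carry "#ext#" in their SharePoint login name.
function Test-IsExternalLogin([string] $LoginName) {
    return $LoginName -like "*#ext#*"
}

# Report every role assignment on a securable object (list or item) that is
# granted directly to a user (PrincipalType 'User') instead of to a group.
# The chart above says library/folder/item sharing does exactly this.
function Show-DirectAssignments($Securable, [string] $Label) {
    $assignments = Get-PnPProperty -ClientObject $Securable -Property RoleAssignments
    foreach ($ra in $assignments) {
        Get-PnPProperty -ClientObject $ra -Property Member, RoleDefinitionBindings | Out-Null
        if ($ra.Member.PrincipalType -ne 'User') { continue }   # group-based grant: expected
        $levels = ($ra.RoleDefinitionBindings | ForEach-Object { $_.Name }) -join ', '
        $kind = if (Test-IsExternalLogin $ra.Member.LoginName) { 'EXTERNAL' } else { 'internal' }
        Write-Output ("{0} | {1} user '{2}' assigned {3} directly" -f $Label, $kind, $ra.Member.Title, $levels)
    }
}

# Skip hidden system lists; load the inheritance flag up front.
$lists = Get-PnPList -Includes HasUniqueRoleAssignments | Where-Object { -not $_.Hidden }

foreach ($list in $lists) {
    if ($list.HasUniqueRoleAssignments) {
        Write-Output "Inheritance broken on list/library: $($list.Title)"
        Show-DirectAssignments -Securable $list -Label $list.Title
    }

    # Folders, list items and documents: sharing always breaks inheritance here.
    $items = Get-PnPListItem -List $list -PageSize 500
    foreach ($item in $items) {
        if (Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments) {
            $name = $item.FieldValues['FileLeafRef']
            Write-Output "Inheritance broken on item: $($list.Title)/$name"
            Show-DirectAssignments -Securable $item -Label "$($list.Title)/$name"
        }
    }
}
```

Because permissions are additive and group membership lives in the root site, a user flagged here may also hold access through a group; the script only surfaces the direct grants that sharing creates.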

How Access Requests Work

As we can see from the chart above, sharing folders, list items, or documents will break security inheritance and assign a permission level. In the section on Sharing a Classic Site, it was noted that users must have the Manage Permissions permission to break inheritance. For classic sites, this results in the creation of an Access Request because the normal permission level for those users, Edit or Contribute, doesn’t contain that permission. But if that is the case for classic sites, then why doesn’t it also happen when sharing a folder, list item or document? The answer can be found in a little-known dialog in the Site Permissions page in Site Settings called Access Request Settings. You can see this dialog in the screenshot below:

This dialog contains two checkboxes that control how sharing is implemented in a site and are jointly referred to as the “Members can share” settings. The first checkbox controls whether users who are in the Members SharePoint group of a site can share individual folders, list items, and files or not. If this is unchecked, only administrators and owners will be able to share content with external users. Non-administrators who try to share content will see the popup message below. They can still share content, but only if an administrator approves the pending Access Request.

If only the first checkbox is checked, then users who belong to the Members SharePoint group of the site will be able to share folders, files and list items without needing approval from administrators, but sharing of a site will create an Access Request as described earlier in this eBook.

If both checkboxes are checked, Members will be able to share at all levels, including sites, folders, files, and list items, without an Access Request being created. They still won’t see a dropdown list of groups in the sharing dialog like administrators do, because the dialog will automatically add any external user to the SharePoint Members group for the site.

The table below summarizes the checkbox settings and what non-administrators can do for each setting.

Members Share   Members Invite   Result
Checked         Checked          Share Anything Directly
Checked         Unchecked        Share Folders, Files/Items Only; Site sharing creates Access Request
Unchecked       Unchecked        Folders/Files/Items can’t be shared
Unchecked       Checked          Combination Not Allowed

How to Limit External Sharing

Now that you understand how to share content with external users in SharePoint Online, it’s time to talk about putting realistic limits on that sharing. There are some sites with sensitive information where external sharing should be disabled entirely. Or you may want to limit how permissive your sharing policies are in your tenant. Or you might want to apply other controls and limitations to external sharing.

We’ve already reviewed how the Access Request Settings in an individual site can allow external sharing but still require approval from administrative users on that site. In this section, we’ll review all the other settings that are available for fine-tuning the amount of external sharing allowed in your organization. These controls are spread across several different levels of Office 365. We’ll discuss settings available in the following locations:

  • Microsoft 365 admin center (tenant-level settings)
  • SharePoint admin center (tenant-level settings)
  • SharePoint admin center (site collection level settings)
  • Classic SharePoint admin center (legacy sharing settings)

Tenant-Level Settings

The first place you can set limits on external sharing is at the tenant level. These settings take precedence over any other settings and cannot be overridden. Also, since they are in the Microsoft 365 admin center, they can only be applied by global tenant administrators. There are two areas where there are settings that can affect external sharing in SharePoint Online. Both can be found in Settings under Services & add-ins.

The first is SharePoint and the second is Office 365 Groups.

SharePoint Tenant Settings

The SharePoint settings provide four options for limiting the external sharing of folders, files, and list items across the entire tenant. They are arranged in order from most restrictive to most permissive, but they don’t reflect the four different sharing types listed in the sharing dialog. By default, they are left at the most generous setting of Anyone, which will leave all external sharing options available. The four options are:

  • Only people in your organization – This will effectively disable the ability to share external content from anywhere in your Office 365 tenant
  • Existing guests only – This setting will let your users share with external users, but only if they already have accounts registered in your Azure AD (See https://docs.microsoft.com/en-us/azure/active-directory/b2b/add-users-administrator for more information about managing B2B users in your tenant)
  • New and existing guests – This will allow sharing with any authenticated user or verified link (See the Sharing Link – All Site Collections section below under SharePoint Admin Center Settings for ways to limit this further)
  • Anyone – This setting is required if you wish to create anonymous guest links as discussed earlier.

As you can see from the screenshot above, the controls at this level provide little granularity. Care should be taken with these settings since they apply to the entire tenant. The same settings are available in the SharePoint admin center, split between SharePoint and OneDrive or scoped to an individual site collection. The Manage additional settings link provides a shortcut to these settings in the SharePoint admin center.

Office 365 Groups

There are also settings that control guest access in Office 365 groups. When sharing Office 365 group sites, one of the ways to share with external users was to add them as guests to the Office 365 group in Outlook or the Microsoft 365 admin center. By default, both checkboxes in the screenshot below are enabled. The first controls whether Office 365 groups can have external users as guests. If disabled, you will still be able to share the site, but not other Office 365 group resources. The second checkbox controls whether guests must be added by an Office 365 global admin or can be added by regular users who are owners of the Office 365 group.

SharePoint Admin Center Settings

There are two locations where external sharing can be controlled in the SharePoint admin center. The first is the Sharing link in the left-hand navigation panel. This is where most of the controls are located. But there are also some settings that are specific to an individual site collection. We’ll cover both locations but let’s start with the settings available in the Sharing link on the main console.

Sharing Link – All Site Collections

The Sharing link provides a much more extensive set of controls than those provided at the tenant level. In addition to the increased granularity, these controls can be managed by SharePoint administrators instead of global administrators.

The first set of controls available on the Sharing link is very similar to the sharing controls at the tenant level. But as the screenshot below demonstrates, they are now divided between SharePoint and OneDrive. They are also listed in reverse order, from most permissive to least permissive. The defaults set at the tenant level will apply, so you may not be able to set the slider all the way to the top if more restrictive settings were picked by a global admin.

Below these two sliders are a variety of other controls that can be implemented. They can be divided into three different sets of controls: Advanced settings, File and Folder links, and Other settings.

The Advanced settings section provides three selectable limits to external sharing. They include:

  • Limit external sharing by Domain – Selecting this checkbox will provide you with an opportunity to create a list of email domains that can be used to filter external users. The list can either be used to only allow certain email domains or to prohibit specific email domains.
  • Guests must sign in using the same account – When an external sharing invitation is sent, the recipient may choose to register a Microsoft account with a different email than the one where they received the invite. Checking this box will prohibit that practice.
  • Allow guests to share – As we discovered in the How Access Requests Work section, often Members of a site are pre-approved to share content with external users. External users are often included in that Members SharePoint group. Disabling this checkbox will prevent external users from sharing content that has been shared with them.

The File and folder links section of the panel lets you set the default link that is presented when entering the Send Link dialog. You can set the default to three out of four of the possible sharing types. The only sharing type you can’t use as a default is the People with existing access link. Since that one doesn’t change permissions, it probably shouldn’t be the default link type anyway.

In addition to picking the default link, you can also specify the default settings that are used when creating Anyone links that expire or the default permissions when sharing files or folders.

The final section of the page contains one checkbox and some links to other external sharing settings in the Classic SharePoint admin center. The checkbox enables or disables the display of users’ names in the activity section of the details panel associated with each file.

The final two links on the page take you to different sections of the Classic SharePoint admin center where many of the settings here are duplicated. We will deal with these settings in the Classic SharePoint admin center section below.

Sharing Link – Specific Site Collections

The same restrictions on external sharing that can be applied to the entire tenant are also available for each individual site collection. If you select an individual site collection from the list of active site collections in the SharePoint admin center you will see a Sharing button on the toolbar at the top of the page. Selecting this button will open a sharing panel with the same options that are available at the tenant level. You will be able to pick any setting that is more restrictive than the ones set at the tenant level or in the Sharing link of the SharePoint admin center. These settings will apply to just the selected site collection.
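The controls in the Sharing link and in the per-site Sharing panel are also exposed through the SharePoint Online Management Shell. The script below is an added example (not from the eBook) that applies the restrictions described in the two sections above: the four tenant options, the Advanced settings, the File and folder link defaults, and a stricter value for one sensitive site collection. The admin URL, site URL and partner domains are placeholders to replace for your tenant.

```powershell
# Added example. Assumes the Microsoft.Online.SharePoint.PowerShell module and
# SharePoint admin rights. All <...> values are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# The four options in the admin center map onto SharingCapability values:
#   Only people in your organization -> Disabled
#   Existing guests only             -> ExistingExternalUserSharingOnly
#   New and existing guests          -> ExternalUserSharingOnly
#   Anyone                           -> ExternalUserAndGuestSharing
# Tenant-wide: allow authenticated guests, but no anonymous "Anyone" links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Advanced settings: allow-list of partner domains (constructed placeholders),
# require the invited account to be the one that signs in, and block re-sharing by guests.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-a.example partner-b.example"
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true `
              -PreventExternalUsersFromResharing $true

# File and folder links: default to the Specific people link (Direct) with View
# permission. If Anyone links are ever re-enabled, force expiry and view-only access.
Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Per site collection: only values at least as restrictive as the tenant take effect.
# Turn external sharing off entirely for a sensitive site.
Set-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/<sensitive-site>" `
            -SharingCapability Disabled

# Read the effective settings back to confirm the change took.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, RequireAcceptingAccountMatchInvitedAccount,
    PreventExternalUsersFromResharing, DefaultSharingLinkType, DefaultLinkPermission,
    RequireAnonymousLinksExpireInDays
Get-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/<sensitive-site>" |
    Select-Object Url, SharingCapability
```

Settings chosen in the Microsoft 365 admin center still take precedence, so a tenant value set here cannot be more permissive than the global admin allowed.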

Classic SharePoint admin center

The classic SharePoint admin center also has some controls that relate to external sharing. Most of these have been reproduced on the new admin center Sharing link as discussed above. One set of controls is still only available in the classic SharePoint admin center. Using the settings displayed below you can limit who can share with external users to members of specific security groups. If anonymous guest links are enabled (Anyone), you can use the second list of groups to limit who can share anonymously with external users.

Conclusion

That brings our discussion of external sharing in SharePoint Online to a close. External sharing can be a potent tool for collaboration in most organizations. But the options are often confusing. I hope this review of all the options available will make it easier for you to work with your organization to use external sharing securely and successfully.
