External Sharing in SharePoint Online
External sharing is one of the more useful collaboration features in SharePoint Online. Whether we’re working with a preferred vendor, client, or subsidiary company, there are a variety of situations where having a workspace with users outside of our Active Directory domain is a vital business need. With external sharing we can do exactly that.
It’s a little confusing though from the internal perspective. What do external users get? What’s the process like, especially if they don’t have any kind of Microsoft/Office 365 account? Are they going to have some random new account to keep up with?
I’m going to walk you through what our external users see and the steps they must take to accept an external sharing invitation.
To do this I’m not using any type of Microsoft (Hotmail, Live, Outlook) or Office365 account. I’m using a really old Southwestern Bell email account. If this will work with this address, any email address will do! (Thanks to my fiancé Stewart for being my guinea pig and letting me use his email account for this blog!)
Let’s start at the beginning and look at the settings available to us and think about how and where we’ll enable external sharing in our tenant, before we jump into the invitation process.
External sharing settings are in the SharePoint Admin portal, in the aptly named Sharing section.
In the Sharing section in the Admin Portal we can choose how we share outside of our organization.
There are also settings for who can share with external users, how default sharing links work in SharePoint, and sharing notifications.
Once those important decisions have been made for the tenant, it’s time to think about how sharing externally will impact architecture.
Here’s why: After configuring your global settings, external sharing is enabled on a site collection by site collection basis. We don’t want a lot of granular permissions (objects with broken permissions) in our sites under normal circumstances, so it makes sense that we wouldn’t want content that’s “internal only” living on a site where outsiders are going to have access. I highly recommend creating separate site collections for content that will be shared externally. This keeps permissions clean and protects our sensitive intellectual property. The global external sharing settings can be fine-tuned for our individual site collections in the Site Collections section of the Admin Portal.
Select the site collection you want to have externally shared, then click the Sharing icon in the ribbon.
A form will open allowing you to turn on sharing and customize the sharing settings for that particular site collection.
Once you've got that set, click Save and the sharing settings will be applied to that site collection.
Note: There is an option under Sharing outside your company to "allow sharing with external users, and by using anonymous access links."
This means that anyone with a link you've shared can access the site, list/library, or item without the requirement of logging into your environment.
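An added example (not from the original post): the per-site-collection setting that the admin portal form changes is exposed as the SharingCapability property in the SharePoint Online Management Shell, so it can be audited across all site collections at once. The contoso URLs, the approved list and the Get-SharingDrift function name are assumptions made for illustration.

```powershell
# Added example: flag site collections whose sharing setting does not match
# the "separate site collections for external content" design.
# All URLs below are constructed placeholders.

# Site collections deliberately created for external collaboration.
$ApprovedExternalSites = @(
    'https://contoso.sharepoint.com/sites/vendor-portal'
)

function Get-SharingDrift {
    param(
        [Parameter(ValueFromPipeline = $true)] $Site,
        [string[]] $Approved = @()
    )
    process {
        # Cast so both live enum values and sample strings compare the same way.
        $cap = [string]$Site.SharingCapability
        if ($cap -eq 'Disabled') { return }   # internal only, nothing to report

        $finding = if ($Approved -notcontains $Site.Url) {
            'External sharing enabled on a site not on the approved list'
        } elseif ($cap -eq 'ExternalUserAndGuestSharing') {
            # This value is the "anonymous access links" option.
            'Approved site also allows anonymous access links'
        } else { $null }

        if ($finding) {
            [pscustomobject]@{
                Url = $Site.Url; SharingCapability = $cap; Finding = $finding
            }
        }
    }
}

# Constructed sample rows shaped like Get-SPOSite output, so this runs offline.
$sample = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/vendor-portal'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';       SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';            SharingCapability = 'Disabled' }
)
$sample | Get-SharingDrift -Approved $ApprovedExternalSites | Format-Table -AutoSize

# Against a live tenant (requires the SharePoint Online Management Shell):
# Connect-SPOService -Url https://contoso-admin.sharepoint.com
# Get-SPOSite -Limit All | Get-SharingDrift -Approved $ApprovedExternalSites
```

With the sample rows only the finance site is reported. A flagged site can be switched back to internal only with Set-SPOSite -Identity <url> -SharingCapability Disabled.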
Now the fun stuff happens; we share.
I went to Site Permissions and picked the group I wanted to have my external user in. When I typed his address, SharePoint made sure I knew he wasn’t in my organization:
Once they’re invited they and you will receive an email with this message.
I didn’t write anything in the message area when I added them. For external users, it’s probably a good idea to give them a little info.
Now we wait. In the meantime, this is what they’re doing…
Accepting an External Invitation
Our external user gets an email, hopefully having been told ahead of time to expect it (hint hint, communicate with your users). After they click on the inviting “Go To” link they are met with the “Welcome to SharePoint Online” screen and a few options. This can be tricky!
Microsoft account = Hotmail, Live, or even an Xbox account but the key here is it’s a personal account that they more than likely set up for themselves.
Organizational account = Work (AUser@AwesomeCompany.com) or a school/university account that’s tied to Microsoft in some way.
Other = None of the above! Such as Gmail, Yahoo, sbcglobal… not associated with Microsoft or Office 365 in any way.
They’ll click that tiny blue link and be asked to provide their email address. In this case it was the sbcglobal.net address. Once they do and click Next a verification email will be sent to that account with a code that they’ll enter on the next screen.
Once they get the code they’ll come back and enter it here:
If multi-factor authentication is configured, they’ll be prompted to provide their phone number and will receive a code to use when logging in.
After that, they’ll be taken to the sign-in screen.
The user can now access the site, just like any internal user. Granular permissions can be used to control access to lists and libraries in the site, but if you’re doing much of that you should rethink having that content in the site where external users are present.
As you can see below, the user can be seen in the group they were added to and removed if/when necessary.
Should you decide at some point to disable external sharing on a site collection, simply go back to the SP Admin Portal >> Site Collections >> Select the site collection, then click Sharing on the ribbon.
Choose the option “Don’t allow sharing outside your organization.” You’ll get this notification:
External sharing is a powerful feature, so it requires planning and consideration for your architecture and security. The controls are in place for this to be both flexible and secure for your organization and those on the outside with whom you collaborate.