If your organization shares documents or collaborates directly with vendors, clients, or customers, the external sharing features and guest access in Office 365 support this. If that is not the case, you may want to limit the use of external collaboration in your organization.
Note that external sharing is turned on by default for your entire Office 365 environment. Every user can invite external people to Groups, Teams and SharePoint sites and can share content using OneDrive for Business. You may want to turn it off globally until you know exactly how you want to use the feature.
Unfortunately there is no master switch to turn external sharing and the invitation of external users on or off globally. It has to be configured per service, and the services affect each other: a guest added at one level (for example to a Team) also gets access through the services underneath it (the Office 365 Group and its SharePoint site).
Settings overview
External sharing overview
Content Level
When sharing a SharePoint site with an authenticated external user, an invitation is sent to them via email which contains a link to the site. During the login process they are asked to sign in with the username and password of their Microsoft account or their work or school account. If the login is successful, the account is added as a guest to the Azure AD associated with the Office 365 subscription. The account is added with #EXT# in the user name (for example john_fabrikam.com#EXT#@contoso.onmicrosoft.com).
An external user does not need a license. To discontinue sharing with an authenticated external user, remove their permissions from the site or delete the guest account in Azure AD.
If you share a file or folder with an external user, the recipient gets an email with a link to the file or folder. They also get a time-sensitive code via email that they can use to verify their identity. Once they have proven their identity with the code, the user is added as an external user in Azure AD and can access the file with their account. If the recipient has neither a Microsoft account nor a work or school account, they must request and enter a new code every time they access the shared content.
To discontinue sharing with an authenticated external user you can delete the sharing link that was sent to them.
To share with anonymous users ("anyone" links), you can set several options:
- Edit, view or upload to a folder
- Set the link to expire at a specified time
- Block download
The (external) user receives an e-mail with the link to the file or folder. Anonymous users are not added to Azure AD, and anyone who obtains the link can use it, so the link itself is the credential. To discontinue sharing you need to delete the anonymous link.
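The content-level settings described above (the tenant-wide and per-site sharing capability, the anonymous link options, and removing an external user from a site) can be audited and changed with the SharePoint Online Management Shell. The following is an added example and not code from the original post; the admin URL, the site URL and the guest e-mail address are assumed placeholders and have to be replaced with your own values.

```powershell
# Added example (not from the original post): audit and tighten the
# content-level sharing settings with the SharePoint Online Management Shell.
# Admin URL, site URL and the guest e-mail below are assumptions.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Tenant-wide switch. Valid values:
#    Disabled                        - no external sharing at all
#    ExistingExternalUserSharingOnly - only guests that already exist in Azure AD
#    ExternalUserSharingOnly         - authenticated external users, no anonymous links
#    ExternalUserAndGuestSharing     - authenticated users plus anonymous ("anyone") links
$tenant = Get-SPOTenant
"Current tenant setting: $($tenant.SharingCapability)"

# Allow authenticated guests only; this removes the anonymous link option.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# If anonymous links are kept, at least enforce the options the post lists:
# forced expiry and view-only defaults for files and folders.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
#               -RequireAnonymousLinksExpireInDays 30 `
#               -FileAnonymousLinkType View `
#               -FolderAnonymousLinkType View

# 2. Per-site override. A site can be stricter than the tenant, never more
#    permissive: a site set to ExternalUserAndGuestSharing while the tenant is
#    ExternalUserSharingOnly is rejected.
$site = "https://contoso.sharepoint.com/sites/VendorProject"   # assumed site
Set-SPOSite -Identity $site -SharingCapability ExternalUserSharingOnly

# 3. Who already has access? External users carry #EXT# in their login name.
Get-SPOExternalUser -SiteUrl $site -PageSize 50 |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy

# 4. Discontinue sharing: remove the external user from the site collection.
#    The guest object in Azure AD stays and is cleaned up by the directory admin.
$guest = Get-SPOExternalUser -SiteUrl $site -Filter "partner@fabrikam.com"   # assumed guest
if ($guest) {
    Remove-SPOExternalUser -UniqueIDs @($guest.UniqueId) -Confirm:$false
}
```

Run the audit steps first and the Set-* steps only after you know which sites legitimately rely on anonymous links; tightening the tenant setting immediately invalidates existing "anyone" links on every site.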
Collaboration Level
Guest access on the collaboration level is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions. No additional licensing for the guest users is required. You can have up to 5 guests per licensed user on your tenant. For more information about licensing, see Azure Active Directory B2B collaboration licensing guidance.
Office 365 Groups
To collaborate with external users in your Office 365 Group this feature must be activated as shown in the table above. By default, guest access is turned on in Office 365. That means that everyone in your organization can add external users to an Office 365 Group. When an external user is invited to join a group, they receive an invitation email. The external user will have access to the following Office 365 Group features:
- Conversations: Externals do not get access to the conversation history, but they become part of the Office 365 Group distribution list, so new conversations reach them by e-mail.
- Notebook: Externals get access to the OneNote notebook.
- Calendar: No access, but they receive calendar invitations.
- SharePoint Team Site: Externals get access to the SharePoint team site.
- Planner: To access a plan, guests either need to use a specific plan URL or go to https://tasks.office.com/%organizationdomainname%
Microsoft Teams
Because Microsoft Teams builds on services such as SharePoint Online and Office 365 Groups, guest access in Teams depends on the settings of those services in your tenant. Each level controls guest access as shown:
- Azure Active Directory: Guest access in Microsoft Teams relies on Azure AD B2B; if Azure AD does not allow guest invitations, Teams cannot add guests.
- Microsoft Teams: Controls guest access in Microsoft Teams itself.
- Office 365 Groups: Controls guest access in Office 365 Groups and therefore in Microsoft Teams.
- SharePoint Online and OneDrive for Business: Controls guest access to files in SharePoint Online and OneDrive for Business, including the files of a team.
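Since the Office 365 Groups setting and the Teams setting above both decide whether a guest can be added to a team, and the SharePoint setting decides whether that guest can open the team's files, a practitioner wants all of them in one place. The following is an added example, not code from the original post: it reads the guest switch at the Groups, Teams and SharePoint levels and then turns off guest invitations at the Office 365 Groups level, which Teams inherits. It assumes the AzureADPreview module (needed for Get-AzureADDirectorySetting), the Teams cmdlets (MicrosoftTeams module or, on older setups, the Skype for Business Online connector) and the SharePoint Online Management Shell; the admin URL is a placeholder.

```powershell
# Added example (not from the original post): show the guest-access switch at
# each level the list above names, then block new guest invitations for
# Office 365 Groups (and therefore Teams). Modules and admin URL are assumptions.
Connect-AzureAD
Connect-MicrosoftTeams
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Office 365 Groups level: the "Group.Unified" directory setting.
#   AllowToAddGuests          - may members invite new guests into groups?
#   AllowGuestsToAccessGroups - may existing guests use group content at all?
$groupSetting = Get-AzureADDirectorySetting |
    Where-Object { $_.DisplayName -eq "Group.Unified" }
if (-not $groupSetting) {
    # No setting object yet: the template defaults apply, i.e. guests allowed.
    "Groups: no Group.Unified setting present, defaults apply (guests allowed)"
    $template = Get-AzureADDirectorySettingTemplate |
        Where-Object { $_.DisplayName -eq "Group.Unified" }
    $groupSetting = $template.CreateDirectorySetting()
    $groupSetting["AllowToAddGuests"] = "False"
    New-AzureADDirectorySetting -DirectorySetting $groupSetting
} else {
    "Groups: AllowToAddGuests = $($groupSetting["AllowToAddGuests"]), " +
    "AllowGuestsToAccessGroups = $($groupSetting["AllowGuestsToAccessGroups"])"
    $groupSetting["AllowToAddGuests"] = "False"
    Set-AzureADDirectorySetting -Id $groupSetting.Id -DirectorySetting $groupSetting
}

# Microsoft Teams level: the tenant-wide guest switch of the Teams client.
$teams = Get-CsTeamsClientConfiguration -Identity Global
"Teams: AllowGuestUser = $($teams.AllowGuestUser)"

# SharePoint Online / OneDrive level: team files live here, so a tenant set to
# Disabled keeps guests out of channel files even if Teams allows guests.
$spo = Get-SPOTenant
"SharePoint: SharingCapability = $($spo.SharingCapability)"

# Azure AD level: the "External collaboration settings" (who may invite guests)
# are set in the Azure portal. The guests that already exist are visible here.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Select-Object DisplayName, UserPrincipalName, CreationType
```

Setting AllowToAddGuests to False stops new invitations but leaves existing guests in their groups and teams; to cut their access as well, set AllowGuestsToAccessGroups to False in the same setting object or remove the guest accounts from Azure AD.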
Advanced
Office 365 inter-tenant collaboration
There are several options to collaborate between two Office 365 tenants. Based on Azure Active Directory B2B, collaboration can be set up for nearly all Office 365 services. Details are described in this Microsoft article: Office 365 inter-tenant collaboration
Tenant restrictions
Tenant restrictions enable you to control which other Office 365 tenants your users can sign in to from your network (they are enforced on your outbound proxy). Tenant restrictions give organizations the ability to specify the list of tenants that their users are permitted to access. Details, prerequisites and limitations are described in this Microsoft article: Use Tenant Restrictions to manage access to SaaS cloud applications
Office 365 user vs. Windows Live ID
Anyone with a Microsoft work or school account or a consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Office 365.
If a user has an Office 365 hosted e-mail address, they automatically have a work or school account created by their IT department. This account lives in the organization's own Azure AD.
If a user does not have a work or school account, they can use a Microsoft account (formerly Live ID). To get one, the user goes to the Microsoft account sign-in page: https://account.microsoft.com/. In the upper right corner select "Login" and then "No account". They need to fill out the form and create a password. Details are shown below in "Coaching your (guest) users through the External Sharing Experience". A Microsoft account is hosted by Microsoft, not by your organization.
Coaching your (guest) users through the External Sharing Experience
Content Level
If you invite an external user to a SharePoint site or add them to a SharePoint group, they receive an invitation e-mail:
The link in the e-mail takes the user to a page asking what type of account they have:
If the user enters their e-mail address but does not have a Microsoft account, they see the following dialog:
Click "Create One!" to register a new Microsoft account:
Set a password:
Provide your details:
Microsoft sends a code to verify the e-mail address:
If a file or folder in SharePoint or OneDrive for Business is shared with an external user who does not yet exist in Azure AD, they also need to verify their e-mail address:
If the recipient has neither a Microsoft account nor a work or school account, they must use a fresh code every time they access the shared content.
Collaboration Level
When an external user is invited to a group, they receive an invitation e-mail:
They also receive a second e-mail with the details of the group: