Showing posts with the label Groups. Show all posts

Tuesday, January 29, 2019

Coaching your users through the External Sharing Experience

If your organization shares documents or collaborates directly with vendors, clients, or customers, you can use the external sharing features and guest access in Office 365 to support this. If this is not the case, you may want to limit the use of external collaboration in your organization.
Note that external sharing is turned on by default for your entire Office 365 environment. Every user can invite external people to Groups, Teams and SharePoint sites and can share content using OneDrive for Business. You may want to turn it off globally until you know exactly how you want to use the feature.
Unfortunately, there is no master switch to turn external sharing and the invitation of external users ON or OFF globally. We need to configure it per service, and there are also cross-service effects between the services.

Settings overview


External sharing overview

Content Level

When a SharePoint site is shared with an authenticated external user, an invitation containing a link to the site is sent to them via email. During the login process they are asked to log in using the username and password of their Microsoft account or their work or school account. If the login is successful, the account is added to the Azure AD associated with the Office 365 subscription. The account is added with #EXT# in the user name.
An external user does not need to have a license. To discontinue sharing with an authenticated external user, remove the permissions from the site or delete the user in the Azure AD.
If you share a file or folder with an external user, this user gets an email with a link to the file or folder. The user gets a time-sensitive code via email that he can use to verify his identity. Once he has proved his identity with the code, the user is added as an external user in the Azure AD and can access the file using his account. When a file or folder is shared with a user who does not have a Microsoft account or a work or school account, that user needs to use the code every time to access the shared content.
To discontinue sharing with an authenticated external user, you can delete the sharing link that was sent to him.
To share with anonymous users, you can set several options:
  • Edit, view or upload to a folder
  • Set link to expire at a specified time
  • Block download

The (external) user will receive an email with the link to the file or folder.
Anonymous users are not added to the Azure AD. To discontinue sharing you need to delete the anonymous link.

Collaboration Level

Guest access on the collaboration level is included with all Office 365 Business Premium, Office 365 Enterprise, and Office 365 Education subscriptions. No additional licensing for the guest users is required. You can have up to 5 guests per licensed user on your tenant. For more information about licensing, see Azure Active Directory B2B collaboration licensing guidance.

Office 365 Groups

To collaborate with external users in your Office 365 Group, this feature must be activated as shown in the table above. By default, guest access is turned on in Office 365. That means that everyone in your organization can add external users to an Office 365 Group. When an external user is invited to join a group, he receives an invitation email. The external user will have access to the following Office 365 Group features:
  • Conversations: Externals do not get access to the conversation history, but they become part of the Office 365 Group distribution list.
  • Notebook: Externals get access to OneNote
  • Calendar: No access, but they receive calendar invitations
  • SharePoint Team Site: Externals get access to the SharePoint Team Site
  • Planner: To access a plan, guests either need to use a specific plan URL or go to https://tasks.office.com/%organizationdomainname%

Microsoft Teams

Because Microsoft Teams uses services such as SharePoint Online, its external access configuration depends on the settings in your tenant.
Each level controls the guest access as shown:
  • Azure Active Directory: External access in Microsoft Teams relies on Azure AD.
  • Microsoft Teams: Controls external access in Microsoft Teams.
  • Office 365 Groups: Controls external access in Office 365 Groups and Microsoft Teams.
  • SharePoint Online and OneDrive for Business: Controls external access in SharePoint Online and OneDrive for Business.
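
As an added example (not part of the original post), the following read-only PowerShell script collects the guest-related setting at each of these levels into one report. It assumes the AzureADPreview, Microsoft.Online.SharePoint.PowerShell and MicrosoftTeams modules are installed; `yourTenant` is a placeholder.

```powershell
# Added example: read-only inventory of guest / external sharing settings.
# Placeholder: yourTenant. Run with an account that can read tenant settings.
Connect-AzureAD | Out-Null
Connect-SPOService -Url "https://yourTenant-admin.sharepoint.com"
Connect-MicrosoftTeams | Out-Null

$report = [ordered]@{}

# Azure AD: guest accounts that already exist (their user name contains #EXT#)
$guests = @(Get-AzureADUser -All $true -Filter "userType eq 'Guest'")
$report["AzureAD guest accounts"]      = $guests.Count
$report["AzureAD pending invitations"] = @($guests | Where-Object { $_.UserState -eq "PendingAcceptance" }).Count

# Office 365 Groups: the guest switches live in the Group.Unified directory setting.
# If no settings object was ever created, the template defaults are in effect.
$setting  = Get-AzureADDirectorySetting -All $true | Where-Object { $_.DisplayName -eq "Group.Unified" }
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq "Group.Unified" }
foreach ($name in "AllowToAddGuests", "AllowGuestsToAccessGroups") {
    if ($setting) {
        $report["Groups $name"] = $setting[$name]
    }
    else {
        $default = ($template.Values | Where-Object { $_.Name -eq $name }).DefaultValue
        $report["Groups $name"] = "$default (template default)"
    }
}

# Microsoft Teams: tenant-wide guest switch
$report["Teams AllowGuestUser"] = (Get-CsTeamsClientConfiguration -Identity Global).AllowGuestUser

# SharePoint Online and OneDrive for Business
$tenant = Get-SPOTenant
$report["SharePoint SharingCapability"] = $tenant.SharingCapability
$report["OneDrive SharingCapability"]   = $tenant.OneDriveSharingCapability
$report["Anonymous link expiry (days)"] = $tenant.RequireAnonymousLinksExpireInDays

[pscustomobject]$report | Format-List
```

A `SharingCapability` of `Disabled` means no external sharing for that service, while `ExternalUserAndGuestSharing` also allows anonymous links.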

Advanced

Office 365 inter-tenant collaboration

We have several options to collaborate between two Office 365 tenants. Based on Azure Active Directory B2B we can set up collaboration for nearly all Office 365 services. Details are described in this Microsoft article: Office 365 inter-tenant collaboration

Tenant restrictions

Tenant restrictions enable you to control access to other Office 365 tenants. They give organizations the ability to specify the list of tenants that their users are permitted to access. Details, prerequisites and limitations are described in this Microsoft article: Use Tenant Restrictions to manage access to SaaS cloud applications

Office 365 user vs. Windows Live ID

Anyone with a Microsoft work or school account or a consumer email account, such as Outlook, Gmail, or others, can participate as a guest in Office 365.

If a user has an email address hosted in Office 365, he will automatically have a work or school account created by his IT department. This account originally exists in an Azure AD.
If a user does not have a work or school account, he can use a LiveID. To get one, the user needs to go to the Microsoft account sign-in page: https://account.microsoft.com/. In the upper right corner, select “Login” and then select “No account”. He needs to fill out the form and create a password. For details, see “Coaching your (guest) users through the External Sharing Experience” below. The LiveID is originally hosted by Microsoft.

Coaching your (guest) users through the External Sharing Experience

Content Level

If you invite an external user to a SharePoint site or add him to a SharePoint group, he will receive an invitation email:
The link in the email points the user to a website that asks him what type of account he has:
If the user enters his email address but does not have a Microsoft account, he will see the following dialog:
Click “Create One!” to register a new Microsoft account:
Set a password:
Provide your details:

Microsoft will send a code to verify the email address:
If a file or folder in SharePoint or OneDrive for Business is shared with an external user and the user does not already exist in the Azure AD, he will also need to verify his email address:
When a file or folder is shared with a user who does not have a Microsoft work or school account, that user needs to use the code every time to access the shared content.

Collaboration Level

When an external user is invited to a group, he receives an email:
External members can join conversations through their inbox and receive calendar invitations.
When an external user is invited to a group, he also receives an email with the details:

Monday, August 6, 2018

Things to think about when moving from classic to modern SharePoint Site


Moving from classic SharePoint Online Sites or from SharePoint on-prem Sites to modern Sites sounds easy but can get tricky. There are several pros and cons when you come from classic Sites and plan to use modern Sites. Also, some features that we know from classic Sites are no longer available in modern Sites. In addition, some features we have in SharePoint on-prem are deprecated in SharePoint Online. This is also a topic to think about when planning a migration.
The following two tables show the pros and cons and the topics you have to think about when planning a migration:

Pros and cons of modern Sites with a focus on a migration scenario

Mapping of deprecated / new features and functions


Saturday, September 9, 2017

Using site classification for SharePoint Sites

Site classification is a must-have when we talk about Governance, Compliance and also topics around GDPR.
Besides 3rd party solutions focusing on site and content classification, we also have some out-of-the-box options and developer opportunities in Office 365 and SharePoint on-prem. Depending on whether we are talking about classic SharePoint Site Collections or about modern Team Sites that are part of an Office 365 Group, we have different scenarios.

There are two different ways to create a new SharePoint site in Office 365.

  1. We can create a SharePoint Online Site using the SharePoint Online Administration. This will create a SharePoint Site based on WebTemplate STS.
  2. We can go to SharePoint Home and click “create” in the upper left corner, or we can go to Outlook Online and create a new Group. Both will create a SharePoint Site based on WebTemplate GROUP.
To provide a site classification solution for classic Team Sites created by option 1, we need to implement the following: Implement a SharePoint site classification solution. This also works for SharePoint 2013 on-prem. The article describes a full solution, including policies for site closing and deletion depending on the classification setting. As you can see, the article describes the following steps:
  • Define and set site policies
  • Insert a custom action
  • Custom site classification
  • Add a classification indicator to site page
Using the opportunities we have with Groups and Group Policies, some of these things can be applied automatically to a SharePoint Site based on WebTemplate GROUP.
This video by Vesa Juvonen shows the steps and the final results:
As you can see, we need to create the site based on option 2.
(Dialogs already including policies)
SharePoint Home - Create:
Outlook Online -> Create Group:

Final result:

Step by Step

To enable this functionality in Office 365, we need to set up a “Settings Object” and a “Settings Template” in Azure AD. To do this, we can use the Azure Active Directory cmdlets for configuring group settings.

First of all, we need to install the preview of the Azure Active Directory V2 PowerShell module:

Install-Module -Name AzureADPreview

To set up the site classification options and configure properties such as ClassificationList and ClassificationDescriptions, follow these steps, which are also shown in Vesa's video:

#Connect
Connect-AzureAD
Get-AzureADDirectorySettingTemplate

#Create
$Template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
$Setting = $template.CreateDirectorySetting()
$setting["UsageGuidelinesUrl"] = "http://sharepointtalk.com"
$setting["ClassificationList"] = "Public, Internal, TopSecret"
$setting["DefaultClassification"] = "TopSecret"
$setting["ClassificationDescriptions"] = "Public:no restrictions,Internal:all internal users can access,TopSecret:only special users can access"
$setting["GuestUsageGuidelinesUrl"] = "http://sharepointtalk.net"
New-AzureADDirectorySetting -DirectorySetting $setting

#Check
Get-AzureADDirectorySetting -All $True
(Get-AzureADDirectorySetting -Id %%YOUR ID%%).values
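
New-AzureADDirectorySetting can create the Group.Unified settings object only once per tenant, so the commands above fail when one already exists. The following added example (not from the original post or the video) updates an existing object in place, which also leaves the guest-related values stored in the same object untouched, and checks the classification values for consistency first. The variable names are illustrative.

```powershell
# Added example: create-or-update the classification values in Group.Unified.
# Names and descriptions must not contain "," or ":" because both are separators.
$classes      = "Public", "Internal", "TopSecret"
$default      = "TopSecret"
$descriptions = [ordered]@{
    Public    = "no restrictions"
    Internal  = "all internal users can access"
    TopSecret = "only special users can access"
}

# Consistency checks before anything is written to the directory
if ($classes -notcontains $default) {
    throw "DefaultClassification '$default' is not part of ClassificationList."
}
$unknown = @($descriptions.Keys | Where-Object { $classes -notcontains $_ })
if ($unknown.Count -gt 0) {
    throw "Descriptions without a matching classification: $($unknown -join ', ')"
}

Connect-AzureAD | Out-Null

# Reuse the existing settings object if there is one, otherwise create it from the template
$setting = Get-AzureADDirectorySetting -All $true | Where-Object { $_.DisplayName -eq "Group.Unified" }
$isNew   = -not $setting
if ($isNew) {
    $template = Get-AzureADDirectorySettingTemplate -Id 62375ab9-6b52-47ed-826b-58e47e0e304b
    $setting  = $template.CreateDirectorySetting()
}

$setting["ClassificationList"]         = $classes -join ","
$setting["DefaultClassification"]      = $default
$setting["ClassificationDescriptions"] = ($descriptions.GetEnumerator() |
    ForEach-Object { "$($_.Key):$($_.Value)" }) -join ","

if ($isNew) {
    New-AzureADDirectorySetting -DirectorySetting $setting
}
else {
    Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting
}

# Show what is now stored
(Get-AzureADDirectorySetting -All $true | Where-Object { $_.DisplayName -eq "Group.Unified" }).Values |
    Where-Object { $_.Name -like "*Classification*" }
```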

As described in the video we can now use the CLASSIFICATION property to assign a site policy or any other custom action. Details about site policies are part of Implement a SharePoint site classification solution.

Here is the script taken from the video to get the CLASSIFICATION property:

#Get PnP PowerShellOnline
Install-Module SharePointPnPPowerShellOnline
#Get site classification value
Connect-PnPOnline https://%YOUR TENANT%.sharepoint.com/sites/%YOUR SITE%
$Site = Get-PnPSite
#Load the Classification property before reading it
Get-PnPProperty -ClientObject $Site -Property Classification
$Site.Classification

Sunday, July 30, 2017

Overview of shared with Externals and shared Anonymous in Office 365

The GDPR highlights the need for protection of personal data held by organizations. To be able to do this, Microsoft invested a lot in new features and functions like the Office 365 Security & Compliance Center or the GDPR Assessment.
One of the backend systems that help to fulfill those regulations is the SharePoint Online Search Service. In the SharePoint Online Search schema, we can find two managed properties focusing on sharing and access from outside of your organization:
ViewableByExternalUsers and ViewableByAnonymousUsers
Both have the same settings: Query, Retrieve, Refine and Sort. So we can use them to create reports based on search queries.

Personal overview

Office 365 lets every user search for content in his SharePoint Online sites, in his OneDrive for Business files and also in emails. In this scenario, email is off topic. But by using this search function on the landing page of Office 365, a user can create a personal overview of content he has shared with externals or anonymously.
To do this, a user needs to enter the following query in the search box on the Office 365 landing page:
ViewableByAnonymousUsers=true


In this example, I search for documents located in SharePoint Online sites or in my personal OneDrive for Business which are shared through an anonymous guest link.
Using the query ViewableByExternalUsers=true shows me the files shared with external users through a sharing link that requires them to log in before they can view the file.
This gives a user an overview of documents he has shared from his OneDrive for Business with externals or anonymously. Because the URL is generic, you can use this link for all your users and every user gets his personal overview: https://www.office.com/search?auth=2&home=1&q=ViewableByAnonymousUsers%3Dtrue
You can also use this link to create a tile in the Office 365 App Launcher as described in the article: Add custom tiles to the app launcher
The result may look like this:

Team Site overview

Microsoft integrated a new out-of-the-box reporting capability in every Team Site. The article View usage data for your SharePoint Online site shows all the details you need to know. There is also a new tab called “Shared externally”.
The article says: List of files you have access to that have been shared with users outside your organization through a sharing link that requires them to log in before they can view the file. Files shared with anonymous users or files available to users with guest permissions are not included.
To get a list of files shared anonymously in this Team Site, we can again use the query ViewableByAnonymousUsers=true, followed by a path filter, for example: path:https://yourTeamSiteName.sharepoint.com.

Using Search Center to get an overview

As an administrator, you can also use the search center to get an overview of anonymously shared content, or of data and also the SharePoint Online Sites themselves that are shared with externals. The queries are basically the same, and you can extend them with additional keyword query properties.
For example, search for all Office 365 Groups that external users can access:
ViewableByExternalUsers=true contentclass:sts_site WebTemplate:GROUP
(Because of security trimming in SharePoint Search, the user who runs the query needs access to all Team Sites to get a complete report.)
Of course, there are also options for achieving this with PowerShell for Office 365 Groups or with reports in the Office 365 Security & Compliance Center. Using the SharePoint Online search gives you the power and flexibility to include any managed property as metadata in your report, for example ViewsLifeTime, LastModifiedTime, CreatedBy or ModifiedBy. In addition, you can easily scope your report to show only documents by using the IsDocument=true query parameter, or focus on specific site templates, such as WebTemplate:GROUP to show only Office 365 Groups Team Sites.

Using PowerShell to get the report

Using PowerShell to get results from SharePoint Online Search also offers the option to save the report as an *.csv file. To call SharePoint Online Search API using PowerShell and save the result to an *.csv file you can follow the steps explained by Prasham Sabadra in his article Office 365/Sharepoint Online - PowerShell Script To Call Search API And Get The Result.
This example is based on his description. The report shows all externally shared content and sites in an Office 365 tenant and saves the result to C:\Temp\ViewableByExternalUsers.csv
# Add references to the SharePoint client assemblies (required for CSOM)
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Search.dll"
# Specify the tenant admin account
$User = "Admin@yourTenant.onmicrosoft.com"
# Configure the site URL
$SiteURL = "https://yourTenant.sharepoint.com"
# Prompt for the password instead of storing it in the script as plain text
$securePassword = Read-Host -Prompt "Password for $User" -AsSecureString
$Creds = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($User,$securePassword)
# Create the client context object and set the credentials
$Context = New-Object Microsoft.SharePoint.Client.ClientContext($SiteURL)
$Context.Credentials = $Creds
# Calling the Search API - create the instance of KeywordQuery and set the properties
$keywordQuery = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($Context)
# Query: all items that external users can view
$queryText="ViewableByExternalUsers=true"
$keywordQuery.QueryText = $queryText
$keywordQuery.TrimDuplicates=$false
$keywordQuery.SelectProperties.Add("LastModifiedTime")
$keywordQuery.SelectProperties.Add("ViewsLifeTime")
$keywordQuery.SelectProperties.Add("ModifiedBy")
$keywordQuery.SelectProperties.Add("ViewsLifeTimeUniqueUsers")
$keywordQuery.SelectProperties.Add("Created")
$keywordQuery.SelectProperties.Add("CreatedBy")
$keywordQuery.SortList.Add("ViewsLifeTime",[Microsoft.SharePoint.Client.Search.Query.SortDirection]::Ascending)
# Search API - create the instance of SearchExecutor and get the result
$searchExecutor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($Context)
$results = $searchExecutor.ExecuteQuery($keywordQuery)
$Context.ExecuteQuery()
# Result count
Write-Host $results.Value[0].ResultRows.Count
# CSV file location to store the result
$exportlocation = "C:\Temp\ViewableByExternalUsers.csv"
# Write one CSV line per result row
foreach($result in $results.Value[0].ResultRows)
{
$outputline='"'+$result["Title"]+'"'+","+'"'+$result["Path"]+'"'+","+$result["ViewsLifeTime"]+","+$result["ViewsLifeTimeUniqueUsers"]+","+$result["CreatedBy"]+","+$result["Created"]+","+$result["ModifiedBy"]+","+$result["LastModifiedTime"]
Add-Content $exportlocation $outputline
}
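
The script above runs a single query and therefore returns only the first page of results. The following added example (not from the original post or from Prasham Sabadra's article) goes a step further: it pages through all results for both managed properties, labels each row as externally or anonymously shared, and writes a properly quoted CSV. The tenant URL, the output path and the helper names `Protect-Cell` and `Get-SharedItems` are assumptions.

```powershell
# Added example: paged report of externally and anonymously shared items.
# Assumes the CSOM assemblies at the path used above; yourTenant is a placeholder.
$isapi = "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI"
"Microsoft.SharePoint.Client.dll", "Microsoft.SharePoint.Client.Runtime.dll",
"Microsoft.SharePoint.Client.Search.dll" | ForEach-Object { Add-Type -Path (Join-Path $isapi $_) }

$cred    = Get-Credential -Message "Account with access to the sites to report on"
$context = New-Object Microsoft.SharePoint.Client.ClientContext("https://yourTenant.sharepoint.com")
$context.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($cred.UserName, $cred.Password)

$properties = "Title", "Path", "ViewsLifeTime", "ViewsLifeTimeUniqueUsers",
              "CreatedBy", "Created", "ModifiedBy", "LastModifiedTime"
$pageSize   = 500   # largest RowLimit SharePoint Online accepts per request

# Titles are user-controlled: stop spreadsheet tools from treating them as formulas
function Protect-Cell($Value) {
    $text = [string]$Value
    if ($text -match '^[=+\-@]') { "'" + $text } else { $text }
}

function Get-SharedItems([string]$QueryText, [string]$Exposure) {
    $start = 0
    do {
        $query = New-Object Microsoft.SharePoint.Client.Search.Query.KeywordQuery($context)
        $query.QueryText      = $QueryText
        $query.TrimDuplicates = $false
        $query.RowLimit       = $pageSize
        $query.StartRow       = $start
        $properties | ForEach-Object { $query.SelectProperties.Add($_) }

        $executor = New-Object Microsoft.SharePoint.Client.Search.Query.SearchExecutor($context)
        $result   = $executor.ExecuteQuery($query)
        $context.ExecuteQuery()

        $rows = @($result.Value[0].ResultRows)
        foreach ($row in $rows) {
            $item = [ordered]@{ Exposure = $Exposure }
            foreach ($p in $properties) { $item[$p] = Protect-Cell $row[$p] }
            [pscustomobject]$item
        }
        $start += $rows.Count
    } while ($rows.Count -gt 0)   # an empty page means everything has been read
}

$report = @(
    Get-SharedItems "ViewableByExternalUsers=true"  "External"
    Get-SharedItems "ViewableByAnonymousUsers=true" "Anonymous"
)
$report | Export-Csv -Path "C:\Temp\SharedContentReport.csv" -NoTypeInformation -Encoding UTF8
Write-Host "$($report.Count) rows written"
```

Because of security trimming, the report only contains items the signed-in account can see; an item that matches both queries appears once per exposure type.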

Thursday, May 19, 2016

The Mobile and Intelligent Intranet

This post is based on the video "The Mobile and Intelligent Intranet: SharePoint sites and PowerApps" from Microsoft Mechanics @ YouTube: https://youtu.be/x8tgKBXmmPg

The Microsoft SharePoint team plans to transform intranets into a mobile and intelligence-powered experience. That means combining the productivity of SharePoint team sites, the broadcast reach of publishing sites and portals, and the seamless integration of business apps. The goal is to find and access content from everywhere and on any device.
Learn about the new features and functions in this blog post:

Overview

  • New mobile App
  • New SharePoint home in the App Launcher
  • New TeamSite UI powered by the Office Graph
  • Groups getting the full power of TeamSites
  • Updates to DocLibs and List
  • New Page creation with fluid and responsive authoring experience
  • PowerApps and Flow

Watch the Overview video:

SharePoint mobile App

  • Home Tab
      ◦ Focused on News
      ◦ Built on the Office Graph
      ◦ Containing News from TeamSites, Blogs, etc.
  • Links Tab
      ◦ Important links, as in the "SharePoint" tab in the App Launcher
  • Sites Tab
      ◦ Built on the Office Graph
      ◦ Frequently Tab
          ▪ List of sites a user is using most often
      ◦ Following Tab
          ▪ My followed sites
      ◦ Open a TeamSite from the mobile App
          ▪ Focusing on NEWS (published by TeamSite owner) and ACTIVITY (built on the Office Graph)
          ▪ Access the navigation / content of the sites
  • People Tab
      ◦ Built on the Office Graph
      ◦ Search for people
      ◦ "Work With" & "Work on" information per person

Watch the SharePoint mobile App video:

SharePoint home

  • Card-based design with preview of the sites
  • List of sites you follow
  • Frequent
      ◦ Same sites as you see in the mobile App
  • Suggested
      ◦ Based on the Office Graph
  • Links
      ◦ Same sites as you see in the mobile App
  • Create a new site
      ◦ New dialog-based process
          ▪ TeamSite = content-centric place for teams with DocLibs, Lists and Libraries
          ▪ Publishing = for publishing and broadcasting content
  • Answering some simple questions
  • A Group is also created for the TeamSite to store conversations, use Planner, etc.
  • Set policies and compliance rules
  • Set members for the new TeamSite

Watch the SharePoint home video:

The new TeamSite experience

  • UI can be fully customized
  • Every TeamSite is connected to an O365 Group
  • Group members are shown directly on the landing page
  • "Go to Outlook" link to see the Group conversations
  • News (same as on mobile App)
      ◦ Can be configured by TeamSite members
  • Activity (same as on mobile App)
      ◦ Built on the Office Graph

Watch the new TeamSite experience video:

Next generation Document Library

  • New UX
  • Basic actions like NEW, UPLOAD, SHARE directly on top
  • New visualization
  • Search box in the top left corner
  • New LINK function to directly link videos or recent documents into a library
  • New for Power Users
      ◦ Content types and templates still available
      ◦ Easily add new columns
      ◦ New INFORMATION PANEL to see and edit metadata
  • New filter, slice & dice UX
  • New pinning function
  • MOVE and COPY function
  • Custom toolbar actions still available
  • Document library can still be added as a Webpart to sites

Watch the next gen. Doc Lib video:

Modern pages and authoring experience

  • New page editing canvas which is responsive out of the box
  • Background images are automatically formatted
  • Rich text editor for text
  • Embed documents based on WebApps
  • New Webparts based on PowerBI & the Office Graph
  • Group conversation Webpart
  • Can be used directly in the SharePoint mobile App

Watch the page and authoring video:

New SharePoint List experience

  • UX is similar to Document library
  • Flow
      ◦ Integrated in SharePoint Lists and also in Document libraries
      ◦ Connect external content and information to SharePoint
      ◦ Build workflows & business processes in SharePoint
  • PowerApps
      ◦ Integrated in SharePoint Lists and also in Document libraries
      ◦ Can be used in a list as a view or as a Webpart on a page
      ◦ Integrated with SharePoint mobile App

Watch the SharePoint Lists experience video:
