Enabling External Sharing in Office 365, SharePoint and OneDrive
1. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Chirag Patel @techChirag 14 and 15 June 2019, Paris
6. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Sharing & collaboration coverage
• From OneDrive for Business, share with “Anyone.”
• From OneDrive for Business, if collaboration isn't to be ongoing,
share with “Specific people.”
• For ongoing collaboration, use a new or existing Team or team
site and add members (including external members).
• Use a new or existing Communications site.
• Grant “everyone except external guests” permissions to a site,
folder, or file in your team shared library or OneDrive for
Business.
• Share a file in OneDrive for Business (both for internal and
external sharing).
• Share a team/project file from a team site.
• Use a new or existing Team or team site and add members
(including external members).
• Save all team files into Teams document library or team site
• Share links to specific files from a team site.
• For ongoing collaboration, use a new or existing Team or team
site and add members (including external members), OR
• For specific content, grant access to a site or folder from your
team site shared library.
Share with no restrictions
Share externally
Share broadly with company
Share with my team + others
Share with my team
Share one-off file
7. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
End-user sharing experience
ANYONE
Easiest way to share files with anyone on the planet
Recipient has access if they have the link
Recipient decides who else gets access
PEOPLE in my COMPANY
Easiest way to share files within the company
Recipient has access if they have the link AND are in the company
Recipient decides who else in my company has access
PEOPLE with EXISTING ACCESS
Direct pointer, does not add permissions
Recipients who already have access via membership, or explicit
permission have access
Recipient cannot decide who else to share to
SPECIFIC PEOPLE
Sharer decides which specific people inside and outside have access
Only those people have access and prove their identity
8. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Think about putting policies in place
Policy Examples
System will support external collaboration
Users cannot share content from OneDrive for Business Externally
Users can share content from SharePoint
External sharing should be disabled on sites by default
IT will restrict 3rd party / domains
Only users who have completed training are allowed to share content externally
External users are required to sign in
IT can enable / disable external sharing
Require external users to re-prove account ownership every 7 days
Prevent external users from sharing content they do not own
Only site owners can invite external users
External Sites should have naming convention
External access sites to be identifiable in sites list
IT can remove 3rd party access
9. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Thinking about people and processes
External access process with roles and responsibilities
Training - including compliance requirements
Information security policy
Information classification policy
Instructions for 3rd Parties – Setup, access, policies
Managing external access and removing access
Sharing v Links v Office 365 Groups
User
10. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Managing external sharing
Control WHO can share to external users
• Everyone
• Only specific people
• No one
Control WHICH external users can be shared with
• Anyone
• Only authenticated users
• Only authenticated users except specific domains
• Only authenticated users in specific domains
• No one
Control WHAT can be shared externally
• Anything
• Only specific libraries
• Only files without sensitive content
Control HOW externally shareable links can be used
• Default
• Enabled, but not default
• Mandatory expiration date
• Block externally-shareable edit links
• Disabled
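Several of the example policies and the WHO / WHICH / HOW controls above map onto SharePoint Online tenant and site settings. The following is an added example, not part of the original slides, using the SharePoint Online Management Shell; the tenant name `contoso`, the partner domains and the site URL are placeholders, and the mapping of each policy to a setting is an assumption about how an admin might implement it.

```powershell
# Added example: run from the SharePoint Online Management Shell as a SharePoint admin.
# 'contoso', the partner domains and the site URL are placeholders (assumptions).
$adminUrl = 'https://contoso-admin.sharepoint.com'
$siteUrl  = 'https://contoso.sharepoint.com/sites/EXT-ProjectX'
Connect-SPOService -Url $adminUrl

# WHICH: external users are required to sign in (no "Anyone" links).
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# WHICH: only authenticated users in specific domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList 'partner1.example partner2.example'

# Policy: users cannot share content from OneDrive for Business externally.
Set-SPOTenant -OneDriveSharingCapability Disabled

# Policy: prevent external users from sharing content they do not own.
Set-SPOTenant -PreventExternalUsersFromResharing $true

# Policy: re-prove account ownership every 7 days (one-time passcode users).
Set-SPOTenant -EmailAttestationRequired $true -EmailAttestationReAuthDays 7

# Guests must redeem with the account the invitation was sent to.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

# HOW: links default to "people with existing access" rather than a broader type.
Set-SPOTenant -DefaultSharingLinkType Direct

# Policy: external sharing is off on sites by default; report the exceptions.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, SharingCapability

# Enable sharing on one approved site; only site owners can invite.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly
Set-SPOSite -Identity $siteUrl -DisableSharingForNonOwners

# Review external membership for that site (input to removing 3rd party access).
Get-SPOExternalUser -SiteUrl $siteUrl -PageSize 50 |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated
```

A site cannot be more permissive than the tenant, so the tenant-level `SharingCapability` acts as the ceiling for every `Set-SPOSite` call.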
11. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
External Sharing Governance
Support staff
Enable self service creation
Use lifecycle management
Detecting valuable content
Use classification for sites
Scan with data loss prevention (DLP)
Protect content
Limit reach
Enforce policy
Use conditional access
Use IRM (Information Rights Management)
Charge Responsibility
Manage group / site ownership
Review external membership
Use IT services and management tooling
13. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Look…I just want to share externally!
External User (SharePoint/OneDrive)
• Someone from outside your Office 365 tenant to whom you have given access to one or more sites, files, or folders.
• 3 types of users
  • Anonymous
  • Authenticated without MSA
  • Authenticated with MSA
Guest User (Office 365 & Azure B2B)
• Also known as an external user; guest membership grants them access to all apps within the O365 group (emails, calendar, notes, files, and plans)
• Foundation for Microsoft Teams, Planner, Power BI, Dynamics CRM and other Enterprise Apps
14. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
External Sharing Invitation Management
SharePoint (& OneDrive)
• Separate invitation manager to Azure AD
• Adds users to SPO directory after users have redeemed their invitations
• New invitations generated every time you share
• Can pick external users from Azure AD
Azure AD B2B
• Users are added immediately on invitation so that they show up everywhere
• OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations
• Guests in Office 365 Groups already use Azure AD B2B invitation APIs for sharing
15. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Microsoft Accounts and Anonymous users
External User Type Sharing Behaviours
Authenticated user with Microsoft account (listed with #EXT# in their username)
• Collaboration tasks aligned with site permission levels, i.e. “Site Member” (site libraries, subsites, etc.)
• For files or folders: added as guests to the Office 365 directory
• Can view and edit files in Office Online only
Authenticated user without Microsoft account
• Can only share files and folders to an email address, with a one-time access code (email) for authentication each time they access
• An attempt to use a forwarded email will send the one-time code to the original recipient
• Can’t share sites
Anonymous User
• Free link - shareable link to a file or folder; can view/edit without logging in with a username or password
• Can be forwarded and is valid until you disable the link or it expires
• Can’t access site, nor assign licenses, nor verify identity – only IP address.
https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview (updated 06 May 2019)
16. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
SharePoint - Invitation Models
User-initiated guest invitation model
• This is the default for a new site collection and the recommended model, as it provides control to administrators and at the same time gives end users the flexibility to collaborate with their new business partner users without much intervention.
Site-owner-initiated guest invitation model
• If you want more control than the default sharing model over who can invite new users to a site, you can configure the site to only allow site owners to invite new users. This prevents ad-hoc invitations from being sent out by site users.
Admin-managed partner users model
• In an admin-managed partner users model, you pre-populate your organisation's Office 365 directory with the guest users who you'll be inviting to your site. This can be done by importing users from other Office 365 or Azure AD.
27. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Issues accessing files/folders, etc.
You give an external user access to a Microsoft SharePoint Online or Microsoft OneDrive for Business resource.
The user accepts the invitation but is signed in by using another Microsoft account at the time.
The user browses to the shared resource.
User receives one of the following error messages:
• Access Denied
• Let us know why you need access to this site.
• User is not found in the directory
• You need permission to access this site.
https://support.microsoft.com/en-gb/help/3026478/error-message-when-an-external-user-accepts-a-sharepoint-online-invita
28. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Authorise guest access (Microsoft Teams)
• Azure Active Directory: Controls the guest experience at the directory, tenant, and application level.
• Microsoft Teams: Controls Microsoft Teams only.
• Office 365 Groups: Controls the guest experience in Office 365 Groups and Microsoft Teams.
• SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Office 365 Groups, and Microsoft Teams.
https://docs.microsoft.com/en-us/microsoftteams/teams-dependencies
41. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Apps & Services and add-ins: Integrated Apps
• Read user profile details
• Edit or delete files (OneDrive folder)
• Read items contained in
site collections
• Send email as that user
48. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
PowerApps Portals – Coming Soon!
• Build low-code, responsive websites – allowing
external users to interact with the data stored in the
Common Data Service
• App Types – Portal, more on the way!
• External Users – such as LinkedIn, Microsoft
Account, other commercial login providers
• Integrate with Power BI embed, Microsoft Flow,
Microsoft SharePoint, Azure Blob Storage, Azure AD
B2C and Azure Application Insights
• Merging capabilities offered by Dynamics 365
Customer Engagement portals
50. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Secure Access: Keep it simple for everyone?
Device
Location
User
App
Tenant
Site
File
Conditional Access Different Scopes
Access and Sharing Policies
51. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
Limited browser-only access on unmanaged devices
Prevents leakage of data on unmanaged devices
Allows users to be productive on any device
Scopes:
Tenant and site
Specific users
Controls:
Edit vs. View
Download non-previewable files
56. @ClubPowerBI @aosComm @GUSS_FRANCEPower Saturday 2019
NEW! Block downloads
• Keep your documents in the cloud
–Avoid out-of-date copies
–Maintain access control
• Available for view-only links