Everything you need to know about external sharing in OneDrive, SharePoint, and Teams
1. FALL: Las Vegas, NV Dec 7–9, 2021 SPRING: Las Vegas, NV April 5–7, 2022
M365Conf.com
MICROSOFT 365 COLLABORATION CONFERENCE
Everything you need to know about external sharing in OneDrive, SharePoint, & Teams
Drew Madelung
3. 2021/2022
April 5 – 7, 2021
MGM Grand
Las Vegas, NV
Dec 7 – 9, 2021
MGM Grand
Las Vegas, NV
In-Person – December and April
4. Who am I
Drew Madelung
Milwaukee, Wisconsin
Associate Director @ Protiviti
@dmadelung
5. M365 architecture to support sharing
Sharing for files, groups, sites
Sharing management
7. Access and Share all your files through OneDrive
Collaborate, communicate, and share in one spot in Teams
Share content, data and portals in SharePoint
8. Global economies require cross-company collaboration
Users need to be able to safely share content across company boundaries
Companies need to keep sensitive content secure in a complex environment
10. File Collaboration across Microsoft 365
All files stored in SharePoint
File sharing settings shared
Every OneDrive site is a SharePoint Site Collection
[Diagram labels: SharePoint Online; SharePoint Communication Sites; Teams; OneDrive for Business; SharePoint Team Sites; Yammer Communities]
11. Microsoft 365 Groups are a group of people
Single identity across workloads
Azure AD objects
Share at the group level
Different sharing settings
[Diagram labels: Teams Chat; SharePoint Files; Planner Tasks; Exchange Email; Microsoft 365 Groups; SharePoint Sites not M365 Group backed (Communication/Classic)]
12. The configuration & management for sharing files is different than the Microsoft 365 group
Adding external users to the group grants them access to solutions the group is granting access to
Sharing files grants them access to just that content
[Diagram labels: Teams Chat; SharePoint Files; Microsoft 365 Groups]
13. Adding external users to the Team adds them to the Microsoft 365 Group
File sharing is the same, as the content is still based on SharePoint sharing rules
[Diagram labels: Teams Chat; Planner Tasks; Exchange Email; SharePoint Files; Microsoft 365 Groups]
15. Someone from outside your Microsoft 365 subscription who has been granted access to a site, file, or folder
Authenticated with Microsoft account
• Spreads across workloads
• Added to Azure AD as Guest
• Groups, Teams, SharePoint, OneDrive, Yammer, etc.
Anonymous
• Can’t be shared sites
• IP tracked
16. Sometimes used synonymously but there are differences
External access enables communication (chat) or content available without using guest accounts
• Sharing a file anonymously
Guest access enables non-directory users into your environment as guest accounts which can grant them access to content
• Adding a user to a team
17. Share files and folders
Request files
Add guests to Teams (M365 group)
Share files and folders
Add guests to site
Add guests to M365 group
Share files and folders
18. There are different external sharing settings for containers vs files
[Diagram labels: M365 Group; Site; Files]
21. A non-transferable, revocable secret key, only grants access to the specific recipient
Won’t work if forwarded to others
Existing users get access via their account
New external users prove email ownership
Internal users granted access directly with inheritance broken
22. Send link without sharing
Does not change permissions
Users have access and receive a link via email
Gets direct link to file
23. A transferable, revocable secret key, only grants access to internal users
Can be forwarded to others
Access can be revoked anytime
Users need link to gain access
Requires sign-in to an account in my organization
Members (non-guests) in Azure AD
24. A transferable, revocable secret key
Can be forwarded to others
Access can be revoked anytime
Users need link to gain access
Guarantees users can open, anywhere, without signing in
25. Modern sharing UI is unified across platforms
OneDrive Mobile App
Office Mac
File Explorer with OneDrive sync
Mac Finder
Microsoft Teams (TBD)
SharePoint
OneDrive
Office Online
Office Desktop
Outlook on the Web
26. SharePoint tenant settings checked for external sharing
SharePoint site settings checked for external sharing
User shares file that creates a link
External user accesses link
B2B invitation processes if non-anonymous
External user accesses file
Guest access expiration begins
29. Tenant settings checked if guest access available
Group settings checked if guest access available
User adds guest to a Group (Team)
B2B invitation sent
Guest user accepts invitation
Guest added to group and has access to content
External sharing settings enforced for files
This is not how shared channels will work
32. Tenant settings checked if guest access available
User adds guest to a SharePoint site
B2B invitation sent
Guest user accepts invitation
Guest added to SharePoint site and has access to content
External sharing settings enforced for files
38. Turn on/off external sharing
Tenant, per group, per user
Turn on/off per workload
Teams, Power BI, SharePoint
Allow guests to invite
Access reviews
Powered by Azure B2B
Guest inviter role (no Teams)
Domain allow/block
Different than SPO & OneDrive
Configured in Azure AD
Terms of use
(some have extended licensing)
39. Allow OR Block, not both
One policy per organization
Works independently from SPO
Does not apply to already added guest members
Powered by Azure B2B
https://go.microsoft.com/fwlink/p/?linkid=857710
40. Powered by Azure B2B
Microsoft 365 admin center > Settings > Services & add-ins > Microsoft 365 Groups
https://aka.ms/o365-groups-guests
41. • Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD
business-to-business (B2B) platform. Controls the guest experience at the directory,
tenant, and application level.
• Microsoft Teams: Controls Microsoft Teams only.
• Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups,
Teams, Outlook, and more
• SharePoint Online and OneDrive for Business: Controls the guest experience in
SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft
Teams. Anywhere there are files.
https://aka.ms/teams-dependencies
42. Microsoft Teams > Org-wide settings > Guest access
https://aka.ms/teams-manage-guests
43. Configure force privacy (public private)
Manage ability to add new guests
Configure external file sharing
Control access from unmanaged devices or other CA
45. Control WHO can share to external users
• Everyone
• Only specific people
• No one
Control WHICH external users can be shared with
• Anyone
• Only authenticated users
• Only authenticated users except specific domains
• Only authenticated users in specific domains
• No one
Control WHAT can be shared externally
• Anything
• Only specific sites
• Only files without sensitive content
Control HOW externally shareable links can be used
• Default
• Enabled, but not default
• Mandatory expiration date
• Block externally-shareable edit links
• Disabled
46. Sharing for OneDrive can be MORE restrictive but not LESS restrictive than SharePoint
If sharing turned off globally in SharePoint any shared links will stop working
Sharing Options
No external sharing
Only existing external users (sign-in required)
New and existing external users (sign-in required)
Anyone, including anonymous users (on by default)
Your SharePoint Online sharing settings determine which OneDrive sharing settings are available
Files hosted in Teams use these permissions
47. Only affects files & sites
Can be set per site
Only for new shares after expiration is put in place
53. Utilize specific SharePoint sites or Teams as extranet(s) and only allow external sharing there
• Only specific users can share to external users
• External users cannot share
• Only specific domains can be shared to
Allow anonymous by request for specific OneDrive sites
• Configure expiration policy
• Pull audit events out and retain for all anonymous shares
Allow external for all SharePoint sites and Teams
• External users cannot share
• Enable DLP to restrict access of sensitive info if shared
• Empower sensitivity labels for regulated users
• Enable monthly access reviews for external users
• Have external users accept terms of use
• Build sharing reports
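An added example, not part of the original deck: a sharing report that applies the restrictiveness ordering from slide 46 to find sites sharing externally outside an extranet list as described on slide 53. It assumes the SharePoint Online Management Shell module; the admin URL, the extranet list and the finding labels are placeholders.

```powershell
# Added example: audit site-level external sharing against an extranet allow list.
# Assumes the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights.
# $AdminUrl and $ExtranetSites are constructed placeholders; replace with your own.
$AdminUrl      = 'https://contoso-admin.sharepoint.com'
$ExtranetSites = @('https://contoso.sharepoint.com/sites/extranet-partners')

# SharingCapability values ranked from most to least restrictive,
# in the same order as the four sharing options on slide 46.
$Rank = @{
    'Disabled'                        = 0  # No external sharing
    'ExistingExternalUserSharingOnly' = 1  # Only existing external users
    'ExternalUserSharingOnly'         = 2  # New and existing external users
    'ExternalUserAndGuestSharing'     = 3  # Anyone, including anonymous users
}

Connect-SPOService -Url $AdminUrl
$tenant = Get-SPOTenant

$report = foreach ($site in Get-SPOSite -Limit All -IncludePersonalSite $true) {
    $isOneDrive = $site.Url -like '*-my.sharepoint.com/personal/*'

    # The effective level is the most restrictive of tenant, OneDrive (if applicable) and site.
    $levels = @($Rank[[string]$tenant.SharingCapability], $Rank[[string]$site.SharingCapability])
    if ($isOneDrive) { $levels += $Rank[[string]$tenant.OneDriveSharingCapability] }
    $effective = ($levels | Measure-Object -Minimum).Minimum

    $finding = $null
    if ($isOneDrive -and $effective -eq 3) {
        $finding = 'OneDrive allows Anyone links'
    } elseif (-not $isOneDrive -and $effective -gt 0 -and $site.Url -notin $ExtranetSites) {
        $finding = 'External sharing outside extranet list'
    }

    if ($finding) {
        [pscustomobject]@{
            Url           = $site.Url
            SiteSetting   = $site.SharingCapability
            EffectiveRank = $effective
            Finding       = $finding
        }
    }
}

$report | Sort-Object Finding, Url | Format-Table -AutoSize
```

The script only reads settings; remediation (for example lowering a flagged site with `Set-SPOSite -SharingCapability`) is left as a separate, reviewed step.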
55. Work with the business to understand sharing requirements, don’t just lock down
Utilize MFA for guests using conditional access
Set up DLP to remove guest access to sensitive content
Utilize terms of use for guests through Azure AD & conditional access
Use guest access reviews in Azure AD
Force web only access for guests using conditional access and sensitivity labels
Utilize sensitivity labels for sites, groups, & Teams to control external guest and file sharing