All about external sharing for SharePoint, OneDrive, and Microsoft Teams presented at the M365 conference

1. FALL: Las Vegas, NV Dec 7–9, 2021 SPRING: Las Vegas, NV April 5–7, 2022
M365Conf.com
MICROSOFT 365 COLLABORATION CONFERENCE
Everything you need to know about external sharing in OneDrive, SharePoint, & Teams
Drew Madelung

3. 2021/2022
April 5 – 7, 2021
MGM Grand
Las Vegas, NV
Dec 7 – 9, 2021
MGM Grand
Las Vegas, NV
In-Person – December and April

4. M365Conf.com
FALL: Las Vegas, NV Dec 7–9, 2021 SPRING: Las Vegas, NV April 5–7, 2022
Who am I
Drew Madelu n g
 Milwaukee, Wisconsin
 Associate Director @ Protiviti
 @dmadelung

5. M365 architecture to support sharing
Sharing for files, groups, sites
Sharing management
Everything you need
to know about
external sharing in
OneDrive, SharePoint,
& Teams
#M365Conf

6. Do you allow
external sharing?
Do you have email
turned off?

7. Access and Share
all your files
through OneDrive
Collaborate,
communicate, and
share in one spot
in Teams
Share content,
data and portals in
SharePoint

8. Global economies require cross company
collaboration
Users need to be able to safely share content
across company boundaries
Companies need to keep sensitive content
secure in a complex environment

9. Need to
understand
Microsoft 365
architecture

10. File Collaboration across Microsoft 365
All files stored in SharePoint
File sharing settings shared
Every OneDrive site is a SharePoint Site
Collection
SharePoint
Online
SharePoint
Communication
Sites
Teams
OneDrive for
Business
SharePoint Team
Sites
Yammer
Communities

11. Teams Chat
Microsoft 365 Groups are a
group of people
Single identity across workloads
Azure AD objects
Share at the group level
Different sharing settings
Teams Chat
SharePoint Files
Planner Tasks
Exchange Email
Microsoft 365 Groups
SharePoint Sites
not M365 Group
backed
(Communication/
Classic)

12. Teams Chat
The configuration & management
for sharing files is different than the
Microsoft 365 group
Adding external users to the group
grants them access to solutions the
group is granting access too
Sharing files grants them access to
just that content
SharePoint Files
Microsoft 365 Groups

13. Teams Chat Planner Tasks
Exchange Email
Teams Chat
SharePoint Files
Microsoft 365 Groups
Teams Chat
Adding external users to the Team
adds them to the Microsoft 365
Group
File sharing the same as the
content is still based on SharePoint
sharing rules

15. Someone from outside your Microsoft 365 subscription who has been
granted access to a site, file, or folder
Authenticated with
Microsoft account
Anonymous
Spreads across workloads
Added to Azure AD as Guest
Groups, Teams, SharePoint, OneDrive, Yammer, etc
Can’t be shared sites
IP tracked

16. External access enables
communication (chat) or content
available without using guest
accounts
• Sharing a file anonymously
Sometimes used synonymously but there are differences
Guest access enables non directory
users into your environment as guest
accounts which can grant them
access to content
• Adding a user to a team

17. Share files and folders
Request files
Add guests to
Teams (M365 group)
Share files and
folders
Add guests to site
Add guests to
M365 group
Share files and
folders

18. There are different external sharing
settings for containers vs files
M365 Group
Files
M365 Group
Site
Files
Files

19. File & folder
sharing

20. Specific People
People with existing access
People in the organization
Anyone

21. A non-transferrable, revocable secret key, only grants
access to the specific recipient
Won’t work if forwarded to others
Existing users get access via their account
New external users prove email ownership
Internal users granted access directly with
inheritance broken

22. Send link without sharing
Does not change permissions
Users have access and receive a link via email
Gets direct link to file

23. A transferrable, revocable secret key, only grants access
to internal users
Can be forwarded to others
Access can be revoked anytime
Users need link to gain access
Requires sign-in to an account in my
organization
Members (non-guests) in Azure AD

24. A transferrable, revocable secret key
Can be forwarded to others
Access can be revoked anytime
Users need link to gain access
Guarantees users can open, anywhere,
without signing in

25. Modern sharing UI is unified across platforms
OneDrive Mobile App
Office Mac
File Explorer with OneDrive sync
Mac Finder
Microsoft Teams (TBD)
SharePoint
OneDrive
Office Online
Office Desktop
Outlook on the Web

26. SharePoint tenant
settings checked for
external sharing
SharePoint site
settings checked for
external sharing
User shares file that
creates a link
External user
accesses link
B2B invitation
processes if non
anonymous
External user
accesses file
Guest access
expiration begins

27. Demo!

28. Group
sharing

29. Tenant settings
checked if guest
access available
Group settings
checked if guest
access available
User adds guest
to a Group (Team)
B2B invitation
sent
Guest user
accepts invitation
Guest added to
group and has
access to content
External sharing
settings enforced
for files
This is not how shared
channels will work

30. Demo!

31. Site
sharing

32. Tenant settings
checked if guest
access available
User adds guest to a
SharePoint site
B2B invitation sent
Guest user accepts
invitation
Guest added to
SharePoint site and
has access to
content
External sharing
settings enforced for
files

33. Demo!

34. Guest &
Sharing
Management

35. Members
Owners
Unauth’d
guests
Auth’d
guests
Admin
Inside Outside
Control
External sharing

36. Least Restrictive
Most Restrictive

37. Microsoft 365 admin center > Settings > Security &
Privacy

38. Turn on/off external sharing
 Tenant, per group, per user
Turn on/off per workload
 Teams, Power BI, SharePoint
Allow guests to invite
Access reviews
Powered by Azure B2B
Guest inviter role (no Teams)
Domain allow/block
 Different than SPO & OneDrive
 Configured in Azure AD
Terms of use
(some have extended licensing)

39. Allow OR Block, not both
One policy per organization
Works independently from SPO
Does not apply to already added
guest members
Powered by Azure B2B
https://go.microsoft.com/fwlink/p/?linkid=857710

40. Powered by Azure B2B
Microsoft 365 admin center > Settings
> Services & add-ins
> Microsoft 365 Groups
https://aka.ms/o365-groups-guests

41. • Azure Active Directory: Guest access in Microsoft Teams relies on the Azure AD
business-to-business (B2B) platform. Controls the guest experience at the directory,
tenant, and application level.
• Microsoft Teams: Controls Microsoft Teams only.
• Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups,
Teams, Outlook, and more
• SharePoint Online and OneDrive for Business: Controls the guest experience in
SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft
Teams. Anywhere there are files.
https://aka.ms/teams-dependencies

42. Microsoft Teams > Org-wide settings > Guest access
https://aka.ms/teams-manage-guests

43.  Configure force privacy (public private)
 Manage ability to add new guests
 Configure external file sharing
 Control access from unmanaged devices or other CA

44. Demo!

45. Control WHO can share
to external users
• Everyone
• Only specific people
• No one
Control WHICH external users can
be shared with
• Anyone
• Only authenticated users
• Only authenticated users except specific domains
• Only authenticated users in specific domains
• No one
Control WHAT can be
shared externally
• Anything
• Only specific sites
• Only files without sensitive content
Control HOW externally shareable
links can be used
• Default
• Enabled, but not default
• Mandatory expiration date
• Block externally-shareable edit links
• Disabled

46.  Sharing for OneDrive can be MORE restrictive but not LESS restrictive than SharePoint
 If sharing turned off globally in SharePoint any shared links will stop working
Sharing Options
 No external sharing
 Only existing external users (sign-in required)
 New and existing external users (sign-in required)
 Anyone, including anonymous users (on by default)
Your SharePoint Online sharing
settings determine which OneDrive
sharing settings are available
Files hosted in Teams use these
permissions

47. Only effects files & sites
Can be set per site
Only for new shares after expiration put
in place

48. Demo!

49. Reporting

50. Usage logs
Audit log
Sharing reports
Data governance reports

51. OneDrive external sharing reports per OneDrive
Data governance reports for sharing links in tenant

52. Advice &
Examples
Copyright: DanielGlenn.com

53. Utilize specific SharePoint sites or Teams as extranet(s) and only allow external sharing there
• Only specific users can share to external users
• External users cannot share
• Only specific domains can be shared to
Allow anonymous by request for specific OneDrive sites
• Configure expiration policy
• Pull audit events out and retain for all anonymous shares
Allow external for all SharePoint sites and Teams
• External users cannot share
• Enable DLP to restrict access of sensitive info if shared
• Empower sensitivity labels for regulated users
• Enable monthly access reviews for external users
• Have external users accept terms of use
• Build sharing reports

55. Work with the business to understand sharing requirements, don’t just lock down
Utilize MFA for guests using conditional access
Setup DLP to remove guest access to sensitive content
Utilize terms of use for guests through Azure AD & conditional access
Use guest access reviews in Azure AD
Force web only access for guests using conditional access and sensitivity labels
Utilize sensitivity labels for sites, groups, & Teams to control external guest and file sharing

56. Questions?
Email: drew.madelung@protiviti.com
Twitter: @dmadelung
Website: drewmadelung.com
Slides: http://bit.ly/DrewSlides

57. M365Conf.com
FALL: Las Vegas, NV Dec 7–9, 2021 SPRING: Las Vegas, NV April 5–7, 2022
MICROSOFT 365 COLLABORATION CONFERENCE
Everything you need to know about external sharing in OneDrive, SharePoint, & Teams