SharePoint Online makes sharing your content externally easy. But the tricky part is, ensuring you have the proper level of security and set up for external users.
There are multiple authentication options for sharing your site externally.
You can choose the best option for your organization at tenant/admin level. Then, you can change site collections individually to allow for different levels of sharing per site collection. Note, at site collection level, you can only change the site collection sharing option to be less permissive and not more permissive then the tenant level settings. Therefore, you want to set the tenant level options to be the most permissive level you are willing to allow in any part of your environment. Then you can apply a stricter external sharing policy per site collection.
As a rule of thumb, internal content should be stored in one site collection. While external content should be stored in a separate site collection. There by, reducing the internal content’s risk of exposure to external users. Internal site collections can have external sharing turned off while external sites will have external sharing turned on. This will effectively block external users from accidentally accessing content they shouldn’t.
Navigate to the SharePoint admin center and then select Sharing from the left navigation.
Below are the options for external sharing, listed from least to most permissive.
In addition, the guest user account needs to be added to an appropriate SharePoint permission group in order to access content.
Note: If an external user accesses a word/excel file and does not have word/excel application, they can view and edit the file via the web browser.
Once external sharing is set at the tenant level, you can change the settings for the site collections in your organization. Ideally, external users will only be allowed access on a separate site collection.
How can we change a site collection’s external sharing options?
Before granting access to Guest users with required authentication, you will want to know what that looks like on their side before rolling it out.
If your organization is requiring external users to be listing in Active Directory, an AD Admin user will need to set up the guest user account. Then, once the user is added in AD, they will get an email that looks like this:
When they select the Get Started button one of the following will happen:
External User will receive the standard SharePoint “share” email when they are given access to a site or file in SharePoint.
If your organization does not require external user to be in Active Directory but authentication is required (option #3 in the external sharing options listed above), the users will need to sign in or created a password from the share email below. They will follow the same set up screens as the registered guest user above.
Happy External Sharing!
Do you want to learn more about SharePoint? Join a SharePoint Learning Tree course!