External Sharing is EASY with SharePoint Online

jul 31, 2019

SharePoint Online makes sharing your content externally easy. But the tricky part is, ensuring you have the proper level of security and set up for external users.

There are multiple authentication options for sharing your site externally.

You can choose the best option for your organization at tenant/admin level. Then, you can change site collections individually to allow for different levels of sharing per site collection. Note, at site collection level, you can only change the site collection sharing option to be less permissive and not more permissive then the tenant level settings. Therefore, you want to set the tenant level options to be the most permissive level you are willing to allow in any part of your environment. Then you can apply a stricter external sharing policy per site collection.

As a rule of thumb, internal content should be stored in one site collection. While external content should be stored in a separate site collection. There by, reducing the internal content’s risk of exposure to external users. Internal site collections can have external sharing turned off while external sites will have external sharing turned on. This will effectively block external users from accidentally accessing content they shouldn’t.

How do you check or change your organization’s external sharing settings?

Navigate to the SharePoint admin center and then select Sharing from the left navigation.

Options for External sharing in SharePoint Online

Below are the options for external sharing, listed from least to most permissive.

Only people in your organization:
- This option blocks external sharing for your entire organization. Using this option will block any and all external sharing! Rather use a more open policy at tenant level and then you can adjust each site collection’s settings to be more restrictive.

Existing Guests:
- In Active Directory (AD), you can add external users as guest users. This gives IT more control and easy visibility on the external users being allowed access in the organization.
- To set up an external user in AD, select Add Guest User.
- A guest user account can be set up using any email address.
  - For O365 accounts, the users will log in with their company’s username and password.
  - For other email accounts (such as gmail), users will need to set up a password.

In addition, the guest user account needs to be added to an appropriate SharePoint permission group in order to access content.

New and existing guests

Site members/owners can grant access to users that are not in organization’s Active Directory. The site’s members/owners are free to decide who they will grant access to.
Authentication is required. External users need to log in with their email and authenticate with their own credentials.

For O365 accounts, users will log in with their company’s username and password.
For other email accounts, users will need to set up a password.

Anyone

External users can access the content without authentication. Login is not required. Internal users can simply share a link to any content. Meaning, external users can potentially share and forward the link with anyone outside of the organization. Therefore, you will not know who is accessing the shared data.
You can specify additional settings for the anonymous access links by setting an expiration date and the level of access the link can provide.

Note: If an external user accesses a word/excel file and does not have word/excel application, they can view and edit the file via the web browser.

Additional Settings

You can limit external sharing to specific domains. This limits the pool of potential external users to specific 3^rd party companies.
Keep external sharing more controlled by requiring the user to access content with the account that it was shared with.
Guests, with the right level of access (Edit, Full Control), can share content just like any other internal user. You can limit their sharing rights, by deselecting the tick box that allows them to share content they don’t own.

Changing Site Collection Level External Sharing Settings

Once external sharing is set at the tenant level, you can change the settings for the site collections in your organization. Ideally, external users will only be allowed access on a separate site collection.

How can we change a site collection’s external sharing options?

Navigate to the SharePoint Admin center and select active sites from the left navigation.
Select the site collection you want to change the settings for, then select Sharing from the ribbon.
A settings pane will display on the left side of the screen, adjust the settings as needed.

Guest User Experience

Before granting access to Guest users with required authentication, you will want to know what that looks like on their side before rolling it out.

If your organization is requiring external users to be listing in Active Directory, an AD Admin user will need to set up the guest user account. Then, once the user is added in AD, they will get an email that looks like this:

When they select the Get Started button one of the following will happen:

For users who already have an O365 account, they will be prompted to sign in using their existing O365 account.
For users who do not have an O365 account, they will be asked to set up a password and verify their email.

The user will not have access to any content until they are added to the appropriate SharePoint permission group.

External User will receive the standard SharePoint ”share” email when they are given access to a site or file in SharePoint.

If your organization does not require external user to be in Active Directory but authentication is required (option #3 in the external sharing options listed above), the users will need to sign in or created a password from the share email below. They will follow the same set up screens as the registered guest user above.

Happy External Sharing!

Do you want to learn more about SharePoint? Join a SharePoint Learning Tree course!

Microsoft Office, Sharepoint

External Sharing, O365, Sharepoint, SharePoint Online