SharePoint Online External Sharing

One of my favorite topics in Office 365 is external sharing. Sharing and collaboration occur not only within your corporation but also with external customers, clients, suppliers, or vendors. This can be achieved with External Sharing in SharePoint Online.

By default, External Sharing for SharePoint Online is turned “On” for the entire environment, which includes all site collections. It is highly suggested to turn this “Off” globally until you have the permissions plan detailed and site collections organized and before users access the sites.

SharePoint Online has the capability for external sharing tenant-wide (global) and at site collection level. The global setting overrides any setting at the site collection level and affects OneDrive.

Types of External Users

An external user is someone outside of your corporation’s Office 365 subscription with whom you are sharing content from one or more sites, files or folders. The two types of external users are:

Authenticated Users: these users have either a Microsoft account or a school or work account from another Office 365 subscription. Sites and documents are shared with them in the same manner as with internal users, and permissions and groups work the same way as they do for internal users. However, collaboration is limited to basic tasks because they do not have a license to your Office 365 subscription. An authenticated external user can perform tasks on a site consistent with the permission level they are assigned, view and edit documents in Office Online, and, depending on the permissions they have been given, see other types of content on sites. They can navigate to subsites within the site collection and view site feeds.

Anonymous Users: these are recipients who have received a shareable link to a folder or document, but not to a site. Depending on the type of link, they can view or edit the document or upload to the folder, and this access is specific to the link sent. No login with a username or password is required. The links are valid until they are disabled or expire on their expiration date. It is important to note that these links can be freely passed around between users.

Sharing Options

The basic sharing options for tenant and site collection are:

No External Sharing: users with an Office 365 subscription can share sites and documents internally.

Sharing Only with External Users in Your Directory: external users who are already in your Office 365 user directory will have access to sites, folders, and documents that are shared with them. These external users may include those who have previously accepted an invitation and those you have imported from another Office 365 subscription or a tenant from the Azure Active Directory.

Sharing with Authenticated External Users: sites can be shared with external users who have either a Microsoft account, a work or school account from another Office 365 subscription or an Azure Active Directory Subscription. A one-time code is sent to the user to verify their identity when folders or documents are shared, and they are not required to log in to a Microsoft, work or school account.

Sharing with Anonymous Users: documents and folders can be shared with an anonymous link. Anyone with the link will be able to view or edit the document and will be able to upload to the folder. Sites cannot be shared with anonymous users.

These options range from the most restrictive to the least restrictive. Choosing a less restrictive option does not rule out the more restrictive kinds of sharing. For example, you can continue to share with authenticated external users, users already in your directory, and internal users while allowing anonymous sharing.

Managing Security Risks

Most corporations will have confidential information that is not to be externally shared. This type of information should reside in one or two site collections with External Sharing turned “Off”. If additional site collections for confidential information are required, create a new site collection and ensure that External Sharing is turned “Off”.
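One way to check the tenant and site collection settings described above is an audit from the SharePoint Online Management Shell. This is an added example, not part of the original article; the admin URL and the list of confidential site collections are placeholders.

```powershell
# Added example: requires the SharePoint Online Management Shell and a
# SharePoint admin account. All URLs are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# SharingCapability values, ordered like the sharing options listed above.
$rank = @{
    Disabled                        = 0   # No external sharing
    ExistingExternalUserSharingOnly = 1   # External users already in your directory
    ExternalUserSharingOnly         = 2   # Authenticated external users
    ExternalUserAndGuestSharing     = 3   # Anonymous links
}
$name = @{}
$rank.GetEnumerator() | ForEach-Object { $name[$_.Value] = $_.Key }

# Site collections that hold confidential information (hypothetical list).
$confidential = @(
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso.sharepoint.com/sites/legal'
)

$tenantLevel = $rank[[string](Get-SPOTenant).SharingCapability]

$report = Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $rank[[string]$_.SharingCapability]
    # The global setting caps every site: the effective level is the stricter one.
    $effective = [Math]::Min($tenantLevel, $siteLevel)
    [pscustomobject]@{
        Url          = $_.Url
        SiteSetting  = [string]$_.SharingCapability
        Effective    = $name[$effective]
        Confidential = $confidential -contains $_.Url.TrimEnd('/')
    }
}

# Findings: confidential sites whose own setting is not Disabled (they would
# open up if the tenant setting is ever relaxed), and sites where anonymous
# links currently work.
$report | Where-Object {
    ($_.Confidential -and $_.SiteSetting -ne 'Disabled') -or
    ($_.Effective -eq 'ExternalUserAndGuestSharing')
} | Sort-Object Url | Format-Table -AutoSize
```

A flagged confidential site can be corrected with Set-SPOSite -Identity <url> -SharingCapability Disabled.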

Sharing a Site or Document – What happens?

What happens depends on the type of External Sharing you are using. There are three scenarios:

Sharing Sites with Authenticated External Users – an email invitation with a link to the site or document is sent to the external user. Clicking on the link will prompt them to log in to their Microsoft account or their work or school account. Once logged in, they are added to the users list in your Office 365 subscription and then given access to the site or document. In the users list, they are listed with #EXT# in their user name. They can now be granted access to additional sites or documents without being sent additional invitations. To discontinue sharing with this external user, you can either remove their permissions from the site or remove them from the user list in Office 365.

Sharing Files and Folders with Authenticated External Users: an email is sent to the authenticated external user which contains a link to the site or file. Each time the file or site is accessed, they are emailed a time-sensitive code that is used to verify their identity. The code must be entered to gain access to the folder or file. To discontinue sharing with them, simply delete the link that was sent to them.

Sharing with Anonymous Users: anonymous users can be granted permission to edit, view, or upload a document to a folder. Links to view and edit are created separately, and each can be disabled with a time expiration. Anonymous user links can be reused and passed around, allowing anyone with this link access to the document or folder.

External Business Partners – How to Collaborate with Them

A SharePoint Online extranet site is a dedicated site collection for business-to-business collaboration with a vendor or partner. This site can be locked down so that only site owners can invite external users and only external users from specific domains can be invited. These sites are quick to set up and are more cost-efficient than on-prem extranet sites.
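The lock-down described above can be applied and checked from the SharePoint Online Management Shell. This is an added example, not part of the original article; the site URL and partner domains are placeholders.

```powershell
# Added example: URLs and partner domains below are placeholders.
$adminUrl = 'https://contoso-admin.sharepoint.com'
$siteUrl  = 'https://contoso.sharepoint.com/sites/partner-extranet'
$allowed  = @('fabrikam.com', 'northwindtraders.com')

Connect-SPOService -Url $adminUrl

# Authenticated external users only: no anonymous links on the extranet.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly

# Only users from the listed domains can be invited (space-separated list).
Set-SPOSite -Identity $siteUrl -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($allowed -join ' ')

# Only site owners can invite new users.
Set-SPOSite -Identity $siteUrl -DisableSharingForNonOwners

# Read the settings back to confirm they were applied.
Get-SPOSite -Identity $siteUrl |
    Select-Object Url, SharingCapability, SharingDomainRestrictionMode,
                  SharingAllowedDomainList

# External users invited before the lock-down keep their access. Page through
# them (50 per call is the maximum) and list any outside the allowed domains.
$outside  = @()
$position = 0
do {
    $page = @(Get-SPOExternalUser -SiteUrl $siteUrl -Position $position -PageSize 50)
    $outside += $page | Where-Object {
        $allowed -notcontains ($_.Email -split '@')[-1]
    }
    $position += $page.Count
} while ($page.Count -eq 50)

$outside | Select-Object DisplayName, Email, WhenCreated | Format-Table -AutoSize
```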

External Sharing with SharePoint Online is easy and functional, and the ability to create extranet sites for external partners adds flexibility with the least impact on budgets while ensuring external users have access to the content they require to fulfill their parts of the project.