SharePoint Online makes sharing your content externally easy. The tricky part is ensuring that external users get the proper level of security and setup.
There are multiple authentication options for sharing your site externally.
You can choose the best option for your organization at the tenant/admin level. Then, you can change site collections individually to allow for different levels of sharing per site collection. Note that at the site collection level you can only make sharing less permissive than the tenant-level setting, never more permissive. Therefore, you want to set the tenant-level option to the most permissive level you are willing to allow anywhere in your environment, and then apply a stricter external sharing policy per site collection.
As a rule of thumb, store internal content in one site collection and external content in a separate site collection. This reduces the risk of internal content being exposed to external users. In addition, internal site collections can have external sharing turned off, while external sites have external sharing turned on. This effectively blocks external users from accidentally accessing content they shouldn't.
How do you check or change your organization's external sharing settings?
Options for External Sharing in SharePoint Online
Below are the options for external sharing, listed from least to most permissive.
Only people in your organization
This option blocks all external sharing for your entire organization. Rather than setting it at the tenant level, use a more open policy there, and then adjust each site collection's settings to be more restrictive.
Existing guests
In Active Directory (AD), you can add external users as guest users. This gives IT more control and easy visibility of which external users are being allowed access to the organization.
A guest user account can be set up using any email address.
- For O365 accounts, the users will log in with their company's username and password.
- For other email accounts (such as Gmail), users will need to set up a password.
In addition, the guest user account must be added to an appropriate SharePoint permission group to access the content.
New and existing guests
Site members/owners can grant access to users not in the organization's Active Directory. The site's members/owners decide to whom they will grant access.
Authentication is required. External users must log in with their email and authenticate with their credentials.
For O365 accounts, users will log in with their company's username and password.
For other email accounts, users will need to set up a password.
Anyone
External users can access the content without authentication. A login is not required. Internal users can share a link to any content, and external users can potentially forward the link to anyone outside the organization. Therefore, you will not know who is accessing the shared data.
You can specify additional settings for the anonymous access links by setting an expiration date and the level of access the link can provide.
Note: If an external user opens a Word or Excel file and does not have the desktop application, they can still view and edit the file in the web browser.
Additional External Sharing Settings
- You can limit external sharing to specific domains. This limits the pool of potential external users to specific third-party companies.
- Keep external sharing more controlled by requiring users to access content with the account it was shared with.
- Guests with the right level of access (Edit, Full Control) can share content just like any other internal user. However, you can limit their sharing rights by deselecting the tick box that allows them to share content they don't own.
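The tenant-level ceiling and the additional restrictions above can also be applied with the SharePoint Online Management Shell. This is an added example, not part of the original post; the tenant name and partner domains are placeholders, and the module must already be installed.

```powershell
# Added example (not from the original post). Assumes the
# Microsoft.Online.SharePoint.PowerShell module is installed and the caller
# is a SharePoint administrator. Tenant name and domains are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

# SharingCapability values, listed from least to most permissive:
#   Disabled                         - Only people in your organization
#   ExistingExternalUserSharingOnly  - Existing guests
#   ExternalUserSharingOnly          - New and existing guests
#   ExternalUserAndGuestSharing      - Anyone (anonymous links)
# The tenant value is the ceiling: no site collection can be looser than it.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Limit external sharing to named partner domains (allow list).
# The domain list is one space-separated string.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "partner-a.example partner-b.example"

# Guests must sign in with the account the invitation was sent to.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

# Guests may not reshare content they do not own.
Set-SPOTenant -PreventExternalUsersFromResharing $true

# Only relevant if the ceiling is raised to ExternalUserAndGuestSharing:
# force anonymous links to expire and keep them view-only.
# Set-SPOTenant -RequireAnonymousLinksExpireInDays 30 `
#               -FileAnonymousLinkType View -FolderAnonymousLinkType View

# Read the effective tenant settings back to confirm the change.
Get-SPOTenant | Select-Object SharingCapability, SharingDomainRestrictionMode,
    SharingAllowedDomainList, RequireAcceptingAccountMatchInvitedAccount,
    PreventExternalUsersFromResharing
```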
Changing Site Collection Level External Sharing Settings
Once external sharing is set at the tenant level, you can change the settings of your organization's site collections. Ideally, external users will only be allowed access to a separate site collection.
How can we change a site collection's external sharing options?
- Navigate to the SharePoint Admin center and select Active sites from the left navigation.
- Select the site collection for which you want to change the settings, then select Sharing from the ribbon.
- A settings pane will display on the left side of the screen. Adjust the settings as needed.
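The same per-site change can be scripted, which also makes it easy to audit which site collections still allow external sharing. This is an added example, not part of the original post; the tenant and site URLs are placeholders.

```powershell
# Added example (not from the original post). Assumes the
# Microsoft.Online.SharePoint.PowerShell module is installed and the caller
# is a SharePoint administrator. URLs are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# The one site collection designated for external content (placeholder).
$externalSite = "https://contoso.sharepoint.com/sites/PartnerPortal"

# Set $dryRun to $false to apply changes; by default the script only reports.
$dryRun = $true

# Every other site collection is set to internal-only. A site value can only
# be stricter than the tenant ceiling, never looser, so the external site
# inherits whatever ceiling was chosen at tenant level or below it.
Get-SPOSite -Limit All | ForEach-Object {
    $target = if ($_.Url -eq $externalSite) { "ExternalUserSharingOnly" } else { "Disabled" }
    if ($_.SharingCapability -ne $target) {
        Write-Host "$($_.Url): $($_.SharingCapability) -> $target"
        if (-not $dryRun) {
            Set-SPOSite -Identity $_.Url -SharingCapability $target
        }
    }
}

# Audit: list any site collection that still allows external sharing,
# most permissive first, with its owner for follow-up.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability, Owner, LastContentModifiedDate |
    Sort-Object SharingCapability -Descending |
    Format-Table -AutoSize
```

Run it once with `$dryRun = $true` and review the reported changes before applying them, since some system site collections may intentionally differ from the default.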
Guest User Experience
Before rolling out guest access that requires authentication, you will want to know what the experience looks like from the guest's side.
If your organization requires external users to be listed in Active Directory, an AD Admin user must set up the guest user account. Then, once the user is added in AD, they will get an email that looks like this:
When they select the Get Started button, one of the following will happen:
- Users who already have an O365 account will be prompted to sign in using their existing O365 account.
- Users who do not have an O365 account will be asked to set up a password and verify their email.
If your organization does not require the external user to be in Active Directory, but authentication is required (option #3 in the external sharing options listed above), the users must sign in or create a password from the shared email below. They will follow the same setup screens as the registered guest user above.
Happy External Sharing!
Do you want to learn more about SharePoint? Then, join a SharePoint Learning Tree course!
This piece was originally posted on July 31, 2019, and has been refreshed with updated styling.