SharePoint Online makes sharing your content externally easy. The tricky part is ensuring you have the proper level of security and setup for external users.
There are multiple authentication options for sharing your site externally.
You can choose the best option for your organization at the tenant/admin level. Then you can change site collections individually to allow different levels of sharing per site collection. Note that at the site collection level, you can only make the sharing option less permissive than the tenant-level setting, not more permissive. Therefore, set the tenant-level option to the most permissive level you are willing to allow in any part of your environment. Then you can apply a stricter external sharing policy per site collection.
As a rule of thumb, internal content should be stored in one site collection, while external content should be stored in a separate site collection, thereby reducing the internal content's risk of exposure to external users. Internal site collections can have external sharing turned off while external sites have external sharing turned on. This effectively blocks external users from accidentally accessing content they shouldn't.
How do you check or change your organization's external sharing settings?
Options for External sharing in SharePoint Online
Below are the options for external sharing, listed from least to most permissive.
Only people in your organization:
- This option blocks external sharing for your entire organization. Using this option will block any and all external sharing! Instead, use a more open policy at the tenant level and then adjust each site collection's settings to be more restrictive.
- In Active Directory (AD), you can add external users as guest users. This gives IT more control over, and easy visibility of, the external users being allowed access in the organization.
- A guest user account can be set up using any email address.
- For O365 accounts, the users will log in with their company's username and password.
- For other email accounts (such as gmail), users will need to set up a password.
In addition, the guest user account needs to be added to an appropriate SharePoint permission group in order to access content.
New and existing guests
- Site members/owners can grant access to users who are not in the organization's Active Directory. The site's members/owners are free to decide who they will grant access to.
- Authentication is required. External users need to log in with their email and authenticate with their own credentials.
- For O365 accounts, users will log in with their company's username and password.
- For other email accounts, users will need to set up a password.
- External users can access the content without authentication. Login is not required. Internal users can simply share a link to any content, which means external users can potentially share and forward the link to anyone outside of the organization. Therefore, you will not know who is accessing the shared data.
Note: If an external user accesses a Word/Excel file and does not have the Word/Excel application, they can view and edit the file via the web browser.
- You can limit external sharing to specific domains. This limits the pool of potential external users to specific third-party companies.
- Keep external sharing more controlled by requiring the user to access content with the account that it was shared with.
Changing Site Collection Level External Sharing Settings
Once external sharing is set at the tenant level, you can change the settings for the site collections in your organization. Ideally, external users will only be allowed access on a separate site collection.
How can we change a site collection's external sharing options?
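The tenant-level and site-collection-level settings described above can also be set and audited from the SharePoint Online Management Shell. The script below is an added example, not part of the original post; the tenant URL, site URL and partner domain are placeholders, and the choice of "New and existing guests" with a domain allow list is an assumption made for illustration.

```powershell
# Added example. Requires the SharePoint Online Management Shell module
# (Microsoft.Online.SharePoint.PowerShell) and a SharePoint admin role.
$adminUrl    = 'https://contoso-admin.sharepoint.com'           # placeholder
$externalUrl = 'https://contoso.sharepoint.com/sites/partners'  # placeholder
$apply       = $false   # report only; set to $true to change site settings

Connect-SPOService -Url $adminUrl

# Sharing options, least to most permissive, as SharingCapability values:
#   Only people in your organization -> Disabled
#   Existing guests                  -> ExistingExternalUserSharingOnly
#   New and existing guests          -> ExternalUserSharingOnly
#   Anyone                           -> ExternalUserAndGuestSharing
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

# Tenant level is the ceiling: authenticated guests only, one allowed
# partner domain (placeholder), and guests must sign in with the invited account.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList 'partner.example' `
    -RequireAcceptingAccountMatchInvitedAccount $true

# Audit: every site collection that currently allows any external sharing.
$open = Get-SPOSite -Limit All |
    Where-Object { $rank["$($_.SharingCapability)"] -gt 0 }
$open | Select-Object Url, SharingCapability | Format-Table -AutoSize

# Keep sharing on the designated external site only; turn it off elsewhere.
foreach ($site in $open) {
    if ($site.Url.TrimEnd('/') -eq $externalUrl) { continue }
    if ($apply) {
        Set-SPOSite -Identity $site.Url -SharingCapability Disabled
    } else {
        Write-Output "Would disable external sharing on $($site.Url)"
    }
}
```

Get-SPOSite leaves out OneDrive personal sites unless -IncludePersonalSite $true is passed, so this audit covers SharePoint site collections only.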
Guest User Experience
Before granting access to guest users with required authentication, you will want to know what the experience looks like on their side.
If your organization requires external users to be listed in Active Directory, an AD Admin user will need to set up the guest user account. Then, once the user is added in AD, they will get an email that looks like this:
When they select the Get Started button, one of the following will happen:
- For users who already have an O365 account, they will be prompted to sign in using their existing O365 account.
The user will not have access to any content until they are added to the appropriate SharePoint permission group.
External users will receive the standard SharePoint "share" email when they are given access to a site or file in SharePoint.
If your organization does not require external users to be in Active Directory but authentication is required (option #3 in the external sharing options listed above), the users will need to sign in or create a password from the share email below. They will follow the same setup screens as the registered guest user above.
Happy External Sharing!
Do you want to learn more about SharePoint? Join a SharePoint Learning Tree course!