It is possible to share content from your SharePoint environment to external users. These users are not part of your tenant. They might have their own tenant within their company, or they might just be a person with a personal email address, such as a live.com or gmail.com.
There are a few setup steps within your tenant to allow or disallow external sharing.
SharePoint Admin center
Navigate to your SharePoint Admin Center, https://<tenant>-admin.sharepoint.com. On the left-hand side of the screen there is a Sharing navigation link, which takes you to the ExternalSharing.aspx page.
Sharing outside your organization
In this part of the page you can disable external sharing completely, or open it up at a granular level.
Don’t allow sharing outside your organization
- This disables external sharing.
Allow sharing only with the external users that already exist in your organization’s directory
- If you have previously shared with external people (especially before Microsoft changed how external sharing worked in Dec 2017), or shared an entire site with an external person, their account gets put into your organisation as a guest account. Having this option on will continue to allow sharing with those people, but prevent sharing with new external users.
Allow users to invite and share with authenticated external users
- This option allows users to share externally, but prevents them from sending anonymous links. New external users can be invited. (Personally, I feel this option is also missing an expiry option, where a link only exists for x number of days for external users; hopefully this is something Microsoft will include eventually.)
Allow sharing to authenticated external users and using anonymous access links.
- This option completely opens up external sharing. Your users can share externally with anyone, without requiring the external user to authenticate. With anonymous sharing, you also get the option to expire links after x number of days, and you can set the access link types that get sent out to users. Setting Files or Folders to ‘View’ means every anonymous external link sent out will always be read only. Setting ‘View and Edit’ for files or ‘View, Edit, and Upload’ for folders allows the person sending out the anonymous external link to decide whether to apply Read only or Contribute permission to the link.
Who can share outside your organization
If your organisation wants to allow only a group of people to share externally, it can do that here. This can be done using individual people's names, or with an AD group. What is nice here is that if you don’t trust a group of people with anonymous sharing, you can assign a different group of people to allow anonymous sharing.
Default link type
When someone selects a document/folder and clicks on the Share option, you can default the link type so the user doesn’t need to switch each time.
Direct – specific people: (Screenshot below – Yellow option) Specific people
Internal – only people in your organization: (Screenshot below – Blue option) People in <tenantName>
Anonymous Access – anyone with the link: (Screenshot below – Green option) Anyone
There is also a tick option: Use shorter links when sharing files and folders.
Default link permission
Here you can set the default permission of either view or edit when someone creates a sharing link. This isn’t just for external links; it applies to anonymous, internal and direct links. If your company is quite security conscious, setting this to View is a good idea.
As stated on the page, these settings do not apply to anonymous access links.
Limit external sharing using domains (applies to all future sharing invitations).
- If your company only works with a couple of 3rd party companies, and your documents shouldn’t be shared with anyone else, this is a good option to use. Here you can ‘whitelist’ domain names to send to.
Prevent external users from sharing files, folders, and sites that they don’t own.
- Once you have externally shared your document with someone, do you want them to then be able to share it on to someone else that you haven’t authorised? If not, then ensure this is ticked. If it is their own document that they have uploaded/created, they will be able to share that.
External users must accept sharing invitations using the same account that the invitations were sent to.
- When you send a link to someone with this option selected, they will only be able to sign in using the email address you sent the invite to. This option can also cause problems if you send the link to someone's personal email and they also have their own 365 account, as their 365 cookie token can get picked up, and they receive the error message that the account they are using to sign in with is not the same account the invite was sent to.
Require recipients to continually prove account ownership when they access shared items.
- Once the external user has logged in once without this ticked, a cookie is put on their machine to allow them access to that document again without requiring them to re-authenticate with a code.
These notifications are for when sharing using OneDrive for Business. You can optionally select whether an email will be sent or not for the following 3 options.
- Other users invite additional external users to shared files.
- External users accept invitations to access files.
- An anonymous access link is created or changed.
OneDrive External Sharing
There is also a configuration page for OneDrive external sharing.
Go to the OneDrive admin centre. Click the Waffle -> Admin. Under Admin centers click OneDrive. Then on the left-hand navigation, click Sharing.
Note that these settings, when changed here, will affect the settings you set in the SharePoint Admin Centre for Sharing. So, change something here, then head back to the SharePoint Admin Centre sharing page, and the changes will be reflected there. However, there is one setting here that isn’t in the SharePoint Admin Centre sharing page, and that is OneDrive permissive sharing.
The above section allows you to set the sharing settings for SharePoint differently from OneDrive. In the above screenshot, I’ve allowed sharing (not anonymous) in SharePoint and prevented any external sharing in OneDrive.
Please note: you cannot set OneDrive to be more permissive than SharePoint, as stated underneath the sliders.
Site Collection sharing
In the SharePoint Admin Center, under Site Collections, you can change some of the tenant sharing settings just for a given site collection. Select the site collection you wish to change and click Sharing in the ribbon.
Sharing outside your company
At the site collection level, you are able to choose an option for Sharing outside your company, as long as it’s less permissive than your tenant settings.
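The rule above (a site collection, like OneDrive, cannot be more permissive than the tenant) can be checked across all scopes at once. The following PowerShell is an added example, not from the original post or from Microsoft: the function name Test-SharingScope, the policy ceiling and the contoso sample data are assumptions made for illustration, while the level names are the SharingCapability values used by the SharePoint Online Management Shell.

```powershell
# Added example, not from the original post. All sample data is constructed.
# SharingCapability values, least to most permissive, with the matching UI option.
$Rank = @{
    'Disabled'                        = 0  # Don't allow sharing outside your organization
    'ExistingExternalUserSharingOnly' = 1  # Only external users already in the directory
    'ExternalUserSharingOnly'         = 2  # Invite authenticated external users
    'ExternalUserAndGuestSharing'     = 3  # Authenticated users plus anonymous links
}

function Test-SharingScope {
    param(
        [Parameter(Mandatory)] $Tenant,  # needs SharingCapability, OneDriveSharingCapability
        [Parameter(Mandatory)] $Sites,   # each needs Url, SharingCapability
        [string] $Ceiling = 'ExternalUserSharingOnly'  # hypothetical policy: no anonymous links
    )
    $tenantLevel = [string]$Tenant.SharingCapability
    $scopes = @(
        [pscustomobject]@{ Scope = 'Tenant';   Level = $tenantLevel }
        [pscustomobject]@{ Scope = 'OneDrive'; Level = [string]$Tenant.OneDriveSharingCapability }
        foreach ($site in $Sites) {
            [pscustomobject]@{ Scope = $site.Url; Level = [string]$site.SharingCapability }
        }
    )
    foreach ($s in $scopes) {
        if (-not $Rank.ContainsKey($s.Level)) {
            throw "Unknown sharing level '$($s.Level)' on $($s.Scope)"
        }
        # A scope never gets more than the tenant allows, so the stricter value wins.
        $aboveTenant = $Rank[$s.Level] -gt $Rank[$tenantLevel]
        $effective   = if ($aboveTenant) { $tenantLevel } else { $s.Level }
        [pscustomobject]@{
            Scope        = $s.Scope
            Configured   = $s.Level
            Effective    = $effective
            AboveTenant  = $aboveTenant                           # stale or drifted setting
            AboveCeiling = $Rank[$effective] -gt $Rank[$Ceiling]  # breaks the assumed policy
        }
    }
}

# Constructed sample matching the post: SharePoint authenticated-only, OneDrive none.
$tenant = [pscustomobject]@{ SharingCapability = 'ExternalUserSharingOnly'; OneDriveSharingCapability = 'Disabled' }
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/projects'; SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/legacy';   SharingCapability = 'ExternalUserAndGuestSharing' }
)
# Against a live tenant: $tenant = Get-SPOTenant; $sites = Get-SPOSite -Limit All
Test-SharingScope -Tenant $tenant -Sites $sites | Format-Table -AutoSize
```

A row with AboveTenant set marks a site whose stored value is looser than the tenant's, which is worth correcting so that a later tenant-level change does not silently widen it.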
Site collection additional settings
Allowing non-owners to invite new users
Clicking “Turn off sharing for non-owners on all sites in this site collection” will only allow people in the Owners group to share anything with anyone externally. Once turned off, it looks like there is no way of turning it on again. The way you turn it back on is by going into the Site Collection -> Site Settings -> Site Permissions -> Access request settings. Here you can tick the top check box “Allow members to share the site and individual files and folders”. (The Access Request Settings are explained further in the next section.)
Site Collection (in the site) settings
By going to the actual root site, there is one more place where you can affect sharing settings. This is the Access Request Settings.
Site Settings -> Site Permissions. Then Access Request Settings in the ribbon.
There are 3 settings here.
Allow members to share the site and individual files and folders
With this ticked, members can share.
- However, with only this ticked they cannot share the site. When a user tries to share the site, the Share button clicks but nothing happens.
With this unticked, you are turning off sharing for everyone except Owners.
Allow members to invite others to the site members groups.
- With this ticked, any user that is part of the Members group will be able to share the site. It doesn’t matter if a user has permissions in the site, say in a different group; unless they are part of the Members group, they will not be able to share the site.
Allow access requests
- With this ticked and an email address put in place, when a member attempts to share a site, an owner must allow the access. Requests can be found at: Site Settings -> Access requests and invitations.
In this blog post I have explained the different areas where you can set up external sharing in your tenant/site. In my next blog post I’m going to go through the steps as a user, sharing documents/folders with external users, and the steps the external user goes through to sign in.