External Sharing with Office 365: What You Need to Know
Page 1 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
WHITEPAPER
External Sharing With Office
365: What You Need To
Know The Definitive Guide On Successfully Planning External
Sharing With Office 365
WRITTEN BY Richard Harbridge, Kanwal Khipple & Haniel Croitoru
PUBLISHED 05.01.15 // REVISED 07.15.16
WRITTEN BY Richard Harbridge & Kanwal Khipple
PUBLISHED 04.17.16 // REVISED 09.21.16
External Sharing with Office 365: What You Need to Know
Page 2 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Table of Contents 1. INTRODUCTION.................................................................................................................................................................... 5
2. EXTERNAL SHARING DECISIONS ................................................................................................................................... 6
Decision 1: Will you enable external sharing? ............................................................................................................ 6
Decision 2: Use SharePoint Online or Custom, Third Party or SharePoint Server Based Solutions? ...... 7
Office 365 External Sharing Limitations ................................................................................................................... 7
Getting Around External Sharing Limitations ......................................................................................................... 9
Decision 3: Will External Users Be Able To Accept An Invite With Personal Or Alternative Accounts? 9
Decision 4: Will you allow guest links? ....................................................................................................................... 10
Decision 5: Where will external sharing be enabled? ............................................................................................ 11
Key Considerations ........................................................................................................................................................ 11
Approaches ....................................................................................................................................................................... 12
3. FREQUENTLY ASKED QUESTIONS ................................................................................................................................ 13
Will we be able to invite anyone with an email (like Gmail accounts) or will there be restrictions? .... 13
Is there a way to avoid an external user linking an invitation with an unintended account? ................. 13
If I have tens of thousands of external users will SharePoint online performance be impacted? ........ 14
Can an external user invite other external users? ................................................................................................... 14
When I invite an external user is there a way to see pending invites? ........................................................... 14
4. EXTERNAL SHARING & EXTERNAL USER ROADMAP ........................................................................................... 16
External Sharing Capabilities In Office 365 Today .................................................................................................. 16
Ability To Add External Collaborators Or Readers To Any SharePoint & OneDrive Document ........ 16
Ability To Add External Collaborators Or Readers To Any SharePoint Site .............................................. 16
Office 365 Groups: Guest Access Support ............................................................................................................. 16
Yammer External Groups ............................................................................................................................................. 16
External Users Can Use Office Online ..................................................................................................................... 17
External Users Can Edit Lists, List Items and Documents ................................................................................. 17
External Users Can Read Lists, List Items and Documents .............................................................................. 17
External Users Can Navigate Sites & See Other Site Content ........................................................................ 17
External Sharing with Office 365: What You Need to Know
Page 3 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Ability To Add External Collaborators To Your Internal Yammer Conversations .................................... 17
External Sharing Administration Settings .............................................................................................................. 18
Ability To Delete An External User To Revoke Access To A Site ................................................................... 18
Ability To See External Access Request History (Per Site Collection) .......................................................... 18
Ability To Set An Expiry Date For A Guest Link ................................................................................................... 18
The Ability To Share OneDrive For Business Folders Externally .................................................................... 19
Unlimited External Sharing ......................................................................................................................................... 19
Guests Can Sign-Up For An Account In Sharepoint Online And Onedrive For Business ..................... 20
External Sharing In Development ................................................................................................................................. 20
Allow/Deny List For External Sharing Domains ................................................................................................... 20
Restricting Sharing To Owners Only ........................................................................................................................ 21
Organizations Able To Assign Higher Value Licenses To External Users ................................................... 21
Orgs Manage Password For External Users .......................................................................................................... 21
Orgs Enable Multi-Factor Authentication (MFA) For External Identities .................................................... 21
Organizations Able To Block New Invitations But Allow Login For External Users ................................ 21
Group To Group Sharing & Org To Org Sharing ................................................................................................ 22
Azure AD Connect Sync’d Users Can Be Labeled Or Designated As External Users .............................. 22
External (Guest) User Access In Office 365 Planner ........................................................................................... 22
5. ENHANCEMENTS TO EXTERNAL SHARING & ACCESS ........................................................................................ 23
Customization Opportunity 1: Expiring External User Sharing in SharePoint Online ................................ 23
Customization Opportunity 2: Bulk Sharing With External Users ..................................................................... 24
Customization Opportunity 3: Create An App That Updates External User Properties. ........................... 24
Customization Opportunity 4: Create a script that Enables the use of a custom HTML email to bulk
invite users ............................................................................................................................................................................ 25
3rd Party Product Opportunity – ShareGate .............................................................................................................. 25
6. YAMMER EXTERNAL NETWORKS ................................................................................................................................. 26
What Are External Networks? ........................................................................................................................................ 26
New External Network Approval ................................................................................................................................... 26
External Sharing with Office 365: What You Need to Know
Page 4 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
The External Network Must Be Managed .................................................................................................................. 27
7. CONCLUSION ...................................................................................................................................................................... 29
Office 365 External Sharing Advantages .................................................................................................................... 29
Office 365 External Sharing Disadvantages .............................................................................................................. 29
8. RESOURCES .......................................................................................................................................................................... 31
9. ABOUT 2TOLEAD ................................................................................................................................................................ 32
About Authors ......................................................................................................................................................................... 33
External Sharing with Office 365: What You Need to Know
Page 5 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
1. INTRODUCTION If your organization performs work that involves sharing documents or collaborating directly with
vendors, clients, or customers, then you might want to begin using the external sharing features of
SharePoint Online to share content with people outside your organization.
Just because you can use the external sharing features doesn’t always mean you should, or that it will
satisfy all of your external sharing needs.
Do you understand the external sharing limitations in Office 365 today? Do you know what key
decisions need to be made to make sure your external sharing strategy is successful?
This whitepaper contains a summary of important planning guidance for any organization that is
looking to implement external sharing in Office 365 based on our work advising hundreds of
customers on being successful with Office 365.
NOTE: Considering an Extranet? While this whitepaper contains a variety of applicable
guidance for an Office 365 Extranet we tried not to go too deep into the advantages
of an Extranet running on other platforms. It may make sense to run your Extranet on
SharePoint 2016 either on-premises or hosted in a private/public cloud (like Azure).
If you aren’t certain what the right choice is by the end of this whitepaper, we highly
recommend contacting us so we can give you more prescriptive advice.
External Sharing with Office 365: What You Need to Know
Page 6 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
2. EXTERNAL SHARING DECISIONS There are five key decisions you need to make when planning for external sharing in Office 365.
1. Will you enable external sharing?
2. Will you use SharePoint online, custom, third party or SharePoint server based solutions?
3. Will External Users Be Able To Accept An Invite With Personal Or Alternative Accounts?
4. Will you allow guest links?
5. Where will external sharing be enabled?
Decision 1: Will you enable external sharing? This decision should be easy. You SHOULD enable external sharing. Even if you have alternatives,
there are controlled scenarios where external sharing could be useful for your organization.
If external sharing is turned off for the entire SharePoint Online environment, you will not be able to
turn it on for specific site collections.
If external sharing is turned off globally in the SharePoint Online Admin Center, any shared links will
stop working. If the feature is later reactivated, these links will resume working. It is also possible to
disable individual links that have been shared if you want to permanently revoke access to a specific
document.
You must be a SharePoint Online administrator to configure external sharing.
From the SharePoint admin center, click settings.
In the External sharing section do one of the following:
If you want to: Select this option: For this result:
Prevent all users on all sites
from sharing sites or
content with external users.
Don’t allow sharing
outside your
organization
Users will not be able to share sites or
content with users who do not have
licenses to your Office 365 subscription.
External sharing cannot be turned on for
any individual site collections.
External Sharing with Office 365: What You Need to Know
Page 7 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Decision 2: Use SharePoint Online or Custom, Third Party or
SharePoint Server Based Solutions? While this may seem obvious, it is important to note that SharePoint Online can only be customized
so far. Microsoft runs the service and has a clear roadmap for external sharing. That roadmap may or
may not include capabilities important to your organization when it comes to managing and securing
external sharing.
Office 365 External Sharing Limitations Here are the most common reasons SharePoint Online won’t work for the external sharing needs of
an organization:
There is no way to create self-service options for external users to onboard themselves into a
SharePoint Online site.
There is no automation of external user onboarding.
o You cannot bulk invite external users OOTB nor is there OOTB automation of external
user invitation.
o Once you share something, the invitation is valid for seven days only. After that, the
invitation will expire, and you’ll have to send another invite.
o The invitation process email is sent by Microsoft and cannot be customized. This process
can enable users (depending on Decision 3) to link the invitation to the wrong account
by accident (or based on their choice).
o On the roadmap, there is a plan to some of these features in the future. See the
roadmap section for more details.
External users cannot create personal sites (what used to be referred to as My Sites), edit their
profile, change their photo, or see aggregated tasks.
o There was a hack for this, but it no longer works:
http://www.lifeonplanetgroove.com/profiles-and-pictures-for-office365-sharepoint-
online-external-users/
o The SharePoint service admin can update user profiles in SharePoint’s admin center for
external users to add some of the external user details, but external users themselves
cannot do so. This can be important for updating simple, but important user attributes
like chosen language. As an example if the language is set in the user profile you can
have the site display in a different language for that external user (often important for
globally dispersed external sharing scenarios).
External Sharing with Office 365: What You Need to Know
Page 8 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Keep in mind that it takes time for the changes in the profile service to appear for
external users.
External users don’t get their own OneDrive for Business document library.
Office 365 has limited management of external users.
o We can only report on external users once they have access and can do basic things like
removing an external user. With code, we can do a bit more, but again nothing in the
invite or onboarding process only after the user has logged in or authenticated.
o There are limited if any 3rd party options.
o External users are difficult to detect but can be collected/listed – the more challenging
issue is identifying what supplier they are associated with as by default they could log in
with a different ID. So even with a central list of supplier invites maintained manually the
email listed may not match the email they use (as invites can be accepted and any email
used to include live/outlook emails).
Example: I invite [email protected] – I can’t depend on them using
[email protected] as Richard could accept the invite and use a MSFT ID like
[email protected] instead.
External users cannot be an administrator for a site collection (except in scenarios where you’ve
hired a partner to help manage Office 365.
External users cannot see the company-wide newsfeed (if you are using SharePoint Newsfeed).
o If you are using the SharePoint Newsfeed, stop and switch to Yammer.
External users cannot add storage to the overall tenant storage pool.
External users cannot access the Search Center or execute searches against “everything.” Other
search features that may not be available include Advanced Content Processing, continuous
crawls, and refiners.
External users cannot access site mailboxes.
External users are unable to sync libraries or folders offline.
External users are unable to download more than one file at a time.
External users cannot access PowerBI features such as Power View, Power Pivot, Quick Explore,
or Timeline Slicer. These features require an additional license, which is not inherited by
external users.
External users cannot use eDiscovery. eDiscovery requires an Exchange Online license.
External users cannot open downloaded documents that are protected with Information Rights
Management (IRM).
External Sharing with Office 365: What You Need to Know
Page 9 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
External users cannot use Excel Services features, including Calculated Measures and Calculated
Members, decoupled Pivot Tables and PivotCharts, Field List and Field support, filter
enhancements, search filters.
External users who edit content through a guest link (anonymously) will not have their changes
tracked.
External users cannot use SharePoint Online data connection libraries.
External users cannot use Visio Services.
External users cannot access Add-Ins.
Getting Around External Sharing Limitations There are essentially two options if the Office 365 external sharing features, roadmap, and broad
capabilities don’t meet your external sharing needs.
Option 1: You can work around these limitations by building custom solutions (see section 5 of this
whitepaper) or by using 3rd party products.
Option 2: You can get many of the advantages SharePoint provides when it comes to external
sharing and providing extranet experiences but will need to implement SharePoint on-premises,
hosted by a 3rd party or in a private/public cloud. You will need to invest in additional SharePoint 3rd
party products and may need some customization support in addition to this to meet your external
sharing needs.
Decision 3: Will External Users Be Able To Accept An Invite
With Personal Or Alternative Accounts? Using the SharePoint Online Management Shell, administrators can now enforce new controls over
how external users accept invitations. When enabled, the
RequireAcceptingAccountMatchInvitedAccount parameter requires external users to accept invitations
with the email account with which they originally received the invitation.
If this parameter is not set or is set to null:
When a user shares with an external user, they enter an e-mail like [email protected], and an email
is sent to Stephen at [email protected]. When he attempts to accept the invitation (by clicking the
link in the email), he can log in with any account he wants to use. For example, he could use
[email protected], [email protected], or even [email protected]. The sharing email can be
External Sharing with Office 365: What You Need to Know
Page 10 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
forwarded and accepted by anyone. This system ensures that external users who use email aliases or
who do not have a Microsoft account or organization account can accept the invitation.
If this parameter is set to true:
The RequireAcceptingAccountMatchInvitedAccount parameter ensures that the user who receives the
invitation is also the user who accepts it. If an invitation is sent to [email protected], only a user
who can log into [email protected] can accept the invitation. Any other email account displays an
error page that directs the user to use the appropriate account.
Notes that this does not apply to invitations that have previously been accepted in SharePoint Online
and it only affects external sharing invitations that are generated after the parameter has been set. It
will also not affect external users who have previously accepted an invitation. They will be able to log-
in and use the system as normal. This feature does not work with e-mail aliases.
Decision 4: Will you allow guest links? There is a decision that needs to be made if you will enable guest links or only external sharing invites.
This can be done at a site collection or site URL designated level, but a broad enterprise question on
whether you will enable these anonymous links is an important decision.
You will also need to decide what the default expiration period will be. IT can set a tenant policy
(RequireAnonymousLinksExpireInDays) that makes expiration dates mandatory for anonymous or
guest links and assigns default expiration period (e.g., 7 days). Users can still set an expiration date
that is shorter, but not longer, than the default period.
You must be a SharePoint Online administrator to configure external sharing.
From the SharePoint admin center, click settings.
In the External sharing section do one of the following:
If you want to: Select this
option: For this result:
Require external users
who have received
invitations to view sites
or content to sign-in
with a Microsoft account
Allow external
users who accept
sharing
invitations and
sign in as
Site owners or others with full control permission
can share sites with external users.
All external users will be required to sign in
before they can view content.
Invitations to view content can be redeemed only
once. After an invitation has been accepted, it
External Sharing with Office 365: What You Need to Know
Page 11 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
If you want to: Select this
option: For this result:
before they can access
the content.
authenticated
users
cannot be shared or used by others to gain
access.
Allow site users to share
sites with people who
sign in as authenticated
users, but you also want
to allow site users to be
able to share
documents through the
use of anonymous guest
links, which do not
require invited
recipients to sign in.
Allow both
external users
who accept
sharing
invitations and
guest links
Site owners or others with full control
permissions can share sites with external users.
All external users will be required to sign in
before they can view content on a site that has
been shared.
Site owners or others with full control
permissions can share documents and opt to
require sign-in, or send an anonymous guest link
for documents.
When site users share a document, they can grant
external users either view or edit permissions to
the document.
External users who receive anonymous guest links
can view or edit that content without signing in.
Anonymous guest links could potentially be
forwarded or shared with other people, who
might also be able to view or edit the content
without signing in.
Decision 5: Where will external sharing be enabled? Where external sharing will be enabled is a more complex question and gets into the implementation
decisions you need to take when implementing External Sharing.
Key Considerations You should include planning for external sharing as part of your overall permissions planning for
SharePoint Online. In general, it’s a best practice to operate on the “principle of least privilege” and
grant external users minimal and limited access to your environment. You may even want to create a
special permissions group to which external users are assigned when they receive invitations. You
should also consider segmenting your content by security levels so that sensitive content is centrally
located and can be tightly secured. If you anticipate an ongoing need to have external users log in to
External Sharing with Office 365: What You Need to Know
Page 12 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
your site and perform specific tasks, consider creating a site collection that is dedicated to the purpose
of external sharing. This way, you can allow external users access to specific content without opening
up your entire environment to them.
The external sharing settings for individual site collections cannot be less restrictive than whatever is
allowed for the entire SharePoint Online environment, but these settings can be more restrictive. For
example, if external sharing is turned on for the entire SharePoint Online environment, but it is limited
to allow only authenticated users, then that will be the only kind of external sharing you can allow in a
specific site collection. If external sharing through both sign-in and anonymous guest links is allowed
for the entire SharePoint Online environment, you can opt to turn off external sharing entirely for a
specific site collection, or you can limit external sharing to authenticated users (no guest links).
If you change the external sharing settings for the My Site site collection, these changes will also apply
to any existing or newly created personal sites (formerly called My Sites).
Sharing settings on the “my site” site collection (e.g., https://contoso-my.sharepoint.com) will apply to
the OneDrive for Business sites for all users of the organization. You cannot selectively manage sharing
for a particular user’s OneDrive for Business site.
Approaches Generally speaking, many organizations set up an approval process and combine it with the site
provisioning process. Organizations typically take multiple approaches to managing external sharing
access settings for sites.
Approach 1: Based it on site classification. Some classifications of sites do not have external sharing
enabled due to the confidential nature or high impact of those sites. Other sites can have it requested
to be turned on but will not be on by default. Some site types will have it on by default such as OneDrive
for Business sites, customer sites, or partner sites (Extranets).
Approach 2: A core Extranet environment (or environments) will be configured, and this external
sharing option will be enabled only in that designated collection of sites. This requires users to copy or
move their content to these external sites, but ensures easier tracking and often may be leveraged if
you are pulling in enterprise data to surface to external parties. As an example, you might have a
supplier extranet that syncs data from SAP so that suppliers can see the current status of invoices,
services, or other information. In that scenario, external sharing (and customizations) are implemented
on targeted sites but not necessarily available across the tenant.
External Sharing with Office 365: What You Need to Know
Page 13 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
3. FREQUENTLY ASKED QUESTIONS There are quite a few frequently asked questions around external users. We have included a few here
to help improve your readiness and understanding around how some of the external sharing features
work.
Will we be able to invite anyone with an email (like Gmail
accounts) or will there be restrictions? When an external user is invited, an email is created with a special invite ID. This email goes to
whatever email is invited. So I can easily invite [email protected] and when I do
[email protected] gets an invite email (1) that they can then click on to accept the invite.
When they click on this, they then choose to login with a Microsoft account (personal or school/work
account). So, in theory, ANY email can be invited, but the authentication happens with a specific MSFT
related account (Hotmail, outlook, 365 tenants, etc.) – when they log in what happens is the invited
user is now associated with the one that logged in (for permissions). So if I shared a few sites as an
example with [email protected] but signed in with [email protected], it
would still give me appropriate access.
The above may seem confusing, but it’s meant to enable a consistent onboarding experience.
You might be wondering – can we set up the authentication to instead work with Google or Facebook
accounts instead of just Microsoft Passport authentication? The short answer here is no. The long
answer is still no, but we would be happy to explain this in depth if you are interested.
Is there a way to avoid an external user linking an invitation
with an unintended account? There is a PowerShell command that can be run that makes it, so the ONLY email that can accept/login
from the invite is the email invited. This is a 1:1. So if the email is misspelled, or unable to authenticate
with Azure Active Directory (like Gmail), then they would be unable to log in. The big positive here is
that you ensure consistent user email addresses. In other words, if you invite [email protected] I
CANNOT authenticate with [email protected], only my [email protected] email.
External Sharing with Office 365: What You Need to Know
Page 14 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
If I have tens of thousands of external users will SharePoint
online performance be impacted? The short answer is no. You should still be careful when planning how you will manage so many external
users and what access they have, but there are no limits or impacts to performance if you share with
more external users.
Can an external user invite other external users? The short answer is yes. If you give full control to an external user (the permission), they may be able
to share content with other external users. This is why giving external users specific permissions (least
privilege rights) is a good idea.
When I invite an external user is there a way to see pending
invites? Absolutely. All pending invites are displayed in the SharePoint site.
External Sharing with Office 365: What You Need to Know
Page 15 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
External Sharing with Office 365: What You Need to Know
Page 16 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
4. EXTERNAL SHARING & EXTERNAL USER ROADMAP This section of the whitepaper has been broken down into two subsections. The first section
summarizes what has been released and the second section summarizes what is in development
based on public disclosure by Microsoft. Please note the last date this document was updated as
things may have changed.
External Sharing Capabilities In Office 365 Today What follows is a summary collection of core capabilities already released.
Ability To Add External Collaborators Or Readers To Any SharePoint
& OneDrive Document When you add an external collaborator, you can either invite them based on a targeted email address
you send the invite to or share a document as a guest link which will enable them to view or edit it
without signing in.
Ability To Add External Collaborators Or Readers To Any SharePoint
Site Directly from the share button on the top right corner, you can invite new users. You just have to write
the email address directly inside the pop-up window.
If you then click on "Show Options", you’ll get the option to change the group you want to add the
external user into. By default, the external users are added to the Members Group and have
[Contribute] rights.
Office 365 Groups: Guest Access Support Office 365 Groups: guest access support - Guest access support enables teams using Office 365 Groups
to collaborate easily with external team members (members that are not part of their
organization/tenant). Guest users will have access to all of the groups assets: inbox, files, calendar, and
notebook. Microsoft introduce some administration controls to help you manage guests in Groups.
Yammer External Groups Yammer External Groups - External Groups help extended teams collaborate closely in Yammer. Users
are be able to invite outside participants such as vendors, partners, and customers into a group in their
Yammer network.
External Sharing with Office 365: What You Need to Know
Page 17 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Currently, Yammer supports external networks (see the appendix for more details and guidance) and
adding external participants to a conversation in addition to external groups
External Users Can Use Office Online External users can use Office Online for viewing and editing documents. If your plan includes Office
Pro Plus, they will not have the licenses to install the desktop version of Office on their computers.
External Users Can Edit Lists, List Items and Documents External users can perform tasks on a site consistent with the permission level that they are assigned.
For example, if you add an external user to the Members group, they will have Edit permissions, and
they will be able to add, edit and delete lists; they will also be able to view, add, update and delete list
items and documents.
External Users Can Read Lists, List Items and Documents External users can perform tasks on a site consistent with the permission level that they are assigned.
For example, if you add an external user to the Visitors group, they will have View permissions, and they
will be able to view lists; they will also be able to view list items and documents.
External Users Can Navigate Sites & See Other Site Content External users can see other types of content on sites. For example, they can navigate to different
subsites within the site collection to which they were invited and see pages, web parts, roll ups, and
views. They will also be able to do things like view site feeds (if you are using SharePoint site feeds).
Ability To Add External Collaborators To Your Internal Yammer
Conversations Add external collaborators to your internal Yammer conversations - Add external collaborators--such
as vendors, partners, and customers--to new conversations, existing conversations, and private
messages from your Yammer network.
To include an external participant, simply add their email address to a Yammer conversation in your
network, and they’ll be able to see and respond to this conversation from their Yammer network or
email inbox. Your data stays secure because outside participants only access the conversations they
have been added to and not the rest of the information in your network.
External Sharing with Office 365: What You Need to Know
Page 18 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
External Sharing Administration Settings External Sharing administration settings - External collaboration settings have been consolidated into
one place in the Office 365 Admin Center for admins to enable the access of their SharePoint sites and
Exchange calendars with external organizations. Also, admins can also enable their users to
communicate with people outside of their organization using Lync.
Three commonly used external collaboration settings are now grouped together in the External Sharing
tab on the Office 365 admin center left navigation menu. By enabling these settings, you can give your
users the ability to share access to their SharePoint sites and documents and Exchange calendars so
that they can collaborate more easily with people in external organizations. By enabling the Lync
collaboration setting, you can give your users the ability to communicate with people outside of your
organization. With these commonly used settings right at your fingertips in the Office 365 admin center,
you no longer have to go into a different admin portal just to enable/disable them.
Ability To Delete An External User To Revoke Access To A Site Within Office 365 Administration if you go to the External Sharing options, then sites you can see
reporting on the number of external users who have access to a site collection. From this point, you can
view external users and delete them. Deleting them revokes access they have to the site collection.
Ability To See External Access Request History (Per Site Collection) On each site collection, you can see all the access requests from the Site Settings > Access requests and
invitations link. This does not contain any of the anonymously shared guest links, only invited users.
Ability To Set An Expiry Date For A Guest Link Set an expiry date for a guest share - Microsoft provided the ability to expire external guest links.
External Sharing with Office 365: What You Need to Know
Page 19 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Microsoft also added the ability for IT to set a tenant policy (RequireAnonymousLinksExpireInDays)
that makes expiration dates mandatory for anonymous or guest links and assigns default expiration
period (e.g., 7 days). Users can still set an expiration date that is shorter, but not longer, than the
default period.
The expiration options are:
Never – The default selection for all new guest link shares.
1 Day
30 Days
60 Days
Custom – Up to the user to define.
The Ability To Share OneDrive For Business Folders Externally Share OneDrive for Business folders externally - Today a user can share an individual file from OneDrive
for Business with an external party. A short time ago Microsoft provided the ability to share a whole
folder.
Unlimited External Sharing Microsoft has made it so there are no limits on the number of external users on any SharePoint Online
or Office 365 plan.
External Sharing with Office 365: What You Need to Know
Page 20 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Guests Can Sign-Up For An Account In Sharepoint Online And
Onedrive For Business Previously, guests who wanted to create an account during the redemption flow were required to
enter ten or more fields of information, to create an account. This proved to be a huge barrier for
guests who are trying to access a resource shared with them. These users will now see the lightweight
sign-up flow which only requires a minimal amount of information.
External Sharing In Development What is currently in development by the Microsoft team?
Allow/Deny List For External Sharing Domains Allow/Deny list external sharing domains - Admins can determine a list of domains that their users can
share with or a list of those that they can’t share with.
This set of capabilities will greatly improve options for enabling external sharing. One new approach
available will be to turn on external sharing but only for approved external customers or partners. This
way a request must be made to add the external domain to the allowed list before they will get access.
Alternatively, it also provides an important control so that competitors or selected companies can be
blocked easily and when appropriate.
External Sharing with Office 365: What You Need to Know
Page 21 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Restricting Sharing To Owners Only Similar to adding more controls with allowed and blocked domains this enables you to control who
can externally share. An owner versus a contributor.
Today only site owners can share a site by inviting an external user. However, all members as
contributors can share lists, libraries, and documents.
Organizations Able To Assign Higher Value Licenses To External
Users This comes up more frequently than you might think. Especially in Extranet scenarios. Earlier in this
document we outlined limitations of external users. Many of these limits are based on licensing. By
adding licensing to an external user, they may be able to do quite a bit more.
Orgs Manage Password For External Users This is something that Microsoft understands is important to have effective Extranet scenarios in
Office 365 and has mentioned as part of their roadmap at Ignite 2015.
Orgs Enable Multi-Factor Authentication (MFA) For External
Identities Security today often requires additional hardening and protection. In addition to the already active
efforts for working with rights-protected documents being able to ensure those who sign in can provide
two factors of authentication or more is something that Microsoft will actively work towards.
Organizations Able To Block New Invitations But Allow Login For
External Users If external sharing is turned off globally in the SharePoint Online Admin Center, any shared links will
stop working. If the feature is later reactivated, these links will resume working. It is also possible to
disable individual links that have been shared if you want to permanently revoke access to a specific
document.
This would enable a simpler alternative. Disable new shares but allow existing ones to continue to
function.
External Sharing with Office 365: What You Need to Know
Page 22 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Group To Group Sharing & Org To Org Sharing Currently, external sharing is done at an individual level. Over time, Microsoft will develop methods to
enable organizations to share with other organizations or groups to share with groups externally.
Azure AD Connect Sync’d Users Can Be Labeled Or Designated As
External Users When you sync your current AD, there may be many external users within it. This feature would greatly
help not only with enabling external users in Office 365 in a more enterprise or organization-wide
fashion, but it would greatly help with identifying who needs/should have appropriate licensing.
External (Guest) User Access In Office 365 Planner Office 365 Planner will support task assignment and collaboration with team members who are not a
part of the tenant. This helps teams collaborate with their vendors and channel partners effectively.
External Sharing with Office 365: What You Need to Know
Page 23 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
5. ENHANCEMENTS TO EXTERNAL SHARING & ACCESS What follows are examples of custom solutions or third party products that improve the external sharing
experience. In all cited custom examples, we would be happy to develop a production-ready solution
for your organization.
Customization Opportunity 1: Expiring External User Sharing
in SharePoint Online SharePoint Online makes it extremely easy to share sites and content with external users. For this reason,
SharePoint Online has seen rapid adoption for many extranet scenarios and in OneDrive for Business.
SharePoint Online provides administrators the tools to manage external sharing, including
enabling/disabling sharing and visibility into external users within a site collection. External sharing is
simple, secure, and extremely powerful. However, once the content is shared externally, it can stay
shared forever or at least until it is manually revoked by a content owner or administrator.
There are ways to create custom solutions that improve the management of external users, in
particular, the expiration of external user sharing at an organizational level.
There is a great set of sample code by Richard Di Zerega that outlines an approach that requests users
to confirm whether an external user still requires access or whether the access should be revoked. It
also automatically terminates access if no response is provided.
The blog post on it can be found here.
External Sharing with Office 365: What You Need to Know
Page 24 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
Next Steps If Desired: We have built something like this in our research and as functioning solutions
for customers in the past including similar scenarios like the expiration of sites. We can build this, but
it would require planned development effort to implement something like this for your organization
as we would want to ensure the administration interface, business rules/logic, and capabilities met
your needs.
Customization Opportunity 2: Bulk Sharing With External
Users In theory, you can share bulk documents or sites with external users if you build the interface and user
the APIs appropriately. You would need to create the interface in an app, and it would need appropriate
permissions, but this could enable or workaround the current gap in how external sharing is managed.
There is a sample of code that would support this in the OfficeDev Patterns & Practices.
Next Steps If Desired: We have built several apps in our research and as proof of concepts for
customers in the past around this. Some fully functioning solutions are also in place for a few customers
that ease this challenge today. We can build this, but it would require planned development effort to
implement something like this for your organization as we would want to ensure the administration
interface, business rules/logic, and capabilities met your needs.
Customization Opportunity 3: Create An App That Updates
External User Properties. In theory, we might be able to develop an app that updates user properties since the CSOM code
looks like it works. Preliminary testing resulted in positive outcomes.
External Sharing with Office 365: What You Need to Know
Page 25 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
There are some complications (a few mentioned in comments in this article), but a solution using this
approach seems feasible with code. http://blogs.msdn.com/b/vesku/archive/2014/11/07/sharepoint-
user-profile-properties-now-writable-with-csom.aspx
Risk On Development Impact: External users cannot access add-ins…
Example reference: http://www.sharepointappie.nl/office-addins-external-users/
We may need a model where they update something which adds a queue request to a list. Then based
on the queued item a provider hosted app reads the new request and performs the task (this would
need to run in Azure etc. – as an external event receiver or timer job).
Next Steps If Desired: We can build this, but it would require planned development effort to
implement something like this for your organization as we would want to ensure the administration
interface, business rules/logic, and capabilities met your needs.
Customization Opportunity 4: Create a script that Enables the
use of a custom HTML email to bulk invite users Setting up many external vendors, partners or customers at once in SharePoint Online can be difficult.
One of the issues is that invitation emails are sent from Microsoft, and the content is controlled by the
Microsoft onboarding process. This approach ensures the email comes from your domain, sends an
email via your Exchange Online and allows you to determine what content to include.
There is an example of a PowerShell script created by Paul Choquette that does this based on a CSV
file today. https://gist.github.com/star-crossed/0d7d0b2fd0d9945b6a861bb0429f445e
Risk On Development Impact: While this method and approach can work for administrators or bulk
activity it may be wise to develop an app that performs similar functionality, but that enables key
users to accomplish this task.
Next Steps If Desired: You can run the script with minor changes and get the benefit outlined here, or
you can work with a partner like us to personalize and improve upon the script example provided.
3rd Party Product Opportunity – ShareGate ShareGate has built some capabilities into their product for external sharing reporting and
management. We are a ShareGate partner so let us know if we can help get you started exploring their
amazing product catalog.
Here is a summary of what ShareGate provides for External Users and External Sharing.
External Sharing with Office 365: What You Need to Know
Page 26 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
ShareGate enables you to find a site collection with external sharing turned on and what
settings are applied.
ShareGate also allows you to find a list of all Office 365 external users.
ShareGate also enables you to find documents with anonymous guest links.
ShareGate has some reporting around what objects within SharEPoint have been externally
shared (based on site groups or site access).
What are they working on?
Enabling or Disabling an external user on Site Collections
Directly check permissions from the External Users List
Directly add or remove permissions from the External Users list
Delete all anonymous guest links generated
Remove permissions from a site, list, or libraries directly from the Externally Shared Objects
reports.
6. YAMMER EXTERNAL NETWORKS What follows is high-level guidance material useful when planning for external Yammer networks.
Since external sharing is now enabled in Yammer conversations, it is important to understand still
some of the key considerations that come into play when using Yammer’s external networks.
What Are External Networks? Yammer external networks are just like the Yammer network you normally use within your company,
but an external network can include members from any company. Your company sponsors some these
networks to use in collaborating with customers and partners. Each network you join will have its feed,
groups, and “follow” relationships.
The owner of an external network can determine if it’s an “open” network, meaning anyone from your
company and/or anyone from a given set of email domains can join without approval, or a “closed”
network, meaning all members are personally approved by an administrator. The network administrator
should make it clear who will be allowed into the network. Often external networks that contain partner
or supplier exclusive information may be “closed” networks to control membership more tightly.
New External Network Approval It is a good idea for any request for a new Yammer external network to be vetted and approved first.
This should often be done at a VP or executive level as a new external network with Yammer comes
External Sharing with Office 365: What You Need to Know
Page 27 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
with some additional considerations. It helps if the requesting network manager has experience running
a successful internal network or large scale group.
The External Network Must Be Managed Internal Yammer networks should always be managed, but in an external network, this can be even
more important.
An external network for partners, or customers often represents the organization, and it’s
brand with those audiences. So it may be necessary to involve others in coordinating and
making the network a part of the marketing teams multi-channel strategy.
Membership of an external network (especially a partner or supplier one) should be managed if
possible. As an example if a partner or supplier member leaves their organization and joins a
competitive one they should no longer have access. In this scenario membership should be
controlled to either corporate identities or additional validation that corporate secrets/strategy
are not shared may be recommended.
External networks may have additional confidentiality recommendations. Here is a sample of
reasons for when it might be okay to post confidential information on an external Yammer
network.
o You may post Company confidential information on the external network only if each
of the following criteria is met:
You are posting in a private group or sending a private message,
The membership of the private group or private message is strictly limited to
those who need to know the information for business reasons.
Disclosure meets any additional requirements put in place by your organization
or the business group that the information pertains to, and
Disclosure is not otherwise prohibited by any other policies or legal requirements
applying to that information, including those that apply to regulated information
such as social security numbers, credit card information or medical information.
Posting regulated information, such as government identification numbers (e.g.
social security numbers, passport numbers, etc.), financial data (e.g. credit card
numbers, financial records, etc.) or medical information should generally be
avoided even in a private group. Please consult with your manager or legal
contact if you have questions about policies and regulations that may apply to
information you wish to post to Yammer.
External Sharing with Office 365: What You Need to Know
Page 28 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
External networks can be extremely impactful but often requests and questions are asked of
the organization, or it’s representatives. Responsiveness is key here where it may not be as
urgent or prioritized within an internal Yammer network.
External Sharing with Office 365: What You Need to Know
Page 29 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
7. CONCLUSION There are some great ways out of the box to share content with external users and there is no cost for
an external user in Office 365. External Sharing can be implemented in many ways when using Office
365 and offers incredible flexibility to meet most external sharing needs.
Office 365 may or may not meet all of your needs from an external authentication perspective. This
often depends on your requirements for management of external users, access, and how they
should/need to authenticate.
Office 365 External Sharing Advantages Continually improving set of features and capabilities for both end users and administrators.
Simplified sharing model with granular access capabilities for external users.
External user identities are managed by external parties or external users.
Extremely cost-effective as very little customization (if any) is needed.
Light-weight solution to basic data sharing where complex business logic is not required or
access to other internal resources/capabilities is also not required.
Office 365 External Sharing Disadvantages You still have to manage external user access at an organization level (when organizations
should no longer have access or specific users should no longer have access).
o There are features in the roadmap that will improve this, but it’s a clear automation,
partner and customization opportunity today.
Shared content can be isolated from on-premises data resulting in two distinct siloes of
sharing when on-premises data also needs to be shared.
o There are workarounds for this such as syncing data to the cloud from internal systems
like ERP or CRM (we do this all the time with help from great partners). But this isn’t “out
of the box”.
You need to understand Office 365 External Sharing limitations as they exist today.
External user management and external sharing is a significant area of investment that Microsoft is
focused on. So be sure to check the latest features available in this space as some scenarios that were
more limiting in the past may have more robust reporting, management or user options available.
External Sharing with Office 365: What You Need to Know
Page 30 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
NOTE: Considering an Extranet? It may make sense to run your Extranet on SharePoint 2016.
This also has no cost for external user licensing even when on-premises or hosted in a
private or public cloud (such as Azure). We have been working with SharePoint 2016
since it’s early preview days and have built plenty of SharePoint extranets for other
customers contact us if you are looking for deeper SharePoint Extranet guidance or
implementation support.
External Sharing with Office 365: What You Need to Know
Page 31 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
8. RESOURCES This section contains useful resources around Office 365 external sharing.
8.1. Our Whitepapers & Related Resources A few of our popular (and comprehensive) whitepapers:
“When To Use What” In Office 365 – This 70+ page whitepaper is a guide around providing the
right kind of enterprise user guidance for Office 365.
Intranets With Office 365: What You Need To Know – This 70+ page whitepaper is a definitive
guide to planning, and building world class Office 365 Intranets.
Measuring The Business Impact & ROI Of Office 365 – This 60+ page whitepaper outlines
many key considerations around how to measure the impact Office 365 has on a business,
while also outlining the ways Office 365 provides effective reporting capabilities today.
Driving Office 365 Adoption & Usage: What You Need To Know – This 70+ page whitepaper
outlines all of the key considerations when planning and improving Office 365 technology and
end user adoption.
Many other great resources and samples can be found and are regularly posted on our resource site
at http://Office365Resources.com.
8.2. Recommended Microsoft Reading There are some great articles written by Microsoft and community leaders on the subject of external
sharing. What follows are a few quick resource links that might help you when it comes to working
with, and plan for; external sharing in Office 365.
1. The Office 365 Roadmap
2. Office 365 Patterns & Practices Samples
3. Manage External Sharing For Your SharePoint Online Environment
4. Share Sites Or Documents With People Outside Your Organization
External Sharing with Office 365: What You Need to Know
Page 32 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
9. ABOUT 2TOLEAD 2toLead has been labelled as a generous Microsoft consulting company by its clients and employees. 2toLead
employs trusted, passionate and experienced consultants who work hard to solve the most challenging business
and technology problems that face our clients.
The Top 3 Ways 2toLead Helps Customers:
1. INCREASE ADOPTION by going far beyond just deploying things right and ensure your organization is
being pro-active in getting the maximum value out of your technology investments.
2. LEVERAGE THE CLOUD to reduce costs, improve business agility and capabilities inside and outside of
your organization by leveraging cloud technology like Office 365 and Azure.
3. IMPROVE EXPERIENCES & ENGAGEMENT by understanding where, how, and why users interact with
your business while building world-class portals, social networks and websites that your customers,
partners and users love.
The reason 2toLead is called a generous consulting company is that when we hire employees, it is extremely
important to us that they are both passionate about technology and generous people. The generosity of our
employees is a critical reason for why we are so successful. Most of our customers hire us to ‘give advice’ and we
believe the give portion of that statement is just as important as the advice portion.
For more information:
Visit our website at www.2toLead.com
Follow us on LinkedIn
Like us on Facebook
Follow us on Twitter @2toLead
External Sharing with Office 365: What You Need to Know
Page 33 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
About Authors
Kanwal Khipple
Kanwal, Founder & CEO of 2toLead, is a leading User Experience expert within the SharePoint industry, with
experience in building award-winning portals and solutions that take advantage of Microsoft’s Cloud platform
(SharePoint, Office 365 & Azure). Kanwal’s drive for success as the Creative and Technical Lead on projects has
garnered him as a recipient of the Neilson Norman award for Top 10 Intranets (2014 & 2015).
Kanwal’s passion lies in continuing to push for user experience innovation when redesigning intranets for the
majority of the largest brands in the world. He continues to preach on the importance of designing with
usability as the primary focus. Kanwal’s thirst to share knowledge has made him a prominent figure within the
SharePoint community. Because of his passion and his involvement in many community driven events including
launching successful user groups in Canada and the USA, Kanwal has been recognized as a SharePoint MVP by
Microsoft (2009 to 2013) and most recently as an Office 365 MVP (2014-2016). He’s also co-authored a book
on Pro SharePoint 2013 and Responsive Web Development http://amzn.to/sp2013rwd
Feel free to reach out to him if you’d like to discuss your project, want to run an idea by him or just want to
reach out to a friendly technologist.
http://www.twitter.com/kkhipple +1-416-888-7777
www.LinkedIn.com/in/KanwalKhipple [email protected]
www.Slideshare.net/kkhipple
External Sharing with Office 365: What You Need to Know
Page 34 of 34 YOU WILL LOVE THE WAY WE WORK.
TOGETHER.
RICHARD HARBRIDGE
Richard is the Chief Technology Officer and an owner at 2toLead. Richard works as a trusted advisor with
hundreds of organizations, helping them understand their current needs, their future needs, and what actions
they should take to grow and achieve their bold ambitions.
Richard remains hands-on in his work and has led, architected, and implemented hundreds of business and
technology solutions that have helped organizations transform both digitally and organizationally. Richard has a
passion for helping organizations achieve more; whether it is helping an organization build beautiful websites to
support great content and social strategy, or helping an organization leverage emerging cloud and mobile
technology to service better their members or the communities that they serve.
Richard is an author and an internationally recognized expert in Microsoft technology, marketing, and
professional services. As a sought-after speaker, Richard has often had the opportunity to share his insights,
experiences, and advice on branding, partner management, social networking, collaboration, ROI,
technology/process adoption, and business development at numerous industry events in around the globe.
When not speaking at industry events, Richard works with Microsoft, partners, and customers as an advisor to
business and technology, and serves on multiple committees, leads user groups, and is a Board Member of the
Microsoft Community Leadership Board.
http://www.twitter.com/rharbridge +1-416-300-3678
http://www.LinkedIn.com/in/rharbridge [email protected]
www.Slideshare.net/rharbridge