secure guest sharing environment in microsoft teams. sharing … · 2020-04-11 · 4 sharepoint...


Post on 17-Apr-2020


Page 1: secure guest sharing environment in Microsoft Teams. SHARING … · 2020-04-11 · 4 SharePoint Online / OneDrive When users access files or folders through Microsoft Teams, that

A ShareGate guide to creating a productive and secure guest sharing environment in Microsoft Teams.

SHARING IS SCARY


Every business will eventually move to the cloud and adapt to it. That’s a fact. ShareGate helps with that. Our products help IT professionals worldwide migrate their business to the cloud, increase cloud adoption while reducing sprawl, and control cloud costs.


sharegate.com

Migrate to Office 365

Upgrade to SharePoint 2019

Track user access

Control oversharing

Reorganize your SharePoint content

Manage Office 365 Groups and Microsoft Teams

Ensure external users have access to the right things

Understand your Azure consumption

Optimize and monitor your Azure costs

© ShareGate


Secure external collaboration in Microsoft Teams

In any organization, whether large or small, sharing content is an important piece of the collaboration puzzle—especially when working with clients, vendors, or partners outside your company. With the rise of the cloud, sharing content externally is easier than ever for users, but it does have its risks.

While some Office 365 administrators think it’s safer to disable external sharing entirely, this can actually end up making the problem worse. The business landscape is changing, and today’s workers are accustomed to more freedom and flexibility with the way they do their work. If they can’t do what they need to with IT-approved tools, they’ll turn to other solutions—like email, Dropbox, or Google Drive.

Instead of doubling down, you should leverage the power of self-service to drive user adoption in productivity apps like Microsoft Teams. That way, data is kept in your tenant where you can protect it, monitor it, and control it.

Of course, securing sensitive data involves more than just flipping a switch. Once external sharing is enabled, you still need a strategy in place to govern its use. Having the right settings and policies ensures that employees use the tool correctly and keeps sensitive data secure.

That’s why we created this guide full of actionable tips to creating a secure guest sharing environment—so you can stay in control of the who, what, and how of external collaboration in Microsoft Teams.

— The ShareGate Apricot team

“It always boils down to the same thing: if you don’t allow people to create things in the tools you want them to use, or if you put too much friction between them and getting their job done, they’ll go use other solutions […]” — Marc D Anderson, Microsoft MVP and Co-founder and President at Sympraxis Consulting

@sympcmarc


Table of contents

Chapter 1
Empower employees: Enable guest access in Microsoft Teams

Chapter 2
Configure settings: Ensure secure collaboration in Teams

Chapter 3
Maintain visibility: Review who has access to content


Chapter 1 Empower employees: Enable guest access in Microsoft Teams


What is guest access in Microsoft Teams?

If external sharing is disabled in your organization, then guest access in Teams will also be shut down. That’s because guest access is a form of external sharing; when you invite a guest to join a team, you’re making content available to someone outside your organization. But there are certain aspects of guest access in Teams that make it a much more secure external sharing option.

When full guest access was introduced to Microsoft Teams, allowing external users to join existing teams and channels, it revolutionized the concept of external collaboration. Suddenly, users could invite anyone with an email address to join their team, where they could then make video calls, collaborate on documents, and participate in channel-based chats.

Teams is built on top of Office 365 Groups, so you can manage guests in your Azure Active Directory, and the same compliance and auditing protections that cover the rest of Office 365 apply. Essentially, guest access lets you maintain complete control and your data never leaves your sight.

On the surface, external sharing is the act of making content available to someone outside of your organization. It can also be used to share content between licensed users on multiple Office 365 subscriptions if your organization oversees more than one tenant. Behind the scenes, though, external sharing can mean very different things.

Depending on the needs of your organization, external sharing can be used to enable:

• Collaboration with guests in a document (via sharing link)

• Collaboration with guests in a site (via sharing link)

• Collaboration with guests in a team (via guest access)


Enabling guest access in Microsoft Teams

Because Microsoft Teams is essentially a unified Office 365 user interface—integrating with other Microsoft apps and services like SharePoint, OneDrive for Business, and Office 365 Groups—guest access features and capabilities in Teams can be managed through four different levels of authorization.

1 Azure Active Directory

Guest access is governed at the highest level through Azure AD. This authorization level controls the guest experience at the directory, tenant, and application level. If sharing isn’t enabled at this level, guest access in Teams is disabled completely.

2 Office 365 Groups 3 Microsoft Teams

Authorization is required at both the Office 365 Groups and Microsoft Teams levels for guest access to work in Teams: Teams uses Office 365 Groups for team membership, and disabling guest access at the Teams level essentially functions like a giant on/off switch.

4 SharePoint Online / OneDrive

When users access files or folders through Microsoft Teams, that content is actually stored in SharePoint or OneDrive for Business—so if you want to collaborate on documents with guests through Teams, you need to have external sharing enabled at the SharePoint (or OneDrive) organization level.

If external sharing is disabled at the SharePoint or OneDrive level, users will still be able to join a team as guests. And depending on your Teams-wide settings (as well as configurations set at the individual team level), those guests will still be able to do things like make calls, create channels, and chat. But they won’t have access to any documents through the Files tab, even if a user shares a document directly with them through a conversation.


1 Enable external sharing in Azure AD

Before configuring external sharing anywhere else, you need to make sure it’s enabled for your Office 365 tenant as a whole—and that means checking your Azure Active Directory.

Sharing in Office 365 is governed at the highest level by the Organizational relationships settings in your Azure AD. If external sharing is disabled here, it will override any other sharing settings you’ve configured.

1. Log in to your Microsoft Azure portal.

2. Click on Azure Active Directory in the left navigation.

3. In the Manage section in the left navigation, click on Organizational relationships, then Settings.

4. Make sure Admins and users in the guest inviter role can invite and Members can invite are both set to Yes.

5. In the Collaboration restrictions section, check to make sure the domains of the guests you want to collaborate with aren’t blocked, then click Save.


2 Enable Office 365 Groups guest settings

Since Microsoft Teams uses Office 365 Groups for team membership, your Office 365 Groups guest settings need to be enabled in order for guest access to work in Teams.

To configure Office 365 Groups guest settings:

1. Navigate to your Microsoft 365 admin center and expand Settings in the left navigation.

2. Click on Services & add-ins and select Office 365 Groups from the list.

3. Make sure the boxes are checked for both Let group members outside your organization access group content and Let group owners add people outside your organization to groups, then click Save.


3 Enable guest access at the Teams organization level

This one is a no-brainer: if you want to collaborate with guests in Microsoft Teams, it makes sense that you need to have guest access enabled. It’s important to know that Teams guest access settings are applied across your entire tenant, and that guest access is turned off by default.

To enable guest access settings at the Teams level:

1. Go to the Microsoft Teams admin center, select Org-wide settings, then click on Guest access.

2. Toggle the Allow guest access in Teams switch to On, then click Save.

Note that it can take up to 24 hours for changes to take effect.


4 Enable guest access to SharePoint Online (and OneDrive for Business)

Within the Office 365 ecosystem, SharePoint is the tool for document management—and that probably won’t change anytime soon. Case in point? Files and documents for Teams channels and chat conversations are actually stored in SharePoint Online and OneDrive for Business.

So it should come as no surprise that guest access in Teams is partly determined by the settings in your SharePoint admin center. In order for guests to have access to a team’s shared files, folders, and lists, your SharePoint settings need to allow for sharing with guests.

Before you start managing external sharing on a site-by-site (i.e. team-by-team) basis, you need to make sure it’s enabled at the organization level in your tenant. This setting is applied across your entire tenant, including SharePoint sites connected to an Office 365 group.

To allow external sharing at the organization level:

1. Sign in to the Microsoft 365 admin center as a global or SharePoint admin.

2. In the left pane, select SharePoint under Admin centers (if you don’t see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.

3. In the left pane under Policies, select Sharing.

4. Under External sharing, select Anyone, Existing guests, or New and existing guests.

By default, the sharing level for SharePoint and OneDrive is set to Anyone, which allows users to share files and folders with unauthenticated people. Choose Existing guests or New and existing guests to make sure all guests are authenticated.


Chapter 2 Configure settings: Ensure secure collaboration with guest users in Teams

Because of the risks associated with external sharing, some Office 365 administrators think it’s better to disable it entirely. But this can lead to a multitude of other problems, like employees turning to unapproved tools such as Box.com or Google Drive to send documents—the dreaded shadow IT.

That’s why we recommend keeping external sharing enabled and configuring the settings according to the needs of your organization. If you simply turn it off, employees will find a way to accomplish their daily tasks by some other means. Instead, provide them with what they need from the get-go so you can stay in control.

Once you’ve enabled external sharing at all four authorization levels, you can configure guest access settings at the following authorization levels based on the needs of your organization:

1 Azure AD

Org-wide guest access settings: Determine how external collaborators can be invited into your tenant.

2 Microsoft Teams

Org-wide Teams settings: Configure external access and guest access settings, including guest access capabilities for calling, meeting, and messaging. These settings are applied across all of your teams in the Teams admin center.

Guest permissions for individual teams: Control if guests can create, update, and delete channels on a team-by-team basis in the Teams app.

3 SharePoint

Organization-level sharing settings: Decide whether to allow users to share content anonymously or limit sharing to authenticated external users. These settings are applied across every SharePoint site in your tenant.

Site-level sharing settings: Apply more restrictive sharing settings on a site-by-site (and thus team-by-team) basis.


1 Configure org-wide guest access settings in Azure Active Directory

Global admins can control the guest experience at the directory, tenant, and application level through the settings in Azure AD.

To configure settings for external users across your entire organization, return to your Organizational relationships settings by logging in to your Azure portal (Azure Active Directory > Organizational relationships > Settings). You should see the same UI where you previously enabled external sharing.

Note that you can also access these settings through the External collaboration settings page. (Azure Active Directory > Users > User settings. Under External users, select Manage external collaboration settings).


From here, you can choose to enable the following policies:

Guest user permissions are limited

This policy determines permissions for guests in your directory. Selecting Yes will exclude guests from certain directory tasks, like enumerating users, groups, or other directory resources.

If you select No, then guests will have the same access to directory data as your organization’s regular users.

Admins and users in the guest inviter role* can invite

Select Yes to allow admins to invite guests. Selecting No disables guest access in Teams completely.

*Teams does not currently support the guest inviter role.

Members can invite

Choose Yes to allow all of your organization’s users to invite guests to collaborate on resources like SharePoint team sites that are secured by your Azure AD.

Selecting No means that only admins can invite guests, and it will limit the guest experience for teams that have non-admin owners: they’ll only be able to add guests once an IT admin has added them in Azure AD.

Guests can invite

Select Yes if you want to allow guests to invite other guests.

Enable Email one-time passcode for guests (preview)

Still in preview, Email one-time passcode (OTP) for guests allows invited guests without an Azure AD or a Microsoft account (who also can’t log in with Google federation) to be authenticated via an email code roundtrip as a first-factor authentication.

For more information, check out the official Microsoft documentation (https://docs.microsoft.com/en-us/azure/active-directory/b2b/one-time-passcode).

Collaboration restrictions

These settings let you control where guest invitations can be sent according to domain. Allow invitations to be sent to any domain is the most inclusive option, meaning users can send invitations to external users without restrictions.

The other two options are more restrictive, allowing or blocking invitations to specific domains. Choose Deny invitations to specific domains if you want to allow users to share freely for the most part—they’ll only be blocked from sending invites to the domains you choose.

If your employees only ever need to collaborate with a handful of other businesses, you could select Allow invitations only to the specified domains to limit external collaboration to users in those domains. This is the most restrictive option, so in most cases we’d recommend choosing one of the first two.


2 Configure org-wide Teams settings

From the Teams admin center, you can configure org-wide settings for External access and Guest access. It’s worth pointing out that external access and guest access mean two very different things in Teams.

EXTERNAL ACCESS gives access permission to an entire domain—allowing Teams users from other domains to find, contact, and set up meetings with you. Users in another organization’s Teams can call you through Teams and send instant messages. If you want them to be able to access teams and channels, guest access might be the better option.

GUEST ACCESS is when you invite an external user to be a member of the team—it gives access permission to an individual rather than a domain. Once a team owner has granted someone guest access, they can access that team’s resources, share files, and join a group chat with other team members.

External access:

• Configured in the Teams admin center for your organization

• No access to your organization’s teams or team resources

• External users in other domains are allowed to find, call, chat, and set up meetings with you

• By default, all external domains are allowed, with the option to add allowed domains or blocked domains

• Gives access permission to an entire domain

Guest access:

• Enabled in the Teams admin center for your organization

• Access can be granted to existing teams and channels in Microsoft Teams

• Teams admins can control which features guests can and can’t use in Microsoft Teams

• Anyone not part of your organization can be added as a guest in Teams

• Gives access permission to an individual user


Configuring external access

External access settings in your Teams admin center (Org-wide settings > External access) can be configured for the following three scenarios:

1. Open federation: External access is turned on in Teams by default, meaning users can communicate with all external Teams domains (and external Teams users can find, call, chat, and schedule meetings with your users). External access can also allow users to communicate with external users still using Skype for Business and Skype.

Once turned on, external access can be configured to allow or block specific domains. Click on Add a domain and enter a domain name, then choose whether you want it to be Blocked or Allowed.

2. Allow specific domains: If you create a list of allowed domains, all other external domains will be blocked.

3. Block specific domains: Instead, you could create a list of blocked domains, which allows users to communicate with all external domains except those you’ve specified.

Configure external access if:

• You oversee more than one domain and have users in different ones who need to collaborate on a project

• You want users to use Teams to communicate with people in a specific business outside of your organization

• You want Teams users anywhere in the world to be able to find and contact you
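The Azure AD collaboration restrictions and the Teams external access scenarios described above both come down to the same three domain modes. The Python below is an added example, not ShareGate or Microsoft code, that previews which addresses a given mode would let through; the mode names, the exact-match treatment of subdomains, and the sample addresses are assumptions made for illustration.

```python
# Added example. The mode names are hypothetical labels for the three options
# the guide describes; they are not Microsoft API values.
ALLOW_ANY = "allow_any"                  # any domain / open federation
DENY_LISTED = "deny_listed"              # everything except the listed domains
ALLOW_ONLY_LISTED = "allow_only_listed"  # only the listed domains


def domain_of(address):
    """Return the lower-cased domain of an e-mail address or bare domain, or None."""
    text = address.strip().lower().rstrip(".")
    if text.count("@") > 1 or text.startswith("@") or text.endswith("@"):
        return None
    domain = text.rsplit("@", 1)[-1]
    labels = domain.split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    return domain


def is_permitted(address, mode, listed=()):
    """Apply one of the three domain modes to a single address.

    Assumption: domains are matched exactly, so a listed 'partner.example'
    does not cover 'mail.partner.example'.
    """
    domain = domain_of(address)
    if domain is None:
        return False  # fail closed on input that cannot be parsed
    listed_set = {d.strip().lower().rstrip(".") for d in listed}
    if mode == ALLOW_ANY:
        return True
    if mode == DENY_LISTED:
        return domain not in listed_set
    if mode == ALLOW_ONLY_LISTED:
        return domain in listed_set
    raise ValueError(f"unknown mode: {mode}")


def review(addresses, mode, listed=()):
    """Split a batch into (permitted, refused) to preview a policy change."""
    permitted, refused = [], []
    for address in addresses:
        target = permitted if is_permitted(address, mode, listed) else refused
        target.append(address)
    return permitted, refused


# Constructed sample data: these addresses and domains are not from the guide.
SAMPLE = [
    "ana@vendor.example",
    "Raj@Partner.Example",
    "lee@mail.partner.example",
    "not-an-address",
]

if __name__ == "__main__":
    scenarios = [
        (ALLOW_ANY, []),
        (DENY_LISTED, ["vendor.example"]),
        (ALLOW_ONLY_LISTED, ["partner.example"]),
    ]
    for mode, listed in scenarios:
        permitted, refused = review(SAMPLE, mode, listed)
        print(mode, listed)
        print("  permitted:", permitted)
        print("  refused:  ", refused)
```

Running a preview like this against the list of partners you already work with shows who would be cut off before you switch to the allow-only mode.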


Configuring guest access

Let’s assume you’ve already turned on guest access in the Teams admin center (Org-wide settings > Guest access). If not, you can go back and find more details in Chapter 1.

Once guest access is enabled, people outside your organization can access teams and channels. But you can further configure settings to control which features guests can access, such as:

• Calling: Do you want to allow your guests to make private calls?

• Meetings: Do you want to allow guests to use IP video, screen sharing mode, and/or Meet Now?

• Messaging: Do you want to allow guests to chat, edit or delete sent messages, and/or use things like GIFs and memes in conversations?

Configure guest access settings if:

• Your users need to collaborate with individual external users rather than an entire domain

• On top of chatting, calling, and scheduling meetings, users also need to collaborate with external users on shared files


Configure guest user permissions for individual teams

Depending on their purpose, you probably have at least a few teams in your tenant that have different security requirements. Maybe your marketing team does everything in-house while your procurement team is in constant contact with outside vendors, for example.

Within the Teams app, you can control whether guests in each team can:

• Create and update channels

• Delete channels


3 Configure SharePoint settings

SharePoint Online lets you control external sharing settings for your entire organization as well as for individual sites.

• Organization level: For any external sharing to be allowed, it first has to be enabled at the organization level. You can change the organization-level sharing settings from the SharePoint admin center (Policies > Sharing).

• Site-level sharing settings: Once enabled across the organization, external sharing can be restricted on a site-by-site basis. Global or SharePoint admins (but not site owners) can change the external sharing setting for a site in the SharePoint admin center (Sites > Active sites > select the site in question. Then select Policies and click on Edit under External sharing).

If a site’s external sharing option and the organization-level sharing option don’t match, the most restrictive value will always be applied—so think about the most permissive setting needed by any site in your organization when configuring sharing at the organization level.


Authenticated or anonymous?

If you decide to enable external sharing in Office 365—and we recommend that you do!—sharing only with authenticated external users is the safest way to go.

There are pros and cons to each approach, so you’ll need to decide which may be more relevant to the particular needs of your organization.

1 Sharing via an anonymous link

Documents, files, and folders can be shared with external users via an anonymous link, meaning the person accessing the document can’t be identified by the organization. These external users are commonly called “anonymous users”.

Anyone with access to the shared link can view and edit the relevant files, and they can forward the link freely as well. Be wary of this option—you won’t be able to tell if sensitive information is being shared with unsuitable users outside your organization.

To allow sharing via anonymous link, select the Anyone sharing option.

In essence, permission to access your content is given to the hyperlink, not to a specific user. If you absolutely have to enable anonymous sharing, consider configuring additional security settings, like Link expiration or Link permissions.


2 Sharing with authenticated external users

Content—including lists, libraries, and complete sites—can be shared directly with specified external users. With this method, external collaborators are sent an invitation by email and prompted to sign in using an account from a trusted provider (or in some cases, a verification code) in order to access the content in question.

Once the invitation is accepted, the collaborator is typically added to your organization’s Azure Active Directory as a guest user, but will only have access to the specific elements you shared with them. If you’ve shared an entire site, they’ll have access to everything in it, so make sure it’s free of sensitive content.

To restrict sharing to authenticated external users, select the New and existing guests or the Existing guests only sharing options. We recommend choosing New and existing guests whenever possible—otherwise users have to wait for an admin to add new guests to your directory.

AUTHENTICATED EXTERNAL USERS vs. ANONYMOUS EXTERNAL USERS

WHAT CAN BE SHARED?

Authenticated external users:

• A complete site

• Lists and libraries

• Documents and list items

Anonymous external users:

• Only documents and folders

HOW IS IT ACCESSED?

Authenticated external users:

• Must sign in or enter a verification code to view content

Anonymous external users:

• Content is accessible via a shareable link without having to sign in

WHO CAN SHARE?

Authenticated external users:

• Site owners or users with full control permissions can share a site

• Site users can share lists, libraries, and documents

Anonymous external users:

• All site users can share documents and generate a shareable view/edit link

WHAT ARE THE SECURITY RISKS?

Authenticated external users:

• If you give full control to an external user, they could then share content with other external users

• Permission inheritance (if you give access to a site or Office 365 group)

Anonymous external users:

• Anonymous guest links can be shared with other people who might view or edit the content

• Changes can’t be tracked in the document


Default sharing link type

Instead of placing unnecessary restrictions, you can nudge users towards a more secure sharing option by defining which type of sharing link is selected by default when users share files and folders.

Users can still change the type of link to another option before sharing (so long as it’s enabled); however, changing the default option can help prevent accidental and unnecessary anonymous sharing.

You can choose any of the following link types as the default:

• Specific people: This is the safest option if your users collaborate frequently with people outside your organization. This type of sharing link can be used to grant a guest user access and requires them to authenticate.

• Only people in your organization: Choose this option if you think that most of the sharing in your organization takes place between your own users.

• Anyone with the link: This type of sharing link grants anonymous access to anyone who has access to the link. You can only use this link type if you have Anyone sharing enabled.


More SharePoint settings

The following sharing policies can also be enabled at the SharePoint authorization level:

Limit external sharing by domain

Just like you can restrict collaboration at the Azure AD level, you can choose to allow sharing generally—except for with a few specified domains of your choosing. Or, you can go the other way around and choose the more restrictive option: block sharing except for the domains you include. This setting can be configured org-wide as well as at the individual site level.

Guests must sign in using the same account to which sharing invitations are sent

Because guests can, by default, receive an email invitation at one account and sign in with another, you can enable this policy to limit external users to one account.

Allow guests to share items they don’t own

By default, guests can only share items if they have full control permissions. Only check this box if you want to let external users share documents they didn’t create.

Show owners the names of people who viewed their files

This is turned on by default, but if it somehow gets turned off we definitely recommend re-enabling it. If this option is disabled, the owner of a shared file will no longer see info on the file card like: which users viewed the file without editing it; the number of views on the file; and the number of people who have viewed it.

Let site owners choose to display the names of people who viewed files or pages in SharePoint

Also turned on by default, this setting determines whether site owners can allow users with access to see details about who has viewed something on its file card.

Configure sharing settings at the site level

Once configured at the organization level, site-level sharing settings can be modified to define the type of guest access you want to allow for each team. If the two settings don’t match, the most restrictive value will always be applied.

Let’s say your organization-level settings are set to Anyone; your PR department sends out mass press releases that are frequently reshared. But your accounting team works with sensitive documents on a daily basis; you only want to grant authenticated guests access to that team’s content. You could change the site-level sharing settings to New and existing guests for the SharePoint site associated with the accounting team.

To configure external sharing for an individual SharePoint site:

1. Sign in to the Microsoft 365 admin center as a global or SharePoint admin.

2. Navigate to the SharePoint admin center the same way as before.

3. In the left pane under Sites, select Active sites.

4. Select the site you want to configure external sharing for, then click Sharing.

5. Select Anyone or New and existing guests, and click Save.

Depending on the permissiveness of your organization-level SharePoint settings, you can also choose to limit sharing by domain, change the type of default sharing link, and limit sharing permissions to ‘view-only’ at the site level.
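The settings from this chapter can also be applied and checked from the SharePoint Online Management Shell. The script below is an added example, not part of the ShareGate guide; the contoso tenant name, the accounting site URL and the partner.example domain are placeholders.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and a SharePoint admin account. Tenant name, site URL and domain are placeholders.
$AdminUrl      = 'https://contoso-admin.sharepoint.com'
$AccountingUrl = 'https://contoso.sharepoint.com/sites/accounting'

Connect-SPOService -Url $AdminUrl

# Organization level: Anyone links stay available (the PR scenario), but the
# link type preselected in the share dialog becomes "Specific people" (Direct).
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -DefaultSharingLinkType Direct

# Guests must sign in with the account the invitation was sent to.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

# Equivalent of leaving "Allow guests to share items they don't own" unchecked.
Set-SPOTenant -PreventExternalUsersFromResharing $true

# The more restrictive domain option: block sharing except with listed domains.
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList 'partner.example'

# Site level: the accounting site only accepts authenticated guests
# ("New and existing guests" = ExternalUserSharingOnly).
Set-SPOSite -Identity $AccountingUrl -SharingCapability ExternalUserSharingOnly

# Audit: the most restrictive of the org-level and site-level values applies.
$rank = @{
    Disabled                        = 0  # Only people in your organization
    ExistingExternalUserSharingOnly = 1  # Existing guests
    ExternalUserSharingOnly         = 2  # New and existing guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}
$orgLevel = (Get-SPOTenant).SharingCapability.ToString()

Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $_.SharingCapability.ToString()
    $effective = if ($rank[$siteLevel] -le $rank[$orgLevel]) { $siteLevel } else { $orgLevel }
    [pscustomobject]@{
        Url         = $_.Url
        SiteSetting = $siteLevel
        Effective   = $effective
        AnyoneLinks = ($effective -eq 'ExternalUserAndGuestSharing')
    }
} | Sort-Object { $rank[$_.Effective] } -Descending |
    Format-Table -AutoSize
```

Sites at the top of the table are the ones where anonymous links can still be created, so they are the first candidates for a tighter site-level setting.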

Chapter 3 Maintain visibility: Keep an eye on who has access

In order to protect your sensitive content on an ongoing basis, you need to understand where it lives, what users are doing with it, and why it may be at risk. That’s why you should regularly review what’s been shared externally and with whom.

Here are three ways to review external access in Microsoft Teams:

1 Verify guest access in Microsoft Teams

2 Manually review sharing links for each team’s SharePoint site

3 Schedule automatic external sharing reviews

Should those budget spreadsheets still be shared with your organization’s former accounting firm? Who still has access to last quarter’s user research reports? Even with all the right settings configured, securing content is a whole lot easier when you can see everything that’s been shared externally.

Why are access reviews important?

Microsoft Teams enables you to collaborate internally and with users from external organizations—such as clients, vendors, or partners.

Depending on your settings, users can invite anyone with an email address to join existing teams and channels, where they can access team resources, conversations, and shared files as a guest.

But the convenience of self-service has led to a need for better access management capabilities. Consider the following:

• When a new employee joins your organization, how do you make sure they have access to the things they need to be productive?

• As employees move between project-based teams or leave the company, how do you ensure their old access is removed—especially when it involves guests?

While too many restrictions can hurt user adoption, excessive access rights are equally undesirable. The latter situation indicates a lack of control over access and can lead to audit findings and compromises.

As an IT admin, you need to proactively engage with team owners to make sure they review who has access to their resources. After all, they’re the ones who know best. Which brings us to our next point…

Before you get started: Ensure every team has someone who’s accountable

Even if you know exactly what’s been shared and with whom, how are you supposed to know who should still have access? You’re going to have to ask someone who has the answers you need for questions like these: the owners of each team.

Owners have unique permissions that make them vital to the proper functioning of each team. Essentially, they’re accountable for managing a team’s membership and content throughout its lifecycle. Common best practice says you should have at least 2 owners to share the management of each team. That way, if one owner leaves, there is still someone who is accountable. But things change, employees move around, and ownerless teams do happen.

Before you start conducting access reviews, you need to make sure every team has a valid owner who can help you. ShareGate Apricot detects ownerless teams automatically and helps you fix the problem faster. See which of your teams are missing owners and assign ownership to a new user in just a few clicks. Then, entrust team owners to make simple decisions for their team about external sharing—that way, every team has someone who’s accountable.

You can manually entrust owners as new teams are created—or automatically entrust all owners to put external sharing decisions on autopilot. For more details on entrusting owners, check out the ShareGate Apricot documentation. https://support-apricot.sharegate.com

1 Verify guest access in Microsoft Teams

Depending on how your SharePoint sharing settings are configured, guest users in Teams likely have access to their team’s shared documents. So reviewing a list of your guest users can help give you some idea of what’s been shared with whom.

See your guest users: Microsoft Teams admin center

As a global admin, you can view all of your teams’ guest users in the Teams admin center (Teams drop-down > Manage teams).

From there, you can see a list of all your teams along with the number of guests each one has:

Then, click on an individual team to see who the guests are within that team (those users will have ‘Guest’ listed next to their name in the Role column).

See a team’s guest users: Microsoft Teams app

Since owners know who their team needs to collaborate with on a regular basis, they’re the ones who can validate guest access.

You can either send owners a list of their team’s guest users to review—or ask them to check guest membership for themselves in the Teams app by selecting More options next to their team name > Manage team > Members.

Any guests that shouldn’t have (or no longer need) access to their team can be deleted in the same interface in Teams. You’ll probably need to follow up with various owners to make sure they’ve actually reviewed membership. Then, you still have to log any changes they make for audit and compliance purposes. After all of that is finally said and done, you’ll be just about ready to start on the next review; for ongoing security, you need to review guest access regularly.

Aside from requiring quite a bit of manual work, this option is problematic because you can only see external users that were added as members to that team (i.e. granted guest access). If a user shared a file directly with someone outside the organization, that external individual won’t be listed as a guest.
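The guest membership check described in this section can be scripted with the MicrosoftTeams PowerShell module, producing one list to send to owners and keep as a review record. This is an added example, not part of the ShareGate guide; the output file name is a placeholder.

```powershell
# Added example. Requires the MicrosoftTeams module and a Teams admin account.
# The output path is a placeholder.
$OutFile = '.\teams-guest-review.csv'

Connect-MicrosoftTeams | Out-Null

$rows = foreach ($team in Get-Team) {
    $users  = @(Get-TeamUser -GroupId $team.GroupId)
    $owners = @($users | Where-Object { $_.Role -eq 'owner' })
    $guests = @($users | Where-Object { $_.Role -eq 'guest' })

    foreach ($guest in $guests) {
        [pscustomobject]@{
            Team       = $team.DisplayName
            GroupId    = $team.GroupId
            Guest      = $guest.User      # sign-in name of the guest account
            GuestName  = $guest.Name
            Owners     = ($owners.User -join '; ')
            OwnerCount = $owners.Count
            # Filled in by the owner; the completed file doubles as the audit log.
            Decision   = ''               # keep / remove
            ReviewedBy = ''
            ReviewedOn = ''
        }
    }
}

$rows | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Teams that have guests but fewer than two owners: nobody (or only one person)
# is accountable for validating that guest access.
$rows | Where-Object { $_.OwnerCount -lt 2 } |
    Sort-Object Team -Unique |
    Select-Object Team, OwnerCount, Owners |
    Format-Table -AutoSize

# Guest count per team, highest first, to decide where to start the review.
$rows | Group-Object Team | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize
```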

2 Manually review sharing links for each team’s SharePoint site

To make sure you catch all external sharing links, including those shared with external users who aren’t team guests, it’s possible to generate a report on file and folder sharing in each team’s associated SharePoint site.

Report on file and folder sharing in each SharePoint site

Running a file and folder sharing report on a given SharePoint site can help you understand how sharing is being used within the associated team.

The resulting CSV file will tell you if any files or folders are being shared with guests, and includes sharing info for every unique file, user, permission, and link on that SharePoint site.

For more details and step-by-step instructions, check out the official Microsoft documentation (https://docs.microsoft.com/en-us/sharepoint/sharing-reports).

You need to run a report for every single SharePoint site connected to one of your Microsoft teams—so right off the bat this option requires quite a bit of heavy lifting for IT.

Validate external sharing links, and revoke access as needed

Once you’ve run reports for every team’s SharePoint site, you still need to:

1. Send each team’s report to the owner(s) to validate, then follow up with them to track their progress.

2. If they determine that changes need to be made to a sharing link (or access should be revoked), you (or the team owner) must go into SharePoint and do it one file or folder at a time.

3. Then, just like option #1, you have to manually log any changes for compliance and internal auditing reasons.

4. Repeat the entire process over again.

With all the manual labor involved, this option is probably even more time-consuming than the first one. And by the time you make it through one review, get ready to start the whole convoluted process over. To keep your data secure and ensure external users have access to the right things, you need to repeat this process on an ongoing basis.
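To cut a site's sharing report down to the rows an owner actually has to validate, the CSV can be filtered before it is sent out. The script below is an added example, not part of the ShareGate guide; the column names, the `Guest` and `Anonymous` values, the internal domain and the sample rows are assumptions, so compare them with the header row of your own export.

```powershell
# Added example. Column names and values are assumptions; check them against the
# header row of your own export. The rows below are constructed sample data.
$InternalDomain = 'contoso.example'
$report = @'
Resource Path,Item Type,Permission,User Name,User E-mail,User or Group Type,Link ID,Link Type
Shared Documents/Budget-2020.xlsx,xlsx,Edit,Pat Lee,pat@oldfirm.example,Guest,,
Shared Documents/Press/release.docx,docx,View,,,,link-0001,Anonymous
Shared Documents/Notes.docx,docx,Edit,Sam Roy,sam@contoso.example,Member,,
Shared Documents/Research/q4.pptx,pptx,View,Kim Wu,kim@vendor.example,Guest,link-0002,Specific People
'@ | ConvertFrom-Csv
# With a real export: $report = Import-Csv -Path '.\sharing-report.csv'

function Get-ExternalSharingRow {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [Parameter(Mandatory)] [string]   $InternalDomain
    )
    foreach ($row in $Rows) {
        $email = $row.'User E-mail'
        if ($row.'Link Type' -eq 'Anonymous') {
            $reason = 'Anyone link'
        } elseif ($row.'User or Group Type' -eq 'Guest') {
            $reason = 'Guest user'
        } elseif ($email -and -not $email.EndsWith("@$InternalDomain", [StringComparison]::OrdinalIgnoreCase)) {
            $reason = 'External address'
        } else {
            continue   # internal sharing, nothing for the owner to validate
        }
        [pscustomobject]@{
            Resource   = $row.'Resource Path'
            Reason     = $reason
            SharedWith = if ($email) { $email } else { '(anyone with the link)' }
            Permission = $row.Permission
            LinkId     = $row.'Link ID'
            Decision   = ''   # keep / revoke, filled in by the team owner
            ReviewedBy = ''
            ReviewedOn = ''
        }
    }
}

$findings = @(Get-ExternalSharingRow -Rows $report -InternalDomain $InternalDomain)
$findings | Sort-Object Reason, Resource |
    Format-Table Resource, Reason, SharedWith, Permission -AutoSize

# The filtered file goes to the team's owner(s); once the Decision columns are
# filled in, the same file is the change log for compliance and internal audits.
$findings | Export-Csv -Path '.\external-sharing-review.csv' -NoTypeInformation -Encoding UTF8
```

With the constructed rows, three of the four entries are flagged: the two guest users and the Anyone link.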

3 Schedule automatic external sharing reviews

Sure, it’s possible to review what’s been shared and who has access manually. But that could be a full-time job in and of itself, so we don’t recommend it. Even if your owners complete the reviews when you tell them to (and they won’t; it’s a tedious task to undertake), you’ll still need to log any changes.

The truth is: there’s simply no easy way to manually review external access for each of your teams using Microsoft’s out-of-the-box solutions. You’re much better off leaving all that work to ShareGate Apricot.

ShareGate Apricot gives you full visibility into who’s shared what, when, and with whom. Simply connect your tenant to our software to see every single link to files shared externally by each of your teams. We do all the heavy lifting for you—no need to code, script, search audit logs, or manually pull reports anymore.

Schedule automatic external sharing reviews

We’ve come up with a better way to confirm that every single link to files shared externally should still be shared: automated external sharing reviews.

With ShareGate Apricot, scheduling reviews is as easy as 1-2-3:

1. Set up your external sharing policy in the app settings.

2. Choose how often you want external sharing reviews to occur (say, every 90 days).

3. Schedule the date you want the review to begin. And off you go!

Activate external sharing so group owners will review their shared links for you.

Get the answers you need from the people who have them

Did we mention that ShareGate Apricot saves you the trouble of contacting every single owner to validate which links should be shared? Once your external sharing policy is set, team owners you’ve entrusted will receive an automatic email asking them to review all of their team’s external sharing links.

In just a few clicks, entrusted owners can delete links to sensitive files through our easy-to-use interface—no need to go to each of their SharePoint team sites to revoke access.

Owners have 14 days to complete the review, with a reminder email sent after 7 days if they haven’t reviewed all of their teams yet—no need for you to manually follow up!

Track progress and log changes automatically

Know when your next external sharing review is coming thanks to an automatic email reminder 2 days before the start date. Once a review has started, you can track its progress in the app.

You can also filter your teams to see which ones have been reviewed (and which ones haven’t).

Throughout the process, we log every action taken during those reviews—so you can easily perform internal audits.

After 14 days have passed, or when all of your teams have been reviewed, you’ll receive an email with stats from the review. You can also see the review’s stats in-app.

ShareGate Apricot automates this complex, multi-step process for you. That way, you can perform reviews more regularly and keep your data secure over time—giving you greater peace of mind.

Ensure external users have access to the right things in Teams. With ShareGate Apricot’s easy-to-use governance platform for Microsoft Teams, you’re sure your data stays secure. Get full visibility into who’s shared what with whom, and automate external sharing reviews so they’re performed on an ongoing basis.

See what’s been shared externally

Schedule automatic link reviews

Track each review’s progress

Easily perform internal audits

Ready to find out how many files are shared outside your organization?

Try ShareGate Apricot for free. Visit sharegate.com/freetrial-apricot