The complex world of external sharing and access in Microsoft 365

The complex world of external sharing and access in Microsoft 365

(Updated 17 March 2023 with further details about Microsoft Entra settings and B2B Direct connect, see below).

By default, external sharing and access is (mostly) enabled by default in Microsoft 365.

Unless the settings have been changed in the various locations described below, end users can usually:

  • Click the ‘share’ icon next to a folder or document in SharePoint and OneDrive to share that content with external guests.
  • Add external guests directly to SharePoint sites, libraries, folders and documents, as described below.
  • Add external guests to Teams standard channels and Microsoft 365 Groups, allowing those guests to access the Team’s channel and/or Group content directly.

Behind the scenes, the ability to shared externally or given external guests access is subject to a range of configuration options.

  • External sharing can be configured to be: (a) very permissive (share with ‘anyone’), (b) very restrictive (‘share with only internal people’), or (c) somewhere in between (‘share with existing guests’ or ‘share with new and existing guests’ with additional controls as required).
  • External or guest access to Teams, SharePoint and/or OneDrive has similar options – all, some, or none.

This post provides an overview of the external sharing and external access configuration options across the Microsoft 365 environment, as well as a very brief dot-point summary describing the options monitor what has been shared or accessed.

Note that there is some cross-over between external sharing and access configuration settings, as stated in the text below (rather than repeating the same detail).

External sharing

External sharing is about end users giving external users or ‘guests’ access usually via a link to a folder or file in SharePoint (including Team- and M365 Group-linked sites) or OneDrive, including from Windows File Explorer or macOS Finder. It may also include ‘sharing’ a site or a document library; both of these options technically refer to giving access but they are included in the external sharing section because of the way the options are shown (‘Share site only’).

There are three key benefits of sharing:

  • A single ‘source of truth’ document is shared instead of being attached to email and sent as a new copy to other people.
  • If allowed, everyone can work on the same document at the same time (co-authoring).
  • There should (in theory at least) be a reduction in email attachments (and email size), and the potential for duplication.

The text below describes the various configuration settings across Microsoft 365 that can impact on external sharing. Some of these settings may also impact external access and vice versa. Click this link to view the external access options.

The Microsoft Entra admin center (includes Azure AD) contains several settings that can impact on external sharing and access. Responsibility: Global Admins.

Microsoft Entra (Azure AD) > Protect and Secure > Conditional Access

Conditional access policies configured in Microsoft Entra may be used to control what external guests can access, which in turn has a bearing on what can be shared with guests. External guest access may be restricted through the following conditional access policy options:

  • Whether or not the guest is a ‘B2B collaboration guest’ user (see below under Cross-Tenant Access settings), a ‘local guest user’ or ‘other’ (as defined; there are several other options as well).
  • The role to which the guest user may be assigned.
  • The cloud apps or actions to which the guest user may be assigned.
  • The devices the guest user may use (or may be required to register or use).
  • The authentication context.
  • The risk associated with the guest user or their device.
  • The authentication controls that may be set.
  • Any session controls.

Microsoft Entra (Azure AD) > External identities > All identity providers > Configured identity providers

When the option to share content is set to either ‘New and existing guests’ or ‘Existing guests’ (see below under M365 admin and SharePoint admin), external guests will be required to authenticate themselves to access the content via either:

  • For external guests with an Azure AD or Microsoft account – the Authenticator app.
  • For external guests who don’t have an Azure AD or Microsoft account – Email a One Time Passcode. The option to use an OTP must be set to ‘Yes’ in this section.

The following settings that relate to external sharing are located in the Microsoft 365 admin centre. Responsibility: Global Admins.

Microsoft 365 admin > Settings > Org Settings > Security and Private (tab) > Sharing

The option to ‘Let users add new guests to the organisation’ must be checked if ‘New and existing guests’ is selected (see below).

Microsoft 365 admin > Settings > Org Settings > Services (tab) > SharePoint

Note that the options described below also affect the SharePoint site linked with a Team (via the ‘Files’ tab). There is no separate Teams option to override this.

The following settings relating to external sharing are located in the Microsoft Purview admin centre. Responsibility: Global Admins, Compliance Admins.

It is recommended that the option to define information protection settings for groups and sites be planned carefully, with a full understanding of the implications. It may be a useful option to consider for specific use cases where there is a requirement to protect all sensitive content stored in individual SharePoint sites.

Microsoft Purview > Information Protection > Labels

Information sensitivity labels include the option, when this has been enabled, to apply a label to groups and sites. When this option is selected, information sensitivity labels can include the following options.

The following options appear if the ‘Privacy and external user access settings’ is checked.

The following options appear if ‘External sharing and Conditional Access settings’ is checked. Note the link with Microsoft Entra > Conditional Access policies.

The following settings that relate to external sharing are located in the SharePoint admin centre. Responsibility: Global Admins and SharePoint admins.

SharePoint admin > Policies > Sharing

The option set in the previous point flows to the SharePoint admin sharing section and affects both SharePoint and OneDrive. SharePoint admins cannot make the option more permissive, but they can make it less permissive for either SharePoint or OneDrive (e.g., internal only for OneDrive).

Additional options directly below the above graphic, that impact on external sharing (and access), are listed below:

  • Limit external sharing by domain (unchecked by default)
  • Allow only users in specific security groups to share externally (unchecked by default)
  • Guests must sign in using the same account to which sharing invitations were sent (checked by default)
  • Allow guests to share items they don’t own (unchecked by default)
  • Guest access to a site or OneDrive will expire automatically after this many days (60 by default)
  • People who use a verification code must reauthenticate after this many days (30 by default)
  • Choose the type of link that’s selected by default: Specific people (only the people the user specifies); Only people in your organisation; Anyone with the link.
  • Select the default link permissions (Edit or View)

SharePoint Admin > Active Sites (list) > per site sharing controls

The settings above apply to all new and existing sites.

  • M365 Group/Team- based sites always allow external sharing by default (unless ‘Only people in your organization’ is selected)
  • SharePoint sites that are NOT based on a Microsoft 365 Group do not allow external sharing by default.

When any site is selected from the list of active sites, the ‘Sharing’ option appears in the ribbon menu.

When selected, the SharePoint admin can do the following for each site:

  • Modify the sharing option to make it less permissive (e.g., ‘Only people in your organisation’) or up to the most permissive option allowed in both the M365 admin centre and SharePoint sharing policies section described above.
  • Limit sharing for the site by domain.
  • Modify the following options already set above under the sharing policies section: (a) Expiration of group access; (b) Default sharing link type; (c) Default link permissions.

The following settings relating to external sharing (and access) are located in every SharePoint site, including SharePoint sites visible from the ‘Files’ tab of Teams. Responsibility: SharePoint admins, Site Collection Admins, Site Owners.

Each SharePoint site > (gear icon) > Site Permissions – Add Members (drop down option) > Share site only

If the above settings allow it, Site admins and Site Owners may add an external guest to the site permissions. These permissions inherit ‘down’, giving the guest access to libraries > folders > items and lists > items. Some care should be taken when ‘sharing’ a site with external users in this way.

Note that, if a guest is added to a Team or Group, this will automatically give the external guest access to the SharePoint site as a (guest) members. This access can be removed, if required, by modifying the site, library, folder or document/item permissions.

Each SharePoint site > (gear icon) > Site Sharing and Guest Expiration

SharePoint admins and Site Owners may further restrict site sharing and guest expiration options from the gear icon.

Site sharing can be set as follows:

  • Site owners and members can share files, folders and the site. People with edit permissions can share files and folders. (Default option)
  • Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site.
  • Only site owners can share files, folders and the site.

The Access Expiration section will show when access to sharing links will expire.

Additionally, access requests may be allowed or denied, and requests can be sent to either the site owners (including the Group/Team owners) or a specific email address. A custom message may be added.

Each SharePoint site > Library permissions

It is not possible (there is no option) to ‘share’ a library. To give external guests access to a library, either:

  • Let the library inherit the site permissions, where an external guest has been added.
  • Set unique permissions on the library (via Library settings) and add the guest user to the library permissions, either by name or as a member of a permission group or other group created for this purpose.

Note that providing access to a library but not the site assumes the external guest will have the URL of the library to access it. This may not be a suitable way for the external user to access the library.

Each SharePoint document library > Folder or Document

Assuming all the above options allow it, end users can either

  • Add an external person to the permissions of the folder or document via the ‘Manage Access’ – ‘Direct Access’ option, which is a similar process to adding a guest to a site or library.
  • Share a folder or a document with external guests via the ‘share’ icon. This icon is also available in Windows File Explorer and macOS Finder.

To use the ‘Manage access’ option, click the three-dot menu to the right of the library or document name and select ‘Manage access’. To add external guests, click on the + sign to the right of ‘Direct access’ and add their name.

To share a folder or document, click on either the ‘Manage access’ option or use the Share icon directly. The latter will show the sharing type and link type combined, e.g.,

  • People you specify can view
  • People with existing access can read
  • People in (the tenant) can view

There may be an option to block download.

The message above will appear if external guests cannot be added via Manage Access or by adding them to the Share dialog box.

BONUS SECTION

Each SharePoint site > Legacy features OR limited access

Kudos to a professional colleague for raising this issue recently.

An end user may see the following message ‘People with existing access can use the link’ when they click the Share button.

There can be two reasons why this message appears.

First, the person attempting to share the folder or document may have read-only access to the item being shared.

Second, certain legacy features may be (or have been) activated on the site.

  • Limited-access user permission lockdown mode
  • SharePoint Server Publishing Infrastructure
  • (The Site feature ‘SharePoint Server Publishing’ may also impact the option)

When the legacy features are (or were) activated, the following messages may also appear via the ‘Manage Access’ option, when ‘Direct Access’ appears.

The first message indicates that the user does not have permission to share and must send a message to the user (?) to allow sharing. This makes no sense because it seems the guest user must be asked for permission to share.

The second message, which may and may not appear, notes that ‘Sharing folders is disabled’.

If this message appears, check to see if the legacy features noted above have been enabled. If they were disabled (after being enabled in the past), there may be indications in the Site Permissions that these options were previously enabled, for example ‘Approvers’, ‘Designers’.

External Access

External access is about allowing external guests access to content stored in SharePoint or OneDrive (including content uploaded to those locations via Teams or File Explorer). There is some crossover with the external sharing options described above as both SharePoint site and library ‘sharing’ actually describes a way of providing access to that site or library. External access also refers to Teams and Microsoft 365 Groups.

The following settings relating to external access are located in the Microsoft Entra admin centre. Responsibility: Global Admins.

Microsoft Entra (Azure AD) > Protect and Secure > Conditional Access

Conditional access policies are described above under External Sharing.

Microsoft Entra (Azure AD) > Identity governance > Entitlement management > Access packages

The settings for each access package define how guest users may be granted access to the environment. The options include:

  • The Resource Role the guest will have: Groups and teams, Applications, SharePoint sites.
  • Expiration settings.

Microsoft Entra > External identities > Cross-tenant access settings > Organisational settings

Teams standard channels can include guest users.

Teams private channels can only include a subset of the parent Team members (including Guests).

Teams shared channel may include all the non-Guest members of the parent Teams, and external guests (which is usually the reason for the shared channel based on the following rules:

  • For guests who work in an organisation with Azure AD, the external Azure AD organisation has been added by both organisations (‘handshake’ confirmation – both sides must agree). See also below.
  • For guests that do not belong to an organisation that has Azure AD (e.g., people with a gmail account) may be added if the ‘Collaboration settings’ section below has been configured.

For organisations that have Azure AD, there may be a requirement after adding the organisation to change the Default settings listed below, noting that (a) B2B collaboration (settings all allowed by default) adds the external guest to Azure AD whereas (b) B2B direct connect (settings all blocked by default) does not add the user to Azure AD.

  • Inbound access settings
    • B2B collaboration for external users and groups: All allowed
    • B2B direct connect for external users and groups: All blocked
  • Outbound access settings
    • B2B collaboration for users and groups: All allowed
    • B2B direct connect for users and groups: All blocked

In other words, it may be easier to invite an external guest to a standard or private channel (which adds them to Azure AD as a guest) rather than having to configure the B2B direct connect settings for each ‘trusted’ external organisation.

Microsoft Entra > External identities > External collaboration settings

A range of settings in this section impact on external sharing and collaboration, and some have a direct link with related settings in other admin centres, as described below.

  • Guest user access
    • Guest users have the same access as members (most inclusive) – Default
    • Guest users have limited access to properties and memberships of directory objects.
    • Guest user access is restricted to properties and memberships of their own directory objects (most restricted).
  • Guest invite settings
    • Anyone in the organisation can invite guest users including guests and non-admins (most inclusive).
    • Member users and users assigned to specific admin roles can invite guest users including guests with member permissions.
    • Only users assigned to specific admin roles can invite guest users.
    • No one in the organisation can invite guest users including admins (most restrictive).
    • Enable guest self-service sign up via user flows (Yes/No)

Note – The second and third options in the setting above are directly connected with the following setting in the M365 Admin centre > Settings > Org Settings > Security & Privacy (tab) > Sharing. If ‘Only users assigned to specific admin roles …’ is selected, then the check box in the M365 Admin centre becomes unchecked (see below).

  • External user leave settings
    • Yes/No. This setting is usually enabled (Yes) allowing guest users to remove themselves automatically.
  • Collaboration restrictions
    • Allow invitations to be sent to any domain (most inclusive)
    • Deny invitations to the specified domains
    • Allow invitations only to the specific domains (most restricted)

The following settings relating to external access are located in the Microsoft 365 admin centre. Responsibility: Global Admins.

Microsoft 365 admin > Settings > Org Settings > Security and Private (tab) > Sharing

The option to ‘Let users add new guests to the organisation’ must be checked to allow guests to be added to the directory.

This setting is directly connected to the setting in Microsoft Entra > External identities > External collaboration settings (above). If this setting is unchecked, then the Microsoft Entra setting will change to ‘Only users assigned to specific admin roles can invite guest users’.

This setting is required if end-users want to give new guests access to content.

Microsoft 365 admin > Settings > Org Settings > Services (tab) > Microsoft Teams

‘Allow guest access in Teams’ must be checked for guests to be able to access standard channels.

Microsoft 365 admin > Settings > Org Settings > Services (tab) > Microsoft 365 Groups

  • ‘Let group owners add people outside your organisation to Microsoft 365 Groups’ must be checked for external guests to be added to a Microsoft 365 Group as a (guest) member.
  • ‘Let guest group members access group content’. If this option is not checked, the guests will be listed as members but won’t have receive emails or be able to access any group content, unless it was shared with them.

Microsoft 365 admin > Settings > Org Settings > Services (tab) > SharePoint

The options to give new and existing guests access to SharePoint sites (including a M365 Group or Team-linked SharePoint site), libraries, folders or items are all described above under the sharing options.

The following configuration settings relating to external access are located in the Microsoft Teams Admin centre. Responsibility: Global Admins, Teams Admins.

Microsoft Teams admin > Teams policies > Global

The Teams global policies section is used to determine whether the following can be created:

  • Create private channels
  • Create shared channels
  • Invite external users to shared channels
  • Join external shared channels

As noted above, even when the option to ‘Invite external users to shared channels’ is set to allowed, the ability to invite them will depend on whether (a) for users in organisations with Azure AD, if that organisation has been added via the Microsoft Entra cross-tenant setting or (b) for all other users, if the Microsoft Entra external collaboration settings allow this.

Th following settings relating to external access are located in every Team. Responsibility: Team Owners.

Each Team > Manage Team > Settings > Member permissions

A Team owner can restrict the ability of Team members to create standard channels (to which external guests could be invited), create private channels, or delete and restore channels. All these options are enabled by default.

Each Team > Manage Team > Settings > Guest permissions

A Team owner can allow external guests to create and update channels, or delete channels. These options are disabled by default.

Each Team > Each standard channel > Manage Team > Add member

Subject to the previous settings:

  • A Team owner can add a guest member to a Team. Guest members are indicated as ‘Guest’. Note that guests added in this way also (a) adds them to the list of Guests in Microsoft 365 Admin centre under Users, (b) add them to the associated Microsoft 365 Group, (c) gives the guest access to the Team’s SharePoint site and all content on that site.
  • A Team member cannot add a guest member to a Team, even if that guest already exists in the directory. They will see an error ‘We didn’t find any matches’. They can only add other internal users.

Per Team > Private Channel > Manage Team > Add member (or Channel > Add member)

While both Team Owners and Members (if not disallowed) can create a private channel, only the Owner can add an external guest to that channel, as long as the guest is already a member of the parent Team. Team Members will receive an error message: ‘We didn’t find any matches’.

Per Team > Shared Channel > Manage Team > Add member

Team Owners can create a Shared Channel and, in doing so, have the option to ‘Share this channel with everyone on the team’ (Check box visible on the screenshot to the left). This will add all other members of the parent Team to this Shared channel but NOT external guests.

If they attempt to add an external guest that belongs to an Azure AD organisation, and the Microsoft Entra options have not been configured to allow the person to be added, they will receive the error ‘You can’t share this channel with people from this org’.

If they attempt to add an external guest that doesn’t have an Azure AD account (e.g., a public email like gmail), and the Microsoft Entra options have not been configured, they will receive the error ‘We cannot find any matches. Make sure the email address is correct’.

An end user who is only a Member of a Team cannot create a Shared Channel. They are also unable to add any external users because this option is not available to them – they can only view the Owners and Members.

The following settings relating to external access are located in every SharePoint site, including sites linked with a Team (‘Files’ tab) or Group. Responsibility: SharePoint Admins, Site Collection admins, Site Owners (includes Team and M365 Group Owners).

Per SharePoint site > Documents library > Folders linked with channels (or other folders)

Access to a Teams-linked SharePoint site can be modified via the Site Permissions or using the ‘Manage Access’ option for each Folder in the channel-associated folders of the Documents library.

Group/Team/Site Owners can remove external guests from the channel linked folders on the SharePoint site via the Site, Library or (Team channel-linked) Folder by creating unique permissions but still allow them to access to the Team channel/s.

How to know who has accessed content?

The following options provide the ability to see if content has been shared with external guests.

  • Audit logs in the Microsoft Purview Compliance admin centre (access restricted to Global Admins and Compliance Admins and custom roles)
  • Per site – gear icon – Site Usage (or Site contents – Site Usage)
  • Per item – Manage Access – Direct access, or Share button – Shared with (at bottom of dialog box). Also, click the ‘Advanced’ option at the bottom of the Manage Access dialogue.

These options will be described further in a separate post.

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s