Sharing is All About Control
Azure External Identities
We were taught to share as kids, but external sharing outside of your organization is a whole different set of manners!
October 27 | Denesh Sohan, Director of Products
Who should you share with and how in Office 365?
There are so many ways to enable external sharing within Office 365 for SharePoint and OneDrive that give your administrators or your users the control and governance to protect your information assets.
Whether you are an organization with a large alumni community, external contractors, or a supply chain that requires you to collaborate, sharing by definition doesn't mean everything for everyone. So, let's start with the types of sharing you can enable with revocable secret key links, some of which are transferrable:
Anyone link – transferrable, sharable; no sign in or registration required.
People in my organization link – transferrable, guaranteed upon sign in.
People with existing access link – direct pointer to content; explicit permissions.
Specific people link – non-transferrable; recipient confirmation with verification code.
For all the above sharing options, the owner of the shared content receives a notification to let them know who shared the content and the permissions attached to the link. Administrators can optionally require recipients to continually prove account ownership when they access shared items after a designated number of days. This is sharing made easy.
It's all about control – WHO, WHICH, WHAT, HOW
In the admin portal for SharePoint or OneDrive, you can specify the sharing permissions. For SharePoint site collections, you have the additional control of being able to modify the sharing permissions or turn them off completely.
Control WHO can share with external users
You've created a project or team site and know that external users need to be able to view information, contribute to it, or even share with their own colleagues. Not wanting to stifle collaboration and productivity, it's tempting to allow users free rein with information sharing. However, there must be boundaries to protect privacy and intellectual assets. The following options are available to site administrators to control who can share with users outside the organization.
- Select the "Don't allow sharing outside your organization"
- Select any of the "Allow…" options
- You also have the option to prevent external users from sharing content that they are not an owner of
Only specific people
- Select one of the options under "Who can share outside your organization"
- Let only users in selected security groups share with authenticated external users
- As the phrase suggests, all links require the external user to be successfully authenticated when accessing the content
- Additionally, you can specify that users don't require an account to access content
Control WHICH external users can be shared with
How far does your control reach? You need to decide not just who can grant access, but to whom. With the public website and extranet portal Envision IT developed for OntarioMD, registered physicians are allowed to invite sponsored users to access private areas of the site. Incorporating our Extranet User Manager product and Azure Multi-Factor Authentication, the sponsored users are validated before they are allowed entry.
The following restrictions can be set to control whom your content is shared with outside the organization.
- Don't allow sharing outside your organization
Only authenticated users
- Allow sharing only with external users that already exist in your organization's directory
Only authenticated users except specific domains
- All authenticated users except users that have accounts in the specified domains (for instance generic Gmail or Yahoo addresses)
Only authenticated users in specific domains
- All authenticated users with accounts within the specified domains
- Allow sharing to authenticated external users and using anonymous access links
Control WHAT can be shared externally
Our own Envision IT corporate intranet includes client and partner sites that we often open to external users when projects get going. We share things like meeting agendas and minutes, mockups, wireframes, and digital assets. We may also have confidential information like budgets and credentials that we don't want shared externally. Office 365 allows you to set permissions on exactly what gets shared outside the organization.
- OneDrive files, folders, SharePoint sites, Office 365 groups
Only specific sites
- Use the "Site Collections" management ribbon "Sharing" option to specify whether the site collection is allowed for external sharing or not
Only files without sensitive content
- Use security and compliance rules to restrict access to content sharing
Control HOW externally shareable links can be used
Permissions can become even more granular, allowing you to specify how externally shared links are used and accessed. The project site we developed for Associated Engineering allows users to easily request and create new project sites to share information with external partners and clients. For projects of a known limited duration, site owners can set links to expire after a specific date, or enforce re-validation by the external user after so many days.
Options for setting up externally shareable links include:
Default link type
- Set what the default link type is when a user clicks the "Share with..." option
- Options include a direct link for only those people who have permission, a link for internal users only, or an anonymous access link for anyone with the link
- No matter which default type is set, users can still switch the type prior to sending a link
Default link permission
- For any of the above link types, permission can be set to "View" or "Edit" by default
Anonymous access links
- With anonymous access links, users can set an expiration date for file permissions and folder permissions
Additionally, restrictions can be set so that external users must accept sharing invitations using the same account the invitation was sent to, and external users can be blocked from sharing content that they do not own.
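One way to check a tenant against the controls described above (an added example, not code from the original post): the function reads the properties that Get-SPOTenant returns and lists every setting that is looser than an assumed baseline. The function name Test-SharingPosture, the baseline and the sample values are hypothetical.

```powershell
# Added example: audit tenant-wide sharing settings against the WHO/WHICH/HOW controls.
# Property names are those returned by Get-SPOTenant; the baseline itself is an assumption.
function Test-SharingPosture {
    param([Parameter(Mandatory)] $Tenant)

    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Tenant.SharingCapability -eq 'Disabled') { return $findings }  # no external sharing at all

    # HOW: "Anyone" links are transferable, so they should expire and should not be the default
    if ($Tenant.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
        $Tenant.RequireAnonymousLinksExpireInDays -le 0) {
        $findings.Add('Anyone links are enabled without a mandatory expiration')
    }
    if ($Tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
        $findings.Add('Default link type is an anonymous access link')
    }
    if ($Tenant.DefaultLinkPermission -eq 'Edit') {
        $findings.Add('Default link permission is Edit rather than View')
    }
    # WHO: external users should not re-share content they do not own
    if (-not $Tenant.PreventExternalUsersFromResharing) {
        $findings.Add('External users can re-share content they do not own')
    }
    # HOW: the invitation should be accepted by the account it was sent to
    if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) {
        $findings.Add('Invitations can be accepted by a different account')
    }
    # WHICH: neither an allow list nor a block list of domains is in force
    if ($Tenant.SharingDomainRestrictionMode -eq 'None') {
        $findings.Add('No domain allow or block list restricts external recipients')
    }
    # Recipients using a verification code are never asked to prove ownership again
    if (-not $Tenant.EmailAttestationRequired) {
        $findings.Add('Verification-code recipients are not periodically re-validated')
    }
    return $findings
}

# Constructed sample standing in for the object returned by Get-SPOTenant
$sample = [pscustomobject]@{
    SharingCapability = 'ExternalUserAndGuestSharing'; RequireAnonymousLinksExpireInDays = -1
    DefaultSharingLinkType = 'AnonymousAccess'; DefaultLinkPermission = 'View'
    PreventExternalUsersFromResharing = $true; RequireAcceptingAccountMatchInvitedAccount = $false
    SharingDomainRestrictionMode = 'BlockList'; EmailAttestationRequired = $false
}
Test-SharingPosture -Tenant $sample
```

Against a live tenant, connect with Connect-SPOService and pass the output of Get-SPOTenant as the -Tenant argument instead of the constructed sample.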
Office 365 groups
- By allowing group owners to add external users to Office 365 groups, you enable those users to share in group resources
- The option here is also to enforce re-validation of external accounts so that users need to confirm their account by email response
- By definition, this is a managed account that represents a person outside your organization
- Users authenticate by signing into an existing Azure Active Directory (AAD) or Microsoft account (MSA)
- They can be put into Office 365 groups
- They will receive mail sent to the group email address, have access to the group's files and folders in OneDrive, have access to the Group's site in SharePoint, and participate in team chat in Teams
Now that you've got the rules, play nice!
All this can sound pretty overwhelming, but after all, you want your users and their friends to play nice in the sandbox together! You want to build an environment that embraces information sharing beyond the boundaries of your organization, while maintaining effective governance of your site and keeping your intellectual property safe. Office 365 provides the options for setting highly granular permissions and controls. Once you've mastered which sharing restrictions work best for specific scenarios, it's child's play!