4 Sharing Strategies for Your Office 365 Extranet
If you are preparing to roll out an extranet within your organization, it is important to ensure that your implementation strategy aligns with the need you are addressing. Office 365 offers options out of the box (OOTB), and they may work quite well for your scenario. It is crucial to address not only current needs but also the future needs that will arise as the extranet grows and adoption increases.
There are a number of possible solution options that can align with your sharing strategy. At a very high level they are:
- Use the out of the box SharePoint Online sharing features
- Use the out of the box SharePoint Online and Azure AD B2B features
- Leverage Extranet User Manager and Azure AD B2B
- Build a custom Extranet portal that is integrated with SharePoint Online via Extranet Publisher
In the following sections each of these solutions will be expanded on.
OOTB SharePoint Online External Sharing
External sharing OOTB in SharePoint Online works very well for small, unstructured scenarios with a limited set of users. For example, sharing a single document or a folder with a few documents works very well. External sharing is typically set up from within SharePoint by granting direct access to a single user and/or generating a link with permissions applied to it. A link can have one of the four permission levels below:
- Anyone with the link will have access to the document
- People in your business with the link will have access to the document
- People with existing access, which means people who have previously had access (whether they be internal or external to your organization) can access the document
- Specific people, which is where you can specify a user's email address and only they are able to access the document
You can additionally give these links expiration dates as well as passwords that you then share with the receiving user. This is an excellent option for smaller scenarios that involve ad hoc sharing of documents with one or a few users. It is important to note that OOTB external sharing is controlled mainly by the users doing the sharing; IT administrators often have no insight into what is shared externally at any given time. If you would like to learn more about setting up external sharing, check out a previous article that covers the best methods for configuring external sharing.
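The two points above, expiring links and the lack of admin visibility, can both be addressed from the SharePoint Online Management Shell. The following is an added example, not code from the original article: it sets tenant-wide guard rails for OOTB sharing links and then lists every external user who has accepted access. It assumes the SharePoint Online Management Shell module is installed and uses "contoso" as a placeholder tenant name.

```powershell
# Added example: tenant-level guard rails for OOTB sharing links, plus an
# inventory of who currently holds external access. "contoso" is a placeholder.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Keep sharing enabled, but stop "Anyone" links from living forever and make the
# default link a view-only "Specific people" (Direct) link, so that ad hoc
# sharing starts from the least-privileged option rather than an anonymous link.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -DefaultSharingLinkType Direct `
              -DefaultLinkPermission View `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View

# Enumerate every external user who has accepted access anywhere in the tenant.
# Get-SPOExternalUser returns at most 50 entries per call, so walk the pages
# until one comes back short.
function Get-AllExternalUsers {
    $pageSize = 50
    $position = 0
    $all = @()
    do {
        $page = @(Get-SPOExternalUser -Position $position -PageSize $pageSize)
        $all += $page
        $position += $page.Count
    } while ($page.Count -eq $pageSize)
    return $all
}

# Newest invitations first; InvitedBy shows which end user did the sharing.
Get-AllExternalUsers |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy |
    Sort-Object WhenCreated -Descending |
    Format-Table -AutoSize
```

Run the inventory on a schedule and diff it against the previous run to spot external access that nobody in IT knew about.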
OOTB SharePoint Online and Azure AD B2B
We recommend the first option above when a small number of external users will be interacting with the system. However, if there is any chance that this small set of users could grow into a larger one with more complex permission requirements, the OOTB SharePoint and Azure AD B2B tools would be sufficient to manage the process.
The main difference with this solution is that you are moving away from inviting individual users to your extranet to larger sets of users that are typically identified by Groups or Roles. Instead of inviting a single user to a specific SharePoint site, you are granting permission to a certain group that exists in the form of an Azure Active Directory group. Any users that belong to the group will have the applicable permissions that were applied in the SharePoint site.
This is ideal for larger sharing scenarios where turnover of users is inevitable. With the group permissions in place, an IT administrator can add and remove users from the group as needed and never has to touch the SharePoint permissions themselves. It is important to note that with this option, IT administrators are the only individuals able to manage this external access, because it is all done within Azure Active Directory, which is not a place any end user or business user should be accessing. If you would like to learn more about Azure AD B2B, check out the Article Repository we maintain with the latest information from Microsoft.
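The group-based model described in this section, as an added example that is not code from the original article: one Azure AD security group per vendor is granted a permission level on the vendor's SharePoint site once, and onboarding or offboarding a guest then touches only that group's membership. It assumes the AzureAD and SharePoint Online Management Shell modules; the tenant name, group name, site URL and e-mail address are placeholders.

```powershell
# Added example: grant one Azure AD group access to a vendor site, then manage
# external access purely through that group's membership. All names are placeholders.
Connect-AzureAD
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$siteUrl   = "https://contoso.sharepoint.com/sites/vendor-fabrikam"
$groupName = "EXT-Vendor-Fabrikam"

# One security group per vendor, created once by IT.
$group = Get-AzureADGroup -Filter "DisplayName eq '$groupName'"
if (-not $group) {
    $group = New-AzureADGroup -DisplayName $groupName -MailEnabled $false `
                              -SecurityEnabled $true -MailNickName "extvendorfabrikam"
}

# Add the Azure AD group (not individual users) to the site's read-only
# SharePoint group. An Azure AD security group is addressed in SharePoint by
# the claim "c:0t.c|tenant|<objectId>".
$visitors = Get-SPOSiteGroup -Site $siteUrl | Where-Object { $_.Title -like "*Visitors" }
Add-SPOUser -Site $siteUrl -Group $visitors.Title -LoginName "c:0t.c|tenant|$($group.ObjectId)"

function Add-VendorGuest([string]$Email) {
    # B2B invitation; the redirect URL lands the guest on the vendor site
    # once the invitation is redeemed.
    $inv = New-AzureADMSInvitation -InvitedUserEmailAddress $Email `
                                   -InviteRedirectUrl $siteUrl `
                                   -SendInvitationMessage $true
    Add-AzureADGroupMember -ObjectId $group.ObjectId -RefObjectId $inv.InvitedUser.Id
}

function Remove-VendorGuest([string]$Email) {
    # Offboarding: dropping the guest from the group removes site access.
    # No SharePoint permissions are modified.
    $user = Get-AzureADUser -Filter "mail eq '$Email'"
    Remove-AzureADGroupMember -ObjectId $group.ObjectId -MemberId $user.ObjectId
}

Add-VendorGuest -Email "alice@fabrikam.example"
```

Because the site grant lives on the group, a periodic review of that group's membership is a complete review of who can reach the vendor site.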
SharePoint, Extranet User Manager and Azure AD B2B
This option builds on the previous solution in order to support a larger number of external staff where a non-IT administrator must manage user access at scale. The difference in this solution is that it leverages our Extranet User Manager (EUM) product. EUM scales Azure AD B2B to large numbers of external users and internal owners. Rather than going through the Azure portal to invite the external users, our EUM application manages this. Some of the scenarios EUM supports are:
- Inviting and removing users through the EUM user portal
- Web parts that can be added directly to the SharePoint site pages to manage the external users
- Private registration links that can be shared with each vendor to allow them to request access to their vendor site or folder
- Approval workflows on access requests
- Delegation of the user/group membership administration to either internal or external business users themselves
If you would like to learn more about the value add of Extranet User Manager to Azure AD B2B, check out a recent webinar we ran on Building a Structured Extranet Using Azure AD B2B.
Custom Extranet Portal
The above solutions are focused on collaboration scenarios, both large and small. However, when you break down the goal of your extranet implementation, sometimes it is actually just secure publishing of documents to an external audience.
When user counts get into the thousands or tens of thousands of external users, the onboarding and portal user experience becomes critical. The people coming in can be very non-technical, and the system needs to be easy for them to understand and use. Part of the Extranet User Manager product family, Extranet Publisher is a tool for publishing data from SharePoint to an external portal, such as a .NET Azure Website.
Users can create an account with their email address and a password, or they can use their social credentials (Facebook, Google, Microsoft, etc.) to log in easily. In this scenario EUM acts as a full Identity Provider, supporting OpenID Connect, SAML 2, and WS-Federation. Consequently, your publishing portal can be built in any modern web stack, although we typically use .NET Core 2 to create these portal sites. All of this can be hosted in an Azure App Service, which is fully managed and patched by Microsoft.
Interested in learning more about Publisher? Check out our Extranet Publisher Overview!