Part of my job at Sharegate is to analyze and answer all the great feedback we receive here. I have to say, I’m always pleased to read positive feedback, but I’m also very happy when we have great suggestions so I can discuss them with the team. It might end up as a new feature!
Recently, we received a lot of questions on how to manage the Office 365 external sharing of documents and list items. Questions like "How can I find all the objects with permissions given to external users?", "How can I discern which users are internal or external users?" or "How can it be easier to be sure all the site collections are secure?"
So I’ve decided to look at the external sharing on Office 365. I found the feature really powerful but very complex to understand.
Table of Contents
I’ve separated the content in multiple sections:
- How to configure External Sharing on Office 365
- How to share content
- How to manage External Sharing from Office 365 Administration
- How Sharegate can help you control external sharing
So clear up your mind, and let's dive into Office 365 External Sharing.
A Quick Overview
In Office 365, you'll find two different external user types:
- Authenticated User
- Anonymous Guest
The table below gives you a quick overview on what can be shared depending on the external user type:
|Authenticated Users||Anonymous Guests|
|What you can share|
|Who can share|
|What kind of sharing|
|What are the security risks|
i. How to configure external sharing on Office 365
First of all, you need to be an administrator of your Office 365 and manage the tenant options.
1. Go to the Administration from the Office 365 menu
2. From the settings menu, activate the External Sharing option. You can choose between 3 options:
- Don't allow sharing outside your organization
- Allow external users who accept sharing invitations and sign in as authenticated users (All external users must sign in to access your site collection, so you'll be able to track their activities. They will be considered as users.)
- Allow both external users who accept sharing invitations and anonymous guest links (With the generated link, a user can access the content without signing in. It's easier to share content and to access it, but much riskier for your organization because of the lack of tracking possibilities.)
You then have the options for all the different site collections you have inside your tenant. You can activate external sharing only at the site collection level, so be careful: all the sites and subsites in it will have the option. I advise you to create a separate site collection dedicated only to external sharing, so you’ll be sure your content is secure.
3. For each site collection, you can set the external sharing from the Site Collections menu. You can select one or multiple site collections at once.
4. Apply the external sharing option you want for your site collection
ii. How to share content
There are a lot of different combinations that can confuse some people (including myself) with external sharing. Pay close attention here!
1. Authenticated user
Share a site
Directly from the share button in the top right corner, you can invite new users. You just have to write the email address directly inside the pop-up window. Click on the “suggested” email address (which is clearly the same as the one you just typed) so that it appears underlined.
If you then click on "Show options", you’ll get the option to change the group you want to add the external user to. By default, the external users are attributed to group members and have [Contribute] rights. This is where you have to be careful: be sure of the group permissions before adding an external user to a group.
Once you share something, the invitation is valid for 7 days only. After that, the invitation will expire and you’ll have to send another invite.
The email invitation looks like this:
Access to a site as an external user
Now be careful when you click on the link; the behavior here is complex. Depending on what's open in your browser and whether you already have a Microsoft account, you might link the invitation to the wrong sign-in.
Let me rephrase that! Let’s say email@example.com is my professional Microsoft account, which I use for my OneDrive and to share some of my content with other people. I also have a Hotmail account, which is my personal email address.
Here's what can happen:
- If I’m already logged in with my live.com account and click on the "Go To Contoso" link, I’m going to link my live.com account to the Contoso Site. So, as an external user, I’m going to authenticate myself with this account.
- On the other hand, if I’m at home and my Hotmail account is open and I click on the same Contoso Site link, my Hotmail account will be linked to the site. This is definitely not something I want to happen!
This is a huge security risk for your organization because, even if you send an invitation to your contact's professional account, he or she might end up accessing your documents with their personal Microsoft account. The name and email address you'll see in Office 365 might be different than the ones you've sent the invitation to.
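The sharing options from section i and the account mismatch described above can both be checked from the SharePoint Online Management Shell. The PowerShell below is an added example, not part of the original article and not Sharegate code. It assumes objects shaped like the output of `Get-SPOSite` (Url, SharingCapability) and `Get-SPOExternalUser` (InvitedAs, AcceptedAs); the helper name `Get-SharingRisk`, the URLs and the addresses are constructed for illustration.

```powershell
# Added example: classify each site collection's sharing mode and flag external
# users who accepted an invitation with a different account than the invited one.
# Get-SharingRisk is a hypothetical helper; it only reads object properties.
function Get-SharingRisk {
    param(
        [Parameter(Mandatory)] $Site,          # needs Url and SharingCapability
        [object[]] $ExternalUser = @()         # needs InvitedAs and AcceptedAs
    )
    # Map the site collection's setting to the three options in the settings menu.
    $mode = switch ("$($Site.SharingCapability)") {
        'Disabled'                    { 'No sharing outside the organization' }
        'ExternalUserSharingOnly'     { 'Authenticated external users only' }
        'ExternalUserAndGuestSharing' { 'Authenticated users and anonymous guest links' }
        default                       { "Other ($_)" }
    }
    # Invitation sent to one address, accepted with another account.
    # -ne compares strings case-insensitively, so Alex@ and alex@ still match.
    $mismatch = @($ExternalUser | Where-Object {
        $_.InvitedAs -and $_.AcceptedAs -and ($_.InvitedAs -ne $_.AcceptedAs)
    })
    [pscustomobject]@{
        Url           = $Site.Url
        Mode          = $mode
        ExternalUsers = $ExternalUser.Count
        Mismatched    = ($mismatch | ForEach-Object { "$($_.InvitedAs) -> $($_.AcceptedAs)" }) -join '; '
    }
}

# Constructed sample data (not from a real tenant).
$partners = 'https://contoso.sharepoint.com/sites/partners'
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'; SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = $partners; SharingCapability = 'ExternalUserSharingOnly' }
)
$usersBySite = @{
    $partners = @(
        [pscustomobject]@{ InvitedAs = 'alex@partner.example'; AcceptedAs = 'Alex@partner.example' }
        [pscustomobject]@{ InvitedAs = 'sam@partner.example';  AcceptedAs = 'sam.home@mail.example' }
    )
}
# Against a real tenant (after Connect-SPOService), replace the sample data with:
#   $sites = Get-SPOSite -Limit All
#   $usersBySite[$url] = Get-SPOExternalUser -SiteUrl $url -PageSize 50   # page with -Position

foreach ($s in $sites) {
    $u = @($usersBySite[$s.Url] | Where-Object { $_ })   # empty array when the site has no entry
    Get-SharingRisk -Site $s -ExternalUser $u
}
```

With the sample data, only the second user of the partners site is reported as mismatched; the first differs from the invited address in letter case only.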
Once a user has signed in, they can request access to other sites or lists. The administrator will receive a notification and can manage requested access from Office 365.
Share a list or library
Once you’re inside a list or library, the option is accessible from the ribbon, through the "Shared With" button.
The flow here is then the same as sharing a site, but instead of giving access to a site group, you grant permission to the external user.
Share a document
To share a document with an external user, use the Document Menu Dialog and click on Share. You then get the same pop-up as for the Site or List sharing option.
The only difference here is the “Can Edit” or “Can view” option you can see on the right.
If you uncheck the Require Sign-in check box, it'll send the external link (the same way as the Get A link Option described below). Confusing, I know!
2. Anonymous Guest
As I said at the beginning of the blog, an anonymous guest link can only be created for a specific document. To share a link, just use the menu and select “Get a Link”.
Depending on whether you have the Office suite online, users with an Edit Guest link might edit online or directly in Word. The Modified By column would be “Guest Contributor”.
iii. How to manage external sharing from Office 365 Administration
1. Central administration
- Manage external user
From the Office 365 administration, go to the External Sharing options, then Sites. When selecting a site collection, you’ll see if there are some external users. From there, the only management you can do is view or delete them.
- How to disable all the external sharing
From the Settings menu, you can change Office 365 external sharing options on the site collection. If you choose the “Don't allow sharing outside your organization” option, the system might ask you if you’re sure. All the external sharing done inside the site collection would be disabled.
2. External sharing at a Site Collection Level
On each site collection, you can see all the Access Requests from Site Settings > Access Requests and invitations. There you can see all the pending requests, the external user invitations and the history.
The only limitation here is that you can’t see the history of anonymous shared links.
As you can see from here, SharePoint Online doesn’t give you a lot of management options:
- You can’t get the big picture of which objects are shared
- You can’t see what permissions an external user has
- You can’t see an anonymous guest link document list from the administration
- A shared invitation won’t appear in the administration as long as the user isn't authenticated
For those reasons, we thought we could add new features inside Sharegate Management so you’ll have a complementary tool to help you keep control over your security.
iv. How will Sharegate help you control external sharing
I really like the power of Sharegate's Office 365 & SharePoint management features. Since I’ve been inside and learned the capabilities offered, I’m hooked and use it every day.
We've added different reports and conditions. I want to link them as an answer to a business need so you see the value behind them.
Find a Site Collection List with external sharing enabled
My first business need is that I want to have the big picture on my Office 365 site collections. I also want to know which one has the external sharing activated and what type of external sharing is applied.
Achieving this with Sharegate is dead simple: Run a new "Find" query. Select the Site Collection Object Type and add the columns "Shared by Link" and "Shared by Email".
Then choose your target; you can target more than one Office 365 environment at once. Then see the results as below:
If the "Share by Email" is enabled, it means that the site collection allows external users who accept sharing invitations and sign in as authenticated users.
If the "Share by link" is enabled, it means that the site collection allows both external users who accept sharing invitations and anonymous guest links.
Find the list of all Office 365 External Users
My second business need is that I want to know who the external users are (all authenticated) so I can control Office 365 security and check their access and permissions.
From Sharegate, you can run a built-in Security Report called "External Users". You just have to select your target and run the report. I do like to add the email, and the account as columns I want to see in the report.
As a result, you have the list of all external users in Office 365: their names, the sites they have access to, their accounts and email addresses. You can see on the picture below the purpose of connecting to Office 365 with a different email than the one the invitation was sent to.
From there, you can use Sharegate's Check Permission security action to view the permissions linked to a user.
Find document lists with anonymous guest link enabled (edit or view)
It's impossible to have the list of anonymous users because they are anonymous! So as a user, I want to know the list of documents that have been shared by link. And then I'll want to know if it's either a view or an edit link.
You can run the built-in security report Documents with anonymous guest links enabled. You can add the Last Modified By column if you want to see if an anonymous guest has modified a document.
Find Externally Shared Objects in Office 365
Finally, I need to know which objects have a real external sharing. What I mean by "real" is that someone has invited an external user, or shared a document with a link. Since it's easy to see if the feature is enabled, but it's hard to control the sharing of the object, there's a risk here! Maybe someone added an external user to a site group and gave full access to the complete site. You probably want to manage that!
What I like with this report is the fact that I can see all external users as well as all the users who have been invited but not yet authenticated. I'm now sure I can secure my whole Office 365 environments!
What's next for Sharegate
Powerful, isn't it? But it's only the first part of what we've got planned to manage External Users in Office 365. We want to add more related fixing features such as:
- Enabling or Disabling an external user on Site Collections
- Directly check permissions from the External Users List
- Directly add or remove permissions from the External Users list
- Delete all anonymous guest links generated
- Remove permissions from a site, list, or libraries directly from the Externally Shared Objects reports.
If you have more ideas, don't hesitate to send us feedback.
I hope you're now more comfortable with the external sharing on Office 365. This feature is so powerful. I love it! It's easier for me to share content with different companies we collaborate with here at Sharegate. I don't have to ask IT to add a user inside the Active Directory. I can share content by myself, it's quick and very powerful. Once collaboration is done, I remove the user from the site. It's as simple as that.
But for Office 365 security, it's risky. Make sure all your site collections aren't opened, and manage your security by checking reports every day. You don’t want official (and secret) documentation to be open and accessible to the world. I'd advise you to plan how you'll deal with the external sharing: add new rules inside your governance plan and make sure all users have the training and knowledge so they would do it right. Don't be afraid of Office 365, it's secure. You just need to understand how it works and find great tools that will help you to manage its access.
What are your plans to control Office 365 External Sharing?