22 January 2021
#M365California
28 January 2021
#collabdaysbirm
Everything you ever wanted to know about external sharing in Microsoft 365
Chirag Patel @techChirag
Chirag Patel




Development DBA, SharePoint Administrator
2001
SharePoint & BPOS Consultant
2012
Independent SharePoint & Office 365 Consultant
2014
Microsoft Teams, Power Platform
2018
Microsoft 365
2019
M365UK
2020
Community Speaker
Chirag Patel
@techChirag
UK 2011-2014 #spsuk
EMEA 2011 #spsemea
India 2012 #spsindia
Belgium 2016-2017 #spsbe
Cambridge 2017 #spscambs
Paris 2015 #spsparis
Madrid 2016 #spsmad
Barcelona 2017 #spsbcn
London 2015-2017, 2019 #spslondon
Leicester 2019 #spsleicester
Ahmedabad 2020 #M365Ahmedabad
Bangalore 2020 #M365BLR
www.techChirag.com
External sharing workloads
Azure Active Directory
Microsoft 365 (inc. M365 Groups)
Teams
SharePoint and OneDrive (organisation-level)
SharePoint (site level)
Look…I just want to share externally!
ANYONE
Easiest way to share files with anyone on the planet
Recipient has access if they have the link
Recipient decides who else gets access
PEOPLE in my COMPANY
Easiest way to share files within the company
Recipient has access if they have the link AND are in the company
Recipient decides who else in my company has access
PEOPLE with EXISTING ACCESS
Direct pointer, does not add permissions
Recipients who already have access via membership, or explicit permission, have access
Recipient cannot decide who else to share to
SPECIFIC PEOPLE
Sharer decides which specific people inside and outside have access
Only those people have access and prove their identity
Thinking about people and processes
External access process with roles and responsibilities
Training - including compliance requirements
Information security policy
Information classification policy
Instructions for 3rd Parties – Setup, access, policies
Managing external access and removing access
Sharing v Links v Microsoft 365 Groups User
External Sharing Governance
Support staff
Enable self service creation
Use lifecycle management
Detecting valuable content
Use classification for sites
Scan with data loss prevention (DLP)
Protect content
Limit reach
Enforce policy
Use conditional access
Use IRM (Information Rights Management)
Charge
Responsibility
Manage group / site ownership
Review external membership
Use IT services and management tooling
Think about putting policies in place
Policy Examples
System will support external collaboration
Users cannot share content from OneDrive for Business externally
Users can share content from SharePoint
External sharing should be disabled on sites by default
IT will restrict 3rd party / domains
Only users who have completed training are allowed to share content externally
External users are required to sign in
IT can enable / disable external sharing
Require external users to re-prove account ownership every 7 days
Prevent external users from sharing content they do not own
Only site owners can invite external users
External sites should have naming convention
External access sites to be identifiable in sites list
IT can remove 3rd party access
Azure - External collaboration settings
• Guest invite settings – Tenant level
• Guest inviter role
• Members & Guest invite
• Restrictive domains
• Guest user access restrictions (preview)
• Restricted - can view only their own user profile. Searching will not work.
Tenant Level Sharing
• Control who can add guests
• Control whether guests can access group emails, team files, OneNote and other M365 Group elements
Microsoft 365 sharing
• Control whether admin or all users can add guests
• This setting is the same as in Azure – External Collaboration setting
Microsoft 365 Groups
| Feature | Guest user allowed? |
|---|---|
| Create a group | No |
| Add/remove group members | No |
| Delete a group | No |
| Join a group | Yes, by invitation |
| Start a conversation | Yes |
| Reply to a conversation | Yes |
| Search for a conversation | Yes |
| @mention a person in the group | No |
| Pin/Favorite a group | No |
| Delete a conversation | Yes |
| "Like" messages | No |
| Manage meetings | No |
| View group calendar | No |
| Modify calendar events | No |
| Add a group calendar to a personal calendar | No |
| View and edit group files | Yes, if enabled by tenant admin |
| Access the group OneNote notebook | Yes, access from welcome email |
| Browse groups | No |
https://support.microsoft.com/en-US/office/adding-guests-to-microsoft-365-groups-bfc7a840-868f-4fd6-a390-f347bf51aff6
SharePoint External Sharing
• To whom do you want to share?
• What can be shared?
• Who can share?
Default behaviour of links across all sites
• Control default scope for sharing links and permissions
• Controls available at both platform level and site level
External Sharing at Site Level
• Content you share with
• Flexibility to limit sharing by domain
• Default sharing link type
• Default link sharing permission
Managing external sharing (SharePoint)
Control WHO can share to external users
• Everyone
• Only specific people
• No one
Control WHICH external users can be shared with
• Anyone
• Only authenticated users
• Only authenticated users except specific domains
• Only authenticated users in specific domains
• No one
Control WHAT can be shared externally
• Anything
• Only specific libraries
• Only files without sensitive content
Control HOW externally shareable links can be used
• Default
• Enabled, but not default
• Mandatory expiration date
• Block externally-shareable edit links
• Disabled
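A way to check a tenant against some of the policy examples and SharePoint controls above, as an added example that is not part of the original deck. The `$tenant` and `$sites` objects are constructed stand-ins for `Get-SPOTenant` and `Get-SPOSite` output; the mapping of each policy sentence to a setting, the `contoso.example` URLs and the `/sites/ext-` naming convention are assumptions of this example.

```powershell
# Constructed stand-ins for Get-SPOTenant / Get-SPOSite output (values invented).
$tenant = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'  # allows "Anyone" links
    OneDriveSharingCapability         = 'ExternalUserSharingOnly'
    SharingDomainRestrictionMode      = 'None'
    EmailAttestationRequired          = $true
    EmailAttestationReAuthDays        = 30
    PreventExternalUsersFromResharing = $true
}
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/ext-bids'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/finance';  SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/hr';       SharingCapability = 'Disabled' }
)

function Test-SharingPolicy {
    # Returns one row per policy that the supplied settings do not meet.
    param(
        [Parameter(Mandatory)]$Tenant,
        [object[]]$Sites = @(),
        [string]$ExternalSitePattern = '*/sites/ext-*'   # hypothetical naming convention
    )
    # Policy wording from the slide, the setting assumed to carry it, and a test
    # that returns $true when the tenant complies.
    $rules = @(
        @{ Policy  = 'External users are required to sign in'
           Setting = 'SharingCapability'
           Test    = { param($t) $t.SharingCapability -ne 'ExternalUserAndGuestSharing' } }
        @{ Policy  = 'Users cannot share content from OneDrive for Business externally'
           Setting = 'OneDriveSharingCapability'
           Test    = { param($t) $t.OneDriveSharingCapability -eq 'Disabled' } }
        @{ Policy  = 'IT will restrict 3rd party / domains'
           Setting = 'SharingDomainRestrictionMode'
           Test    = { param($t) $t.SharingDomainRestrictionMode -ne 'None' } }
        @{ Policy  = 'Require external users to re-prove account ownership every 7 days'
           Setting = 'EmailAttestationReAuthDays'
           Test    = { param($t) $t.EmailAttestationRequired -and $t.EmailAttestationReAuthDays -le 7 } }
        @{ Policy  = 'Prevent external users from sharing content they do not own'
           Setting = 'PreventExternalUsersFromResharing'
           Test    = { param($t) $t.PreventExternalUsersFromResharing -eq $true } }
    )
    foreach ($rule in $rules) {
        if (-not (& $rule.Test $Tenant)) {
            [pscustomobject]@{
                Scope   = 'Tenant'
                Policy  = $rule.Policy
                Setting = $rule.Setting
                Actual  = $Tenant.($rule.Setting)
            }
        }
    }
    # Sites that allow external sharing must be identifiable by name.
    foreach ($site in $Sites) {
        if ($site.SharingCapability -ne 'Disabled' -and $site.Url -notlike $ExternalSitePattern) {
            [pscustomobject]@{
                Scope   = $site.Url
                Policy  = 'External sites should have naming convention'
                Setting = 'SharingCapability'
                Actual  = $site.SharingCapability
            }
        }
    }
}

Test-SharingPolicy -Tenant $tenant -Sites $sites | Format-Table -AutoSize -Wrap
```

Against a live tenant, replace the constructed objects with the output of `Get-SPOTenant` and `Get-SPOSite -Limit All` after `Connect-SPOService`.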
Look…I just want to share externally!
External User (OneDrive/SharePoint)
• Someone from outside your Microsoft 365 tenant to whom you have given access to one or more sites, files, or folders.
• 3 types of users:
  • Anonymous
  • Authenticated without MSA
  • Authenticated with MSA
Guest (Microsoft 365 & Azure B2B)
• Also known as an external user; guest status grants them access to all apps within an M365 group (emails, calendar, notes, files, and plans)
• Foundation for Microsoft Teams, Planner, Power BI, Dynamics CRM and other Enterprise Apps
External Sharing Invitation Management
OneDrive/SharePoint Online
• Separate invitation manager to Azure AD
• Adds users to SPO directory after users have redeemed their invitations
• New invitations generated every time you share
• Can pick external users from Azure AD
Azure AD B2B
• Users are added immediately on invitation so that they show up everywhere
• OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations
• Guests in Microsoft 365 Groups already use Azure AD B2B invitation APIs for sharing
SharePoint - Invitation Models
• User-initiated guest invitation model - This is the default for a new site collection and the recommended model, as it gives administrators control while still letting end users collaborate with their new business partner users without much intervention.
• Site-owner-initiated guest invitation model - If you want more control than the default sharing model over who can invite new users to a site, you can configure the site to only allow site owners to invite new users. This prevents ad-hoc invitations from being sent out by site users.
• Admin-managed partner users model - In an admin-managed partner users model, you pre-populate your organisation's Microsoft 365 directory with the guest users who you'll be inviting to your site. This can be done by importing users from other Microsoft 365 or Azure AD.
Site Usage
• Awareness when content is externally shared
Issues accessing files/folders, etc.
• You give an external user access to a Microsoft SharePoint Online or Microsoft OneDrive for Business resource.
• The user accepts the invitation but is signed in by using another Microsoft account at the time.
• The user browses to the shared resource.
• User receives one of the following error messages:
  • Access Denied
  • Let us know why you need access to this site.
  • User is not found in the directory
  • You need permission to access this site.
https://support.microsoft.com/en-gb/help/3026478/error-message-when-an-external-user-accepts-a-sharepoint-online-invita
Auditing Sharing events
• SharingInvitationCreated: A user in your organisation tried to share a resource (likely a site) with an external user. This results in an external sharing invitation sent to the target user. No access to the resource is granted at this point.
• SharingInvitationAccepted: The external user has accepted the sharing invitation sent by the acting user and now has access to the resource.
• AnonymousLinkCreated: An anonymous link (also called an "Anyone" link) is created for a resource. Because an anonymous link can be created and then copied, it's reasonable to assume that any document that has an anonymous link has been shared with a target user.
• AnonymousLinkUsed: As the name implies, this event is logged when an anonymous link is used to access a resource.
• SecureLinkCreated: A user has created a "specific people link" to share a resource with a specific person. This target user may be someone who is external to your organisation. The person that the resource is shared with is identified in the audit record for the AddedToSecureLink event. The time stamps for these two events are nearly identical.
• AddedToSecureLink: A user was added to a specific people link. Use the TargetUserOrGroupName field in this event to identify the user added to the corresponding specific people link. This target user may be someone who is external to your organisation.
https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide
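A per-resource triage of the six sharing events above, as an added example that is not part of the original deck. The audit records are constructed sample data, `contoso.example` as the home domain is an assumption, and counting invitations against acceptances per resource is a simplification of this example.

```powershell
# Constructed sample audit records (not real tenant data).
$sampleJson = @'
[
  {"CreationTime":"2021-01-20T09:00:01","Operation":"SecureLinkCreated","UserId":"amy@contoso.example","ObjectId":"https://contoso.example/sites/bids/pricing.xlsx"},
  {"CreationTime":"2021-01-20T09:00:02","Operation":"AddedToSecureLink","UserId":"amy@contoso.example","ObjectId":"https://contoso.example/sites/bids/pricing.xlsx","TargetUserOrGroupName":"sam@partner.example"},
  {"CreationTime":"2021-01-20T09:00:02","Operation":"AddedToSecureLink","UserId":"amy@contoso.example","ObjectId":"https://contoso.example/sites/bids/pricing.xlsx","TargetUserOrGroupName":"raj@contoso.example"},
  {"CreationTime":"2021-01-20T10:15:00","Operation":"AnonymousLinkCreated","UserId":"lee@contoso.example","ObjectId":"https://contoso.example/sites/hr/handbook.pdf"},
  {"CreationTime":"2021-01-20T10:20:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ObjectId":"https://contoso.example/sites/hr/handbook.pdf"},
  {"CreationTime":"2021-01-20T10:25:00","Operation":"AnonymousLinkUsed","UserId":"anonymous","ObjectId":"https://contoso.example/sites/hr/handbook.pdf"},
  {"CreationTime":"2021-01-21T08:00:00","Operation":"SharingInvitationCreated","UserId":"amy@contoso.example","ObjectId":"https://contoso.example/sites/bids","TargetUserOrGroupName":"kim@vendor.example"},
  {"CreationTime":"2021-01-21T11:30:00","Operation":"SharingInvitationCreated","UserId":"amy@contoso.example","ObjectId":"https://contoso.example/sites/legal","TargetUserOrGroupName":"pat@vendor.example"},
  {"CreationTime":"2021-01-21T12:00:00","Operation":"SharingInvitationAccepted","UserId":"kim@vendor.example","ObjectId":"https://contoso.example/sites/bids"}
]
'@

function Test-ExternalName {
    # True when the name is an address whose domain is not one of ours.
    param([string]$Name, [string[]]$InternalDomains)
    if ($Name -notmatch '@') { return $false }   # group or display name: cannot judge
    $domain = ($Name -split '@')[-1]
    return ($InternalDomains -notcontains $domain)
}

function Get-SharingExposure {
    # One row per shared resource (ObjectId), summarising how far it is exposed.
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string[]]$InternalDomains
    )
    foreach ($g in ($Records | Group-Object -Property ObjectId)) {
        $ops = $g.Group
        # AddedToSecureLink names the recipient of a "specific people" link.
        $recipients = @($ops |
            Where-Object { $_.Operation -eq 'AddedToSecureLink' -and
                           (Test-ExternalName $_.TargetUserOrGroupName $InternalDomains) } |
            ForEach-Object { $_.TargetUserOrGroupName } |
            Sort-Object -Unique)
        $anyone   = @($ops | Where-Object { $_.Operation -eq 'AnonymousLinkCreated' }).Count
        $uses     = @($ops | Where-Object { $_.Operation -eq 'AnonymousLinkUsed' }).Count
        $invited  = @($ops | Where-Object { $_.Operation -eq 'SharingInvitationCreated' }).Count
        $accepted = @($ops | Where-Object { $_.Operation -eq 'SharingInvitationAccepted' }).Count

        # An Anyone link can be copied, so the resource counts as shared externally
        # whether or not AnonymousLinkUsed has been logged yet.
        $exposure = 'Internal only'
        if ($anyone -gt 0) { $exposure = 'Anyone link' }
        elseif ($recipients.Count -gt 0 -or $accepted -gt 0) { $exposure = 'External access granted' }
        elseif ($invited -gt 0) { $exposure = 'Invitation pending' }   # no access granted yet

        [pscustomobject]@{
            Resource           = $g.Name
            Exposure           = $exposure
            AnyoneLinkUses     = $uses
            ExternalRecipients = $recipients -join '; '
            InvitesPending     = [math]::Max($invited - $accepted, 0)
        }
    }
}

$records = $sampleJson | ConvertFrom-Json
Get-SharingExposure -Records $records -InternalDomains 'contoso.example' |
    Sort-Object Exposure | Format-Table -AutoSize
```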
Microsoft Teams (Guest Access)
Dataverse (Database in Teams!)
• Teams can invite guests who can access the apps, bots, flows, and data in the Dataverse for Teams database within their team. However, they won't be allowed to install, make, or edit apps. They can only discover and run apps in their team.
• Guests can view and run all resources in the team. By default, guests have full access to records they create and don't have access to other users' records.
https://docs.microsoft.com/en-us/power-platform/admin/about-teams-environment
Authorise guest access (Microsoft Teams)
• Azure Active Directory: Controls the guest experience at the directory, tenant, and application level.
• Microsoft Teams: Controls Microsoft Teams only.
• Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Microsoft Teams.
• SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams.
https://docs.microsoft.com/en-us/microsoftteams/teams-dependencies
Disabling guest access for specific team (M365 Group)
• SharePoint site external sharing is separately disabled.
• Can be done from SharePoint Admin Centre
#Set tenant and M365 Group value
$tenant = "YourM365Tenant"
$groupName = "YourM365GroupName"
#The directory-setting cmdlets below ship in the AzureADPreview module
Connect-AzureAD
#Disable guest access for specific M365 Group.
$template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
$settings = $template.CreateDirectorySetting()
$settings["AllowToAddGuests"]=$false
#-SearchString can match more than one group: make sure exactly one comes back
$groupID= (Get-AzureADGroup -SearchString $groupName).ObjectId
#Show the group's current setting (empty if none has been created yet)
$existing = Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups
$existing | fl Values
#Update the existing setting if there is one, otherwise create it
if ($existing) {
    Set-AzureADObjectSetting -Id $existing.Id -TargetObjectId $groupID -TargetType Groups -DirectorySetting $settings
} else {
    New-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups -DirectorySetting $settings
}
Disconnect-AzureAD
https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-guest-access-in-groups
Planner
| Task | Non-guest owners and members | Guest user members |
|---|---|---|
| Create tasks and buckets | Yes | Yes |
| Edit task fields | Yes | Yes |
| Attach a file or link to tasks | Yes | Yes. However, an admin must allow it through the Microsoft 365 Groups settings. For more information, see Allow guests to be added to all Microsoft 365 groups. |
| Invite guest users | Yes | No |
| Comment on a task | Yes | Yes |
| Create a plan | Yes | No |
| Delete a public plan | Yes | No |
| Delete a private plan | Yes. Group owners only. | No |
| Add members to a public plan | Yes | No |
| Add members to a private plan | Yes. Group owners only. | No |
| Edit plan name | Yes | Yes |
| Edit public plan settings | Yes | No |
| Edit private plan settings | Yes. Group owners only. | No |
| View public plans | Yes | Yes |
| Join public plans | Yes | No |
Yammer
• Create and manage an external network
• Add external messaging participants
• Create and manage external groups
• Find external participants
• Disable external messaging
Monitor Guests
• Identity Governance
• Conduct Access Reviews on a regular basis
• Requires an Azure AD Premium P2 license.
• Member and guest users who are assigned as reviewers
• Member and guest users who perform a self-review
• Group owners who perform an access review
• Application owners who perform an access review
https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
Services: Calendar
Services: User consent to Apps
• Read user profile details
• Microsoft recommends disabling end-user consent to applications. This will centralise the decision-making process with your organization's security and identity administrator team
https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests
Services: User owned apps and services
Microsoft Forms
Services: Sway
Further resources
• How Microsoft manages and enables external sharing and collaboration with SharePoint (Microsoft Ignite)
• Coaching your guests through the external sharing experience
• Set up and manage access requests
• Searching for site content shared externally
• Configure Teams with three tiers of protection
• Create a secure guest sharing environment
• Create a B2B extranet with managed guests
• Settings interactions between Microsoft 365 Groups, Teams and SharePoint
techChirag.com
Thanks!

How to convert PDF to text with Nanonets
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

Everything you ever wanted to know about external sharing in Microsoft 365 - M365California CollabdaysBirmingham

  • 1. 22 January 2021 #M365California 28 January 2021 #collabdaysbirm Everything you ever wanted to know about external sharing in Microsoft 365 Chirag Patel @techChirag
  • 3. #collabdays #collabdaysbirm @collabdaysbirm Thank you to our sponsors Platinum Gold Community
  • 4. Chirag Patel     Development DBA, SharePoint Administrator 2001 SharePoint & BPOS Consultant 2012 Independent SharePoint & Office 365 Consultant 2014 MicrosoftTeams, Power Platform 2018 Microsoft 365 2019 M365UK 2020
  • 5. Community Speaker Chirag Patel @techChirag UK 2011-2014 #spsuk EMEA 2011 #spsemea India 2012 #spsindia Belgium 2016-2017 #spsbe Cambridge 2017 #spscambs Paris 2015 #spsparis Madrid 2016 #spsmad Barcelona 2017 #spsbcn London 2015-2017, 2019 #spslondon Leicester 2019 #spsleicester Ahmedabad 2020 #M365Ahmedabad Bangalore 2020 #M365BLR www.techChirag.com
  • 6. External sharing workloads Azure Active Directory Microsoft 365 (inc. M365 Groups) Teams SharePoint and OneDrive (organisation- level) SharePoint (site level)
  • 7. Look…I just want to share externally!
      ANYONE
        • Easiest way to share files with anyone on the planet
        • Recipient has access if they have the link
        • Recipient decides who else gets access
      PEOPLE in my COMPANY
        • Easiest way to share files within the company
        • Recipient has access if they have the link AND are in the company
        • Recipient decides who else in my company has access
      PEOPLE with EXISTING ACCESS
        • Direct pointer, does not add permissions
        • Recipients who already have access via membership or explicit permission have access
        • Recipient cannot decide who else to share to
      SPECIFIC PEOPLE
        • Sharer decides which specific people inside and outside have access
        • Only those people have access and prove their identity
  • 8. Thinking about people and processes External access process with roles and responsibilities Training - including compliance requirements Information security policy Information classification policy Instructions for 3rd Parties – Setup, access, policies Managing external access and removing access Sharing v Links v Microsoft 365 Groups User
  • 9. External Sharing Governance Support staff Enable self service creation Use lifecycle management Detecting valuable content Use classification for sites Scan with data loss prevention (DLP) Protect content Limit reach Enforce policy Use conditional access Use IRM (Information Rights Management) Charge Responsibility Manage group / site ownership Review external membership Use IT services and management tooling
  • 10. Think about putting policies in place
      Policy Examples
        • System will support external collaboration
        • Users cannot share content from OneDrive for Business externally
        • Users can share content from SharePoint
        • External sharing should be disabled on sites by default
        • IT will restrict 3rd party / domains
        • Only users who have completed training are allowed to share content externally
        • External users are required to sign in
        • IT can enable / disable external sharing
        • Require external users to re-prove account ownership every 7 days
        • Prevent external users from sharing content they do not own
        • Only site owners can invite external users
        • External sites should have naming convention
        • External access sites to be identifiable in sites list
        • IT can remove 3rd party access
  • 11. Azure - External collaboration settings • Guest invite settings – Tenant level • Guest inviter role • Members & Guest invite • Restrictive domains • Guest user access restrictions (preview) • Restricted - can view only their own user profile. Searching will not work.
  • 12. Tenant Level Sharing • Control who can add guests • Control whether guests can access group emails, team files, OneNote and other M365 Group elements
  • 13. Microsoft 365 sharing • Control whether admin or all users can add guests • This setting is the same as the one in Azure – External collaboration settings
  • 14. Microsoft 365 Groups
      Feature | Guest user allowed?
      Create a group | No
      Add/remove group members | No
      Delete a group | No
      Join a group | Yes, by invitation
      Start a conversation | Yes
      Reply to a conversation | Yes
      Search for a conversation | Yes
      @mention a person in the group | No
      Pin/Favorite a group | No
      Delete a conversation | Yes
      "Like" messages | No
      Manage meetings | No
      View group calendar | No
      Modify calendar events | No
      Add a group calendar to a personal calendar | No
      View and edit group files | Yes, if enabled by tenant admin
      Access the group OneNote notebook | Yes, access from welcome email
      Browse groups | No
      https://support.microsoft.com/en-US/office/adding-guests-to-microsoft-365-groups-bfc7a840-868f-4fd6-a390-f347bf51aff6
  • 15. SharePoint External Sharing • To whom do you want to share? • What can be shared? • Who can share?
  • 16. Default behaviour of links across all sites • Control default scope for sharing links and permissions • Controls available at both platform level and site level
  • 17. External Sharing at Site Level • Content you share with • Flexibility to limit sharing by domain • Default sharing link type • Default link sharing permission
  • 18. Managing external sharing (SharePoint)
      Control WHO can share to external users
        • Everyone
        • Only specific people
        • No one
      Control WHICH external users can be shared with
        • Anyone
        • Only authenticated users
        • Only authenticated users except specific domains
        • Only authenticated users in specific domains
        • No one
      Control WHAT can be shared externally
        • Anything
        • Only specific libraries
        • Only files without sensitive content
      Control HOW externally shareable links can be used
        • Default
        • Enabled, but not default
        • Mandatory expiration date
        • Block externally-shareable edit links
        • Disabled
  • 19. Look…I just want to share externally!
      External User (OneDrive/SharePoint)
        • Someone from outside your Microsoft 365 tenant to whom you have given access to one or more sites, files, or folders.
        • 3 types of users: Anonymous; Authenticated without MSA; Authenticated with MSA
      Guest (Microsoft 365 & Azure B2B)
        • Also known as an external user; guest status grants them access to all apps within an M365 group (emails, calendar, notes, files, and plans)
        • Foundation for Microsoft Teams, Planner, PowerBI, Dynamics CRM and other Enterprise Apps
  • 20. External Sharing Invitation Management
      OneDrive/SharePoint Online
        • Separate invitation manager to Azure AD
        • Adds users to SPO directory after users have redeemed their invitations
        • New invitations generated every time you share
        • Can pick external users from Azure AD
      Azure AD B2B
        • Users are added immediately on invitation so that they show up everywhere
        • OneDrive/SharePoint Online invited users also show up in Azure AD after they redeem their invitations
        • Guests in Microsoft 365 Groups already use Azure AD B2B invitation APIs for sharing
  • 21. SharePoint - Invitation Models
        • User-initiated guest invitation model - This is the default for a new site collection and the recommended model, as it gives administrators control while leaving end users free to collaborate with new business partner users without much intervention.
        • Site-owner-initiated guest invitation model - If you want more control than the default sharing model over who can invite new users to a site, you can configure the site to only allow site owners to invite new users. This prevents ad-hoc invitations from being sent out by site users.
        • Admin-managed partner users model - In an admin-managed partner users model, you pre-populate your organisation's directory with the guest users who you'll be inviting to your site. This can be done by importing users from other Microsoft 365 or Azure AD.
  • 22. Site Usage • Awareness when content is externally shared
  • 23. Issues accessing files/folders, etc.
        • You give an external user access to a Microsoft SharePoint Online or Microsoft OneDrive for Business resource.
        • The user accepts the invitation but is signed in by using another Microsoft account at the time.
        • The user browses to the shared resource.
        • User receives one of the following error messages:
            - Access Denied
            - Let us know why you need access to this site.
            - User is not found in the directory
            - You need permission to access this site.
      https://support.microsoft.com/en-gb/help/3026478/error-message-when-an-external-user-accepts-a-sharepoint-online-invita
  • 24. Auditing Sharing events
        • SharingInvitationCreated: A user in your organisation tried to share a resource (likely a site) with an external user. This results in an external sharing invitation sent to the target user. No access to the resource is granted at this point.
        • SharingInvitationAccepted: The external user has accepted the sharing invitation sent by the acting user and now has access to the resource.
        • AnonymousLinkCreated: An anonymous link (also called an "Anyone" link) is created for a resource. Because an anonymous link can be created and then copied, it's reasonable to assume that any document that has an anonymous link has been shared with a target user.
        • AnonymousLinkUsed: As the name implies, this event is logged when an anonymous link is used to access a resource.
        • SecureLinkCreated: A user has created a "specific people link" to share a resource with a specific person. This target user may be someone who is external to your organisation. The person that the resource is shared with is identified in the audit record for the AddedToSecureLink event. The time stamps for these two events are nearly identical.
        • AddedToSecureLink: A user was added to a specific people link. Use the TargetUserOrGroupName field in this event to identify the user added to the corresponding specific people link. This target user may be someone who is external to your organisation.
      https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide
  • 26. Dataverse (Database in Teams!) • Teams can invite guests who can access the apps, bots, flows, and data in the Dataverse for Teams database within their team. However, they won't be allowed to install, make, or edit apps. They can only discover and run apps in their team. • Guests can view and run all resources in the team. By default, guests have full access to records they create and don't have access to other users' records. https://docs.microsoft.com/en-us/power-platform/admin/about-teams-environment
  • 27. Authorise guest access (Microsoft Teams) • Azure Active Directory: Controls the guest experience at the directory, tenant, and application level. • Microsoft Teams: Controls Microsoft Teams only. • Microsoft 365 Groups: Controls the guest experience in Microsoft 365 Groups and Microsoft Teams. • SharePoint Online and OneDrive for Business: Controls the guest experience in SharePoint Online, OneDrive for Business, Microsoft 365 Groups, and Microsoft Teams. https://docs.microsoft.com/en-us/microsoftteams/teams-dependencies
  • 28. Disabling guest access for specific team (M365 Group)
        • SharePoint site external sharing is separately disabled.
        • Can be done from SharePoint Admin Centre

      # The directory-setting cmdlets below ship in the AzureADPreview module.
      #Set tenant and M365 Group value
      $tenant = "YourM365Tenant"
      $groupName = "YourM365GroupName"
      Connect-AzureAD

      #Disable guest access for specific M365 Group.
      $template = Get-AzureADDirectorySettingTemplate | ? {$_.displayname -eq "group.unified.guest"}
      $settings = $template.CreateDirectorySetting()
      $settings["AllowToAddGuests"]=$false
      $groupID= (Get-AzureADGroup -SearchString $groupName).ObjectId

      # Show the group's current setting values (empty if no setting object exists yet).
      Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | fl Values

      # Group has no setting object yet: create one.
      New-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups -DirectorySetting $settings

      # Group already has a setting object: update it in place.
      Get-AzureADObjectSetting -TargetObjectId $groupID -TargetType Groups | Set-AzureADObjectSetting -TargetObjectId $groupId -TargetType Groups -DirectorySetting $settings

      Disconnect-AzureAD

      https://docs.microsoft.com/en-us/microsoft-365/admin/create-groups/manage-guest-access-in-groups
  • 29. Planner
      Task | Non-guest owners and members | Guest user members
      Create tasks and buckets | Yes | Yes
      Edit task fields | Yes | Yes
      Attach a file or link to tasks | Yes | Yes. However, an admin must allow it through the Microsoft 365 Groups settings. For more information, see Allow guests to be added to all Microsoft 365 groups.
      Invite guest users | Yes | No
      Comment on a task | Yes | Yes
      Create a plan | Yes | No
      Delete a public plan | Yes | No
      Delete a private plan | Yes. Group owners only. | No
      Add members to a public plan | Yes | No
      Add members to a private plan | Yes. Group owners only. | No
      Edit plan name | Yes | Yes
      Edit public plan settings | Yes | No
      Edit private plan settings | Yes. Group owners only. | No
      View public plans | Yes | Yes
      Join public plans | Yes | No
  • 30. Yammer • Create and manage an external network • Add external messaging participants • Create and manage external groups • Find external participants • Disable external messaging
  • 31. Monitor Guests • Identity Governance • Conduct Access Reviews on a regular basis • Requires an Azure AD Premium P2 license. • Member and guest users who are assigned as reviewers • Member and guest users who perform a self-review • Group owners who perform an access review • Application owners who perform an access review https://docs.microsoft.com/en-us/azure/active-directory/governance/access-reviews-overview
  • 33. Services: User consent to Apps • Read user profile details • Microsoft recommends disabling end-user consent to applications. This will centralise the decision-making process with your organization's security and identity administrator team https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/manage-consent-requests
  • 34. Services: User owned apps and services
  • 37. Further resources • How Microsoft manages and enables external sharing and collaboration with SharePoint (Microsoft Ignite) • Coaching your guests through the external sharing experience • Set up and manage access requests • Searching for site content shared externally • Configure Teams with three tiers of protection • Create a secure guest sharing environment • Create a B2B extranet with managed guests • Settings interactions between Microsoft 365 Groups, Teams and SharePoint
  • 38. 22 January 2021 #M365California 28 January 2021 #collabdaysbirm techChirag.com Thanks!
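
The sharing audit events listed on slide 24 can be correlated to answer the questions a reviewer usually has: which invitations are still unredeemed, which guests now hold access, which "Anyone" links were actually used, and which specific-people links include outsiders. The following Python sketch is an added example, not part of the original slides. The records are constructed, and the field names CreationTime, Operation, UserId and ObjectId, the presence of TargetUserOrGroupName on the invitation events, the internal domain and the 5-second pairing window are all assumptions.

```python
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the tenant's own mail domains
PAIR_WINDOW = timedelta(seconds=5)       # assumption for "nearly identical" time stamps
FIELDS = ("CreationTime", "Operation", "UserId", "ObjectId", "TargetUserOrGroupName")

# Constructed sample rows (not real tenant data); rows without a target omit the last field.
_ROWS = [
    ("09:00:00", "SharingInvitationCreated", "alice@contoso.example", "/sites/bids", "pat@partner.example"),
    ("09:30:00", "SharingInvitationAccepted", "pat@partner.example", "/sites/bids", "pat@partner.example"),
    ("10:00:00", "SharingInvitationCreated", "bob@contoso.example", "/sites/hr", "sam@vendor.example"),
    ("11:00:00", "AnonymousLinkCreated", "bob@contoso.example", "/sites/hr/pay.xlsx"),
    ("11:05:00", "AnonymousLinkUsed", "anonymous", "/sites/hr/pay.xlsx"),
    ("12:00:00", "SecureLinkCreated", "alice@contoso.example", "/sites/bids/offer.docx"),
    ("12:00:01", "AddedToSecureLink", "alice@contoso.example", "/sites/bids/offer.docx", "lee@partner.example"),
    ("12:10:00", "AddedToSecureLink", "alice@contoso.example", "/sites/bids/offer.docx", "carol@contoso.example"),
]
SAMPLE_RECORDS = [dict(zip(FIELDS, ("2021-01-20T" + r[0],) + r[1:])) for r in _ROWS]


def is_external(name):
    """True when the target is a guest UPN or its mail domain is not the tenant's."""
    name = name.lower()
    return "#ext#" in name or name.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS


def review_sharing(records):
    """Correlate sharing audit events into reviewable findings."""
    invited, accepted = {}, set()
    anon_created, anon_used = set(), set()
    link_created, external_link_targets = [], []
    for r in sorted(records, key=lambda rec: rec["CreationTime"]):
        op, obj = r["Operation"], r["ObjectId"]
        when = datetime.fromisoformat(r["CreationTime"])
        target = (r.get("TargetUserOrGroupName") or "").lower()
        if op == "SharingInvitationCreated":
            invited[(obj, target)] = r["UserId"]   # invitation sent, no access yet
        elif op == "SharingInvitationAccepted":
            accepted.add((obj, target))            # access exists from here on
        elif op == "AnonymousLinkCreated":
            anon_created.add(obj)
        elif op == "AnonymousLinkUsed":
            anon_used.add(obj)
        elif op == "SecureLinkCreated":
            link_created.append((obj, r["UserId"], when))
        elif op == "AddedToSecureLink" and is_external(target):
            # Was this target named when the link was created, or added to it later?
            at_creation = any(o == obj and u == r["UserId"] and abs(when - t) <= PAIR_WINDOW
                              for o, u, t in link_created)
            external_link_targets.append((obj, target, at_creation))
    return {
        "pending_invitations": sorted(k for k in invited if k not in accepted),
        "guests_with_access": sorted(accepted),
        "anonymous_links_used": sorted(anon_created & anon_used),
        "anonymous_links_unused": sorted(anon_created - anon_used),
        "external_link_targets": external_link_targets,
    }
```

Pending invitations that never get redeemed and "Anyone" links that show use are the two lists most worth feeding into the access review process described on slide 31.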

Editor's Notes

  1. By default, external sharing is turned on in Microsoft 365. We will explore how you can plan the controls for enabling and managing external sharing effectively. We will configure a variety of settings and services to allow external sharing for your staff and your customers, partners and suppliers. With recent improvements in external sharing, this demo-based session will cover the ins and outs of a successful implementation of external sharing in Microsoft 365.
  2. https://techchirag.com https://twitter.com/techchirag https://www.linkedin.com/in/techchirag https://www.slideshare.net/techchirag https://www.youtube.com/playlist?list=PLJeDQGE0NCWDSoVssBLcJY9paIFgDb-A8
  3. MSA = Microsoft Account (personal or work/school (Microsoft 365))
  4. All external sharing (except OneDrive/SharePoint Online), including guests in Microsoft 365 Groups, already uses the Azure AD B2B collaboration invitation APIs for sharing.