
Getting Started with External Access in Office 365


by: Mark Rackley

One of the best features of Office 365 is the ability to easily collaborate with external users. By giving external users access to your SharePoint Online sites, you can share documents, lists, calendars, tasks, issues and dashboards; set up alerts; and even use these users in your workflows. What's even better, there are no extra license fees for these external users, and Microsoft manages various account utilities (like changing passwords), making external sharing an extremely cost-effective and simple feature in Office 365. For many organizations, the ability to quickly set up an extranet in SharePoint Online with no additional licensing fees is a no-brainer. I would argue this feature alone is worth investing some time into looking at Office 365 for most SMBs.

But how do you get started? How do you enable external sharing? How do you effectively structure your sites? How do you invite external users to your site? How do you prevent external users from seeing information you don't want them to see? How can you tell if a user accepted your invite? All these questions are answered in various posts around the interwebs, but I didn't see a single post that summed it all up.

Although external sharing is easy to configure, if you aren't careful it can quickly get out of hand and become a nightmare to maintain. In this blog post, I'll walk you through all the steps to get your SharePoint Online Extranet set up. I'll also give you some recommendations to help keep it manageable.

Enable External Sharing
First things first, make sure that external sharing is enabled in your Office 365 tenant. Recently, Microsoft changed the UI (crazy, right?) to allow you to disable external sharing for all your site collections in Office 365. It is generally enabled by default, but to make sure sharing is enabled, follow these steps.

1. Open up the Office Apps menu by clicking on the apps icon in the top left of your screen in Office 365 and selecting the "Admin" tile. This will open up the Office 365 Admin Center.


2. Next, click on "External Sharing" and then "Sharing Overview."


3. Under the "Sites" section, make sure that the toggle switch is set to "on" if you want to enable external sharing for your SharePoint sites.


4. Alternately, you can click on "Sites" under "External Sharing."


5. From here, ensure the checkbox is checked to "Let external people access your sites."


At this point, you can also specify if you will allow anonymous users the ability to access information in SharePoint. Think long and hard before you decide to allow anonymous sharing. Anonymous sharing may sound cool on the surface, but make sure that you are aware of all the potential headaches you are opening yourself up to by allowing the potential for anonymous users to access your information. So, unless you know what you are doing, I'd suggest selecting "No anonymous guest links," which will prevent anyone from sharing content anonymously in any of your SharePoint Site Collections.

Please note that when you enable external sharing at this point, you have NOT shared any of your site collections externally. You've just allowed them to be configured so that external users can access a site collection.

You Gotta Keep 'em Separated
When sharing externally available SharePoint sites with external users, it becomes critical to have a solid plan in place to ensure external users only have access to the content that they should have access to. In order to adequately segregate external users from your critical internal information, you should create a Site Collection specifically for sites external users will need access to. This "Extranet" Site Collection can (and probably should) contain multiple sub sites that external users will access.

External Site Collection
The process of enabling external access to a site collection is as follows:

1. From the "Office 365 Admin Center" (go back to step 1 in the previous section if you don't remember how to get there), click on "SharePoint" under the "ADMIN" heading.


2. This takes you to the SharePoint admin center. From here, click on the checkbox next to the name of the Site Collection that requires external access and click on the "Sharing" button located in the ribbon:


3. This opens up a dialog box. From here, specify the type of external access you would like to grant and click on "Save."


Your site collection is now configured to allow external users to access it.

Not to make your life too easy, there's yet another way to enable external sharing on a site collection. The other method is as follows:

1. From the "Office 365 Admin Center," click on "Sites" under the "EXTERNAL SHARING" heading.


2. This takes you to a dashboard that shows a list of all your Site Collections and their current status in regards to external sharing. To enable external sharing for a Site Collection, click the checkbox for your desired site collection and click on the pencil icon.


3. Click on the checkbox to "Allow external users to access this site," then click Save.


Your site collection is now configured to allow external users to access it.

At this point you may be thinking, "Why should I set up an entire new site collection for my external users? Why not just enable external sharing on my internal Site Collection and create sub sites for my external users?" Well, that's an excellent question. The reason is that by enabling external sharing on your site collection, you've created the POTENTIAL for external users to access internal information. All it takes is for one person to accidentally share your internal site with an external user. By creating separate site collections for internal and external users, you help prevent any accidental sharing of information.

Sub Site Architecture
At this point you have a Site Collection with external sharing enabled. Rather than adding a lot of content to your root site and adding a lot of external users, you should definitely put some thought into the architecture of your root site and what other sub sites you might need. Do you want to share all your content in your root site collection with every external user? Or do you need to allow some external users access to certain data but other external users access to different data? Give some thought to the granularity of your data. You can restrict access at the site level, list level and item level. Keep in mind, the more granular you get with your permissions, the more difficult it becomes to manage.

A good practice is to organize your information so that the security can be handled at the site level, creating sub sites for each security barrier. Maybe you need a sub site for each client. Maybe you need project sites. Maybe you need a site for each client that has sub sites for projects with those clients. Plan out how you envision collaborating with external users and develop a site structure that will be the most simple for you to maintain but also allow flexibility for those little one-offs that always pop up.

When creating sub sites for external users, it can be very helpful to give each sub site unique permissions. This helps ensure users do not accidentally get access to new sites being created. It can also make it easier during security audits to understand which sites users have access to.

The process for creating a new sub site with unique permissions is as follows:

1. From the parent site of the sub site you are about to create, click on the "Site Contents" link located under the cog on the top right of the page.


2. Scroll to the bottom of the page. You will see a list of sub sites (if they exist) and a link to create a new sub site (if you have the correct permissions). Click on the "new subsite" link.


3. At this point, supply a Title and URL Name for your site. Best practice is to keep your URL short and simple, without spaces in the name.


4. Next, select the Site Template to base your new site on. Site templates determine which base features are activated and what base lists and libraries are created. Or you can do what most people do and always select "Team Site."


5. Now it is time to make sure the site has unique permissions. Make sure to select the "Use unique permissions" radio button.


6. Finally, choose navigation inheritance. Generally speaking, you do NOT want to inherit navigation if you are using unique permissions. Leave "No" selected and click on the "Create" button.


7. Your site will now be created and you will be taken to a page to set up the security groups for your site. By default these groups will have the same name as your site with a security group for "Visitors," "Members" and "Owners." After finalizing the name of your groups, click "Ok." Another practice that could make your life easier is to only add internal users to these default groups and create different security groups for your external users. (We'll cover this more later.)


8. Next you need to add users or AD groups to your SharePoint Security groups to give your internal users access. From the Site Settings menu (located under the cog in the top right of the screen) select "Site Permissions."


9. This will bring you to a page showing your three SharePoint Groups.


10. Click on the name of each group and from the next screen select New->Add Users.


11. In the dialog that appears, in the box that reads "Enter names, email addresses, or 'Everyone'" enter the name of the appropriate user or AD Group and click on the "Share" button.


Repeat steps 9-11 for each SharePoint Security group. Your new sub site has now been created and its security has been configured for internal users.

Creating Groups for External Users
The next step in the process is to create SharePoint Security groups for your external users. Again, it can make your life easier if you don't put external users in the SharePoint Security groups created in the previous section. Putting internal users and external users in the same group would quickly become cumbersome to maintain effectively.

When creating security groups for external users, it is important to consider which users will be added to each group. All users in a group will have the same access to information in a site. It may make sense to create a security group by the name of an external company if all of the external users work for that same company. It may make more sense to create a general external group for all external users (e.g., "My Test Site External Members").

When naming an external security group and not using the name of an external company, I suggest putting the word "External" in the name of the group to easily identify it as an external group.

To create a security group for external users:

1. Click on the "Site Settings" link under the cog on the top right of your SharePoint page, then select "People and Groups."


2. From the next screen, click on "Groups" from the top left navigation pane.


3. Then click on "New->New Group."


4. Give your group an appropriate name.


5. Next, specify the default access the group has to this specific site. Here I recommend that you only give this group "Read" access when creating the group, and then increase the access later if needed. Giving a group greater permissions at this point would give the group that permission to the entire site. I have found that external users generally require elevated permissions on specific libraries and not the entire site. Select the group permission and click "Create."


Repeat this process for the number of external groups you need.

To see which groups have access to your site and what their permissions are, click on the "Site Settings" menu underneath the cog in the top right of your page and then select "Site Permissions."


You will then be presented with a screen that shows you which groups have access to the current site and what their permissions are:


This is also the page you would go to if you ever wish to delete the unique permissions for a site and have the site inherit permissions from its parent. You may also stop inheriting permissions from a parent site from this page in case a site was ever mistakenly set up to inherit permissions.

In the next section we'll discuss sharing your site with external users and adding them to these groups.

Sharing your site with external users
After your external security groups are created, you can start inviting external users to your site and adding them to the appropriate groups.

To add external users:

1. From a page within your site, click on the cog in the top right of the screen and then "Shared With..."


2. This will bring up a dialog listing the users with whom the site is currently shared. To invite external users to this site, click on the "Invite people" link:


3. Enter the e-mail addresses for the external users you wish to invite to the site and, if you wish, enter a personal message that the user will see when they are invited to the site.


4. BEFORE YOU CLICK SHARE, click on the "SHOW OPTIONS" link. This will display the SharePoint Security Groups for your site. Select the appropriate External Group and THEN click the "Share" button.


At this point the users specified by their e-mail addresses will get a link inviting them to the SharePoint Site. When the external user clicks on the link in the e-mail, they will be prompted to log into the external SharePoint site using a Microsoft Live ID. If the external user does not currently have a Live ID, one can be obtained for free here.

Checking on the status of an invitation
In order to check on the status of invitations you have sent out:

1. Click on the "Site Settings" link under the cog on the top right of the page for your site and then click on the link "Access requests and invitations."


2. This will display a summary of the invitations and requests for access to the site. From here you can see if an invitation is still pending (meaning the user has not accessed the site yet).


It is important to note that inviting a user to the site does NOT create a user within the site. A user "object" does NOT exist in the site until an invitation has been accepted and the person has logged in with their Microsoft account.

Adjusting permissions
If the recommendations of this document have been followed, at this point you should have one or more external users added to Security Groups created for external users and these Security Groups have read access to the site. This means that these external users have read access to EVERYTHING in your site.

In some cases this access will need to be modified. This section will walk you through removing access from a list or library for a group as well as elevating the permissions for a list or library for a group. Remember, the more granular you make your security, the more difficult it becomes to maintain. If you can configure your security so that permissions are entirely inherited at the site level, your life will be easier in the long run. That being said, we do live in the real world...

Removing access for a List or Library
Whenever you add a new list or library to your site, an external group will get access to that list or library based on the group's access to the site. For instance, if Group "A" has read access to the site and you create a new list or library, Group "A" will automatically have read access to that newly created library. It may be necessary to remove access for a specific group for a library. For example, in a site, there may be a security group for "Company A" employees, and there might be libraries that are for internal use only that users in the "Company A" security group should not be able to access.

To remove a security group's access to a list or library, follow these steps.

1. Click on the cog in the top right of the page and select the "Site contents" link.

2. For your specific list or library, click on the ellipses and select "Settings."


This will take you to the list or library settings.

3. From the settings page, click on the "Permissions for this document library" (or list) link.


4. If the list or library is still inheriting permissions from the site, click on the "Stop Inheriting Permissions" button in the ribbon. (If you don't see this button, the list already has unique permissions.)


5. Click on the checkbox next to the name of the group from which you would like to remove access to this list or library, then click on "Remove User Permissions."


At this point, the users in the group that had permissions removed will no longer appear on this page, and the users in the group will not be able to access the specific list or library. This includes list views and individual items for this list.

Changing permissions for a list or library
In other circumstances it may be necessary to elevate a Security Group's permission to a list or library. In the same site mentioned in the previous section, there could be a library called "Company A Working Library." Users in the "Company A" security group need to have access to add files to this library. However, because "Company A" users only have Read access to the site, their permissions will need to be elevated on this library to grant "Company A" users the ability to upload files.

To change permissions for a security group on a list or library, follow these steps:

1. Click on the cog in the top right of the page and select the "Site contents" link.

2. For your specific list or library, click on the ellipses and select "Settings."


This will take you to the list or library settings.

3. From the settings page, click on the "Permissions for this document library" (or list) link.


4. If the list or library is still inheriting permissions from the site, click on the "Stop Inheriting Permissions" button in the ribbon. (If you don't see this button, the list already has unique permissions.)


5. Click on the checkbox next to the name of the group for whom you would like to modify permissions and click on "Edit User Permissions."


6. Next you will be presented with a list of possible permissions. Select the permissions you would like to grant the external group and then click "OK."


7. The new user permission level will be reflected in the list or library permissions page.


At this point, the users in the group that had permissions modified will now have permissions based upon how they were set. This does not change permissions for the rest of the site, just this specific list or library.

The Fine Print
As you can see, there are quite a few steps to follow to get everything set up and running. It's not difficult, but you should definitely plan things out. As with many things in SharePoint, this is not a one-size-fits-all solution. If you have a lot of external users and a lot of sub sites, this could get cumbersome to maintain and audit (the number of security groups alone could explode). I would definitely suggest investing some time in creating PowerShell scripts to automate what you can and audit what's going on in your site.

A couple of PowerShell cmdlets you might want to get familiar with immediately are Get-SPOExternalUser and Remove-SPOExternalUser.

These two cmdlets will help you write scripts to easily see a list of all your external users as well as permanently remove them from the tenancy's folder.
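
An audit built on those two cmdlets, as an added example that is not part of the original post: it lists which site collections allow external sharing (and flags any that allow anonymous guest links), exports every external user per site collection, and highlights invitations accepted under a different account than the one invited. The admin URL, the CSV file names and the `Get-AllExternalUsers` helper are assumptions made for illustration; `Connect-SPOService` and `Get-SPOSite` come from the same SharePoint Online Management Shell as the cmdlets named above.

```powershell
# Added example, not from the original post. Requires the SharePoint Online
# Management Shell. The admin URL and CSV file names are placeholders.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant admin URL
Connect-SPOService -Url $AdminUrl

# 1. Which site collections allow external sharing, and at what level?
$sites = @(Get-SPOSite -Limit All | Where-Object { $_.SharingCapability -ne 'Disabled' })
$sites | Select-Object Url, SharingCapability |
    Export-Csv -Path .\externally-shareable-sites.csv -NoTypeInformation

# Site collections that still allow anonymous guest links deserve a second look.
$sites | Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    ForEach-Object { Write-Warning "Anonymous guest links allowed: $($_.Url)" }

# 2. Who are the external users on each of those site collections?
# Get-SPOExternalUser returns at most 50 users per call, so page through them.
# Get-AllExternalUsers is a hypothetical helper defined here, not a built-in cmdlet.
function Get-AllExternalUsers {
    param([Parameter(Mandatory)][string]$SiteUrl)
    $pageSize = 50
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $SiteUrl -Position $position -PageSize $pageSize)
        $page
        $position += $pageSize
    } while ($page.Count -eq $pageSize)
}

$report = @(foreach ($site in $sites) {
    foreach ($user in (Get-AllExternalUsers -SiteUrl $site.Url)) {
        [pscustomobject]@{
            SiteUrl     = $site.Url
            DisplayName = $user.DisplayName
            InvitedAs   = $user.InvitedAs
            AcceptedAs  = $user.AcceptedAs
            WhenCreated = $user.WhenCreated
            UniqueId    = $user.UniqueId
        }
    }
})
$report | Export-Csv -Path .\external-users.csv -NoTypeInformation

# 3. Invitations accepted with a different account than the one invited.
$report | Where-Object { $_.AcceptedAs -and ($_.AcceptedAs -ne $_.InvitedAs) } |
    Format-Table SiteUrl, InvitedAs, AcceptedAs

# 4. After review, list the UniqueId values of users who should lose access.
# Remove-SPOExternalUser prompts for confirmation before removing them.
$idsToRemove = @()   # fill in from external-users.csv after review
if ($idsToRemove.Count -gt 0) {
    Remove-SPOExternalUser -UniqueIDs $idsToRemove
}
```

Running the export on a schedule and comparing successive CSV files shows when a site collection's sharing level changes or a new external account appears.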

Whatever you do, document your approach, create rules for how you create sites and manage external user access, and follow those rules!
