Here is a mini table of contents
- Scenario 1: Don't Allow Sharing Outside You Organization
- Scenario 2: Allow sharing only with the external users that already exist in your organization's directory
- Scenario 3: Allow users to invite and share with authenticated external users
- Scenario 4: Allow sharing to authenticated external users and using anonymous access links
- External Sharing Matrix
The settings in the screenshot below are accessible via a Global admin OR a SharePoint Admin (meaning someone who has been granted access to the SharePoint Admin center BY a Global Admin). The location is as follows: O365 Portal>>SharePoint admin>>Sharing
This is an External Sharing Matrix created by my colleague and fellow PFE Kevin Kirkpatrick. Check out his blog here.
In this blog we will be discussing the highlighted portion of the matrix below.
Once you choose an option other than 'Don't allow sharing outside your organization' you will receive the following screen as a reminder of the fact that SharePoint Site collections also have individual sharing settings that you can set. These SharePoint site collection settings RESPECT the settings of the SharePoint Admin Center. You would click OK to proceed knowing that any site collections that previously had sharing settings enabled will be re-activated since you are activating it at the SharePoint Admin center level.
I make sure that the site collection sharing settings are also set to the same level of sharing, in this case 'Allow external users who accept sharing invitations and sign-in as authenticated users' (see previous blog for a thorough explanation of these settings)
The Site Owner is allowed to invite an external user. Now if they user is already in Azure AD then the site owner may see a result listed as below. If not, they user will not be found but that is fine. Proceed to send the invite anyway. We require the user to accept the sharing invite to be added to Azure AD if they are not. Then we add them to the O365 portal as well.
The external user will now get an invite in their email like this
One small hurdle that may happen is that after clicking on the 'Organizational Account' the external user may receive a 'You need permission to access this site'. They can then click the 'Request Access' link which will notify the owner of the to specifically approve this request
The owner of the site can then approve the access request (Site collection >> Access requests and invitations) via the screen below. Once that is complete the External user will have access to the site.