SharePoint Online and OneDrive for Business Custom Sharing Controls

Today, we're going to explore two relatively new sharing controls in SharePoint Online (and, by extension, OneDrive for Business).  The two options we're going to look at are located inside the SharePoint Admin Center (https://<tenant>-admin.sharepoint.com) under Sharing:


Overview

To test both of these functions out (as well as how other users are affected), I'm going to work with three test users and two security groups.

Test Users

  • Aamir R Gregg
  • Baldwin Z Norton
  • Cal B McPherson

Test Groups

  • CanShareWithAuthenticatedExternalUsers
  • CanShareWithAuthenticatedExternalUsersAndAnonymous

Aamir will be a member of "CanShareWithAuthenticatedExternalUsers," and Baldwin will be a member of "CanShareWithAuthenticatedExternalUsersAndAnonymous."  Cal will not be a member of either group.

The first control, the one that talks about authenticated external users only, covers guests who already exist in my tenant as well as new ones that I invite; in either case the recipient has to sign in before they can open the resource.

This control maps to the radio button Allow users to invite and share with authenticated external users.

We've seen the corresponding option before in the OneDrive for Business Admin Center.

These guest users were either added previously or get created the first time a person with the right permissions invites them.  For that to happen, the tenant's external sharing settings must have been opened up, allowing SharePoint Online or OneDrive users to send invitations to external users to access Office 365 content.  Guest users can also be added manually through the Azure AD portal (which I'll show in a minute).  Whichever Office 365 mechanism you share through, the result is the same: a guest user object is created in your Azure AD tenant.

The second control, which references authenticated external users and anonymous access, maps to the radio button Allow sharing to authenticated external users and using anonymous access links.

The idea behind these two new sharing controls is to separate two populations: "some users may only share with named, authenticated users" and "some users may generate sharing invitations to both named and anonymous recipients."  Users in neither group can still share with guests that already exist in the directory, as we'll see.

But first, let me take a selfie.

Err.

Configure SharePoint Sharing Restrictions

  1. Log into the Office 365 admin portal (https://admin.microsoft.com) as an administrator, and navigate to Admin Centers | SharePoint.
  2. Select Sharing from the navigation pane and scroll to the Sharing outside your organization settings area.

    A quick matrix of what's there (a [ ] means a checkbox, a [o] means a radio button, because I wanted some old-school ASCII this morning):

    Sharing outside your organization
      [o] Allow users to invite and share with authenticated external users
          exposes under Who can share outside your organization:
          [ ] Let only users in selected security groups share with authenticated external users
      [o] Allow sharing to authenticated external users and using anonymous access links
          exposes under Who can share outside your organization:
          [ ] Let only users in selected security groups share with authenticated external users
          [ ] Let only users in selected security groups share with authenticated external users and using anonymous links
  3. Select the Allow sharing to authenticated external users and using anonymous access links radio button so that both checkboxes under Who can share outside your organization are exposed.
  4. Select both checkboxes under Who can share outside your organization.
  5. For each checkbox, click the Directory Lookup button and select the appropriate group from Azure AD (I haven't had much luck with just typing the group name and clicking Resolve).
  6. Once both groups have been added to their respective sharing controls, scroll down and click OK to save the settings.
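
The same setup can be scripted. The block below is an added example, not code from the original post: it performs the tenant-level radio-button change with the SharePoint Online Management Shell and creates and populates the two security groups with the AzureAD module. The "Who can share" checkboxes and their group pickers are still set in the admin center as in the steps above. The tenant name and the test users' UPNs are assumptions.

```powershell
# Added example, not from the original post: the admin-center steps above done with
# the SharePoint Online Management Shell and the AzureAD module.
# Assumptions: you hold the SharePoint admin role, both modules are installed, and the
# tenant name and user UPNs below are replaced with your own.
param(
    [string]$TenantName = 'contoso'
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Import-Module AzureAD

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-AzureAD | Out-Null

# Step 3: the radio button "Allow sharing to authenticated external users and using
# anonymous access links" is SharingCapability = ExternalUserAndGuestSharing.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing

# The two security groups referenced by the "Who can share" checkboxes.
function Get-OrCreateSecurityGroup {
    param([Parameter(Mandatory)][string]$Name)
    $group = Get-AzureADGroup -Filter "displayName eq '$Name'"
    if (-not $group) {
        $group = New-AzureADGroup -DisplayName $Name -SecurityEnabled $true `
                                  -MailEnabled $false -MailNickName $Name
    }
    $group
}

# Add-AzureADGroupMember errors on an existing member, so check first.
function Add-MemberIfMissing {
    param($Group, $User)
    $members = (Get-AzureADGroupMember -ObjectId $Group.ObjectId -All $true).ObjectId
    if ($members -notcontains $User.ObjectId) {
        Add-AzureADGroupMember -ObjectId $Group.ObjectId -RefObjectId $User.ObjectId
    }
}

$authOnly = Get-OrCreateSecurityGroup -Name 'CanShareWithAuthenticatedExternalUsers'
$authAnon = Get-OrCreateSecurityGroup -Name 'CanShareWithAuthenticatedExternalUsersAndAnonymous'

# Test-user UPNs are assumptions; Cal deliberately goes in neither group.
$aamir   = Get-AzureADUser -ObjectId "aamir.gregg@$TenantName.onmicrosoft.com"
$baldwin = Get-AzureADUser -ObjectId "baldwin.norton@$TenantName.onmicrosoft.com"
Add-MemberIfMissing -Group $authOnly -User $aamir
Add-MemberIfMissing -Group $authAnon -User $baldwin

# Steps 4-6 (ticking the checkboxes and picking the groups) are done in the admin
# center as described above. Verify the tenant setting and memberships afterwards.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
foreach ($group in $authOnly, $authAnon) {
    $upns = (Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true).UserPrincipalName
    '{0}: {1}' -f $group.DisplayName, ($upns -join ', ')
}
```

Run it once as a SharePoint admin; the group creation and membership additions are idempotent, so re-running after adding users to the groups in the portal is safe.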

Send a Guest Invitation through the Azure AD Portal

To show off the differences between the sharing invitation restrictions, I'm going to create a guest user in my Azure Active Directory tenant.  Once we get to the document sharing, this user will be an existing user, and selectable from the directory.

  1. Log into the Azure management portal (https://portal.azure.com) and navigate to the Azure Active Directory Users blade (https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers).
  2. Select + New guest user.
  3. Enter the email address of the new external user, and optionally, a custom message.  This will generate an email-based invitation with a token that the external user can redeem for access to your tenant.  Click Invite when finished.
  4. The external user receives an email similar to the one displayed below.  Click the Get Started button to accept the invitation.
  5. After clicking on the Get Started button, you'll be redirected to a consent screen, granting access to your firstborn, all future royalties, and any pizza slices remaining in your fridge.  Click Accept and you'll be redirected to the MyApps Access Panel in the tenant.
  6. Congratulations! You're an external user!
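
The same invitation can be sent from PowerShell, which also makes the point about directory objects explicit: the guest exists in Azure AD the moment the invitation goes out, not when it is redeemed. This is an added example, not from the original post, using the AzureAD module's New-AzureADMSInvitation; the guest address is a placeholder and the redirect URL is an assumption.

```powershell
# Added example, not from the original post: send the guest invitation from PowerShell
# and inspect the guest object it creates. Assumptions: the AzureAD module is installed,
# you hold the Guest Inviter (or a higher) role, and the address below is replaced.
Import-Module AzureAD
Connect-AzureAD | Out-Null

$guestEmail = 'external.tester@example.com'   # placeholder for the external user's mailbox

# Equivalent of "+ New guest user" in the portal; the email carries the redemption token.
$invite = New-AzureADMSInvitation -InvitedUserEmailAddress $guestEmail `
                                  -InviteRedirectUrl 'https://myapps.microsoft.com' `
                                  -SendInvitationMessage $true

# The guest object exists as soon as the invitation is sent, before "Get Started" is
# clicked, which is why it can already be selected in people pickers.
$guest = Get-AzureADUser -ObjectId $invite.InvitedUser.Id
$guest | Select-Object DisplayName, UserPrincipalName, UserType, UserState, CreationType

# Guests that have been invited but have not yet redeemed the invitation.
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true |
    Where-Object { $_.UserState -eq 'PendingAcceptance' } |
    Select-Object UserPrincipalName, Mail, UserState
```

UserState flips from PendingAcceptance to Accepted once the external user clicks through the consent screen; the object ID does not change.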

Sharing is Caring

Now that we've got an external user who meets the condition of already existing as an account in the directory, we're going to attempt some sharing actions as various users and through various applications.

Sharing with a specific named user when that's all you can do

Previously, we created a user (Aamir), made him a member of the CanShareWithAuthenticatedExternalUsers group, and configured the SharePoint sharing access control to allow members of that security group to share with authenticated external users only. Here's what happens when Aamir attempts to share (spoiler: he's not going to be able to create anonymous sharing links).

OneDrive for Business

First, we'll try from OneDrive.

  1. Log in to Office 365 as a user who is a member of CanShareWithAuthenticatedExternalUsers (in this case, Aamir), navigate to OneDrive, and attempt to share a document.
  2. Start typing the email address of the external guest user we just created.
  3. After clicking the name, you can see it is added successfully to the sharing invitation.
  4. Now, enter an email address that does not already exist in the directory and attempt to add it.  Since the sharing controls for the organization say Aamir can share with authenticated external users, he should be able to add this specific email address.  The recipient will receive a sharing invitation, and a guest identity (directory object) is created for them.
  5. Select the drop-down (is it really a drop-down if the arrow points to the right?  Inquiring minds...) Only the people you specify who have this link can view to expand the invitation options.
  6. Notice that the Anyone option is grayed out.  This is because the Let only users in selected security groups share with authenticated external users and using anonymous links option in the SharePoint Admin Center (under Sharing) has been selected and populated with a group, and Aamir is not a member of that group.
  7. Click Cancel to return to the previous dialog.
  8. Click the Copy link button.
  9. Notice the dialog text indicating that you can't create a link to share.
  10. The Send button is also grayed out.  Click inside the Add a message text area to clear the error and re-enable the Send button.
  11. Click Send and receive confirmation that the sharing invitation has been sent.
  12. When the external user receives the invitation, it will look similar to the following:

Teams

We've seen how this works with standard OneDrive for Business.  What happens when the same user with the same restrictions attempts to invite an external user to Teams?  In this case, I have configured Teams in my tenant to allow guest access.

  1. Log in as Aamir to Teams (https://teams.microsoft.com).
  2. Navigate to a team, and click Add more people.
  3. I start entering the email address for an existing external user, and the name populates in the picker.
  4. Now, I'm going to add an address for a user not already existing in the organization.  As you can see, I have the ability to add them as a guest as well.
  5. For bonus credit, you can tab over to the Azure portal, go to the Azure Active Directory blade, and see that this new user shows up as invited (just like any other user you invite to a resource in your tenant).

Awesome. As a sidebar conversation, Teams doesn't allow you to share content anonymously.  That's not to say the content can't be shared anonymously... but we'll save that for a follow-up post.

Now, let's go see what happens with a user who has the ability to share with named authenticated users and to create anonymous links, as specified by the second sharing control.

Sharing with named and anonymous users

So, we've seen some of the restrictions around sharing that were applied to Aamir.  Now, we're going to go through the same sharing activities and see how the sharing controls affect our second user, Baldwin, who is a member of the CanShareWithAuthenticatedExternalUsersAndAnonymous group.

OneDrive for Business

  1. Log in with a user that is a member of CanShareWithAuthenticatedExternalUsersAndAnonymous (in this case, Baldwin), navigate to OneDrive and attempt to share a document.
  2. Select Only the people you specify who have this link can view to expand the invitation options.
  3. As you can see, the sharing control restrictions allow Baldwin to generate anonymous access links.
  4. Select Anyone to allow anonymous link creation.
  5. You can choose to just generate a link via the Copy link button available in sharing dialog, or you can optionally enter email addresses and send an email invitation to those users directly.
    It's not terribly intuitive at this point; if you just enter an email address and click Send, you won't get a pop-up for copying the link.  It goes straight to the sending portion of the game:

    Ugh. So, if users want both an anonymous link and to send an email to specific recipients, they'll need to click the Copy link button before sending, copy the link, and save it for future use or click the Shared link (under the sharing column for the document) afterwards to see the anonymous link that was created:

Teams

Since Teams doesn't offer anonymous sharing natively, Baldwin sees exactly the same dialogs and has the same options that Aamir did, as long as guest access is enabled for Teams.

What about users who aren't a member of either group?

So, we've configured the SharePoint sharing controls so that members of the aptly named CanShareWithAuthenticatedExternalUsersAndAnonymous can share with named external users and create anonymous links, and members of CanShareWithAuthenticatedExternalUsers can share with named external users only.  What happens when our third test user, Cal B McPherson, who isn't a member of either group, attempts to share?

Let's find out.

OneDrive for Business

  1. Log into Office 365 as a user who is not a member of either of the Sharing control groups.  For this final set of examples, we're going to use Cal B McPherson.
  2. Navigate to OneDrive for Business and attempt to share a document.
  3. Click Only the people you specify who have this link can view to expand the invitation options.
  4. As you can see, the Anyone option is grayed out, since Cal isn't a member of the group that is allowed to create anonymous links.  However, something I noticed is that, judging by the UI, Cal appears able to invite named users, both existing guests and new ones, even though he isn't a member of the group that can invite external users.
  5. However, when he attempts to add a user who is not in the directory, he receives the following error:
  6. A user who is not a member of either group can, however, invite someone who is already a guest user:
  7. This extends to external guests who have been invited but have not yet accepted the invitation, since they already have a directory object (and therefore an object ID).

That's it for OneDrive!

Teams

As the last test, we're going to see how Teams responds to these restrictions.

  1. Still logged in as Cal, navigate to Teams and select a team.
  2. Attempt to add an external member.  So far, the user picker identifies the user as external.
  3. And, when I click Add, Teams still allows me to add the user.
  4. And, from the members panel of the team, you can see that the guest was added.
  5. And, Azure AD shows the user as having a pending invitation.
  6. And, given that, it's not surprising that my new external test user also received an invitation.

Trouble in paradise

Putting this together: at this time, a user who is a member of neither sharing-control group can go to Teams and invite the external user they want to share a OneDrive file with.  That creates the guest object in Azure AD, so the user can then select them from the OneDrive for Business picker successfully, because the SharePoint sharing control only blocks inviting new guests, not sharing with guests that already exist:

I have confirmed this functionality with the product group.
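
Since the restriction can be sidestepped this way, it's worth being able to spot the pattern in the Unified Audit Log: a Teams member-add of a guest by someone outside both groups, followed by a SharePoint or OneDrive sharing event from the same person targeting a guest. The script below is an added example, not from the original post or the product group. It assumes the Exchange Online and AzureAD PowerShell modules, uses the two group names from this post, and treats the seven-day lookback and the `#EXT#` test on the added member's UPN as assumptions; the AuditData field names are those of the Unified Audit Log records for Teams and SharePoint sharing operations.

```powershell
# Added example, not from the original post: correlate Teams guest additions with
# later SharePoint/OneDrive sharing to guests by users outside both sharing groups.
# Assumptions: ExchangeOnlineManagement and AzureAD modules, audit log enabled,
# 7-day window, guests recognisable by '#EXT#' in their UPN.
Import-Module AzureAD
Connect-AzureAD | Out-Null
Connect-ExchangeOnline | Out-Null

$lookbackDays = 7
$start = (Get-Date).AddDays(-$lookbackDays)
$end   = Get-Date

# Users the SharePoint sharing controls permit to invite external users.
$allowed = foreach ($name in 'CanShareWithAuthenticatedExternalUsers',
                             'CanShareWithAuthenticatedExternalUsersAndAnonymous') {
    $g = Get-AzureADGroup -Filter "displayName eq '$name'"
    (Get-AzureADGroupMember -ObjectId $g.ObjectId -All $true).UserPrincipalName
}
$allowed = @($allowed | ForEach-Object { $_.ToLower() })

function Get-AuditRecords {
    param([string[]]$Operations)
    # Search-UnifiedAuditLog returns at most 5000 rows per call; page with a session.
    $all = @()
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $Operations `
                    -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $all += $page
    } while ($page.Count -eq 5000)
    $all | ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

# Teams "MemberAdded" events in which at least one added member is a guest...
$teamsAdds = Get-AuditRecords -Operations 'MemberAdded' |
    Where-Object { $_.Members | Where-Object { $_.UPN -like '*#EXT#*' } }

# ...and SharePoint/OneDrive sharing events whose target is a guest.
$shares = Get-AuditRecords -Operations 'SharingInvitationCreated','SharingSet','AddedToSecureLink' |
    Where-Object { $_.TargetUserOrGroupType -eq 'Guest' }

# Correlate: same actor, Teams add first, actor outside both groups.
foreach ($add in $teamsAdds) {
    $actor = $add.UserId.ToLower()
    if ($allowed -contains $actor) { continue }
    $laterShares = $shares | Where-Object {
        $_.UserId.ToLower() -eq $actor -and
        [datetime]$_.CreationTime -gt [datetime]$add.CreationTime
    }
    foreach ($s in $laterShares) {
        [pscustomobject]@{
            Actor        = $actor
            Team         = $add.TeamName
            GuestAdded   = (($add.Members | Where-Object { $_.UPN -like '*#EXT#*' }).UPN -join ';')
            SharedAt     = $s.CreationTime
            SharedObject = $s.ObjectId
            SharedWith   = $s.TargetUserOrGroupName
            Operation    = $s.Operation
        }
    }
}
```

The output is one row per (Teams add, later share) pair for users who should not have been able to bring a new guest into the directory; an empty result over a representative window is the check that the workarounds below are holding.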

Workarounds

  1. If you turn off Guest Access for Teams, a user who is not a member of either group will not be able to work around the restriction this way.  However, no one else will be able to add external guests to Teams, either.
  2. For users that you may not "trust" to add guests to the organization, you may want to limit who can create Office 365 groups to internal employees you do trust.
  3. Use Office 365 Group Classifications to define classifications for groups (such as Public or Confidential), and then manage the per-group AllowToAddGuests setting (from the Group.Unified.Guest template) on the Office 365 groups that shouldn't take guests.
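
Workaround 3 is the one that can be enforced per group rather than tenant-wide. The following is an added example, not from the original post: it finds every Office 365 group carrying a chosen classification and sets the Group.Unified.Guest directory setting AllowToAddGuests to false on it, updating the setting in place if the group already has one. It assumes the AzureADPreview module (for the directory-setting cmdlets) and the Exchange Online module (for Get-UnifiedGroup), and the classification value "Confidential" is an assumption.

```powershell
# Added example, not from the original post: block guest adding on Office 365 groups
# with a given classification via the per-group Group.Unified.Guest setting.
# Assumptions: AzureADPreview and ExchangeOnlineManagement modules; a classification
# named 'Confidential' exists in the tenant's ClassificationList.
Import-Module AzureADPreview
Connect-AzureAD | Out-Null
Connect-ExchangeOnline | Out-Null

$blockedClassification = 'Confidential'

# Template that carries the per-group AllowToAddGuests switch.
$template = Get-AzureADDirectorySettingTemplate |
    Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }

function Set-GroupGuestAdding {
    param(
        [Parameter(Mandatory)][string]$GroupId,
        [Parameter(Mandatory)][bool]$Allow
    )
    $existing = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId |
        Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    if ($existing) {
        # A group holds at most one setting per template, so update rather than add.
        $existing['AllowToAddGuests'] = $Allow
        Set-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId `
            -Id $existing.Id -DirectorySetting $existing
    } else {
        $setting = $template.CreateDirectorySetting()
        $setting['AllowToAddGuests'] = $Allow
        New-AzureADObjectSetting -TargetType Groups -TargetObjectId $GroupId -DirectorySetting $setting
    }
}

# Groups with the blocked classification lose guest adding; all others are untouched.
Get-UnifiedGroup -ResultSize Unlimited |
    Where-Object { $_.Classification -eq $blockedClassification } |
    ForEach-Object {
        Set-GroupGuestAdding -GroupId $_.ExternalDirectoryObjectId -Allow $false
        '{0}: AllowToAddGuests=false' -f $_.DisplayName
    }

# Report the effective per-group value; groups without a setting follow the tenant default.
Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
    $s = Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $_.ExternalDirectoryObjectId |
         Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
    [pscustomobject]@{
        Group            = $_.DisplayName
        Classification   = $_.Classification
        AllowToAddGuests = $(if ($s) { $s['AllowToAddGuests'] } else { '(tenant default)' })
    }
}
```

Because the setting lives on the group object, it applies to the team backed by that group as well, so a team owner in the Confidential tier cannot use the Teams "Add member" path described above to create new guests.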

For more information on using PowerShell to administer Office 365 groups, see /en-us/office365/enterprise/manage-office-365-groups-with-powershell.

That's all for now!