One of the key benefits of living in the SharePoint Online cloud is the ease of collaboration, not just with your co-workers, but also with partners and vendors. External sharing gives people outside of your organization access to certain areas of your site or to specific documents. Here's an overview of best practices and key facts about external sharing in SharePoint Online.
External Sharing Changes in SharePoint Online
In early 2018, Microsoft changed the way SharePoint Online works with external users. You can now share content in the following ways:
- Sharing files and folders with anonymous users – When this option is enabled, users can create a link to a document giving anonymous users access to that particular file.
- Sharing files or folders with named external users – When you share a file with an External User, that user is treated as an ad hoc external recipient who doesn't need to create or use a Microsoft account.
- Sharing sites – When you share a site, a Microsoft or Organizational account is still required. A Guest Account will be provisioned in your Azure AD for this particular user. Notice the slight change in the naming convention here, as Microsoft is slowly transitioning from the term External User to Guest User.
- Adding external users to an Office 365 group – If a SharePoint site is also an Office 365 group, you can add External Users to the group, granting them access to the SharePoint site and other group content. Please note: Currently you can do so only via the Outlook group admin interface.
SharePoint Online administrators can control which of these options are available for SharePoint Online and OneDrive. Learn more about new SharePoint Online and OneDrive sharing capabilities.
External Sharing Key Facts
When administering a SharePoint Online environment, security is of paramount importance. Most importantly, you need to control how content is shared externally. Here are a couple of things you should keep an eye on:
- When you share a SharePoint Site with a Guest / External User, the user will be visible in Azure AD (filter by the Guest user type).
- When you share an Office 365 Group with a Guest User, the user will be visible in the Group admin UI in Outlook and in Azure AD (see above).
- When you share a file with an External User, information about that share can be retrieved only from that particular file. There is no record in Azure AD, as the user has neither a Microsoft nor an Organizational account.
Dealing With External Users - Best Practices
SharePoint Online administrators are probably finding it a bit challenging to detect which files have been shared with ad hoc External Users. One way to find all such users is to navigate to the User Information List. This hidden list shows all the users who have access to a SharePoint site collection. The list URL goes like this: http://your_site_collection_url/_catalogs/users/simple.aspx.
All the users with a display name in an email format are External Users. However, even if you do manage to detect them, you won’t be able to tell which sites and documents they have permissions to edit or view. So, we advise you to think twice before sharing content with External Users.
If you can’t avoid external sharing, here are a couple of best practices to follow:
- Make sure your end users know what they are doing. It is very easy to share something with an external email address.
- Turn off sharing via anonymous links.
- Restrict content sharing to pre-approved email domains only.
- Disable sharing for site collections with really sensitive data.
- When sharing content with a user, make sure that only the user with that exact email address can view the content.
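One way to check and apply the tenant settings behind these best practices with the SharePoint Online Management Shell (an added example, not SysKit's or the article's own code). The admin URL, domain list and site URL are placeholders, and mapping the last bullet to `RequireAcceptingAccountMatchInvitedAccount` is an assumption.

```powershell
# Added example: audits sharing settings against the best practices above.
# Remediation runs only when $Apply is set to $true.
# Placeholders (not from the article): admin URL, approved domains, sensitive site URLs.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl        = 'https://contoso-admin.sharepoint.com'
$ApprovedDomains = 'partner-a.example partner-b.example'   # space-separated list
$SensitiveSites  = @('https://contoso.sharepoint.com/sites/finance')
$Apply           = $false

Connect-SPOService -Url $AdminUrl

# --- Audit: compare the current configuration with each best practice ---
$tenant   = Get-SPOTenant
$findings = @()

if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing') {
    $findings += 'Anonymous links are enabled tenant-wide.'
}
if ($tenant.SharingDomainRestrictionMode -ne 'AllowList') {
    $findings += 'External sharing is not restricted to pre-approved domains.'
}
if (-not $tenant.RequireAcceptingAccountMatchInvitedAccount) {
    $findings += 'An invitation can be accepted by an account other than the invited address.'
}
foreach ($url in $SensitiveSites) {
    $site = Get-SPOSite -Identity $url
    if ($site.SharingCapability -ne 'Disabled') {
        $findings += "External sharing is still enabled on $url."
    }
}

if ($findings.Count -eq 0) { Write-Output 'No deviations found.' }
$findings | ForEach-Object { Write-Warning $_ }

# --- Remediate: apply the settings only when explicitly requested ---
if ($Apply) {
    # Named external users only; turns off anonymous links.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly
    # Allow sharing only with the pre-approved email domains.
    Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList $ApprovedDomains
    # Require the accepting account to match the invited email address.
    Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
    # Disable external sharing on site collections holding sensitive data.
    foreach ($url in $SensitiveSites) {
        Set-SPOSite -Identity $url -SharingCapability Disabled
    }
}
```

Run it once with `$Apply = $false` to review the warnings before changing anything; a site collection can never share more broadly than the tenant-level setting allows.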
Detect External Users and Externally Shared Content
Here at SysKit, we are making some fine tools to help you detect and report on all the External Users in your SharePoint Online sites. With our SysKit Security Manager, you can easily detect all the Guest/External and ad hoc External Users.
With our reports, you can easily pinpoint externally shared files and with whom they’ve been shared.
Download our 30-day free trial and check it out yourself.