If your organization leverages SharePoint Online, you can take advantage of a convenient new feature that makes it very easy to share nicely with others -- to collaborate and share content with your external partners and customers without having to pay for a full user license. But take a close look at the benefits and risks before you dive in.
But, before you decide to share externally, you should be aware of the implications and make sure you have a governance and security model that balances the benefits of a greatly improved external sharing model with the risks of inadvertently sharing too much. For the most part, this means understanding the business scenarios in which sharing externally are important and making sure Site Owners and Administrators thoroughly understand how to invite external users to your environment safely and securely.
There are several scenarios where providing access to internal content by external users might be really handy:
- You’re working with a partner on a project and you want to share and collaborate on the creation of one or more documents.
- You have a single internal document -- for example, a flyer for an event you are hosting -- that you want to make available from your website or Facebook page for a short period of time.
- You have an internal discussion forum and you want to invite a guest expert to participate – for a short period of time or as a member of the extended team.
Before you decide that you want to share content externally, you should carefully think about the risks and implications of putting “too much share” in SharePoint. Here are some things you need to know and what you should think about:
- Who is an external user?
- What does it mean to be an external user of a SharePoint site?
- Who can (and should) extend an invitation to an external user?
- Do you want to share an entire site with external users?
- What if you only want to share a single document?
Who is an external user?
External users are people who are not licensed users within your organization. A contractors who is part of your organization or an affiliate would not be an external user, but a partner or customer or client with whom you need to share information in the course of your work would be
What does it mean to be an external user of a SharePoint site?
External users do not get all the same features as your fully licensed users, but from a document collaboration perspective, an external Member of a site can do and see virtually all the same content as an internal Member. If you share an entire site with an external user, that user will be able to:
- Browse, search and edit content within that site consistent with the permission group into which you have placed them.
- See the names of other users in the People Picker.
- View and assign metadata to documents they contribute.
- Connect a list or library to Outlook.
- View content on all sub-sites that inherit permissions from the parent site.
External users don’t get to do everything that internal users can. External users will not be able to:
- Install the desktop version of Office on their computers even if this is part of your plan.
- Create their own personal sites, have a newsfeed or see your enterprise newsfeed.
- Add a picture or edit their own profile.
- See a “task roll up” of all of their tasks across multiple sites.
- Access your Search Center and execute searches against “everything.” They will only be able to search content to which they have been provided explicit access.
Who can extend an invitation to an external user?
Only users with “manage permissions” (typically Site Owners) can extend an invitation to share a site or a document with an external user. Even though Visitors and Members will see the SHARE button, when they try to initiate an external sharing request, they will get an error message that says “Sorry, you are not allowed to share this with external users.”
This is great because it limits the number of people who can open up your content externally, but it means that you really need to provide training on when and where it is appropriate to extend an external invitation when you give your Site Owners this super power.
Once you have given access to external users, it’s not particularly easy to quickly show a list of who the external users are for your site. You can look at the Access Requests history in Site Settings or scan the members of a security group for email-only names, but neither of these approaches show you a concise list. For this reason, it’s a good idea to create a security group for your external users and place them in that group when you invite them. For example, you could create External Members and External Visitors and then invite external users in to one of these groups instead of the “out of the box” security groups for your site.
Do you want to share an entire site with external users?
Of course, the answer is “it depends.”
If you want to enable your partner to work with all of the content on your site, to create, edit and view content, then you will want to grant access to the entire site. But, understand that these users will also have access to any sub-sites that inherit security from the site to which you are granting access. The risk with sharing an entire site is, of course, TMI (too much information).
This is one of the reasons why you want to make sure that all Site Owners understand the basic concepts of SharePoint security and your governance policies for sharing external content. You might consider only inviting external users to the lowest level site in a hierarchy, on a site that has unique permissions.
What if you only want to share a single document?
In many scenarios, you don’t want to share an entire site with a partner, but you want to be able to work collaboratively on a single document. For example, in a business development scenario, you may want to only share a contract document with a prospective customer. Sharing a document externally requires the same permissions as sharing a site, but when you share a document, you have an additional option -- the ability to allow external user to access your site without any authentication. (The ability to do this is controlled globally and at the site collection level by the administrator.)
When you share an individual document, just like when you share a site, you specify whether access is read-only or whether the external user can edit the document. If you do not require authentication and you allow a guest user to edit a document, the Modified By user shows up as “Guest Contributor.” If you require authentication, which means your external user will have to sign in with an existing Microsoft account (such as their Outlook.com account or the Office 365 account issued by their own organization), you will see the user name associated with the Microsoft account in the Modified By field.
As a best practice, it is always a good idea to require authentication if you are allowing an external user to edit a document, as shown in the image below:
Setting Up External Sharing
Setting up your SharePoint Online site to allow external sharing depends on the version of SharePoint Online that your organization uses. External sharing is turned on by default. You may want to consider turning it off globally before anyone starts using sites or until you know exactly how you want to use and support this feature.
- If your organization is using Office 365 Small Business Premium, the Office 365 administrator is the only person who can enable or disable the external sharing feature for all sites. When this feature is deactivated, any external user previously invited to sites can no longer access the sites. To enable or disable external sharing, go to Admin > Service Settings > Sites and Document Sharing. You can also use this same location to remove individual external users.
- If your organization is using one of the Office 365 enterprise plans, you can configure external sharing at two levels within the SharePoint administration center. First, you can turn external sharing on or off globally for the entire environment. Additionally, you can turn external sharing on or off for each individual site collection.
You can also specify whether or not you want to allow sharing with only authenticated users or with both authenticated and anonymous users through guest links as shown in the image below. If your site has been upgraded from SharePoint 2010, you will not be able to manage external sharing through the SharePoint admin center for sites still using the SharePoint 2010 experience. For these sites, you will need to explicitly activate the Site Collection Feature called “External user invitations.”
It is important to think about external sharing as part of your overall governance and security planning for SharePoint Online. In addition to creating separate security groups for external users as suggested earlier, you may also want to create separate site collections that are only used for collaboration with external users so that you can allow external users to access specific content without opening up the entire environment. Remember that in all cases, your goal is to balance the ease of getting work done with trusted external partners while minimizing the risk of exposing your private content.
Summary of Tips and Best Practices
- If you enable external sharing, make sure your Site Owners understand SharePoint security inheritance and when and how it is appropriate to share either a site or a document.
- If you are going to have more than just a few external users for your site, create an appropriately named security group and put your external users in that group. For example, External [Site Name] Members.
- If you are granting edit permissions for a document to an external user, be sure to select the option to require authentication.
Title image courtesy of everything possible (Shutterstock)
Editor's Note: To read more about the evolution of SharePoint go here.