Sunday, 24 June 2018

SharePoint Permissions Part 5 - External Sharing


In part 1 we looked at how permissions inherit and cascade, and using SharePoint groups to avoid inheritance problems. In part 2 we covered using mail-enabled security groups in O365 to make your permissions more consistent. Part 3 focused on reducing your maintenance burden by using dynamic security group membership, and part 4 was all about the creation of a permissions strategy and accompanying design guide.

This has all been very internal user-focused.  What if you want to allow external users to access your site?  Or, perhaps more importantly, what if you want to make sure that only some things (or even nothing) can be shared with external users?  It's time to talk about external access.

External access is controlled at 2 levels: the tenant, and the site collection.

Unlike site permissions, which cascade down and can be changed to be less or more restrictive at each of the site collection, site, library/list, folder and document levels, external sharing cannot be made less restrictive at the site collection level.  So your site collections cannot allow more external sharing rights than the tenant allows.  On the other hand, you can make your site collections more restrictive than the tenant, so if external access is allowed at the tenant level, you can prevent it at the site collection level if you want. (For reasons which will become obvious quite soon, this is probably the setup you'll want to use.)  But these are the only 2 levels at which you can change the external access settings - all of the sites, libraries/lists, folders and documents under a site collection will get their external permission settings from the site collection.

Let's start with preventing any external access to your SharePoint instance, because this is the easy part.  

To do this, you just need to turn off external access in the tenant settings by going to O365 Admin > SharePoint > Sharing and selecting the Don't allow sharing outside your organisation radio button.

If you do this then no-one will be able to share a document from a SharePoint site, nor will adding an external user to a site give them access (because when you add a user to a site, even as an administrator, you are actually sharing the site with them).  But there is a big caveat:

Turning off external sharing at the tenant level stops users sharing externally from OneDrive as well.

Now, that might be fine for you, in which case congratulations, you're done here, don't bother reading the rest of this article.

But if you want your users to be able to share externally from OneDrive, or need to allow one or more teams to share externally from SharePoint, then this won't work for you.  If you're wondering why this affects OneDrive, it's because OneDrive is a series of SharePoint sites, one for each of your users.  If you go to O365 Admin > OneDrive > Sharing, you'll see a note under External sharing that says "Your sharing settings for OneDrive can't be more permissive than your setting for SharePoint".  Hence, if you turn off external sharing for SharePoint, you're also turning it off for OneDrive.

In a scenario where even a single user needs to be able to share externally from OneDrive or SharePoint, you'll need to turn external sharing on at the tenant level.  Your options are as follows:

The options are described in detail by Microsoft here, where you'll also find an explanation of the other parameters that limit which external users can be shared with, and what those external users can do with their shared files.

One section of the parameters not covered by that Microsoft page is the sharing by security groups section:

This is known more formally - and unintuitively - as "per-group sharing".  It allows you to choose which security groups are allowed to share externally (the second option will only appear if you've chosen to allow users to share anonymous links) and you can find out more about it from Microsoft here.  Note that it also affects OneDrive, so it gives you a little more control there too.

But whatever parameters you've set, once you've allowed external sharing at the tenant level you now need to set up your site collections appropriately as well.

First things first, let's look at how you allow or disallow external sharing in a site collection.  Go to O365 Admin > SharePoint and the SharePoint admin portal will open at the Site Collections option.  Select the site using the checkbox next to it on the left hand side and click Sharing from the toolbar at the top:

If you don't want your site collection to allow external sharing, select the Don't allow sharing outside your organization radio button, click Save, and you're done: 

If your permissions strategy doesn't generally allow external sharing, set this in your template site and it will be copied through to any sites that use that template.  

If you do want to allow external sharing, the full explanation of what each of these options will and will not allow can be found on this Microsoft page.  The first thing to note is that the Sharing outside your company options are missing some options that are in the tenant level options.  At the tenant level you could decide if anonymous links expire, and if so after how long, and also whether anonymous links allow anonymous users to view or edit.  You can't change this at the site collection level.  These are tenant-wide settings that every site collection will inherit.

You can then choose the Default link type and Default link permission, both of which by default will inherit from the default organisation setting, but can be changed.

You've then got the ability to whitelist, or blacklist, domains which people can share with:

You can either whitelist certain domains (users can only share externally with users who have an email address in a whitelisted domain) or blacklist certain domains (users can share with any external users except those with an email address in a blacklisted domain).  You can't do both at the site collection level, although you can have a blacklist at tenant level and a whitelist at the site collection level.

The blacklisting is a rather odd option, in that a user from a blacklisted domain could simply create a free email address from a service that isn't blacklisted, and use that. So there would be no point blacklisting a competitor service when a user who really wanted to share with a competitor could just tell the competitor to create a new email address from a common service like gmail or  This is especially true when the blacklist must be filled in by hand, rather than syncing automatically with, for example, the untrusted site list used by a security program.  The use case for blacklisting therefore seems a bit lacking at the moment.

The whitelisting makes perfect sense, however.  One site collection can only share with your external regulator, for example, while another site collection can only share with your parent company, and so on.  This gives the administrators a way to allow sharing with trusted organisations without worrying about people sharing things with whomever they want.

These lists can also be set up at the tenant level as part of the additional settings I mentioned.  If you've set this up at the tenant level, then this Microsoft page details the priorities, which I'll list here for ease:
  • In the case of conflicts, the tenant-level configuration takes precedence over the site collection configuration.
  • If a tenant-level allow list is configured, then you can only configure an allow list at the site collection level. The site collection allow list must be a subset of the tenant allow list.
  • If a tenant-level deny list is configured, then you can configure either an allow list or a deny list at the site collection level.
  • For individual OneDrive for Business site collections, you can only configure this setting by using the Set-SPOSite Windows PowerShell cmdlet.

Note that the logic outlined above means that if a domain is blacklisted at the tenant level, this will overrule that same domain being whitelisted at the site collection level. You can list up to 1000 domains at the tenant level, but only 60 at the site collection level.

Following on from this, you've also got the option to prevent users from sharing with external users without owner approval:

You'll have to decide if you want to change the default from allowing users to share freely, to requiring site owner approval to share.  This applies to ALL sites in the site collection and ALL sharing, whether it's internal or external.  If your permissions strategy has the administrators as site owners, this will create a lot of work, and you'd need to consider giving an information owner enhanced rights to handle this workload.

Once you've set the permissions for your site collection appropriately, click Save.
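The tenant-level and site-collection-level settings walked through above can also be applied and checked from the SharePoint Online Management Shell. The script below is an added example, not from the original post; the admin URL, site URLs and domain names are placeholders, and the final audit step applies the precedence rules listed earlier (tenant first, site allow list must be a subset of the tenant allow list).

```powershell
# Added example (not from the original post). Requires the SharePoint Online
# Management Shell. Tenant admin URL, site URLs and domains are placeholders.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Tenant level: allow external sharing, but only with an allow list of domains,
#    and make anonymous links view-only and expire after 30 days. Site collections
#    can only ever be more restrictive than this.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList "regulator.example parent.example" `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View

# 2. Site collection level: the template site blocks external sharing outright
#    (new sites built from it inherit this), while a regulator-facing site collection
#    allows authenticated external users only and narrows the allow list further.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/template" -SharingCapability Disabled
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/regulator" `
            -SharingCapability ExternalUserSharingOnly `
            -SharingDomainRestrictionMode AllowList `
            -SharingAllowedDomainList "regulator.example"

# 3. Audit: report every site collection that still permits external sharing, and
#    flag allow-list entries that are not in the tenant allow list (the tenant
#    configuration takes precedence, so those entries never take effect).
$tenant        = Get-SPOTenant
$tenantAllowed = @($tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })

Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    ForEach-Object {
        # Re-read the site by URL so the sharing domain properties are populated.
        $site        = Get-SPOSite -Identity $_.Url
        $siteAllowed = @($site.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })
        $outside     = @($siteAllowed | Where-Object { $tenantAllowed -notcontains $_ })
        [pscustomobject]@{
            Url             = $site.Url
            Sharing         = $site.SharingCapability
            RestrictionMode = $site.SharingDomainRestrictionMode
            AllowedDomains  = ($siteAllowed -join ',')
            NotInTenantList = ($outside -join ',')
        }
    } | Format-Table -AutoSize
```

Run step 3 on its own periodically: any row whose Sharing column is not Disabled is a site collection that has not been locked down, and a non-empty NotInTenantList column shows a site allow list that silently exceeds the tenant one.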

If you want to know what's being shared externally (which can often be a good way to tell if your permissions are correct) you can search for content that's been shared externally in the Security & Compliance Centre.

And that's the mechanics of external sharing.  In the next, and last, article in this series we'll look at sharing and AIP (Azure Information Protection).