Provision SharePoint Online Site Collections
- 9/5/2015
SharePoint Online allows collaboration for people within an organization, and also allows collaboration with people who are external to the organization. For many organizations, SharePoint Online has taken the place of the traditional shared file server when it comes to sharing documents. Understanding how to configure and manage SharePoint Online site collections is critical for an Office 365 administrator. Administrators must ensure that resources are externally shared when appropriate, and that access to resources is restricted when required.
Objectives in this chapter:
- Objective 2.1: Configure external user sharing
- Objective 2.2: Create SharePoint site collection
- Objective 2.3: Plan a collaboration solution
Objective 2.1: Configure external user sharing
This objective deals with the settings related to allowing people external to your organization’s Office 365 tenancy access to content stored within SharePoint Online. There are a variety of sharing options, from allowing read and edit access to people with Microsoft accounts, to allowing read and edit access to anyone who has the correct URL for a document.
Understanding external users
External users are people who need to collaborate with people in your organization using content hosted on SharePoint Online, but who haven’t been provisioned with an organizational Office 365 or SharePoint Online license.
The use rights available to external users depend on the features available to the SharePoint Online tenancy with which they will collaborate. For example, if your organization has an E3 Enterprise Plan, and a SharePoint site uses enterprise features, the external user will be able to use and view those enterprise features.
External users can perform the following tasks:
- Use Office Online to view and edit documents in the browser. They can also use their own version of Office to interact with content hosted in SharePoint Online, but are not eligible for licenses to the tenancy’s Office 365 Office ProPlus software.
- Perform tasks on the site commensurate with their permission level. For example, adding an external user to the Members group grants that user Edit permissions. They will be able to add, edit, and delete lists, list items, and documents.
- View other site content, including navigating to subsites to which they have been invited, and view site feeds.
External users are restricted from being able to perform the following tasks:
- Create personal sites
- Edit their profiles
- View the company-wide newsfeed
- Add storage to the tenant storage pool
- Enact searches against “everything” or access the Search Center
- Access site mailbox
- Access PowerBI features, including Power View, Power Pivot, Quick Explore, and Timeline Slicer
- Use eDiscovery
- Open downloaded documents protected by Azure Rights Management (it is still possible to open these documents using Office Online)
- Access SharePoint Online data connection libraries
- Use Excel Services features, such as Calculated Measures and Calculated Members, decoupled Pivot Tables and PivotCharts, Field List and Field support, filter enhancements, and Search Filters
- Use Visio Services
Enabling external user sharing globally
The external sharing options configured at the SharePoint Online tenancy level override those configured at the site collection level. You can configure the following global external sharing options shown in Figure 2-1:
Don’t Allow Sharing Outside Your Organization.
- Choosing this option prevents all users on all sites within the SharePoint Online tenancy from sharing sites or content with external users.
Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users.
- Choosing this option requires external users who have invitations to view content or sites to sign in with a Microsoft account, such as an Outlook.com account.
- Site owners and users with Full Control permissions are able to share sites with external users.
- Site owners and users can choose to allow external users View or Edit permissions on documents.
- All external users must sign in with a Microsoft account before they can access content.
- Invitations to view content can only be redeemed once, and then are tied to the Microsoft account used for access. After an invitation has been used, it cannot be used by someone else to gain access with a separate set of Microsoft account privileges.
Allow Both External Users Who Accept Sharing Invitations And Guest Links.
- Choose this option if you want to allow content to be shared with people who sign in with Microsoft accounts as well as allow anonymous guest links. Anonymous guest links allow access without any form of authentication.
- Site owners and users with Full Control permission are able to share sites with external users.
- Site owners and users with Full Control permission are able to choose between requiring sign-in or sending an anonymous guest link when sharing documents.
- When sharing a document, site owners and users can select between granting View and Edit permissions.
- All external users will be required to sign in with a Microsoft account before accessing content.
- Anonymous links can be shared and forwarded, meaning that unauthorized people can be granted the permission assigned when the document is shared with the anonymous guest link.
FIGURE 2-1 External Sharing settings
To configure external user sharing for the SharePoint Online tenancy, perform the following steps:
- Sign in to the Office 365 Admin Center with a user account that has SharePoint Online administrator privileges.
- Under Admin, click SharePoint. This opens the SharePoint Admin Center.
- In the SharePoint Admin Center, click Settings, as shown in Figure 2-2.
FIGURE 2-2 SharePoint Admin Center
- Scroll down within the settings area until you get to the External Sharing section and choose one of the following three options, shown in Figure 2-3:
  - Don’t Allow Sharing Outside Your Organization
  - Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users
  - Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links
FIGURE 2-3 External Sharing settings
Turning off external sharing has the following consequences:
- If you disable and then re-enable external sharing, external users who have been granted access to content will regain access.
- If you disable and then re-enable external sharing, site collections that had sharing enabled will have sharing re-enabled.
- If you want to block specific site collections from having sharing re-enabled, disable external sharing on a per site collection basis prior to re-enabling external sharing.
- When you disable external sharing on a specific site collection, any configured External User permissions for that site collection are permanently deleted.
- Turning off external sharing at the site collection level disables guest links, but does not remove them. To remove access to specific documents, you need to disable anonymous guest links.
- Changes made to external access do not occur immediately, and might take up to 60 minutes.
Enabling external user sharing per site collection
Only SharePoint Online administrators are able to make changes to the SharePoint Online tenancy’s external user sharing settings. Site collection administrators are allowed to configure sharing settings on a per site collection basis as long as external user sharing is set to one of the following options:
- Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users.
- Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links
The sharing options at a site collection level are similar to those that are available at the SharePoint Online tenancy level, and are shown in Figure 2-4.
FIGURE 2-4 Site collection sharing
These options have the following properties:
Don’t Allow Sharing Outside Your Organization.
- Prevents all users on all sites in the collection from sharing sites or content with external users.
- Users are unable to share content or sites with users who are not members of their organization’s Office 365 tenancy.
- If sharing had been enabled previously, any permissions assigned to external users will be deleted.
Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users.
- Allow users with Microsoft accounts who have been sent invitations to access sites and content in a site collection.
- Site owners and users with Full Control permission can share sites and documents with external users who sign in with a Microsoft account.
- Invitations that are redeemed by external users are tied to the redeeming Microsoft account, and access cannot be shared with other Microsoft accounts.
Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links
- Site owners and users with Full Control permissions are able to share sites and documents with external users.
- Allows sites within a site collection to be shared with users who have authenticated with Microsoft accounts.
- Invitations that are redeemed by external users are tied to the redeeming Microsoft account. Access cannot be shared with other Microsoft accounts.
- Site owners and users with Full Control permissions are able to share documents through an anonymous link.
- When sharing documents with external users or through anonymous links, View or Edit permission can be assigned.
- Anonymous links can be shared, with the original sharer having no control over which external parties access anonymously shared content after the guest link has been forwarded.
Settings configured at the SharePoint Online tenancy level determine those available at the individual site collection level. If sharing is only allowed for external users at the SharePoint Online tenancy level, the option to allow anonymous guest links to be sent at the site collection level will not be available. If sharing is blocked at the SharePoint Online tenancy level, then sharing will not be possible at the site collection level. Modifications to the external sharing settings for the My Site site collection apply to any existing personal sites as well as any personal sites created in the future.
To configure sharing at the site collection level, perform the following steps:
- Sign in to the Office 365 Admin Center with a user account that has SharePoint Online administrator privileges.
- Under Admin, click SharePoint. This will open the SharePoint Admin Center.
- In the Site Collections area, select the site collection for which you want to configure sharing, and click Sharing in the Site Collections toolbar shown in Figure 2-5.
FIGURE 2-5 Site Collections
- On the Sharing dialog box, shown in Figure 2-6, specify the type of sharing you want to enable, and click Save.
FIGURE 2-6 Sharing options
Sharing settings configured at the site collection level determine the sharing options available at the document level. If sending anonymous links is not allowed at the site collection level, it will not be allowed from a document hosted within a site in that collection.
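The tenancy-over-site-collection rule described above can be checked in bulk rather than one dialog box at a time. The following is an added example, not from the original chapter: the function names and sample URLs are hypothetical, and the live section assumes the SharePoint Online Management Shell with a placeholder admin URL.

```powershell
# Added example (not from the chapter). SharingCapability values as reported by
# Get-SPOTenant / Get-SPOSite, ranked from most to least restrictive:
#   Disabled                    = Don't Allow Sharing Outside Your Organization
#   ExternalUserSharingOnly     = ...Sign In As Authenticated Users
#   ExternalUserAndGuestSharing = ...And Anonymous Guest Links
$SharingRank = @{
    Disabled                    = 0
    ExternalUserSharingOnly     = 1
    ExternalUserAndGuestSharing = 2
}

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][string]$SiteCapability
    )
    if (-not ($SharingRank.ContainsKey($TenantCapability) -and
              $SharingRank.ContainsKey($SiteCapability))) {
        return 'Unrecognized'   # a value this example does not rank; review by hand
    }
    # The tenancy-level setting caps whatever the site collection is set to.
    if ($SharingRank[$SiteCapability] -le $SharingRank[$TenantCapability]) {
        $SiteCapability
    } else {
        $TenantCapability
    }
}

function Get-SharingReport {
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][object[]]$Sites
    )
    foreach ($site in $Sites) {
        $configured = [string]$site.SharingCapability
        $effective  = Get-EffectiveSharing -TenantCapability $TenantCapability `
                                           -SiteCapability $configured
        [pscustomobject]@{
            Url            = $site.Url
            Configured     = $configured
            Effective      = $effective
            AnonymousLinks = ($effective -eq 'ExternalUserAndGuestSharing')
        }
    }
}

# Constructed sample records (hypothetical URLs) so the logic runs without a tenant.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';  SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/press';    SharingCapability = 'ExternalUserAndGuestSharing' }
)
Get-SharingReport -TenantCapability 'ExternalUserSharingOnly' -Sites $sampleSites |
    Format-Table -AutoSize

# Against a live tenancy (admin URL is a placeholder):
#   Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'
#   $tenant = [string](Get-SPOTenant).SharingCapability
#   Get-SharingReport -TenantCapability $tenant -Sites (Get-SPOSite -Limit All) |
#       Where-Object AnonymousLinks
#   Set-SPOSite -Identity '<site collection URL>' -SharingCapability ExternalUserSharingOnly
```

With the sample tenancy value, the press site is configured for guest links but reports an effective setting of authenticated sharing only, which is the capping behavior the section describes.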
Sharing with external users
After sharing is appropriately configured at the SharePoint Online tenancy level and at the site collection level, there are three basic methods that allow you to share content with external users:
- Share an entire site and invite users to sign in using a Microsoft account (including Office 365 accounts from separate organizations, such as workplaces or schools).
- Share individual documents by inviting external users to sign in using a Microsoft account.
- Send users a guest link that allows users external to the organization access to each individual document that you want to share anonymously.
Sharing a site
To share a site with an external user, perform the following steps:
- Sign in to Office 365 with an account that has permission to share the site. Select Sites from the list of My Apps as shown in Figure 2-7.
FIGURE 2-7 Office 365 Apps
- In the list of sites, select the site that you want to share.
- In the upper right-hand corner of the Site page, click Share, as shown in Figure 2-8.
FIGURE 2-8 Share
- On the Share Site dialog box, shown in Figure 2-9, provide the name of the person with whom you want to share the site, specify the permission level, and click Share. You can choose between the following levels:
  - Excel Services Viewers [View Only]
  - Team Site Members [Edit]
  - Team Site Owners [Full Control]
  - Team Site Visitors [Read]
FIGURE 2-9 Team Site sharing
An invitation will automatically be sent to the person or people who you invited. If the invitation isn’t accepted within seven days, it will expire. Users accepting an invitation must sign in with a Microsoft account, such as an Outlook.com or Hotmail.com account, or an Office 365 account.
You can determine which external users a SharePoint Online site collection has been shared with by performing the following steps:
- Sign in to Office 365 with an account that has permission to share the site and select Sites from the list of My Apps.
- In the list of sites, select the site that you want to share.
- In the upper right-hand corner of the Site page, click Share, as shown in Figure 2-10.
FIGURE 2-10 Share
- On the Share Site dialog box, click Shared With, as shown in Figure 2-11. The dialog box will list all users with whom the site collection has been shared.
FIGURE 2-11 Shared With
Sharing a document
There are two ways to share a document: sharing with an external user who must authenticate and sharing through an anonymous guest link.
To share with an external user who must authenticate using a Microsoft account, which includes the option of using an Office 365 account, perform the following steps:
- Sign in to Office 365 with an account that has permission to share the site, and select Sites from the list of My Apps.
- In the list of sites, select the site that hosts the document that you want to share.
- Next to the document that you want to share, click the ellipses and then click Share, as shown in Figure 2-12.
FIGURE 2-12 Share Document
- On the Share page, select Invite People and then type the Microsoft account addresses of the people with whom you want to share the document. You can choose between the permissions Can Edit and Can View. Select the Require Sign-In check box to require the account be used to sign in. If this option is not selected, a link will be generated and forwarded to the email address provided. Figure 2-13 shows the document Example1 shared to the Microsoft account orin.thomas@outlook.com, with the permission that allows the user of that account to edit the document.
FIGURE 2-13 Share document
- Click Share to share the document.
You can view the Shared With section of the Shared dialog box to view a list of users who have access to this shared document. Figure 2-14 shows the document Example1 shared with Orin Thomas.
FIGURE 2-14 Shared With
The process of creating a shared link is similar. Sign in to Office 365, locate the document that you want to share, and then open the Sharing dialog box by clicking the ellipses next to the file and clicking Share. On the Get A Link section, you have the option of creating a View Only link, an Edit link, or both. Figure 2-15 shows a document where a View Only link and an Edit link have been created. You can click Disable on this dialog box to disable one or both links.
FIGURE 2-15 Get A Link
Removing external user access
You can revoke external user access to a site only after a user has accepted their invitation. You can revoke access by removing the external user’s permission to the site. To revoke access, perform the following steps:
- Sign in to Office 365 with an account that has permission to share the site and select Sites from the list of My Apps.
- In the list of sites, select the site that you want to share.
- Select Settings, which is represented as a cogwheel, and then click Site Settings, as shown in Figure 2-16.
FIGURE 2-16 Site Settings
- Under Users And Permissions, click People And Groups, as shown in Figure 2-17.
FIGURE 2-17 Site Settings
- Select the external user from whom you want to revoke access. Figure 2-18 shows the Orin Thomas external user selected.
FIGURE 2-18 People And Groups
- From the Actions menu, click Remove Users From Group, as shown in Figure 2-19.
FIGURE 2-19 Remove Users From Group
- When prompted about removing users from the group, as shown in Figure 2-20, click OK.
FIGURE 2-20 Confirmation message
There is no way, at the SharePoint Online tenancy level, to determine all of the sites to which an external user has been granted access. It is necessary to view the settings for individual sites to determine if a specific external user has been granted access to the site. There is also no method, at the SharePoint Online tenancy level, to determine which documents have been shared externally.
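The site-by-site review described above can be scripted so that each site collection is queried in turn. This is an added example, not from the original chapter: it assumes the SharePoint Online Management Shell is installed and already connected, the function name is hypothetical, and the admin URL is a placeholder. It lists external users who have accepted invitations per site collection and does not identify individual documents shared externally.

```powershell
# Added example (not from the chapter). Requires an existing session, e.g.:
#   Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'   # placeholder URL

function Get-ExternalUserBySite {
    param([ValidateRange(1, 50)][int]$PageSize = 50)   # 50 is the cmdlet's maximum

    foreach ($site in Get-SPOSite -Limit All) {
        $position = 0
        do {
            try {
                # Results are paged; -Position is the zero-based index of the first result.
                $page = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $position `
                              -PageSize $PageSize -ErrorAction Stop)
            } catch {
                Write-Warning "Skipping $($site.Url): $($_.Exception.Message)"
                $page = @()
            }
            foreach ($user in $page) {
                [pscustomobject]@{
                    SiteUrl     = $site.Url
                    DisplayName = $user.DisplayName
                    InvitedAs   = $user.InvitedAs
                    AcceptedAs  = $user.AcceptedAs
                    WhenCreated = $user.WhenCreated
                    # Invitation redeemed with a different account than the one invited
                    Mismatch    = ($user.InvitedAs -ne $user.AcceptedAs)
                }
            }
            $position += $page.Count
        } while ($page.Count -eq $PageSize)
    }
}

# One row per (site collection, external user); sorting by account shows
# every site collection a given external user can reach.
Get-ExternalUserBySite |
    Sort-Object AcceptedAs, SiteUrl |
    Format-Table AcceptedAs, SiteUrl, InvitedAs, Mismatch -AutoSize
```

Rows where Mismatch is true are worth a second look, because the invitation was redeemed by an account other than the address it was sent to.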
Objective summary
- External users are people with whom Office 365 SharePoint Online content can be shared.
- External users can authenticate with a Microsoft account, including an Office 365 account that is not part of the organization’s tenancy.
- At the global level, you can configure an option to block sharing to external users, allow external users who have authenticated with a Microsoft account, or allow users who have authenticated with a Microsoft account and who have been provided with an anonymous link.
- Site owners and users who have Full Control permissions on a site are able to share sites with external users.
- Invitations sent to external users remain valid for seven days.
- Sharing settings configured at the SharePoint Online tenancy level determine the sharing options available at the site collection level. If sharing is blocked at the tenancy level, it is not available at the site collection level.
- Sharing settings configured at the site collection level determine the sharing options available at the document level.
Objective review
Answer the following questions to test your knowledge of the information in this objective. You can find the answers to these questions and explanations of why each answer choice is correct or incorrect in the “Answers” section at the end of this chapter.
How many days does an invitation to access shared content sent to an external user from an Office 365 SharePoint Site collection remain valid before it expires?
- 7 days
- 14 days
- 21 days
- 28 days
You want to block users sharing links and require all external users accessing shared content to authenticate using a Microsoft account. Which of the following steps can you take to accomplish this goal with a minimum amount of administrative effort?
- Disable sharing at the SharePoint Online tenancy level
- Restrict sharing to authenticated users at the SharePoint Online tenancy level
- Restrict sharing to authenticated users in each site collection
- Disable sharing in each site collection
You want to allow users in your organization’s Office 365 tenancy to email links that will allow anonymous access to specific documents hosted in a specific site collection. Which of the following settings must be configured to allow this to occur? (Choose two. Each answer forms part of a complete solution.)
- Configure the Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links option at the site collection level
- Configure the Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users option at the site collection level
- Configure the Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users option at the SharePoint Online tenancy level
- Configure the Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links option at the SharePoint Online tenancy level
In most circumstances, you want to allow users in your organization to be able to send anonymous links to people outside your organization to documents hosted in site collections in your organization’s Office 365 SharePoint Online tenancy. However, you want to ensure that anonymous links can’t be used for documents hosted in a specific site collection. Documents in the site collection should be able to be shared with external users who have authenticated with a Microsoft account. With this in mind, which of the following settings should be configured to accomplish this goal? (Choose two. Each answer forms part of a complete solution.)
- Configure the Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links option at the SharePoint Online tenancy level
- Configure the Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users option at the SharePoint Online tenancy level
- Configure the Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users option at the site collection level for the specific site collection where you want to block anonymous links
- Configure the Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links option at the site collection level for the specific site collection where you want to block anonymous links
After sensitive documents were leaked from your organization, you want to block all sharing of content hosted in SharePoint Online to people external to your organization. Which of the following steps could you take to accomplish this goal with a minimum amount of administrative effort?
- Configure the Don’t Allow Sharing Outside Your Organization option in the sharing settings of each site collection
- Configure the Allow External Users Who Accept Sharing Invitations And Sign In As Authenticated Users at the SharePoint Online tenancy level
- Configure the Allow Both External Users Who Accept Sharing Invitations And Anonymous Guest Links at the SharePoint Online tenancy level
- Configure the Don’t Allow Sharing Outside Your Organization option at the SharePoint Online tenancy level