Forum Discussion
Azure AD B2B SPO and OD integration + Whitelisting in AAD
Ellefs1 Hello, I hate and love these questions 🙂
Not doing any testing so just replying how I think it will work.
Config 1: I believe you're right. When opting in for AAD B2B SPO/OD integration you'll leave ad-hoc external SharePoint sharing, so all external users will be added as guest users during the sharing process. So, for example, when I start to enter the verification code with a new user, in the next prompt I have to agree to join the resource org. and have my guest account created. That should be a no-go if not being allowed.
Config 2: You can control the "sharing prompt" as I understand you already do for the Anyone-links. The "specific people" will create a secure direct sharing link that will bypass the whitelist in AAD and the SharePoint external sharing settings will apply. Ad-hoc external sharing doesn't get verified by AAD CA access policies.
I must recommend using sensitivity labels instead of trying to adjust permissions by using legacy sharing permissions or AAD B2B integration. So opt-in to the latter as that's the way going forward and then set up guest access to 'containers' (groups, sites, teams) using sensitivity labels.
To the left you have more info about them as well.
Btw, if using MCAS you can be very granular combining filters etc.
- Ellefs1, Sep 27, 2021, Copper Contributor
Hi ChristianJBergstrom. Haha, I can understand the love/hate feelings towards these types of questions. Appreciate you taking the time to provide your thoughts.
I'm aware of how we can use sensitivity labels on containers to control guest access (among other things). But one thing is controlling which teams/sites that will allow guests, another thing is controlling who can be invited in the first place. If an organization can control which domains they allow their employees to invite external users from by using whitelisting, along with the rest of "Configuration 2". Would you say that is a troublesome setup? I understand the limitations of the SP ad-hoc external recipient solution (no CA etc.) and of course the possibility of end users being blocked from adding certain users. What would be the other downsides, if any?
- Sep 27, 2021
Hello again, I thought you'd settle for the previous one! Just kidding. I kind of understood you are aware of the options as how the initial question was asked, but had to put it out there.
Ellefs1 Doing an edit here, because when opting in using AADB2B integration it doesn't take precedence (as previously said); rather, invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B the AAD list works independently from the OneDrive for Business and SharePoint Online allow/block list.
So, now it feels better 🙂
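To make the behaviour described in the reply above concrete, here is an added PowerShell example that is not part of the thread and not code from either poster. It configures the Azure AD B2B allow list and the SharePoint Online allow list with the same domains, turns on the AAD B2B integration (so SharePoint and OneDrive invitations are also checked against the Azure AD restrictions), and then reads both settings back to confirm the two lists agree. Assumptions: the tenant is named "contoso", the allowed partner domains in `$AllowedDomains` are placeholders, and the SharePoint Online Management Shell and the (legacy, now deprecated) AzureAD module are installed and you hold the SharePoint and Global/Identity admin roles.

```powershell
# Added example, not from the forum thread.
# Assumptions: tenant "contoso", placeholder partner domains, SharePoint Online
# Management Shell and the legacy AzureAD module installed.

$AllowedDomains = @('partner.com', 'fabrikam.com')   # placeholder allow list

# --- Azure AD side: B2B invitation domain restrictions (allow list) ---
Connect-AzureAD | Out-Null

$b2bPolicy = @{
    B2BManagementPolicy = @{
        InvitationsAllowedAndBlockedDomainsPolicy = @{
            AllowedDomains = $AllowedDomains
        }
    }
} | ConvertTo-Json -Depth 5

$existing = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
if ($existing) {
    # Update the tenant's existing B2B management policy in place
    Set-AzureADPolicy -Id $existing.Id -Definition @($b2bPolicy)
} else {
    New-AzureADPolicy -Definition @($b2bPolicy) -DisplayName 'B2BManagementPolicy' `
        -Type 'B2BManagementPolicy' -IsOrganizationDefault $true | Out-Null
}

# --- SharePoint Online side ---
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Every external recipient becomes an Azure AD guest; the AAD allow list now
# applies to SharePoint/OneDrive invitations as well
Set-SPOTenant -EnableAzureADB2BIntegration $true
# Allow sharing with authenticated external users only (no "Anyone" links)
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
# Keep the SharePoint allow list identical to the Azure AD one
# (SharingAllowedDomainList is a space-separated string)
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList ($AllowedDomains -join ' ')

# --- Check: integration is on and both allow lists contain the same domains ---
$spo = Get-SPOTenant
$aadPolicy = (Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }).Definition |
             ConvertFrom-Json
$aadAllowed = $aadPolicy.B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy.AllowedDomains
$spoAllowed = $spo.SharingAllowedDomainList -split ' '

[pscustomobject]@{
    B2BIntegration     = $spo.EnableAzureADB2BIntegration
    SharingCapability  = $spo.SharingCapability
    SpoRestrictionMode = $spo.SharingDomainRestrictionMode
    SpoAllowedDomains  = ($spoAllowed -join ' ')
    AadAllowedDomains  = ($aadAllowed -join ' ')
    ListsMatch         = -not (Compare-Object $spoAllowed $aadAllowed)
}
```

With `EnableAzureADB2BIntegration` set to `$true` both lists are evaluated, so keeping them identical avoids an invitation that passes one check and fails the other; `ListsMatch` should come back `True`. Without the integration, the SharePoint list is the only one an ad-hoc "specific people" share is checked against, which is the independence the reply above describes.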
- Ellefs1, Sep 27, 2021, Copper Contributor
Right, I believe we got that covered. As you can understand we're still at the drawing board here.
The following is written on the "Allow list" documentation: "If you want to use an allow list, make sure that you spend time to fully evaluate what your business needs are."
So here I am, spending time evaluating this! 🙂
Thanks for the help! 🙂