Looking to confirm my understanding. If you add a guest to an O365 from OWA, they will only have access to the associated SharePoint site if external sharing for that site has been turned on (or if external sharing was turned on a the tenant level)? Since sites created off of groups don't show up in the SharePoint Admin center, you'd have to run PowerShell to enable external sharing on that site? Is there any other way to grant external member access to a Groups SharePoint site besides PowerShell?

We've been experimenting a lot with Guest Access in Office 365 Groups the past few days and have made what we think are some interesting discoveries on how this all works and what is actually going on there, although our testing is still underway. If you read the Guest Access Documentation carefully, it seems there is no intention for the guest user to actually access the Group's Team Site in the way we all understand from External Sharing in a standard SharePoint Online Team Site if the external sharing settings for that site are left default and not modified via PowerShell. Instead, it looks like the intention is for all external access to files to occur via email. Very specifically, look at this section in the documentation I linked above: All of the guest member's interactions occur through their email inbox. They can't access the group site but can receive calendar invitations, participate in email conversations, and, if the tenant admin has enabled it, open shared files using a link or attachment. All group emails and calendar invitations the guest receives will include a reminder to use "reply all" in responses to the group, along with links to view group files and leave or unsubscribe from the group. If you follow that view group files link, you'll arrive at a page with instructions for how to share group files with guests. Those instructions very specifically guide you to attach the file(s) to a conversation within the Group. I am not a fan of this method or experience at all. For sharing a one off file with a guest it might be ok, but for longer term guest access it becomes very unwieldly when they have to manage everything through their own inbox as opposed to a central collaboration point that external access to the Group's Team Site or a shared folder within that Team Site would offer. We have uncovered a couple ways around this, although I'm not sure this is supported by Microsoft which makes me nervous to begin using it in a production scenario. You can flip the setting in PowerShell on the Group's site itself that allows these guest users to log in to the site. This setting was mentioned previously in this thread. This can only be done retro, as there appears to be no way currently to change the default setting that is applied at creation. I am not a fan of manually or automatically having to go change this setting in this manner, as that is another bit of complexity that has potential to stop running, needs to be monitored, human factors, etc.You can use some sort of Azure B2B solution to add these external users into AD beforehand so they "exist" and are not blocked by the default setting on these types of sites. cfiessinger Any chance we could get a comment from you or someone on your team on whether what we're all talking about in this thread is correct and working as intended, or have we missed something completely? Thanks!

Thanks guys for the feedback! Couple of things, we have been working internally to rationalize this settings & this is the plan of record as of now. 1. By-default Groups have guest access enabled & the corresponding team site as well. 2. Currently by default files cannot be shared with new guests unless they are member group. We are planning to *change* this default with full guest access enabled, so that you can share indivudal files with new guest users through SPO. 3. The way we want SPO settings & Groups settings for short-term is to be decoupled with the right messaging in the admin portal so that admins are clearly aware of what do they need to do to fully disable guest access.

Jens Skov "By default, all SharePoint site collections that are part of an Office 365 Group have the sharing setting set to Allow sharing only with the external users that already exist in your organization’s directory. To change this setting, you can use the Set-SPOSite Windows PowerShell cmdlet." from https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85?ui=en-US&rs=en-US&ad=US Hence, to share with unauthenticated users, it is enough to change the default by powershell.

Hi David, We totally understand the gravity of this issue & we are actively working on to support this item. Thanks, Sahil

Hi Salvatore, Well I am happy to say that I figured out how to get External Sharing for Guests working for my groups Office 365 Team Site. Scenario- Unable to Share a Group Folder or File with External Users (Guest) Guest Sharing Enabled at the Tenant Level - Yes Executing Set-SPOSite -SharingCapability ExternalUserAndGuestSharing - Did not work, message still indicated I needed to EnableGuestSharing at the Tenant Level (Although it already was). What worked for me was executing the following command from PS to enable guest sharing. set-spotenant -SharingCapability ExternalUserAndGuestSharing then running this against the site I want to enable guest sharing set-sposite https://site.sharepoint.com/teams/development -SharingCapability ExternalUserAndGuestSharing Long story short, although guest sharing was enabled in the Admin Center, for whatever reason, PS still saw this setting as "off". By enabling this setting using SET-SPOTenant worked.

Groups Guest access and SharePoint access

Jens Skov
Copper Contributor
Mar 30, 2017
As I understand my issue is not exactely what you are discussing, but I will chime in anyway.

We have the need to create links to files in a group library for unauthenticated access. Do I understand the thread right in assuming that this is not possible?
This means that right now the users are creating files structures in their own OneDrive that they are sharing with the Group and using the Shared With Us view.
What is very messy and takes away a lot of the advantages of the group, bus the external sharinng links are crucials for this organisation.

Can anyone help?
- Salvatore Biscari
  Silver Contributor
  Mar 30, 2017
  Jens Skov
  
  "By default, all SharePoint site collections that are part of an Office 365 Group have the sharing setting set to Allow sharing only with the external users that already exist in your organization’s directory. To change this setting, you can use the Set-SPOSite Windows PowerShell cmdlet." from https://support.office.com/en-us/article/Manage-external-sharing-for-your-SharePoint-Online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85?ui=en-US&rs=en-US&ad=US
  
  Hence, to share with unauthenticated users, it is enough to change the default by powershell.
  - David Slight
    Iron Contributor
    Jul 24, 2017
    I am still having issues (and lots of support tickets) as Guest members of a new Group cannot access the Groups SharePoint files. Referring to the article mentioned below:
    
    The article says: By default, all SharePoint site collections that are part of an Office 365 Group have the sharing setting set to Allow sharing only with the external users that already exist in your organization’s directory. To change this setting, you can use the Set-SPOSite Windows PowerShell cmdlet.
    
    Q: If I change the Tenant (global) settings, do I still have to change the settings for the site collections related to the Office 365 Groups with the SPO cmdlet?
    
    NB: I ask this as I do not see an obvious Site Collection in the list of Site Collections that is related to my Office 365 Groups (for example storage used is zero when there are many files in the Group site) - related, where do I see the storage used for the SharePoint files associated with a group?
Sahil Arora
Microsoft
Mar 20, 2017
Thanks guys for the feedback! Couple of things, we have been working internally to rationalize this settings & this is the plan of record as of now.

1. By-default Groups have guest access enabled & the corresponding team site as well.

2. Currently by default files cannot be shared with new guests unless they are member group. We are planning to *change* this default with full guest access enabled, so that you can share indivudal files with new guest users through SPO.

3. The way we want SPO settings & Groups settings for short-term is to be decoupled with the right messaging in the admin portal so that admins are clearly aware of what do they need to do to fully disable guest access.
- David Rosenthal
  Microsoft
  May 01, 2017
  Any updates to this Sahil Arora? I'm starting to get a lot of users trying to share individual files from their modern team sites that are created as part of an Office 365 Group, who are getting the error which makes it look like external sharing is disabled when it actually isn't. This is generating a lot of tickets and complaints to our support function as users are used to external sharing in SharePoint and would like to share individual files that way as opposed to sharing the file contents of their entire Group.
  - Bobby Cruz
    Brass Contributor
    Dec 02, 2017
    Hey Dave,
    
    Run this first after you are authenticated with your tenant using PS.
    
    when using connect-sposervice the -Url switch should point to your group team site not your SharePoint Admin Url
    
    set-spotenant -SharingCapability ExternalUserAndGuestSharing
    
    then
    
    set-sposite https://yoursite.sharepoint.com/teams/development -SharingCapability ExternalUserAndGuestSharing
    
    Although External Sharing is enabled in the Admin Center, running SPOSite -SharingCapability ExternalUserAndGuestSharing never worked.
    
    Enabling External Sharing via PS using SPOTenant level worked.
    
    I hope this works for you.
    
    Best,
    
    Bobby
- Salvatore Biscari
  Silver Contributor
  Mar 20, 2017
  Sahil Arora
  Thanks Sahil.
  About #2, my understanding is that today, by default, files can be shared with all existing external users, and not only with group members. Am I wrong?
- jcgonzalezmartin
  MVP
  Mar 20, 2017
  Thanks for this great update Sahil Arora do you have an ETA about when this will be rolled out?
jcgonzalezmartin
MVP
Mar 01, 2017
My understanding is that is enough with enabling external guest at the tenant level so you don't need to run any PowerShell to configure Group sites
- Salvatore Biscari
  Silver Contributor
  Mar 01, 2017
  Hi Juan.
  External sharing must be enabled at the tenant level AND at the Group site collection level (which BTW is the default) in order to allow access to guest members.
  - escupham
    Steel Contributor
    Mar 01, 2017
    Thanks. We have external sharing disabled at the tenant level, are only enabling for specific sites. I added my personal external email to a Group I created, was able to conversate okay but got an access denied when trying to access the site. Sounds like then that would be expected? Until I turned on external sharing at the site collection level?
Salvatore Biscari
Silver Contributor
Mar 01, 2017
The default setting for sites associated to Groups is ExistingExternalUserSharingOnly and you don't need to change it in order to add external members.
If you want to change it, though, you can do it only by PowerShell.

Forum Discussion

Groups Guest access and SharePoint access

Resources