Forum Discussion
Groups Guest access and SharePoint access
We've been experimenting a lot with Guest Access in Office 365 Groups the past few days and have made what we think are some interesting discoveries on how this all works and what is actually going on there, although our testing is still underway.
If you read the Guest Access Documentation carefully, it seems there is no intention for the guest user to actually access the Group's Team Site in the way we all understand from External Sharing in a standard SharePoint Online Team Site if the external sharing settings for that site are left default and not modified via PowerShell.
Instead, it looks like the intention is for all external access to files to occur via email. Very specifically, look at this section in the documentation I linked above:
All of the guest member's interactions occur through their email inbox. They can't access the group site but can receive calendar invitations, participate in email conversations, and, if the tenant admin has enabled it, open shared files using a link or attachment.
All group emails and calendar invitations the guest receives will include a reminder to use "reply all" in responses to the group, along with links to view group files and leave or unsubscribe from the group.
If you follow that view group files link, you'll arrive at a page with instructions for how to share group files with guests. Those instructions very specifically guide you to attach the file(s) to a conversation within the Group.
I am not a fan of this method or experience at all. For sharing a one-off file with a guest it might be ok, but for longer term guest access it becomes very unwieldy when they have to manage everything through their own inbox as opposed to a central collaboration point that external access to the Group's Team Site or a shared folder within that Team Site would offer.
We have uncovered a couple ways around this, although I'm not sure this is supported by Microsoft, which makes me nervous to begin using it in a production scenario.
- You can flip the setting in PowerShell on the Group's site itself that allows these guest users to log in to the site. This setting was mentioned previously in this thread. This can only be done retro, as there appears to be no way currently to change the default setting that is applied at creation. I am not a fan of manually or automatically having to go change this setting in this manner, as that is another bit of complexity that has potential to stop running, needs to be monitored, human factors, etc.
- You can use some sort of Azure B2B solution to add these external users into AD beforehand so they "exist" and are not blocked by the default setting on these types of sites.
cfiessinger Any chance we could get a comment from you or someone on your team on whether what we're all talking about in this thread is correct and working as intended, or have we missed something completely? Thanks!
adding Sahil Arora
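
The post above notes that a per-site change to guest access is something that then has to be monitored. The following is an added example, not code from the post or from Microsoft's documentation: a read-only audit that lists every Group-connected site and flags those whose external sharing setting differs from a chosen baseline. It assumes the setting in question is the site's `SharingCapability` property (the post does not name it); the admin URL, the baseline value and the report path are placeholders.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module
# and SharePoint admin rights. It only reads settings; it changes nothing.
# Assumption: the per-site guest setting is SharingCapability (not named in the post).
param(
    [Parameter(Mandatory)]
    [string] $AdminUrl,                                # placeholder: https://<tenant>-admin.sharepoint.com
    [string] $Baseline   = 'Disabled',                 # assumed baseline; set to your intended value
    [string] $ReportPath = '.\group-site-sharing.csv'  # hypothetical output path
)

Connect-SPOService -Url $AdminUrl

# GROUP#0 is the site template used by Group-connected team sites.
$sites = Get-SPOSite -Template 'GROUP#0' -IncludePersonalSite:$false -Limit All

$report = foreach ($s in $sites) {
    # Re-read each site by URL so that all properties are populated.
    $d = Get-SPOSite -Identity $s.Url
    [pscustomobject]@{
        Url                 = $d.Url
        Owner               = $d.Owner
        SharingCapability   = "$($d.SharingCapability)"
        DiffersFromBaseline = ("$($d.SharingCapability)" -ne $Baseline)
        CheckedUtc          = (Get-Date).ToUniversalTime().ToString('s')
    }
}

# Keep the full inventory for comparison between runs.
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Show only the sites that have drifted from the baseline.
$report | Where-Object DiffersFromBaseline |
    Format-Table Url, Owner, SharingCapability -AutoSize
```

Running this on a schedule and comparing the CSV between runs shows which Group sites have had guest sign-in opened up, and when.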