Forum Discussion
Introducing guest access for Office 365 Groups!
Does https://azure.microsoft.com/en-us/documentation/articles/active-directory-create-users/ help?
I see the settings (still in Preview) by going to the portal, selecting the AAD instance for my tenant, and then selecting the Configure tab. The User Access settings are towards the end. I don't think you need to go near these settings because the default values should allow guest access.
Thanks Tony, I have that all set - as you said they were already set. I could not find those settings in the new portal, only the old portal.
(side note - thanks for the screen shot you attached. I only noticed it when coming back to reply. They don't feature very prominently do they.... Attached images should really show a thumbnail)
I am seeing 'All/Owners/Guests' in the group I've set up, but still get a warning that only individuals from within the organisation can be added when I try to add someone external.
I realise it might be a number of days away. Is there any visual indication to know external group membership is active on your tenant, or do we just keep trying until it works?
- Sahil Arora, Sep 18, 2016 (Former Employee)
Thanks David Rosenthal for the feedback! We take this feedback and include this datapoint in our planning.
- David Rosenthal, Sep 16, 2016 (Microsoft)
Thanks TonyRedmond and Sahil Arora !
While having the PowerShell is nice, there is still some exposure there if a user shares something externally to a domain we do not allow. During that time period between the share occurring and some sort of automated job or utility running to scan all guest users to identify their domains and remove the ones we don't want, whatever was shared is exposed to the outside world. This will scare many IT departments into turning guest access off completely, or at best putting data sensitivity restrictions on what a Group is allowed to be used for. I'm assuming either of those scenarios is not the ultimate goal of Groups.
It would be much simpler, more effective, and less risky to simply query the tenant level whitelist or blacklist when the guest access sharing action occurs to see if the domain is allowed or not. If allowed, proceed as normal. If not allowed, throw the same error message that SharePoint does now when you attempt to share to a domain that is not allowed. I'm obviously not familiar with the exact inner workings of everything on your side of the fence, but this seems like a fairly simple and straightforward requirement that functionality already exists for - the connection is just not being made right now.
I personally love Groups, and I clearly see the vision of where it is headed and how it will make things better across the board in Office 365. Not having this sort of integration from the start makes this almost a non-starter to large enterprises that have a risk averse security department, which is becoming almost the norm these days. Even if added later, then it becomes a Change issue since I'll then have a huge battle to relocate teams who started using other solutions since Groups was not ready yet to fit their needs.
- Sahil Arora, Sep 14, 2016 (Former Employee)
Thanks David for the feedback! Currently we don't honour the SharePoint Allow-List; that list is for external sharing of SharePoint items, not linked with Guests in groups, but as TonyRedmond has mentioned you should be able to remove the guests with black-listed domains with the PowerShell script.
- TonyRedmond, Sep 14, 2016 (MVP)
Those whitelists (defined in the Sharing section of the SharePoint Online Admin Center) control invitations for individual SharePoint items and not the addition of guest members to Office 365 Groups. However, it's easy to scan the membership of groups to find guests from forbidden domains and remove them. I have the PowerShell code to do that and will talk about it at Ignite (but you can figure it out yourself)!
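
An added example of the scan described in the post above; it is not part of the original thread and is not TonyRedmond's script. It assumes a connected Exchange Online PowerShell session and that guest members are returned with `RecipientTypeDetails` of `GuestMailUser`; the block list, `Test-BlockedDomain` and `Find-BlockedGuest` are hypothetical names and constructed data.

```powershell
# Constructed sample block list; replace with the domains your policy forbids.
$BlockedDomains = @('blocked.example', 'competitor.example')

function Test-BlockedDomain {
    param([string]$Address, [string[]]$Blocked)
    # Use the part after the last '@'; an address without one never matches.
    $at = $Address.LastIndexOf('@')
    if ($at -lt 0) { return $false }
    $domain = $Address.Substring($at + 1).Trim().ToLowerInvariant()
    foreach ($b in $Blocked) {
        $b = $b.ToLowerInvariant()
        # Exact match, or a subdomain of a blocked domain (mail.blocked.example).
        # The leading dot stops 'notblocked.example' matching 'blocked.example'.
        if ($domain -eq $b -or $domain.EndsWith(".$b")) { return $true }
    }
    return $false
}

function Find-BlockedGuest {
    param([string[]]$Blocked)
    # Only groups that report at least one external member need scanning.
    $groups = Get-UnifiedGroup -ResultSize Unlimited |
        Where-Object { $_.GroupExternalMemberCount -gt 0 }
    foreach ($g in $groups) {
        Get-UnifiedGroupLinks -Identity $g.Alias -LinkType Members -ResultSize Unlimited |
            Where-Object { $_.RecipientTypeDetails -eq 'GuestMailUser' -and
                (Test-BlockedDomain -Address $_.PrimarySmtpAddress -Blocked $Blocked) } |
            ForEach-Object {
                [pscustomobject]@{
                    Group      = $g.DisplayName
                    GroupAlias = $g.Alias
                    Guest      = $_.PrimarySmtpAddress
                    GuestId    = $_.Name
                }
            }
    }
}

# Report first so the findings can be reviewed before anything is changed.
$hits = @(Find-BlockedGuest -Blocked $BlockedDomains)
$hits | Format-Table Group, Guest

# Dry run while -WhatIf is present; remove -WhatIf after reviewing the report.
foreach ($h in $hits) {
    Remove-UnifiedGroupLinks -Identity $h.GroupAlias -LinkType Members `
        -Links $h.GuestId -Confirm:$false -WhatIf
}
```

A scheduled scan like this shortens the exposure window David Rosenthal raises elsewhere in the thread but does not close it, since the guest has access until the next run.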
- David Rosenthal, Sep 14, 2016 (Microsoft)
Does Guest Access respect the tenant-level Allowlist (whitelist)?
We are seeing evidence that it does not, which our security team will not love at all. :(
- Brian Mather, Sep 13, 2016 (Brass Contributor)
And how about when you click and nothing happens so you click again and then you get a duplicate post !! ;)
- LizP1, Sep 13, 2016 (Iron Contributor)
This is VERY helpful - thanks darrellaas. I was getting a little tired of downloading every pic... :smileyhappy:
And while I'm here, back onto the thread topic - we've hit the ground running and have set up private Outlook Groups with external members for about four projects just today. Conversations are flowing, files are being saved into the group folder and plans are being made in Planner. Loving. It.
- TonyRedmond, Sep 13, 2016 (MVP)
The stupid avatar makes my ear look pretty though...
- Sep 12, 2016
LOL
- Sep 12, 2016
How about when it screws up profile circles so they create a beautiful oval frame of your ear Tony?
- Sep 12, 2016
How about when it screws up profile circles so they create a beautiful oval frame of your ear Tony?
- TonyRedmond, Sep 10, 2016 (MVP)
So I shall chalk my frustrating experience with Photos to the list of other issues with this new network.... Tant pis.
- darrellaas, Sep 10, 2016 (MVP)
I'm using Chrome too and it has happily eaten the photos I spoon-fed it. Your screenshot wasn't too big a mouthful for Chrome to swallow.
- TonyRedmond, Sep 10, 2016 (MVP)
Good theory, but I tried to add the screenshot as a photo and the browser (Chrome) barfed. So I didn't.
- darrellaas, Sep 10, 2016 (MVP)
Hi Brian Mather and TonyRedmond. Here's a tip aside of the conversation topic that will help when sharing screenshots. Add "Photos" rather than "Choose Files". Photos will appear in the body of the post. "Choose Files" is more suited to attaching documents.
(I'm catching up with the conversation and wanted to offer this to help future conversations.)
- VasilMichev, Sep 10, 2016 (MVP)
Thanks Tony, definitely not happy about that bit though. We did indeed discuss it back on the OTN in the context of "every user in the company being able to delete files from any Public Group". Now it's the same all over, even though the MSFT folks seemed to agree at the time that some changes might be for the best...
- David Slight, Sep 10, 2016 (Iron Contributor)
Yes, either you are on the "team" or you are not. Nothing slows things down across collaboration more than finding out a team member did not have access or didn't see something that was shared. If you need sub levels of guest then I would use another construct and let's keep groups for highly effective teams.
- SanthoshB1, Sep 10, 2016 (Bronze Contributor)
IMHO, since Groups files is maintained in Shared Documents, that portion won't be changed. Whereas the other parts of the site can have SharePoint style permissions and also we can use Office 365 Groups for assigning permissions.
- TonyRedmond, Sep 10, 2016 (MVP)
While standardization is good, Office 365 Groups are a rather special construct where a central idea is that all members of a group - including guest users - share a common level of access to group resources. Now this isn't strictly true for guest users because they don't have direct access to the group mailbox, but it holds valid for the SharePoint resources. Unlike permissions that are granted to an individual user who has a specific and recognizable identity, you'd have to be able to go to a lower level and support different permissions within members who hold a common identity - and that is where the problem lies.
- Salvatore Biscari, Sep 10, 2016 (Silver Contributor)
I appreciate your careful approach and I agree with you.
Nevertheless, as pointed out by VasilMichev, I think that, for example, restricting guests to be visitors and not full members, will be a common requirement.
Hence I hope that with the introduction of Group team sites MS will eliminate any "specialness" from Group access, rendering it completely "standard" as in SharePoint.
- TonyRedmond, Sep 10, 2016 (MVP)
I don't want to avoid answering the question, but I do think that we need to wait and see what is possible after the full roll-out of team sites for groups is completed. The issue right now is that group access is "special" and very different to SharePoint-style access. When groups have the full functionality of team sites available, it might be possible to play with permissions. So I think we have to wait a little while longer and then see whether it is possible to assign different document-level permissions to different members within a group.
- Salvatore Biscari, Sep 10, 2016 (Silver Contributor)
Tony, I remember that some time ago (still in the Yammer network) you advised against fiddling with permissions in a Group doclib. Do you still think the same?
IMHO, with the introduction of guests and team sites to Groups, in many cases it will be really necessary to customize the permissions. Don't you think so?
- TonyRedmond, Sep 10, 2016 (MVP)
Delighted to clarify... A guest user is a group member. Apart from group owners, who can administer the group, there is no distinction between the rights of different group members. A guest user has exactly the same level of access to group files and the notebook as possessed by other group members. And yes, this means that a guest user can delete files from the library should they feel so inclined. Basically, don't invite guest users whom you don't trust - or segregate documents that guest users need to access into specific groups.
- VasilMichev, Sep 09, 2016 (MVP)
The Guests tab appeared in my tenant, but now I get error saying to ask my admin for help :) Guests are enabled in the settings, guess I have to wait a bit more.
In the meantime, can anyone clarify what kind of access Guests get to Files, and are we able to modify this? By default I mean, so we can avoid the "Guest deleted all the group files" scenario.
- David Slight, Sep 09, 2016 (Iron Contributor)
I think I am half way there - see attached screenshot - am seeing the SHARING panel in Security & Privacy but still getting an error when I try to add someone. Wait a bit more I suppose ...