Forum Discussion
Introducing guest access for Office 365 Groups!
So I shall chalk my frustrating experience with Photos to the list of other issues with this new network.... Tant pis.
- Sahil Arora, Sep 18, 2016 (Former Employee)
Thanks David Rosenthal for the feedback! We take this feedback and include this datapoint in our planning.
- David Rosenthal, Sep 16, 2016 (Microsoft)
Thanks TonyRedmond and Sahil Arora!
While having the PowerShell is nice, there is still some exposure there if a user shares something externally to a domain we do not allow. During that time period between the share occurring and some sort of automated job or utility running to scan all guest users to identify their domains and remove the ones we don't want, whatever was shared is exposed to the outside world. This will scare many IT departments into turning guest access off completely, or at best putting data sensitivity restrictions on what a Group is allowed to be used for. I'm assuming either of those scenarios is not the ultimate goal of Groups.
It would be much simpler, more effective, and less risky to simply query the tenant level whitelist or blacklist when the guest access sharing action occurs to see if the domain is allowed or not. If allowed, proceed as normal. If not allowed, throw the same error message that SharePoint does now when you attempt to share to a domain that is not allowed. I'm obviously not familiar with the exact inner workings of everything on your side of the fence, but this seems like a fairly simple and straightforward requirement that functionality already exists for - the connection is just not being made right now.
I personally love Groups, and I clearly see the vision of where it is headed and how it will make things better across the board in Office 365. Not having this sort of integration from the start makes this almost a non-starter to large enterprises that have a risk averse security department, which is becoming almost the norm these days. Even if added later, then it becomes a Change issue since I'll then have a huge battle to relocate teams who started using other solutions since Groups was not ready yet to fit their needs.
- Sahil Arora, Sep 14, 2016 (Former Employee)
Thanks David for the feedback! Currently we don't honour the SharePoint Allow-List; that list is for external sharing of SharePoint items, not linked with guests in groups, but as TonyRedmond has mentioned you should be able to remove the guests with black-listed domains with the PowerShell script.
- TonyRedmond, Sep 14, 2016 (MVP)
Those whitelists (defined in the Sharing section of the SharePoint Online Admin Center) control invitations for individual SharePoint items and not the addition of guest members to Office 365 Groups. However, it's easy to scan the membership of groups to find guests from forbidden domains and remove them. I have the PowerShell code to do that and will talk about it at Ignite (but you can figure it out yourself)!
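The scan described in the post above, as an added sketch that is not TonyRedmond's script and not part of the thread. It assumes a connected Exchange Online PowerShell session for the removal step, that guests surface with `RecipientTypeDetails` of `GuestMailUser`, and that `PrimarySmtpAddress` holds the guest's external address; the function names, domains and sample members are constructed for illustration.

```powershell
# Added example. Function names, domains and sample members are constructed.
$BlockedDomains = @('blocked.example', 'partner-not-allowed.example')

function Get-ForbiddenGuest {
    # Returns the guest members whose mail domain is on the blocked list.
    param([Parameter(Mandatory)] [object[]] $Member,
          [Parameter(Mandatory)] [string[]] $BlockedDomain)
    foreach ($m in $Member) {
        # Assumption: guest accounts are reported as 'GuestMailUser'.
        if ($m.RecipientTypeDetails -ne 'GuestMailUser') { continue }
        $address = [string]$m.PrimarySmtpAddress
        $at = $address.LastIndexOf('@')
        if ($at -lt 0) { continue }
        $domain = $address.Substring($at + 1).ToLowerInvariant()
        foreach ($b in $BlockedDomain) {
            $b = $b.ToLowerInvariant()
            # Match the domain and its subdomains, not look-alike suffixes.
            if ($domain -eq $b -or $domain.EndsWith(".$b")) { $m; break }
        }
    }
}

function Remove-ForbiddenGuest {
    # Walks every Office 365 Group and removes guests from blocked domains.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string[]] $BlockedDomain)
    foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
        $members = @(Get-UnifiedGroupLinks -Identity $g.Alias -LinkType Members)
        if ($members.Count -eq 0) { continue }
        foreach ($guest in Get-ForbiddenGuest -Member $members -BlockedDomain $BlockedDomain) {
            $target = "$($guest.PrimarySmtpAddress) in group $($g.DisplayName)"
            if ($PSCmdlet.ShouldProcess($target, 'Remove guest member')) {
                Remove-UnifiedGroupLinks -Identity $g.Alias -LinkType Members `
                    -Links $guest.Name -Confirm:$false
            }
        }
    }
}

# Constructed sample members, so the filter can be checked without a tenant.
$sample = @(
    [pscustomobject]@{ Name = 'm1'; RecipientTypeDetails = 'UserMailbox';   PrimarySmtpAddress = 'ann@contoso.example' }
    [pscustomobject]@{ Name = 'g1'; RecipientTypeDetails = 'GuestMailUser'; PrimarySmtpAddress = 'bob@blocked.example' }
    [pscustomobject]@{ Name = 'g2'; RecipientTypeDetails = 'GuestMailUser'; PrimarySmtpAddress = 'eve@Mail.Blocked.Example' }
    [pscustomobject]@{ Name = 'g3'; RecipientTypeDetails = 'GuestMailUser'; PrimarySmtpAddress = 'dan@notblocked.example' }
)
# Lists g1 and g2 only.
Get-ForbiddenGuest -Member $sample -BlockedDomain $BlockedDomains | Select-Object Name, PrimarySmtpAddress
```

Running `Remove-ForbiddenGuest -BlockedDomain $BlockedDomains -WhatIf` against a tenant lists what would be removed without changing any membership.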
- David Rosenthal, Sep 14, 2016 (Microsoft)
Does Guest Access respect the tenant-level Allowlist (whitelist)?
We are seeing evidence that it does not, which our security team will not love at all. :(
- Brian Mather, Sep 13, 2016 (Brass Contributor)
And how about when you click and nothing happens so you click again and then you get a duplicate post!! ;)
- Sep 12, 2016
LOL