Forum Discussion
Sharing to an external Office 365 Group
- Jul 20, 2016
There's a specific Guest feature coming for Groups. Guests are invited and must confirm with matching account.
On http://fasttrack.microsoft.com/roadmap, searching for "guest", under In development:
"Guest access support will enable teams using Office 365 Groups to easily collaborate with external team members (members that are not part of their organization/tenant). Guest users will have access to all of the groups assets: inbox, files, calendar and notebook. We'll introduce a number of administration controls to help you manage guests in Groups."
Thanks for all the replies everyone!
Really looking forward to the guest features coming to Office 365 Groups, but that isn't quite the use case I was referring to in the original post.
I want to share a file via the Office 365 external sharing mechanism with an external Office 365 Group - A Group that exists in a completely separate tenant. I want to do this to take advantage of automated permissions based on Group membership, as well as all the collaboration features that come with the sharing mechanism in Office 365 (co-authoring, version control, permissions control, etc etc) as compared to simply attaching a file to an email.
I understand all the technical reasons why this doesn't work currently, but as more and more separate companies that may be partners onboard to Office 365 this could become a powerful feature to help ease EXTERNAL collaboration with dynamic groups of people instead of just individuals.
I see. You want to keep the file in your tenant and share to people in another tenant by specifying only a Group that is controlled by the other tenant. If that tenant changes the Group's membership, you want the updated list of members to be who can access the file in your tenant.
The Guests feature will let you put the file in a Group in your tenant and specifically list individuals (by email address) in the other tenant. If the list of people in the other tenant changes, you have to edit the membership in your Group.
Or, the Guests feature will also let the other tenant create a Group and add you as the guest. Then you can add the file to their Group and they can change the Group's membership (and thus permissions to the file). You still have an independent copy of the file in your tenant.
Does either Guest scenario work for you? I can get feedback to the engineering team if you need the summary of what I think you're asking.
- TonyRedmondJul 22, 2016MVP
The interesting thing is whether an external group can be a guest user in the way that an individual is. As I understand the situation, a guest user is identified by an email address. An Office 365 Group in an external tenant has an email address. Therefore, it should be possible to create a guest user to point to that Office 365 Group and share with them. Wouldn't that solve the problem?
TR
- David RosenthalJul 22, 2016Microsoft
Exactly what I thought as well TonyRedmond , but it doesn't work if you have Set-SPOTenant RequireAcceptingAccountMatchInvitedAccount set to True, since no one member of the group can take action on the invitation link as if they were the group itself in order to accept it and have the permission officially granted. The permission is not actually granted until authentication has happened.
We could set that parameter to False of course, but then we are less secure as anyone who got hold of that link would be able to accept the invitation even with a simple and free Microsoft Account.
- David RosenthalJul 21, 2016Microsoft
Thanks Jim Knibb, I think we're on the same page. I want to retain control of the file and ensure that only one version exists for version control purposes, but I want to move permissions control of this file's external users from a certain domain to the admin of an Office 365 Group in that external domain that I trust.
As an example, say I'd hired a consulting firm to work on some assets of mine and expect the project to last for a long enough period of time that I expect quite a bit of staff churn. I'd rather not store my assets on their infrastructure/tenant, but I trust their leadership to only permission the proper people to view/edit all the associated files. Being able to share to an external Office 365 Group allows them to move staff around as needed without involving me or my team at all. The right people can get the right access quickly and efficiently, while the assets/files stay controlled and protected in my tenant. I can turn off access at any time to this external group if I wish without having to individually remove people or stop sharing completely which would break access to my own internal people who were shared with.
Your 1st option takes away the automation of the external permissions that Groups would offer.
Your 2nd option moves the file to the external Group's tenant, which is less secure from an intellectual property perspective (they now have my files, how do I know what they are doing with them or where they are going when our engagement ends?). This option could also cause some version conflicts as the files would exist in two places simultaneously.
Probably more of a niche case for now, but the automated aspect and usage of the powerful collaboration features that Office 365 offers are very appealing.
Cross-tenant federation, if that ever becomes a thing, would actually solve this I believe, but I would need to trust this external partner very much in order to fully federate with them. Instead of one Group getting access to some files, their tenant and my tenant would see each other's users as the same and allow access to anything as long as proper permissions were granted.