Forum Discussion
External Sharing Difficulties (SharePoint)
I have an external sharing site collection set up with several sub-sites. My understanding is this:
1. Anyone can create a Microsoft Account off any non-O365 email and then they can be authenticated on an external site. They must click the invitation link.
2. If the person you are external sharing with has an O365 Work Account, they can use that to log in to the shared site after clicking on the invitation.
This has worked about 80% of the time.
Some users I just cannot seem to provide external sharing to. There are 4 sites in our external sharing enabled site collection.
I just made a gmail account, turned the email into a MSFT account and it worked great.
I have several external users that I just cannot seem to get into the system.
Today one user received a "This invitation isn't valid anymore because a policy change in the senders organization" message. That would only be me and I made no changes.
All insights are much appreciated.
Hi Eric Adler,
Do you have the "require recipients to authenticate with the same account that was invited" setting enabled? If not, then you don't need to create an MSA with the same e-mail address as the account that was invited (gmail). Also, with the new external sharing flow that is rolling out, users who do not have an account will no longer be required to create an account. Instead they can authenticate via a one-time code. Hope that helps!
Stephen Rice
OneDrive Program Manager II
7 Replies
- Eric Adler
Iron Contributor
This was it!
By removing this check from the SG and adding the SG to the SP Site Collection I was able to utilize 2013 SharePoint workflows to send the emails.
w00t!!
Notes: We have hybrid Exchange set up and this setting was changed in the on-prem Exchange Admin (if there is a similar setting in EXO, we didn't find it)
- Eric Adler
Iron Contributor
We do not have that set.
So that means someone can authenticate using any Microsoft Account from that link?
Assuming MSA = Microsoft Account?
The key driver in external sharing for me is knowing who the user is that is making edits and accessing content (as opposed to sending an anonymous "Edit link"). I am guessing with the way I have it set up I can only know the email address of the person. I guess that is true with any Microsoft Account that is "Personal". There is no verification of ownership with a Microsoft Account with the email that I am aware of.
- StephenRice
Microsoft
Eric Adler, that's correct, yes. Without that setting enabled, you know that:
A) The e-mail address that was entered was the only one to receive the invitation link
B) The user who accepted the invitation either is the person who received the invitation link or was forwarded the link from that person.
With the new external sharing flow, we can strengthen that second piece by requiring the owner of the e-mail address to verify all access in a configurable manner (i.e. they must verify every 24 hours, or 1 week, etc.)
Hope that helps!
Stephen Rice
OneDrive Program Manager II
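A read-only check of the identity guarantees described in the reply above, as an added example that is not part of the original thread or Microsoft's own code. It assumes the SharePoint Online Management Shell property names `SharingCapability`, `RequireAcceptingAccountMatchInvitedAccount`, `EmailAttestationRequired` and `EmailAttestationReAuthDays` correspond to the settings discussed; the function name, the 7-day threshold and the sample objects are constructed for illustration.

```powershell
# Added example. Live input would come from the SharePoint Online Management Shell:
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com      # placeholder URL
#   $tenant = Get-SPOTenant
#   $site   = Get-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<external-site>

function Get-SharingIdentityFindings {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] $Site,
        [int] $MaxReAuthDays = 7          # assumed review threshold, not a Microsoft default
    )
    $findings = @()

    # Anonymous links: access and edits are not tied to any signed-in identity.
    if ("$($Site.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
        $findings += 'Site setting permits anonymous links; edits through them are not attributable.'
    }
    # Without account matching, a forwarded invitation can be redeemed by another account.
    if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) {
        $findings += 'Invitation may be accepted with an account other than the invited address.'
    }
    # One-time-code flow: periodic proof that the user still controls the invited mailbox.
    if (-not $Tenant.EmailAttestationRequired) {
        $findings += 'No periodic verification of the invited e-mail address is required.'
    }
    elseif ($Tenant.EmailAttestationReAuthDays -gt $MaxReAuthDays) {
        $findings += "Re-verification interval is $($Tenant.EmailAttestationReAuthDays) days (threshold $MaxReAuthDays)."
    }
    $findings
}

# Constructed sample objects standing in for Get-SPOTenant / Get-SPOSite output.
$sampleTenant = [pscustomobject]@{
    RequireAcceptingAccountMatchInvitedAccount = $false
    EmailAttestationRequired                   = $true
    EmailAttestationReAuthDays                 = 30
}
$sampleSite = [pscustomobject]@{ SharingCapability = 'ExternalUserSharingOnly' }

Get-SharingIdentityFindings -Tenant $sampleTenant -Site $sampleSite
```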
- Did you change anything with regard to external sharing in your tenant? Have you tried to add those users as guests directly in Azure AD? Sometimes I have had to do this so some external users can access my SPO sites.
- Eric Adler
Iron Contributor
I have not tried to add them to Azure AD directly. In this model would I set their password and send it to them?
- Anonymous
If the person you are external sharing with has an O365 work account, and their system is a hybrid or entirely on-premises system that uses ADFS, but their ADFS is turned off or (more likely) ADFS-proxy is not configured properly, your system will not be able to authenticate the external user. See https://msdn.microsoft.com/en-us/library/bb897402.aspx and https://serverfault.com/questions/708669/what-is-adfs-active-directory-federation-services