Forum Discussion

Teemu Strand
Iron Contributor
Oct 20, 2016

External Sharing

I have a project site which I want to share with an external user. External Sharing is enabled at the site collection level and the new setting "External users must accept sharing invitations using the same account that the invitations were sent to" is disabled:


Now I share the site with the external user using his/her work email address firstname.lastname@company.com

The external user receives an invitation email at his/her work email address and clicks the link. He/she uses a (personal) Microsoft Account firstname.lastname@outlook.com to log in to the site and enters the username and password.

Then the external user gets the error "User is not found in the directory"


This article describes the issue but is somehow misleading when it says "if the user who accepts the invitation signs up by using an account other than the email address to which the invitation was sent, you may encounter an access denied message."


Does that mean that the external user has to use an MS account which has the same email address as the one the invitation was sent to in order to log in? This all is a source of big confusion, and in large customer projects it adds high management overhead for us and for our clients/customers. Microsoft, make it more simple!


  • Teemu Strand

    Have you instructed the recipient to use a browser InPrivate session?

    Many problems are due to the invite being accepted behind the scenes with a different user.

    In any case, I am sure that StephenRice can help here. ;-)

    •
      StephenRice
      Microsoft

      Oof, it's threads like this that make me really sad!


      Let me start off by describing how this all is supposed to work. External sharing continues to be a huge focus for us so it's possible that there is documentation or support resources that are not as up to date as they need to be. We're working on overhauling a lot of this behind the scenes but it's never as fast as we'd like. 


      For this example, let's pretend that I am a member of Contoso and I am sharing to Eugene, who is a member of Fabrikam. No one at Contoso has ever shared with Eugene prior to this.


      When I share a resource to Eugene, we send an e-mail containing an external sharing invitation link. This is a one time use link that will grant Eugene access to the content. When Eugene clicks on the link, he is given an option to choose how he wants to authenticate. He can choose to use an O365 account, an existing Microsoft account (MSA), or he can create a new MSA from scratch. Unless the "require invited account match accepted account" feature is enabled, Eugene can choose any of these options to authenticate. Let's say he chooses to log in with his MSA. In that case, he is redirected to the MSA sign-in page where he authenticates, and is then redirected back to the Contoso tenant. At that point, we create a stub account in the Contoso directory (that is set up to use his actual MSA as authentication) and then direct him to the document which he can now access. Subsequent shares to Eugene just permission his Contoso stub account directly.


      Now, Teemu Strand, it sounds like you are seeing access denied errors in the scenario above. In this case, is the MSA account configured as an EASI ID? This is the case where I own the domain contoso.com and create an MSA as Stephen@Contoso.com instead of Stephen@outlook.com. There are some weird edge cases where things may break if contoso.com is registered as both a Microsoft account and as an O365 account. 


      There's another wrinkle on the example flow as well. If you are already signed into your MSA or O365 account, when you get asked to choose an account, the system will detect that you are already logged in and redeem the invitation immediately (instead of checking to see what account you want to use). 


      I think that covers all the questions that came up in the thread but feel free to ask more if this doesn't make sense. The other thing that I can tell you is that even at Microsoft, we know that everything I just described to you is far more complicated than we would prefer it to be. As I said at the top, improving external sharing is one of our main focuses right now and we're working towards what I am going to call Good Things. We'll have more to share in the future! Thanks!


      Stephen Rice

      OneDrive Program Manager II


      •
        Polley Snelson
        Copper Contributor

        I am an external user and need to access the tenant site without using the link in the invitation and generating a code each time.


        I used the link in the invitation, then used the generated code to access the tenant's site. I am able to see and use everything I should. 


        I am unable to sign in to the tenant site without using the link in the invitation email.


        My Microsoft account signed in with a different email than the email the invitation was sent to. I have cancelled the Microsoft account with the different email. I now have a Microsoft account using the email that the invitation was sent to.


        I need to be able to sign in to the tenant site without using the link in the invitation email.


        Thank you!

  •
    Tom Robey
    Iron Contributor

    I have encountered the same issue but with a small twist. I send the sharing invitation to a user's email; that user doesn't have an MS account, so it forces them to create one. Once the account is created they are taken directly to the shared FOLDER. However, if the user goes back to the sharing invitation and clicks the link, they no longer have access to the folder. The only way to grant them access again is to resend the invitation; then it will work over and over. But why do I need to send it twice after the account has been made? This makes no sense, since the MS account that was created is using the same email address the invite was originally sent to. Were you able to figure your situation out? Maybe if you found anything it would help me.

    •
      Deleted

      The first sharing invitation for external users is a special one-time use link.  It allows the user to associate the invitation with any user account they wish (unless the Office 365 Tenant is configured to require the email addresses match).


      I think that second link that you are sending isn't the special one time use, it's merely a link to the document since that user account already has access to the file.


      That would explain the behavior you're seeing.
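The redemption flow Stephen Rice describes earlier in the thread (one-time link, stub account in the sharing tenant, the "require invited account match accepted account" setting, immediate redemption by whatever account is already signed in) and the one-time-link point in the reply just above, as an added Python model. This is not Microsoft's code or anything posted in this thread; the class, method names and result strings are assumptions, and the e-mail addresses are constructed.

```python
# Toy model of the external-sharing invitation flow described in the thread.
# Constructed for illustration; not Microsoft's implementation.
from dataclasses import dataclass, field
import secrets


@dataclass
class Tenant:
    name: str
    require_match: bool = False  # "invited account must match accepted account" setting
    invites: dict = field(default_factory=dict)    # token -> (invited_email, resource)
    directory: dict = field(default_factory=dict)  # login identity -> e-mail it was invited as
    acl: dict = field(default_factory=dict)        # resource -> set of login identities

    def share(self, resource, email):
        # A later share to a known external user permissions the stub account directly:
        # no invitation is issued, so the mail only carries a plain link to the resource.
        stub = next((i for i, inv in self.directory.items() if inv == email.lower()), None)
        if stub:
            self.acl.setdefault(resource, set()).add(stub)
            return None
        token = secrets.token_urlsafe(16)
        self.invites[token] = (email.lower(), resource)
        return token  # one-time invitation link

    def redeem(self, token, login_identity):
        # login_identity is whatever account is signed in when the link is clicked;
        # an existing session is used without asking which account to pick.
        invite = self.invites.pop(token, None)  # pop: a second click finds nothing
        if invite is None:
            return "invitation not found or already used"
        email, resource = invite
        if self.require_match and login_identity.lower() != email:
            return "access denied: accepted account must match invited account"
        self.directory.setdefault(login_identity.lower(), email)  # stub account
        self.acl.setdefault(resource, set()).add(login_identity.lower())
        return "ok"

    def can_access(self, resource, login_identity):
        return login_identity.lower() in self.acl.get(resource, set())


def demo():
    contoso = Tenant("Contoso")  # matching not required, as in the screenshot setting
    token = contoso.share("ProjectSite", "eugene@fabrikam.com")   # constructed addresses
    first = contoso.redeem(token, "eugene@outlook.com")           # identity B accepts A's invite
    again = contoso.redeem(token, "eugene@outlook.com")           # link already consumed
    later = contoso.share("Budget.xlsx", "eugene@fabrikam.com")   # stub permissioned directly
    strict = Tenant("Contoso-strict", require_match=True)
    denied = strict.redeem(strict.share("ProjectSite", "eugene@fabrikam.com"), "eugene@outlook.com")
    return first, again, later, contoso.can_access("Budget.xlsx", "eugene@outlook.com"), denied
```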

      •
        Reuben
        Iron Contributor

        I can't believe how convoluted this is. Clients and consultants are going to be very unhappy with us if they can't just see the file when they click the link.

        I just want to send files with "View Only" privileges like with Google Drive.

        They should be able to click the link and view the file and download it if they want. They are not going to want to log in to anything just to see the file/folder.


        Is there any way around this?

  • I've been reading up on external sharing recently. If you have a lot of external sharing going on, have a look at Azure B2B Collaboration which allows you to manage it in a more controlled way using AAD.


    Here's the recent Ignite demo and slide deck

    https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content/BRK3108-Share-corporate-resources-with-your-partners-using-Azure/m-p/10588/highlight/true#M582


    Another short video

    https://techcommunity.microsoft.com/t5/Azure-Active-Directory/How-to-simplify-external-resource-sharing-with-Azure-AD-B2B/m-p/12363/highlight/true#M4


    Learn all about the Azure AD B2B Collaboration Preview

    https://blogs.technet.microsoft.com/enterprisemobility/2015/09/15/learn-all-about-the-azure-ad-b2b-collaboration-preview/


    Here's another guide to sharing with SP Online using AAD

    http://blog.ciaops.com/2015/11/using-azure-ad-b2b-sharing-with.html


  •
    SanthoshB1
    Bronze Contributor
    Yes, you are correct. The user has to log in using the email address to which the invitation was sent. From the security perspective, this was correct because only the user to whom the invite was sent can access it. If you want to allow the user to log in with any email address, then you have to opt for Anonymous access, which is considered less secure.
    •
      Deleted

      SanthoshB1 -  That's actually not correct -- the optional requirement that someone accepts an invitation with an account that has the same email address that it was sent to was something new added in 2015 (IIRC), but based on the screen shot, it looks like this tenant is configured to not enforce that requirement.

      •
        Teemu Strand
        Iron Contributor

        So basically it is possible to share a site with any email address, and then the email receiver chooses which Microsoft account he/she is using when logging in to the site? And this MS account which he/she uses does not have to be associated with the email address the invitation was sent to? Another way to phrase it: an invitation sent to identity A can be accepted by identity B?

        This is how I have experienced how it works. But still, some external users are getting this error while using https://support.microsoft.com/en-us/kb/3026478


        I opened a support case with Microsoft support, and first the support engineer told me that the sharing and logging in need to be done with the same email address. This is conflicting with the support articles.

    •
      Teemu Strand
      Iron Contributor

      Thanks,


      But MS support articles say explicitly "An external user invitation doesn't require that it be accepted by the email address to which it was first sent. It is a one-time invite"


      In this article it pretty clearly says that invitations can be forwarded and someone else can use other account:

      "Only one person may log in to access your site or document using an invitation you send. However, the person who gets your invitation may decide to not use it, and instead forward the invitation to someone else who can then log in using their Microsoft account or work account to access the site or document."

      https://support.office.com/en-us/article/Share-sites-or-documents-with-people-outside-your-organization-80e49744-e30f-44db-8d51-16661b1d4232


      This is what bothers me now, because if I recall correctly, previously it worked in a way that you could send the invitation to any email address, and then the receiver could use one of his/hers Microsoft Accounts (Office 365 from work, private outlook.com or private Office 365 account).


      I might only know external user's work email address and share the site using that email. I cannot know if that email address is tied or not to any MS accounts.

    • I recommend first to have a look at the sharing settings at the tenant level...just remember that what you configure at the tenant level is what rules the sharing stuff
      •
        Teemu Strand
        Iron Contributor

        I have checked the settings at the tenant level, and everything works fine when sharing with other Office 365 tenants and if I share the site with firstname.lastname@outlook.com and the user logs in with an MS account with the same email address. But it does not work if I share the site with firstname.lastname@work.com and the user logs in with an MS account that uses the email address firstname.lastname@outlook.com.
