Forum Discussion
External Sharing
Oof, it's threads like this that make me really sad!
Let me start off by describing how this all is supposed to work. External sharing continues to be a huge focus for us so it's possible that there is documentation or support resources that are not as up to date as they need to be. We're working on overhauling a lot of this behind the scenes but it's never as fast as we'd like.
For this example, let's pretend that I am a member of Contoso and I am sharing to Eugene, who is a member of Fabrikam. No one at Contoso has ever shared with Eugene prior to this.
When I share a resource to Eugene, we send an e-mail containing an external sharing invitation link. This is a one-time-use link that will grant Eugene access to the content. When Eugene clicks on the link, he is given an option to choose how he wants to authenticate. He can choose to use an O365 account, an existing Microsoft account (MSA), or he can create a new MSA from scratch. Unless the "require invited account match accepted account" feature is enabled, Eugene can choose any of these options to authenticate. Let's say he chooses to log in with his MSA. In that case, he is redirected to the MSA sign-in page where he authenticates, and is then redirected back to the Contoso tenant. At that point, we create a stub account in the Contoso directory (that is set up to use his actual MSA as authentication) and then direct him to the document which he can now access. Subsequent shares to Eugene just permission his Contoso stub account directly.
Now, Teemu Strand, it sounds like you are seeing access denied errors in the scenario above. In this case, is the MSA account configured as an EASI ID? This is the case where I own the domain contoso.com and create an MSA as Stephen@Contoso.com instead of Stephen@outlook.com. There are some weird edge cases where things may break if contoso.com is registered as both a Microsoft account and as an O365 account.
There's another wrinkle on the example flow as well. If you are already signed into your MSA or O365 account, when you get asked to choose an account, the system will detect that you are already logged in and redeem the invitation immediately (instead of checking to see what account you want to use).
I think that covers all the questions that came up in the thread but feel free to ask more if this doesn't make sense. The other thing that I can tell you is that even at Microsoft, we know that everything I just described to you is far more complicated than we would prefer it to be. As I said at the top, improving external sharing is one of our main focuses right now and we're working towards what I am going to call Good Things. We'll have more to share in the future! Thanks!
Stephen Rice
OneDrive Program Manager II
I am an external user and need to access the tenant site without using the link in the invitation and generating a code each time.
I used the link in the invitation, then used the generated code to access the tenant's site. I am able to see and use everything I should.
I am unable to sign in to the tenant site without using the link in the invitation email.
My Microsoft account signed in with a different email than the email the invitation was sent to. I have cancelled the Microsoft account with the different email. I now have a Microsoft account using the email that the invitation was sent to.
I need to be able to sign in to the tenant site without using the link in the invitation email.
Thank you!
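Added example (not part of either post above, and not Microsoft's code): a PowerShell check a tenant admin could run to find guests whose invitation was redeemed with a different account than the one invited, which is what can happen when the "require invited account match accepted account" feature is off. It assumes records shaped like the output of `Get-SPOExternalUser` in the SharePoint Online Management Shell (`DisplayName`, `InvitedAs`, `AcceptedAs`); the function name `Find-RedemptionMismatch` and the sample records are constructed for illustration.

```powershell
# Added example: flag external users whose accepting account differs from the
# address the invitation was sent to. Function name is hypothetical.
function Find-RedemptionMismatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$ExternalUser
    )
    process {
        # Normalise both addresses so case or stray whitespace is not reported.
        $invited  = "$($ExternalUser.InvitedAs)".Trim().ToLowerInvariant()
        $accepted = "$($ExternalUser.AcceptedAs)".Trim().ToLowerInvariant()

        # Invitation not yet redeemed, or record incomplete: nothing to compare.
        if (-not $invited -or -not $accepted) { return }

        if ($invited -ne $accepted) {
            [pscustomobject]@{
                DisplayName   = $ExternalUser.DisplayName
                InvitedAs     = $invited
                AcceptedAs    = $accepted
                # A different domain means the stub account is bound to an
                # identity outside the organisation that was invited.
                DomainChanged = (($invited -split '@')[-1] -ne ($accepted -split '@')[-1])
            }
        }
    }
}

# Constructed sample records (not real users), so the check runs offline.
$sample = @(
    [pscustomobject]@{ DisplayName = 'Eugene';  InvitedAs = 'eugene@fabrikam.example'
                       AcceptedAs  = 'Eugene@Fabrikam.example' }
    [pscustomobject]@{ DisplayName = 'Guest B'; InvitedAs = 'guestb@fabrikam.example'
                       AcceptedAs  = 'personal.address@outlook.example' }
    [pscustomobject]@{ DisplayName = 'Guest C'; InvitedAs = 'guestc@fabrikam.example'
                       AcceptedAs  = '' }
)

# Only 'Guest B' is reported, with DomainChanged = True.
$sample | Find-RedemptionMismatch | Format-Table -AutoSize

# Against a live tenant, after Connect-SPOService with your admin URL:
#   Get-SPOExternalUser -PageSize 50 | Find-RedemptionMismatch
# To enforce the match for future redemptions:
#   Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
```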