Forum Discussion
Teemu Strand
Oct 20, 2016 Iron Contributor
External Sharing
I have a project site which I want to share with some external users. External Sharing is enabled at the site collection level and the new setting "External users must accept sharing invitations using the...
Salvatore Biscari
May 25, 2017 Silver Contributor
Have you instructed the recipient to use a browser InPrivate session?
Many problems are due to the invite being accepted behind the scenes with a different user.
In any case, I am sure that StephenRice can help here. ;-)
- StephenRice May 25, 2017
Microsoft
Oof, it's threads like this that make me really sad!
Let me start off by describing how this all is supposed to work. External sharing continues to be a huge focus for us so it's possible that there is documentation or support resources that are not as up to date as they need to be. We're working on overhauling a lot of this behind the scenes but it's never as fast as we'd like.
For this example, let's pretend that I am a member of Contoso and I am sharing to Eugene, who is a member of Fabrikam. No one at Contoso has ever shared with Eugene prior to this.
When I share a resource to Eugene, we send an e-mail containing an external sharing invitation link. This is a one-time-use link that will grant Eugene access to the content. When Eugene clicks on the link, he is given an option to choose how he wants to authenticate. He can choose to use an O365 account, an existing Microsoft account (MSA), or he can create a new MSA from scratch. Unless the "require invited account match accepted account" feature is enabled, Eugene can choose any of these options to authenticate. Let's say he chooses to log in with his MSA. In that case, he is redirected to the MSA sign-in page where he authenticates, and is then redirected back to the Contoso tenant. At that point, we create a stub account in the Contoso directory (that is set up to use his actual MSA as authentication) and then direct him to the document which he can now access. Subsequent shares to Eugene just permission his Contoso stub account directly.
Now, Teemu Strand, it sounds like you are seeing access denied errors in the scenario above. In this case, is the MSA account configured as an EASI ID? This is the case where I own the domain contoso.com and create an MSA as Stephen@Contoso.com instead of Stephen@outlook.com. There are some weird edge cases where things may break if contoso.com is registered as both a Microsoft account and as an O365 account.
There's another wrinkle on the example flow as well. If you are already signed into your MSA or O365 account, when you get asked to choose an account, the system will detect that you are already logged in and redeem the invitation immediately (instead of checking to see what account you want to use).
I think that covers all the questions that came up in the thread but feel free to ask more if this doesn't make sense. The other thing that I can tell you is that even at Microsoft, we know that everything I just described to you is far more complicated than we would prefer it to be. As I said at the top, improving external sharing is one of our main focuses right now and we're working towards what I am going to call Good Things. We'll have more to share in the future! Thanks!
Stephen Rice
OneDrive Program Manager II
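The redemption flow described in the post above, as a simplified Python model added here (it is not Microsoft's code and not part of the original posts). It shows how an already signed-in session binds a one-time invitation to an account other than the invited one, and how an account-match requirement blocks that. The class names, the sample addresses and the choice to leave a rejected invitation unredeemed are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Invitation:
    invited_email: str
    redeemed: bool = False          # the link is one-time use

@dataclass
class Tenant:
    # Models the "require invited account match accepted account" setting.
    require_match: bool = False
    stubs: dict = field(default_factory=dict)   # authenticating account -> invited e-mail
    audit: list = field(default_factory=list)   # (status, invited e-mail, accepted account)

    def redeem(self, invite, chosen_account=None, session_account=None):
        """Redeem an invitation; return the account the stub is bound to."""
        if invite.redeemed:
            raise PermissionError("invitation link already used")
        # An existing sign-in is redeemed immediately; the account picker is skipped.
        account = session_account or chosen_account
        if account is None:
            raise ValueError("no account to authenticate with")
        mismatch = account.lower() != invite.invited_email.lower()
        if mismatch and self.require_match:
            # Assumption: a rejected attempt does not consume the link.
            self.audit.append(("rejected", invite.invited_email, account))
            raise PermissionError("accepted account does not match invited account")
        invite.redeemed = True
        self.stubs[account.lower()] = invite.invited_email
        self.audit.append(("mismatch" if mismatch else "ok", invite.invited_email, account))
        return account.lower()

def mismatched_redemptions(tenant):
    """Audit view: invitations accepted by an account other than the invited one."""
    return [(inv, acc) for status, inv, acc in tenant.audit if status == "mismatch"]

if __name__ == "__main__":
    # Constructed sample data: the browser is already signed in to another account.
    contoso = Tenant()
    invite = Invitation("eugene@fabrikam.example")
    bound = contoso.redeem(invite, chosen_account="eugene@fabrikam.example",
                           session_account="eugene.home@outlook.example")
    print("stub bound to:", bound)
    print("mismatches:", mismatched_redemptions(contoso))
```

Passing no `session_account` corresponds to opening the link in a clean browser session, where the chosen account is the one that gets bound.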
- Polley Snelson Jul 08, 2018 Copper Contributor
I am an external user and need to access the tenant site without using the link in the invitation and generating a code each time.
I used the link in the invitation, then used the generated code to access the tenant's site. I am able to see and use everything I should.
I am unable to sign in to the tenant site without using the link in the invitation email.
My Microsoft account signed in with a different email than the email the invitation was sent to. I have cancelled the Microsoft account with the different email. I now have a Microsoft account using the email that the invitation was sent to.
I need to be able to sign in to the tenant site without using the link in the invitation email.
Thank you!
- Teemu Strand May 30, 2017 Iron Contributor
Thanks StephenRice for your excellent answer! Nice to hear that the external sharing experience and functionality is one of your top focuses. Can't wait for the Good Things! I hope that the sharing experience will be consistent when sharing individual files, folders, document libraries or whole sites.
I think in our case the MSA user account was configured as an EASI ID and that is why it was giving an error. In one of the cases the user had Office 365 in use in their org but didn't realize it and created an MSA user account by using the work email as a user name. I think this is not possible anymore, which is good, but still there are a lot of early adopter users who have 2 identities (MSA and work account) with the same user name (email address).
- StephenRice May 30, 2017
Microsoft
Hi Teemu Strand,
Glad you were able to identify the root cause! We've been working with the AAD team on a few incidents related to the EASI ID MSA/AAD snafu so I'll be sure to pass this feedback along to the right folks. Let me know if you have any questions!
- Salvatore Biscari May 26, 2017 Silver Contributor
Thanks StephenRice!
It is always a pleasure to read your ultra-clear explanations!