Forum Discussion
How to share two (or more) site collections with an external user, without sending multiple invites?
Hi,
we're trying to use SPOnline as an extranet. And while we can live with the auto-generated (often unreliable) invites and the limitation of having to have an O365 or MS account, we're struggling with how to implement best practice security (separate site collections), with the external user invitation process.
Because an external user only turns up in Azure AD (and SPOnline) once they've accepted an invitation, you can't add them to another site collection without triggering another invitation - which is just confusing to users.
Why do we need multiple site collections? Well two main reasons:
- There's the root site collection, which is used to provide a consistent experience to all users (internal and external), aggregating the content they have access to (thanks security trimming on search!) and providing generic tools (request help, contact details, etc)
- Project/Client specific site collections - which a user may have access to more than one of. Because site collections are strong logical security boundaries, along with sizing/scaling/backup/managing/etc boundaries, it makes sense to split these out.
I'm thinking we're going to need to send the initial invitation through the UI (as you don't have a choice for externals) to a particular project/client site collection and then have some system that monitors the O365 Audit logs, looking for "accepted sharing invitation" events, at which time it adds them to the root site collection (and probably emails one of our admins, so that if the user needs access to other site collections, they can now be added).
Does this sound like it will work?
Are other people doing it differently?
Thanks
Craig
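The monitoring step proposed in the post above, sketched as an added example (not part of the original post or any poster's code): it scans audit records for accepted invitations and plans one idempotent "add to root site collection" action per guest, leaving access to further project site collections to an admin. It assumes the event is logged with the operation name `SharingInvitationAccepted`, that records carry `CreationTime`, `Operation`, `UserId` and `SiteUrl` fields, and that guest logins contain `#ext#`; the `contoso` URLs are placeholders.

```python
ROOT_SITE = "https://contoso.sharepoint.com"   # placeholder root site collection
ACCEPT_OP = "SharingInvitationAccepted"        # assumed audit operation name

# Constructed sample records; the field names are assumptions, not real log data.
SAMPLE = [
    {"CreationTime": "2024-01-10T09:15:00", "Operation": ACCEPT_OP,
     "UserId": "pat_example.org#ext#@contoso.onmicrosoft.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/client-a/"},
    {"CreationTime": "2024-01-10T10:00:00", "Operation": ACCEPT_OP,   # second site
     "UserId": "Pat_example.org#EXT#@contoso.onmicrosoft.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/client-b"},
    {"CreationTime": "2024-01-10T08:00:00", "Operation": ACCEPT_OP,
     "UserId": "sam_example.net#ext#@contoso.onmicrosoft.com",
     "SiteUrl": "https://contoso.sharepoint.com/sites/client-b"},
    {"CreationTime": "2024-01-10T08:30:00", "Operation": "FileAccessed",
     "UserId": "lee_example.com#ext#@contoso.onmicrosoft.com", "SiteUrl": ROOT_SITE},
    {"CreationTime": "2024-01-10T08:45:00", "Operation": ACCEPT_OP,   # internal user
     "UserId": "staff@contoso.com", "SiteUrl": ROOT_SITE},
    {"CreationTime": "2024-01-10T08:50:00", "Operation": ACCEPT_OP},  # incomplete
]

def is_guest(user_id):
    """Assumption: guest accounts carry the '#ext#' marker in their login name."""
    return "#ext#" in user_id.lower()

def plan_root_grants(records, already_in_root=()):
    """Return one 'add to root site' action per newly accepted guest, oldest first."""
    seen = {u.lower() for u in already_in_root}
    actions = []
    for rec in sorted(records, key=lambda r: r.get("CreationTime", "")):
        if rec.get("Operation") != ACCEPT_OP:
            continue                      # ignore every other audit event
        user = (rec.get("UserId") or "").strip()
        if not user or not is_guest(user):
            continue                      # never auto-grant internal or incomplete records
        if user.lower() in seen:
            continue                      # idempotent: repeats and replays do nothing
        seen.add(user.lower())
        actions.append({"add_to": ROOT_SITE, "user": user, "notify_admin": True,
                        "accepted_on": (rec.get("SiteUrl") or "").rstrip("/")})
    return actions

if __name__ == "__main__":
    for action in plan_root_grants(SAMPLE):
        print(action)
```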
8 Replies
- Vadivelu_Balusamy (Iron Contributor)
@Craig Humphrey Sounds good. But it is a micro requirement which your organization is looking for. Microsoft provided the Sharing feature in SPO. A site collection administrator can have the control to add them to the 2nd site collection as per your requirement. Then what is the purpose of monitoring the audit log and accepting the invitation again? I feel it is a waste of effort.
My suggestion would be to enable sharing to external users for both site collections. Once the user accepts the external invitation, only once, he is a global external user. Probably his/her user ID will be resolved by the people picker to add into any external sharing site collections.
external sharing option in SPO
- Anonymous
Hi Vadivelu,
thanks for responding, but I think something has gotten lost in translation.
If an external user is added to a second site collection, before they accept the invitation (click the link in the email) to the first site collection, they will always receive an invitation. Which means they get two invitations. Which is unnecessary and confusing.
Hopefully that clarifies things.
Regards
Craig
- Dean_Gross (Silver Contributor)
Choose the 2nd option on the screenshot above.
This allows SPO to use accounts already invited into the tenant using B2B and prevents users sending their own SPO generated invites.
Generally with SPO, I’d recommend inviting users into AAD Groups using B2B and then permissioning into SharePoint using the Azure AD group.
- Anonymous
Hi Craig,
Sounds about right :-) Maybe one more question: do you share with the same organisations a lot? You can add their domains for sharing, which makes it easier to share as they can use their organisational account instead of a Live account.
Kr,
Paul
- Anonymous
Unfortunately it's mainly individuals, though invitations sent to users that already have O365 accounts seem to work OK as well, as long as they realize...