luvsql
Jun 20, 2018

Security between O365, Sharepoint Online, OneDrive and TEAMS

Until I started looking into TEAMS, we were able to have SharePoint Online be set to not allow external users and OneDrive for Business for anyone, including external users outside of our network.  As we started delving into TEAMS, a setting was updated to try and allow external users to be invited to a TEAM, but this somehow broke OneDrive and no one could share their files outside of our network.  


In order to fix OneDrive, we had to allow any external users in O365, which then changed SharePoint Online.

 

Is there not a SIMPLE way to:

 

1.  Leave O365 as it is, i.e. just our employees in AD Azure.

2.  Only have SharePoint Online be internal only and no way to share with anyone external.

3.  Have OneDrive for Business to be shared with Anyone.

4.  Have Microsoft TEAMS have members that are internal and external?

 

With the settings we have now, both SP and OD are somehow anyone but I still can't add any members to a TEAM that are external.  It's very confusing having every setting affect every other tool.  These are very different tools and need to be able to secure differently.    

 

I've gone through many different KBs etc and this is now why we're in the whole mess to begin with.

  • You don't need to modify external sharing settings in Admin Center for all these apps. If you can add external users without assigning any product licenses to Azure AD you can share content from any app with these users without modifying settings for each app.  I found it to be useful but make sure you perform extensive testing for all your external sharing scenarios before going this route.

  • Hi Mercedes!

     

    This is probably not that bad (or messy) if one just distinguishes between SharePoint and SharePoint. Because each Team has an associated SharePoint site, you cannot block SharePoint from sharing with external users (if you want to share Teams with external users). But, without knowing your full background environment and all needs, I think spontaneously that this should be possible to solve.


    It's all about how you planned / plan your structure and access rights in SharePoint. If it's open to all users to create both classic SharePoint sites and Office 365 Groups, then it can be a little (or a lot) messy in the long run. However, if you have set access rights and limitations correctly, it does not have to be so complicated. If you have an intranet based on SharePoint, you can configure/restrict sharing settings and Access Request Settings at the Site Collection level. Then the intranet can be internal and the site collections belonging to the teams created can be shared even with external ones. OneDrive for Business can be set to be shared to / with anyone (if you wish).

     

    Many roads lead to Rome and I hope this was a little help along the way.

    Best regards, Magnus
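
The per-site-collection approach described in the reply above, as an added example that is not part of the original thread: the tenant-level sharing setting acts as a ceiling (OneDrive cannot be more permissive than it), and individual site collections such as the intranet are then locked down below it. It uses the SharePoint Online Management Shell; the tenant name `contoso` and the site URLs are placeholder assumptions.

```powershell
# Added example. Requires the SharePoint Online Management Shell module.
# 'contoso' and every URL below are placeholders (assumptions), not values from the thread.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl          = 'https://contoso-admin.sharepoint.com'
$InternalOnlySites = @(
    'https://contoso.sharepoint.com/sites/intranet'
)

Connect-SPOService -Url $AdminUrl

# Tenant level is the ceiling: no site collection or OneDrive can share more
# widely than this. "Anyone" sharing for OneDrive therefore needs it here too.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing
Set-SPOTenant -OneDriveSharingCapability ExternalUserAndGuestSharing

# Lock down the site collections that must stay internal (e.g. the intranet).
foreach ($url in $InternalOnlySites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled
}

# Audit: list every site collection that can still share externally, so that
# team-connected sites are the only ones left open by design.
$report = Get-SPOSite -Limit All |
    Select-Object Url, Template, SharingCapability

$report |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Sort-Object Template, Url |
    Format-Table -AutoSize

# Drift check: warn if a site meant to be internal-only has been reopened.
$drift = $report | Where-Object {
    $InternalOnlySites -contains $_.Url -and $_.SharingCapability -ne 'Disabled'
}
if ($drift) {
    Write-Warning ("Internal-only sites with external sharing enabled: " +
        (($drift | ForEach-Object Url) -join ', '))
}
```

Re-running the audit portion on a schedule shows when a newly created site collection has inherited the permissive tenant default.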
