Forum Discussion
Site Collection external sharing option -ExternalUserSharingOnly not working as expected for folder
Deleted,
Can you send a screenshot of the error that you are seeing? Thanks!
Stephen Rice
Hi,
sorry for the late response.
Here's a screenshot of the error message. I tried this with another user (my personal Gmail account) but the error message I receive is the same.
Please be advised that this is in German. The translation is:
Access denied.
"emailAddress" has no permission to access this resource.
-> Authenticate with the account that your employer or school has provided you in order to use Office 365 or other Microsoft services.
Testing further I found out that once my external user received the "access denied" message, sharing another folder (same library) immediately results in the error message. No code will be sent anymore.
The same happens on another site collection.
Next, I tried to paste the link in the sharing invitation email into a private session.
I received this error message:
It translates to:
Sharing link verification
You have received a secure link to:
Folder 1 (icon)
emailAddress exists within the list of people for which this link is secured but you must first login with urn:spo:guest#emailAddress. Login with urn:spo:guest#emailAddress. and we will grant you access instantly.
Next (button)
So when I click next, I'm redirected to the Microsoft sign-in page.
Obviously, entering urn:spo:guest#emailAddress. won't work so I entered my regular one (a Gmail address). Then I was prompted to enter my password. I was able to do this but only because in the past I had already linked my Gmail account to an Outlook.com account so I used those credentials.
After that I was asked if I wanted to remain logged in and the next message was:
Translation (not everything):
Unfortunately, this has not worked.
Unfortunately "emailAddress" was not found in the directory "tenantName". Please try again later. In the meantime we're trying to fix the problem automatically.
Here're a couple of ideas...
So this suggests that the user has to be in the tenant's directory.
Hope that helps.
Thanks.
- Deleted Mar 20, 2018
Yeah, this is happening because that logged-in address has been associated before with another account in the tenant. You'll have to basically remove that user and re-invite and log in with that MSA to be able to use that account. It can be rather annoying for users, especially when they are already logged in with another MSA and hit a link that they don't have access to because they have been invited more than once on different e-mails associating different accounts. I've seen it happen a few times in my org where one person invites to a site, then another later uses a different e-mail to invite that same person.
- Deleted Mar 21, 2018
Hi,
what you described also sometimes happens with external users in our tenant. Removing and re-inviting them usually helps. However, I have a feeling that this issue is slightly different as it seems to pertain to folders only.
- StephenRice Mar 21, 2018
Microsoft
Hi Deleted,
Thanks for getting back to me. This is definitely odd. I want to make sure I have this right. You are:
1) Sharing a site with a net-new guest user (never been shared with before)
2) As that guest user, you click on the invitation link in an incognito window
3) Guest user sees access denied
Does 3 happen before or after login? Do you see the invitation acceptance page? Thanks!
Stephen Rice
OneDrive Program Manager II
- StephenRice Mar 20, 2018
Microsoft
Hi Deleted,
Thanks, it looks like you're seeing a mishmash of different error experiences which is definitely not good.
Can you help me understand what all has happened before this?
1) Has this user ever been shared with before? Via what path (Sharing a site? Sharing a file/folder? Adding them to a Group?)
2) What are you sharing in this case? Some of those experiences look like you are sharing a file/folder, others imply a site, which is weird.
3) Can you repro this with a fresh guest account?
Thanks!
Stephen Rice
OneDrive Program Manager II
- Deleted Mar 21, 2018
Hi,
thanks so far. The user in this scenario is my personal Gmail account. This user used to exist in our tenant multiple times but should've been completely removed each time.
I created a PowerShell script for this that removes the user from SPO and AzureAD via "Remove-SPOExternalUser". Each time this user did not appear in the people picker in the sharing dialog anymore I assumed it got removed properly.
Usually, this user was added through sharing the whole site collection dialog and as I initially mentioned, this way works properly because it enforces creation of a SPO user profile within our tenant.
The method of sharing a file or folder does not enforce such thing but, like I said before, the process works for files but not folders. With the case I documented in my previous post I only tried to share a folder, not a file or the site.
I have just tried the process with another external user that has never existed in our tenant.
The result was exactly the same as before. Then I tried pasting the invitation link into a private Chrome session. Like documented before, I was getting different error messages this way. Not this time, though. After being sent the code I immediately get the same access denied message.
Please let me know if you need anything else documented.
Thanks a lot.
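
An added example, not part of any post in this thread and not the poster's own script: a read-only audit with the SharePoint Online Management Shell that lists guests whose accepting account differs from the invited address (the situation described in the Mar 20 reply), accounts that accepted more than one invitation, and the guest entries in one site's user list. The admin and site URLs are placeholders, and matching `urn:spo:guest` in `LoginName` is an assumption based on the error text quoted above.

```powershell
# Added example: read-only audit, nothing is removed or changed.
# Requires the SharePoint Online Management Shell module.
Import-Module Microsoft.Online.SharePoint.PowerShell

$AdminUrl = 'https://contoso-admin.sharepoint.com'          # placeholder tenant admin URL
$SiteUrl  = 'https://contoso.sharepoint.com/sites/example'  # placeholder site collection
Connect-SPOService -Url $AdminUrl

function Get-AllSPOExternalUser {
    # Get-SPOExternalUser returns at most 50 entries per call, so page through them.
    $position = 0
    $pageSize = 50
    do {
        $page = @(Get-SPOExternalUser -Position $position -PageSize $pageSize)
        $page
        $position += $page.Count
    } while ($page.Count -eq $pageSize)
}

$external = @(Get-AllSPOExternalUser)

# Guests invited on one address who accepted with a different account.
$mismatched = $external | Where-Object {
    $_.InvitedAs -and $_.AcceptedAs -and ($_.InvitedAs -ne $_.AcceptedAs)
}

# Accounts that accepted more than one invitation (invited repeatedly on different e-mails).
$repeated = $external |
    Where-Object { $_.AcceptedAs } |
    Group-Object -Property AcceptedAs |
    Where-Object { $_.Count -gt 1 }

# Guest entries in this site's user list, including leftovers from earlier shares.
# Assumption: the login name contains "urn:spo:guest", plain or URL-encoded.
$siteGuests = Get-SPOUser -Site $SiteUrl -Limit All |
    Where-Object { $_.LoginName -match 'urn(:|%3a)spo(:|%3a)guest' }

'--- Invited and accepted identities differ ---'
$mismatched | Format-Table DisplayName, InvitedAs, AcceptedAs, WhenCreated -AutoSize
'--- Accounts with more than one accepted invitation ---'
$repeated | ForEach-Object { $_.Group } |
    Format-Table DisplayName, InvitedAs, AcceptedAs, UniqueId -AutoSize
'--- Guest logins present on the site ---'
$siteGuests | Format-Table DisplayName, LoginName -AutoSize
```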