Forum Discussion

Anonymous
Feb 11, 2018

SPO restricting accounts to specific site document folders

Hi

I wonder if someone might be able to advise an O365 admin new to SharePoint admin. I have a standard SPO site document library which is available to everyone except externals, and specific folders needed by externals are shared with them as required. We have two (internal) O365 accounts to be used by external companies for O365, but we need to restrict their access to the site documents and provide access only to a couple of specific folders (like we do with the externals).


What is the best approach to achieve this for SPO? There appears to be no easy way, and I have read that either an Azure security group or a SharePoint Group might be needed. Can you highlight how to do this?


Thanks in advance

Nick

5 Replies

  • Dean_Gross

    I typically like to recommend using separate site collections for content that needs to be shared externally. Since external sharing is enabled on a site-by-site basis, this helps to make it easier to identify and manage content and permissions. It also makes it easy to share content with external users and provides them the ability to use their own accounts, so that you don't have to. This article should be helpful: https://support.office.com/en-us/article/manage-external-sharing-for-your-sharepoint-online-environment-c8a462eb-0723-4b0b-8d0a-70feafe4be85


    • Anonymous

      Thank you everyone for your expertise and suggestions.

      To explain further, the two 'internal-external' accounts are used by contracted companies on my organisation's behalf to perform organisation work, but they don't have O365 themselves. Giving them accounts allows them to send email via shared mailboxes in the name of the organisation, use SfB and store documents on SPO.

      Taking your combined advice I have set up O365 groups and migrated the particular folders they need to these groups. This in effect gives those accounts separate site collections (O365 group SharePoint sites), and those internal accounts needing to access the documents can become members of the O365 groups.

      This leaves me with the issue of excluding the two 'internal-external' accounts from the main SPO site collection, which contains information confidential to the organisation.

      Being an SPO admin newbie, can someone explain the steps needed to achieve this?

      Many thanks to you all
      Nick

      • Dean_Gross

        Typically I would recommend putting Everyone Except External Users into the Visitors group of your main site collection, but that will include the "internal" accounts for your contractors, which may not be what you want. To work around this, I would recommend creating an AD group that includes all actual employee accounts and excludes the contractors. You can then put this AD group into the SP Members or Visitors group in a site collection.
  • Anonymous

    Is there a reason that you are having that company use an internal account? By doing that it's making this a whole lot more complicated, as opposed to just sharing with them like you do normal sharing. Because once you make them internal you can no longer use the Everyone security option, so unless only those companies and a few select people can access those folders, breaking inheritance won't do anything if you still need the whole org to access the files.

    You would have to have something like an internal employee type group with everyone in it to use in your site instead of Everyone, then add the other users onto those folders, or just share with specific people too. Multiple ways, but you will have to either do the group for all internal users excluding those that can't see their stuff, or use external sharing with accounts not inside your org.
  • In terms of governance, the best advice here is to create a Security Group in your Azure AD for these internal accounts, map it either to a SharePoint Group or a permission level, and then break security inheritance in the folders you want to share with them. Once you do that, add the SharePoint Group or the Security Group to the security scope you have just created in those folders.
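    One way to script the two recommendations in this thread (an employees-only Azure AD group replacing "Everyone except external users" in the site's Visitors group, and a separate group for the contractor accounts granted only on one folder with broken inheritance) using the PnP.PowerShell module. This is an added example, not code from anyone in the thread; the site URL, library and folder names, group title, tenant ID and group object IDs are placeholders, and it assumes the two Azure AD security groups already exist.

```powershell
# Added example (not from the thread). Requires the PnP.PowerShell module.
# All URLs, names and GUIDs below are placeholders to replace with your own.
$SiteUrl           = "https://contoso.sharepoint.com/sites/MainSite"
$TenantId          = "00000000-0000-0000-0000-000000000000"   # tenant ID (placeholder)
$EmployeesGroupId  = "11111111-1111-1111-1111-111111111111"   # Azure AD group: employees only (placeholder)
$ContractorGroupId = "22222222-2222-2222-2222-222222222222"   # Azure AD group: the two contractor accounts (placeholder)
$Library           = "Documents"
$ContractorFolder  = "Shared Documents/Contractor Shared"      # site-relative folder URL (placeholder)

# SharePoint Online login-name (claim) encodings for an Azure AD security group
# and for the built-in "Everyone except external users" principal.
$EmployeesLogin   = "c:0t.c|tenant|$EmployeesGroupId"
$ContractorLogin  = "c:0t.c|tenant|$ContractorGroupId"
$EveryoneExtLogin = "c:0-.f|rolemanager|spo-grid-all-users/$TenantId"

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Site-wide read access: replace "Everyone except external users" in the
#    Visitors group with the employees-only group, so the contractor accounts
#    no longer inherit read access to the confidential library.
$visitors = Get-PnPGroup -AssociatedVisitorGroup
Add-PnPGroupMember    -Identity $visitors -LoginName $EmployeesLogin
Remove-PnPGroupMember -Identity $visitors -LoginName $EveryoneExtLogin

# 2. A dedicated SharePoint group holding the contractor security group,
#    created once and reused on later runs.
$contractors = Get-PnPGroup -Identity "Contractor Accounts" -ErrorAction SilentlyContinue
if (-not $contractors) {
    $contractors = New-PnPGroup -Title "Contractor Accounts" `
        -Description "External companies working through internal accounts"
}
Add-PnPGroupMember -Identity $contractors -LoginName $ContractorLogin

# 3. Break inheritance on the one folder they may use and grant the group
#    Contribute there. Without -ClearExisting the inherited assignments are
#    copied, so employees keep the access they already had on that folder.
Set-PnPFolderPermission -List $Library -Identity $ContractorFolder `
    -Group $contractors -AddRole "Contribute"

# 4. Check: the folder should now report unique (non-inherited) permissions,
#    and the contractor group should not appear anywhere else on the site.
$folder = Get-PnPFolder -Url $ContractorFolder -Includes ListItemAllFields.HasUniqueRoleAssignments
"Unique permissions on folder: $($folder.ListItemAllFields.HasUniqueRoleAssignments)"
```

    Audit afterwards with the site's "Check Permissions" page for one of the contractor accounts, since any other group they belong to (or a direct share) would still grant access.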