Forum Discussion
Upcoming change: Updating default sharing setting for Office 365 Group connected SPO site collections
[UPDATE] - Per feedback received here and elsewhere, our plan is to only turn on the external sharing setting for a group's site collection ONLY IF the tenant allows for Office 365 Groups to have guest members. I've made changes to this post below to capture, and added emphasis to call them out. Your feedback is welcome.
Hi all,
We would like to inform you of an upcoming change we are planning on making to the default value of the external sharing setting for Office 365 Group connected SPO site collections. Currently, the default sharing setting for these site collections is to allow sharing with external users already in your organization's directory.
Since Office 365 Groups allow for guest members by default, we heard feedback from many customers that it was odd to allow for the addition of external guests as group members but not allow for external sharing of SharePoint resources.
Based on your feedback, we are updating the external sharing setting to allow sharing with authenticated external users ONLY IF the tenant allows for Office 365 Groups to have guest members.
Once updated in a tenant, all new group site collections will be created with the setting for external sharing enabled ONLY IF the tenant allows for Office 365 Groups to have guest members. No change to default external sharing will occur if guests in Office 365 groups are not permitted. We will not retroactively change the setting for existing site collections.
To change the value of the sharing capability for older site collections, you can use the following PowerShell cmdlet:
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/site1 -SharingCapability ExternalUserSharingOnly
Of course as always, SharePoint will always respect the more restrictive sharing setting when comparing the site collection's setting with that of the tenant. For example, if you disable external sharing at the tenant level, sharing with external users will be blocked for a group's site even if its sharing setting allows for external sharing.
I'll update this post when we start rolling this update out, but wanted to solicit feedback or concerns from anyone about this change. Please post below - we're happy to answer your questions.
Thanks
Tejas
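The "more restrictive setting wins" rule described in the post above, as an added audit example that is not part of the original post or Microsoft's own code. `Get-EffectiveSharing` is a hypothetical helper, and the `site2`/`site3` URLs and all setting values are constructed sample data; the commented lines show where real data from the SharePoint Online Management Shell would go.

```powershell
# Added example: compute the effective external sharing level per group site.
# Sharing levels ordered from most restrictive (0) to least restrictive (3).
$SharingRank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][string]$SiteCapability
    )
    foreach ($c in $TenantCapability, $SiteCapability) {
        if (-not $SharingRank.ContainsKey($c)) {
            throw "Unknown SharingCapability value: $c"
        }
    }
    # The more restrictive of the tenant and site settings wins.
    if ($SharingRank[$TenantCapability] -le $SharingRank[$SiteCapability]) {
        return $TenantCapability
    }
    return $SiteCapability
}

# Constructed sample data. Against a live tenant, after Connect-SPOService:
#   $tenant = (Get-SPOTenant).SharingCapability.ToString()
#   $sites  = Get-SPOSite -Template 'GROUP#0' -IncludePersonalSite:$false -Limit All
$tenant = 'ExternalUserSharingOnly'
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/site1'; SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/site2'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/site3'; SharingCapability = 'ExternalUserAndGuestSharing' }
)

$sites | ForEach-Object {
    $site = "$($_.SharingCapability)"
    [pscustomobject]@{
        Url         = $_.Url
        SiteSetting = $site
        Effective   = Get-EffectiveSharing -TenantCapability $tenant -SiteCapability $site
        # True when the tenant setting is what actually limits this site.
        TenantLimits = $SharingRank[$site] -gt $SharingRank[$tenant]
    }
} | Format-Table -AutoSize
```

With the sample data, `site1` keeps the older, narrower default, while `site3` is capped at the tenant's `ExternalUserSharingOnly` even though its own setting is wider.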
54 Replies
- Allan McCulloch
Copper Contributor
Hi Tejas,
I now have multiple if not all of my external users locked out and being asked to authenticate with a username and password that doesn't accept their email and password for those values. How do I stop this as it is creating havoc! My technical abilities are very limited regarding Sharepoint. Please can you point me in the right direction.
Thanks
Allan
- Andrew Silcock
Steel Contributor
Hi Allan,
Are external users getting a message saying this file was shared with john.smith@externalcompany.com but js123@externalcompany.com is trying to open this file? Whereby this is actually the same person?
- Tejas Mehta
Microsoft
Hi Allan - not sure the issue you are experiencing is related to the update described in this thread. Is this issue happening to existing sites? Or new ones? All sites? What is the external sharing setting on these?
Might be challenging to debug on this thread - please open a support ticket if the issue persists.
Thanks,
Tejas
- Joseph Earl
Copper Contributor
A much more involved set of discussions notwithstanding, when is SPO going to version their changes rather than arbitrarily impose them and the sometimes considerably significant impacts on customer organization, process, and investments? Purchasers of cloud services were never made aware of risks nor realized expectations of stability and manageable change were fallacy. Microsoft must realize one thing purchased need remain that thing and differences then are in fact now a different thing that they must choose or reject, not forcibly be confronted with risks and implied responsibilities requiring address.
- Juan Pablo Luco
Copper Contributor
- David Rosenthal
Microsoft
I must say I'm puzzled by the handful of people complaining about this change. All this is doing is making the default value of the external sharing setting for Office 365 Group connected SharePoint Online site collections THE SAME as standalone SharePoint Online site collections that we were all used to before Office 365 Groups even came along.
This is not something new, they are simply aligning the two types of sites to the setting that makes things more seamless for users to get to files and folders that are shared with them.
Before this change you had to either flip the setting manually via PowerShell, use the wonky email based sharing (that I never saw anyone use or like), or send your external users through an Azure B2B step to get their external user account added into AAD first and then share the file/folder with them.
Now you can simply share like normal and get on with your life. Productivity gained :)
- Brian Caauwe
Iron Contributor
I like the direction of making it easier to share with external users for document collaboration, but seems like a VERY wide setting to be the default. A suggestion might be to allow admins the ability to set this via a sharing policy for values set in the ClassificationList property that you can set via Azure policies when creating the group (e.g. Internal or Private = leave as ExternalUserSharingOnly, External or Partner = use ExistingExternalUserSharingOnly)
- Tejas Mehta
Microsoft
Brian Caauwe wrote:
I like the direction of making it easier to share with external users for document collaboration, but seems like a VERY wide setting to be the default. A suggestion might be to allow admins the ability to set this via a sharing policy for values set in the ClassificationList property that you can set via Azure policies when creating the group (e.g. Internal or Private = leave as ExternalUserSharingOnly, External or Partner = use ExistingExternalUserSharingOnly)
Brian, you are reading our minds. :) We are definitely moving to a model where Classification of a group/site has policies attached. Stay tuned on this front. :)
- Tejas Mehta
Microsoft
Hi everyone - we've received great feedback here as well as from other channels. We seem to have two clear camps with opposing points of view. We've added a feature to our backlog that would allow for admins to specify the default sharing setting for site collections in a tenant. However, that work is not yet prioritized or scheduled so I don't have an ETA for when that would be available.
So, another question for all of you. What if we tied the external sharing setting for a group's site collection to the group's guest membership setting at site creation time? In other words, we would enable external sharing for a group site collection ONLY if the group allows for guests to be added (at time of creation). The settings would remain decoupled post-creation and would still be separately manageable. Would this approach be acceptable until we have an admin control to set the default?
Thanks for your feedback!
Tejas
- Tina A Garavaglia
Copper Contributor
My question is really about the differences between needing to have someone in the organization directory, and authenticated external users. Currently, we set our external sharing site collections to authenticated external users indicating they either work for our company and have their email address, or they are an external user who needs to set up a Microsoft Account if they do not already have one that they are using with the email address. We have found that recently, external users are having issues accepting invites to external sharing site collections if they are not already in our directory--not sure how they got into our directory in the first place since we did not add them.
1. Was that automatic when they signed up for the free Microsoft Live account and accepted the invite?
2. If you set the option for users in the Organization Directory, who adds them? The tenant admin?
3. Why would external users not be able to accept invitations to site collections if they sign up for the free account--but are not listed in our Organizational Directory?
- StephenRice
Microsoft
Prior to the change Tejas mentioned, Group connected team sites were set to only allow sharing with external users who were already in the directory. This might explain why sharing was failing. You will need to have the correct external sharing at both the tenant level and at the site collection level (which can only be set using PowerShell as described above).
Hope that helps!
Stephen Rice
OneDrive Program Manager II
- Salvatore Biscari
Silver Contributor
Your questions have been answered in many other threads.
For example, give a look to this thread: https://techcommunity.microsoft.com/t5/SharePoint/External-Sharing/td-p/23667. Read carefully the answers by StephenRice.
Hope it helps...
- Tina A Garavaglia
Copper Contributor
Salvatore Biscari Thanks for the reply! I guess this is a little light reading for a rainy day. I'll have to review the articles with our O365 Tenant Admins.
Hi Tina A Garavaglia. I have seen issues too with external guests accepting invites to a shared document.
1. Was that automatic when they signed up for the free Microsoft Live account and accepted the invite?
Yes. When someone accepts an invite using either a Microsoft or Office 365 account, a guest account is created in Azure AD. You should recognize the format when you see it.
[EmailName]_[domain]_com@[tenantname].onmicrosoft.com.
2. If you set the option for users in the Organization Directory, who adds them? The tenant admin?
The invite process adds them. When they accept the invite, the account is created by Azure AD. At least that's what should happen.
3. Why would external users not be able to accept invitations to site collections if they sign up for the free account--but are not listed in our Organizational Directory?
Sounds like this process is not working correctly at the moment. Just to confirm, which setting are you using in your site collection?
1, 2 or 3 in the picture below?
- Tina A Garavaglia
Copper Contributor
We are using option #2 because we want them to sign in and be "authenticated" versus anonymous. It used to work great. Now something is different, and we cannot get some people in (I understand there is a problem with GMail accounts, but these are not GMail). Thank you for taking the time to reply. Very much appreciated.
- Allan McCulloch
Copper Contributor
I am having major issues with Online edit of Excel documents. As of this Tuesday about 30 of my Excel workbooks are no longer even viewable online let alone editable. The Excel workbooks that are can no longer scroll to the left or right other than with arrow keys. I have spent hours on the phone with Microsoft tech support with no results or answers. Was there any update done this monday or early Tuesday?
- Philip Worrell
Steel Contributor
There appears to be a health message in the tenants now. At least in relation to excel files not opening in the browser. Not sure if that is the problem you were seeing. Looks like MSFT are doing a code rollback.
- Allan McCulloch
Copper Contributor
Thanks for the heads up Philip!
It's back up and running!
- David Rosenthal
Microsoft
Allan, you might have better luck in the Excel community here, but really should continue working with Microsoft support to resolve this issue. Derailing every thread you see a Microsoft employee on with your unrelated question/issue is probably not in the spirit of this community at all.
- Allan McCulloch
Copper Contributor
Hi David,
I appreciate your point but I disagree that it's unrelated. This is not an excel problem and that has been established. It's due to some change made behind the scene to SharePoint. I apologize that this may not be the best place to get answers to the problem but it's as close as I can get to speaking with someone with knowledge or access to what is occurring behind the scenes in SharePoint. If you can point me in a better direction in terms of speaking to someone involved in the development/updates to SharePoint I would appreciate it?
As for derailing every thread... as far as I know this is the only thread I have "derailed", if you have knowledge of anyone else using my log in I would appreciate being pointed in that direction as well.
- Jianhua Shi
Microsoft
Our premium Customer wants option to select from current behavior and the coming changed behavior.
Actually they are pushing on a HotFix to do this.
The current behavior meets their needs
- Tejas Mehta
Microsoft
Jianhua Shi wrote:
Our premium Customer wants option to select from current behavior and the coming changed behavior.
Actually they are pushing on a HotFix to do this.
The current behavior meets their needs
Hi Jianhua - I am not sure I understand your question. Are you asking for the ability to have the default changed sooner? Or are you asking to have the option to set the default for group site collections in your tenancy?
- Deleted
Hi Tejas,
Have a query here. In SP admin center settings if the "Sharing outside your organization" is set to 'Don't allow sharing outside your organization', whether this will be overwritten when this change is in place.
Thanks And Regards,
Shinu
- Tejas Mehta
Microsoft
Deleted wrote:
Hi Tejas,
Have a query here. In SP admin center settings if the "Sharing outside your organization" is set to 'Don't allow sharing outside your organization', whether this will be overwritten when this change is in place.
Thanks And Regards,
Shinu
Hi Shinu - if you have set the tenant level sharing setting to 'Don't allow sharing outside your organization', we will continue to respect that. We will apply the most restrictive setting based on the combination of tenant and site level for this attribute. We will also not change any existing values set at the tenant level or site collection level.
Hope that helps
- Melody Shults
Copper Contributor
You stated that this is for group sites in SP. What about those group sites created via Teams & Planner? Does Teams and Planner get the external access as well?
- Andrew Silcock
Steel Contributor
Essentially classed as the same thing in the background, so yes I believe Teams and Planner get the external access as well?