New feature: Per Group Sharing Controls
Published Jun 02 2017 01:13 PM 15.4K Views
Microsoft

The per-group sharing controls are a new Office 365 feature that allows SharePoint Online administrators to limit the ability to share with external users to those in specified security groups. These controls affect OneDrive for Business and SharePoint Online in Office 365.

 

Per-group sharing controls will appear in two phases. First, you will notice a new setting that allows users to specify a set of security groups that are allowed to share to authenticated external users and via anonymous links. Second, another option will appear that allows admins to specify a set of security groups that are allowed to share to authenticated external users only.

 

  • Let only users in selected security groups share with authenticated external users - With this option, you can specify one or more Office 365 security groups which contain the users who you want to allow to share with authenticated external users. Users in these security groups will not be able to send anonymous links.
  • Let only users in selected security groups share with authenticated external users and using anonymous links - With this option, you can specify one or more Office 365 security groups which contain the users who you want to allow to share with authenticated external users and by using anonymous links. (This option doesn't appear unless you have enabled anonymous access links for the tenant.)

GRAPHIC.png

We'll be gradually rolling this out to First Release customers in early June, and then continue the roll-out to all other tenants over the following weeks.

 

What do I need to do to prepare for this change?

There is nothing you need to do to prepare for this change

22 Comments

Does it apply also to Office 365 Groups?

Microsoft

Hi @Juan Carlos González Martín,

 

This applies to sharing in SPO and ODB only. Thanks!

 

Stephen Rice

OneDrive Program Manager II

:) what I meant is if you can configure an Office 365 Group or it's strictly required  to use a Security Group. By the way, do you mean that this setting is not going to apply to the Office 365 Groups Sites (same for Microsoft Teams Sites)?

Microsoft

Whoops! No, it must be a security group. And it will apply to the team site of an O365 group, just not to the membership management of that group :)

 

Stephen

Interesting...this is something I want to test and see how it fits with the membership management in Groups and Teams...May I ask with only Security Groups bearing in mind the promotion of Office 365 Groups done by the Groups Team?

Copper Contributor

This sounds interesting. Couple of questions:

 

  1. If a user isn't in a security group specified for either of the options, presumably they cannot share externally at all?
  2. Is this a tenant-scoped setting or something that can be changed on a per site collection basis?
Iron Contributor

Is this possible to stop external sharing and annonymous link to external sharing if we have two different type of user group i.e. corporate users and contracted users. Can we stop sharing with external user just assigning corporate users ad group?

 

We dont want if we share any information with contracted user group, then can further with the MS authenticated users?

 

Microsoft

@Juan Carlos González Martín, I'm having a little trouble parsing your question but I assume you're asking why we are using security groups instead of O365? We tend to use SG's for policy related features as they don't have any associations for other apps (for example, showing up in Outlook or seeing other people in the group). Do you have a case in mind where you would rather use an O365 group? 

 

@Nathan Wells, to answer your questions:

1) Correct. If the checkbox for this feature is checked and the user is not in one of the security groups, they cannot share externally.

2) This is scoped to the tenant only.

 

@Avian 1, what this feature will let you do is only allow people in the "corporate users" security group share externally. They will still be able to share externally to any user.

 

Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Ey @Stephen Rice yeap, this is what I was asking :-). Thanks for the clarification!

 

Microsoft

@Juan Carlos González Martín, my pleasure! Let me know if you have any other questions!

Copper Contributor

Thanks @Stephen Rice

Copper Contributor

Another question @Stephen Rice:

 

How do these new options fit in with the existing settings you can apply at the tenant/site collection level? I.e. External sharing is disabled completely; external sharing with anonymous links is enabled; external sharing with only authenticated users is enabled; and sharing with users who already exist in your organisation’s directory (AKA the Azure B2B option)?

 

If a group of users is allowed to share anonymous links via the per-group sharing controls, but the site collection disables anonymous links, which setting takes precedence?

Microsoft

Hi @Nathan Wells,

 

The site collection policy will always take precendence. If anonymous sharing is disabled, even users who are in the group that is allowed to create anonymous links will not be able to. Hope that helps!

 

Stephen RIce

OneDrive Program Manager II

Copper Contributor

Hi Stephen

 

Is nested security groups supported?, (aka Groups in Groups) So the user is not a direct member of the security groups.

 

Best regards

Copper Contributor
When I click on the box to add a group, no user/groups show as available. How can I get it to show the groups (preferably the ones that are federated from AD)?
Microsoft

@Ulrik Skadhauge Jensen, I just gave this a try and nested security groups should work.

 

@Aaron Berk, can you try typing the security group into the text box directly and then hitting Ctrl+K? Does the SG resolve? Thanks!

 

Stephen Rice

OneDrive Program Manager II

Copper Contributor

I have this request from a customer, that this new feature be scriptable.  Has the SP Online PowerShell module been updated to include this command?  Please provide the cmdlet name if available.

Microsoft

Hi @Jerry Cote,

 

We do not have PowerShell available for this feature yet unfortunately. Thanks!

 

Stephen Rice

Copper Contributor

Is this feature fully rolled out to all tenants? We seems to be missing these options in OneDrive Admin Center sharing controls ?

 

René Mortensen

Microsoft

Hi @Rene Østergaard Mortensen,

 

The feature is fully rolled out but it is only available in the SharePoint Admin Center, not in OneDrive admin center. Thanks!

 

Stephen Rice

OneDrive Program Manager II

Iron Contributor

I would like to restrict access to sharing the identical way for OneDrive and SPO.

 

I have an on premise AD and use AD Connect for syncing.

 

Q.

Can I use an on premise AD Security Group instead of an Office 365 Security Group?

 

Q.

Are Global Admins always allowed to share externally irrespective of any restrictions based on security group membership?

 

Q.

I have applied a setting to prevent the ability to externally share unless part of a security group to provide a degree of control. Because I need my OneDrive settings to be the same as the SPO ones, I have applied the following settings.OneDrive SettingsOneDrive SettingsSPO External Sharing Settings.png

Does this look about right?

Microsoft

Hi @Chris Yue,

 

Hope this helps!

 

Q.

Can I use an on premise AD Security Group instead of an Office 365 Security Group?

 

Yes, I believe this works. Let me know if you see something different.

 

Q.

Are Global Admins always allowed to share externally irrespective of any restrictions based on security group membership?

No, they are subject to policy as well.

 

Q.

I have applied a setting to prevent the ability to externally share unless part of a security group to provide a degree of control. Because I need my OneDrive settings to be the same as the SPO ones, I have applied the following

 

Yes, that looks right to me! Only people in the security group will be allowed to share with external users or share via anonymous links.

Version history
Last update:
‎Jun 02 2017 01:14 PM
Updated by: