Home
Microsoft

New feature: Per Group Sharing Controls

The per-group sharing controls are a new Office 365 feature that allows SharePoint Online administrators to limit the ability to share with external users to those in specified security groups. These controls affect OneDrive for Business and SharePoint Online in Office 365.

 

Per-group sharing controls will appear in two phases. First, you will notice a new setting that allows users to specify a set of security groups that are allowed to share to authenticated external users and via anonymous links. Second, another option will appear that allows admins to specify a set of security groups that are allowed to share to authenticated external users only.

 

  • Let only users in selected security groups share with authenticated external users - With this option, you can specify one or more Office 365 security groups which contain the users who you want to allow to share with authenticated external users. Users in these security groups will not be able to send anonymous links.
  • Let only users in selected security groups share with authenticated external users and using anonymous links - With this option, you can specify one or more Office 365 security groups which contain the users who you want to allow to share with authenticated external users and by using anonymous links. (This option doesn't appear unless you have enabled anonymous access links for the tenant.)

GRAPHIC.png

We'll be gradually rolling this out to First Release customers in early June, and then continue the roll-out to all other tenants over the following weeks.

 

What do I need to do to prepare for this change?

There is nothing you need to do to prepare for this change

16 Comments

Does it apply also to Office 365 Groups?

Microsoft

Hi @Juan Carlos González Martín,

 

This applies to sharing in SPO and ODB only. Thanks!

 

Stephen Rice

OneDrive Program Manager II

:-) what I meant is if you can configure an Office 365 Group or it's strictly required  to use a Security Group. By the way, do you mean that this setting is not going to apply to the Office 365 Groups Sites (same for Microsoft Teams Sites)?

Microsoft

Whoops! No, it must be a security group. And it will apply to the team site of an O365 group, just not to the membership management of that group :)

 

Stephen

Interesting...this is something I want to test and see how it fits with the membership management in Groups and Teams...May I ask with only Security Groups bearing in mind the promotion of Office 365 Groups done by the Groups Team?

New Contributor

This sounds interesting. Couple of questions:

 

  1. If a user isn't in a security group specified for either of the options, presumably they cannot share externally at all?
  2. Is this a tenant-scoped setting or something that can be changed on a per site collection basis?
Contributor

Is this possible to stop external sharing and annonymous link to external sharing if we have two different type of user group i.e. corporate users and contracted users. Can we stop sharing with external user just assigning corporate users ad group?

 

We dont want if we share any information with contracted user group, then can further with the MS authenticated users?

 

Microsoft

@Juan Carlos González Martín, I'm having a little trouble parsing your question but I assume you're asking why we are using security groups instead of O365? We tend to use SG's for policy related features as they don't have any associations for other apps (for example, showing up in Outlook or seeing other people in the group). Do you have a case in mind where you would rather use an O365 group? 

 

@Nathan Wells, to answer your questions:

1) Correct. If the checkbox for this feature is checked and the user is not in one of the security groups, they cannot share externally.

2) This is scoped to the tenant only.

 

@Avian 1, what this feature will let you do is only allow people in the "corporate users" security group share externally. They will still be able to share externally to any user.

 

Hope that helps!

 

Stephen Rice

OneDrive Program Manager II

Ey @Stephen Rice yeap, this is what I was asking :-). Thanks for the clarification!

 

Microsoft

@Juan Carlos González Martín, my pleasure! Let me know if you have any other questions!

New Contributor

Thanks @Stephen Rice

New Contributor

Another question @Stephen Rice:

 

How do these new options fit in with the existing settings you can apply at the tenant/site collection level? I.e. External sharing is disabled completely; external sharing with anonymous links is enabled; external sharing with only authenticated users is enabled; and sharing with users who already exist in your organisation’s directory (AKA the Azure B2B option)?

 

If a group of users is allowed to share anonymous links via the per-group sharing controls, but the site collection disables anonymous links, which setting takes precedence?

Microsoft

Hi @Nathan Wells,

 

The site collection policy will always take precendence. If anonymous sharing is disabled, even users who are in the group that is allowed to create anonymous links will not be able to. Hope that helps!

 

Stephen RIce

OneDrive Program Manager II

Regular Visitor

Hi Stephen

 

Is nested security groups supported?, (aka Groups in Groups) So the user is not a direct member of the security groups.

 

Best regards

Occasional Visitor
When I click on the box to add a group, no user/groups show as available. How can I get it to show the groups (preferably the ones that are federated from AD)?
Microsoft

@Ulrik Skadhauge Jensen, I just gave this a try and nested security groups should work.

 

@Aaron Berk, can you try typing the security group into the text box directly and then hitting Ctrl+K? Does the SG resolve? Thanks!

 

Stephen Rice

OneDrive Program Manager II