
Coaching your guest users through the External Sharing Experience.

 

Here is a resource to which you can point those users you collaborate with using the guest user experiences on SharePoint Online.  There are three possible experiences a user can encounter when being invited to SharePoint Online.  We will deal with each of those in turn.  

To use this post, you can select one of the links below and send that to your guest user based on the type of invitation you want to send.  Here are the links to copy:

 

Classic SharePoint Invitations 

When you are invited at the list or site level, or added to a SharePoint group, you will receive a classic SharePoint Invitation.  The classic invitation experience begins with an email: 

 

001.png

 

The link in the email will point you to AcceptInvite.aspx.  By clicking on that, you will then land on a screen that will ask you what type of account you have: 

 

If you are using a consumer email account, such as those from Hotmail.com, gmail.com, outlook.com, yahoo.com, etc., then you will want to choose Microsoft Account. If you are using your email from work, or school, choose Organizational Account.  If you choose a Microsoft Account, you’ll see the following interface: 

002.png

 Note: if you do not already have a Microsoft Account, and you enter your email, you’ll see the following dialog: 

 004.png 

Click “Get a New One” or “Create One!” to register a new Microsoft account: 
  005.png

 

Provide a password: 
 

006.png

 

Then enter your first and last name: 
 

007.png

 

And provide your birthday: 

 

008.png

 

Check your email.  Microsoft will send you a code to verify you own the email address.  Enter the code: 
 

009.png

 

Once you enter the code and click next, it will bring you to the Keep Me Signed In dialog: 

 

010.png

 

If you are accessing from a shared computer, you should choose No.  Once you select this, you will then get access to the site. 

 

New Sharing Experience 

The New Sharing Experience, also called ad hoc, is received when a user shares a file or folder in a SharePoint Online or OneDrive Library.  If the user already exists in the directory, or if a site or list is shared with the user, it will fall back to the classic experience. Like the classic experience, it begins with an invitation: 

  

011.png

 

Clicking on the link, however, is a little different: 

 

012.png

 

Click Send Code to generate the one-time code, which will be sent to your email: 
 

013.png

 

Enter the code in the following screen: 

 

014.png

 

 

Once you enter the valid code, you’ll have access to the resource. 

 

 

Azure B2B Invitations 

This process is a little harder to illustrate uniformly, because one of the strengths of the feature is that organizations can customize the look and feel of the invitation, from the text displayed in the message, to the location you are sent after acceptance, down to the email address used for invitations.

 

Here is what a sample invitation could look like: 
 015.png
 

You will then be asked to confirm the invitation and to grant the inviting institution permission to know your email address and name information: 

 

016.png

 

You will then be directed to authenticate, either with Microsoft or, in the case that your organization also has an Office Account, the Identity Provider we have on record.  Once you authenticate in that manner, you are a guest user in the inviting party’s tenant. 

18 Comments
Contributor

Why so many different experiences for external users?  You did not even include the experience of when you add an external user to an Office 365 Group to give them access to the files in a modern team site.  The invitation email that comes from that experience is different from the experiences shown in this post.  

 

While I really appreciate this post, I think it highlights the challenge it currently is to give external users access to a SharePoint Online site because there are so many different invitations and experiences for external users.  

Microsoft

Hi @Eric Davis, thanks for your comment.  

I understand that all these different channels for invitations can be frustrating; but it helps, I think, or at least it helps me, to keep the sheer breadth of Office 365 and SharePoint Online, and not only in the number of tenants (millions) or the number of users (tens of millions), or even the breadth of size (from single user tenancies to hundred thousand seat behemoths), but also the magnitude of different businesses and organizations, in every single industry, in education, health care, government, tourism, services, manufacturing, research and engineering, to non profits and charitable work; Office 365 is the largest enterprise cloud in the world.  And so we approach things like external users the way a mechanic approaches any other tool.  Is it absolutely necessary to have 4 or 5 different ways to invite a guest user?  Probably not, if you're talking about a single tenant, or even a handful of tenants.  But each method was introduced because it was vitally important for a number of customers in that vast ecosystem.  Simpler is preferable to complexity, you are absolutely right.  But as the creator of tooling, we have to make sure the right tool lands in the right hand for the right job.  And that's what we're trying to do here, provide you with the correct tools, and help give you the best information to empower you to make the right decision on which tools you'll need to employ.  If all you work on is your personal car, you probably don't need multiple thousand piece ratchet sets in order to work on your car.  But if you are supplying tools to all the mechanics working on all the cars across the world, it makes sense that you want to have the right tool for the right job and get it to the right person.

Again, I'm not denying the frustration that can accompany the size and scope of the tooling that is just SharePoint Online, let alone the entire Office365 suite!  I just wanted to highlight some of the broader influences on why such a huge ecosystem requires a certain level of complexity.

On a personal note, thank you for mentioning invitations to Unified Groups.  I'll work on that this week and update the document.  I apologize for the oversight.

Anonymous
Not applicable

One drawback of the new experience is that whenever I share a file or folder, there is no guest user created in Azure AD. Therefore, you have no clue from an admin perspective with whom files and folders are shared externally. 

Sure, there are other means for that. 

However, I really like the new experience as it is more convenient for the end user and guest user and great for a temporary file sharing.

But as an admin, I need to know which guest users have access to the tenant. 

New Contributor

Toby, thanks for the recap.  Is there or will there be an easier way to share between multiple tenants?  We are a holding company and trying to create an intranet in one tenant to share news and collaborate across two other tenants.

 

Thanks!

Larry

Microsoft

Hi @Anonymous, thanks for taking the time to comment on my blog!

If you go to the User Information List for the site collection in question, you will see entries for the users invited using the new experience in the form of their email address.  Traditional guest users -- that is, users who are invited using Azure B2B or SharePoint classic experiences and have traditional guest user objects in your directory -- will show up first name last name and have #ext# in their upns.  You can then track on a site collection basis who has access to your tenant.  

Another way is to use the Unified Audit log to pull external sharing invitation events out and keep track of those events for reporting purposes.

But yes, I agree, the experience is not as simple as it was in classic mode.
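
The User Information List check described in the reply above, sketched as an added example that is not part of the original post and is not Microsoft's code. The tenant domains, site URLs and login names are constructed, and the claims prefix on exported login names is an assumption; the script separates directory guests (`#ext#` in the UPN) from ad hoc recipients (plain external email address) per site collection.

```python
from collections import defaultdict

# Assumption: the domains that belong to your own tenant.
TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

SAMPLE = [  # constructed rows: (site collection URL, login name)
    ("https://contoso.sharepoint.com/sites/deal",
     "i:0#.f|membership|ann@contoso.com"),
    ("https://contoso.sharepoint.com/sites/deal",
     "i:0#.f|membership|bob_smith_fabrikam.com#EXT#@contoso.onmicrosoft.com"),
    ("https://contoso.sharepoint.com/sites/deal", "carol@example.org"),
    ("https://contoso.sharepoint.com/sites/hr", "Everyone"),
]

def _name(login):
    # Exports may carry a claims prefix ("...|membership|name"); keep the last part.
    return login.strip().rsplit("|", 1)[-1].lower()

def classify(login):
    """Return 'directory_guest', 'adhoc_recipient', 'internal' or 'unknown'."""
    name = _name(login)
    if "#ext#" in name:          # guest object exists in the directory
        return "directory_guest"
    if name.count("@") != 1:     # groups, system principals, malformed rows
        return "unknown"
    domain = name.split("@")[1]
    return "internal" if domain in TENANT_DOMAINS else "adhoc_recipient"

def external_email(login):
    """Recover the outside address: user_domain#ext#@tenant -> user@domain."""
    name = _name(login)
    if "#ext#" in name:
        local, _, domain = name.split("#ext#")[0].rpartition("_")
        return f"{local}@{domain}"
    return name

def external_access(rows):
    """Map each site to its external principals, grouped by how they exist."""
    report = defaultdict(lambda: defaultdict(list))
    for site, login in rows:
        kind = classify(login)
        if kind in ("directory_guest", "adhoc_recipient"):
            report[site][kind].append(external_email(login))
    return {s: {k: sorted(v) for k, v in kinds.items()}
            for s, kinds in report.items()}

if __name__ == "__main__":
    for site, kinds in external_access(SAMPLE).items():
        print(site, kinds)
```

Rows classified as `unknown` are left out of the report on purpose; review them separately, since they include groups whose membership this list does not expand.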

Microsoft

Thanks for the question @Larry Corley

The short answer is, not really.  The longer answer is probably best solved through B2B or using a single tenant.  O365 scales very well.  I suggest you reach out to your Account team and they can help line up resources to guide you through such a design.  Our focus is on technical support and I feel like I am not the best resource to help you with such questions.

Anonymous
Not applicable

@Toby Bianchi: yes I know. However, wouldn't it be nice if we could have a security group, which is allowed to share files and folders directly. And whenever a file or folder is shared with a new external user, he needs to go through the account creation process and thereby self create a new user which is visible in Azure AD. Not the site collection level. 

This is the major issue I face at the moment. 

If you share files or folders directly, those users do not show up as guest users in Azure AD. 

Furthermore, I experienced that if I want to get a list of all guest users in my tenant, I need several different Cmdlets, as it seems to make a difference whether I for instance grant external access by sharing a site or whether I use Azure AD B2B Collaboration and invite through the Azure Portal. 

Both ways lead to a guest user showing up in Azure AD. 

Not so in PowerShell. Why that (?)

I'd like to connect to Azure AD and write one cmdlet to get all external guest users. No matter how they have been invited to our tenant. 

Is that possible? 

Occasional Visitor

The invitation process often goes wrong, as many users are already logged into Microsoft or Office365 tenant and simply click the invite link in the email. They will not see all the screens to create a guest account, as a valid account is already present in their browser!

 

The only thing that helps here is to open the invitation link in a private browser session.

I hope this can be improved, as even a seasoned IT expert easily forgets this essential step.

Hope you can comment.

Occasional Contributor

Hi,

External sharing a new modern SharePoint site works fine / with verification code (adding guest from Outlook (

The users after accepting the invitation become members / they can contribute to the document library - add, delete, edit files.

I couldn’t find a way to do the external sharing with verification, but the guest to be readonly -  only visitor

 

How can this be done?

 

Regards,

Tzvetan

Microsoft

 

ShareOption1.png

Hi @Tzvetan Yakimov

You can adjust the permissions when you create the link in the Modern UI by unchecking the "allow editing" check box, as seen in the screenshot above.  If you are looking to change the default behavior for *ALL* links in your organization, both internal and external, you can go to the SPO Tenant Admin Portal (https://[tenantprefix]-admin.sharepoint.com) and go to Sharing > Default Link Permission.

Again, changing it at the tenant admin level changes all links generated in the service, so be aware of that when making the change.

Occasional Contributor

Hi Toby

 

Thank you for the answer

Toby, your suggestion is valid if you share a file (maybe folder?)

 

What I want to achieve is to share the entire document library externally with login - verification code

The new  modern SharePoint Team site

 

How can this be done?

 

@Toby Bianchi, is there a way to share a site with all users of a specific external domain without having to manually invite each of their hundreds of staff? In our B2B scenarios that requirement comes up quite often. 

 

Ideas appreciated.

New Contributor

 I echo Ingeborg's question. Is there a way to share a site with all users of a specific external domain without having to manually invite them??

k h
Occasional Contributor

@Toby Bianchi

In the New Sharing Experience, verification code indicated that it is good for 15 minutes.  It was actually longer than 15 minutes. My users' questions are:

1.  In 'Enter Verification Code' box, if the recipient checked 'Keep me Signed in', how long will the recipient be able to view the document without having to request new verification code?

2. In 'Enter Verification Code' box, if the recipient did not check 'Keep me Signed in', how long will the recipient be able to view the document without having to request new verification code?

 

I found a link 'Session times for Office 365 services' posted in support.office.com but I don't think it is related to SharePoint external link sharing.  Is there a document link that documents session times for this?

 

Thank you.

Microsoft

Hi @k h,

The 15 minute timeout is specific to the lifetime of the Verification Code, not the login session.  Once you log in, if you check 'Keep Me Signed In', your authentication token will be written to disk and kept between sessions.  You will not be prompted to verify again until the cookie is deleted, or is not renewed for more than 5 days.  Administrators can limit the amount of time that those who choose 'Keep Me Signed In' can go before having to verify again through the use of a Verification Code. To configure this, navigate to your SharePoint Admin portal (https://[TENANTPREFIX]-admin.sharepoint.com) and select Sharing.  Under 'Additional Settings' you will see a check box for "Require Recipients to continually prove account ownership when they access shared items." The default once selected is thirty days.

If a user chooses to not select the 'Keep Me Signed In' option, their access will last until the end of the browser session, whereupon they will be required to verify their identity again to get access to the file.

I hope this helps!

Hi,

 

I have a user, who seems to have accepted the invite by selecting "Microsoft" option, instead of "Organizational". Now he's getting "user not there in the directory" error. In the Azure AD, he's listed as Guest and "Source as Microsoft Account". I don't have access to delete this guest user. I am sure deleting this guest user and sending a new invite would resolve the issue.

 

Is there any other way I can resolve this?

 

Thanks

Occasional Visitor

Hi Toby

Feedback I'm getting from any external guest user using the classic SharePoint invitation, it's during the initial invitation process but more about the ability to access the SharePoint again. Is the only way via the invitation email link only? Our external user are login onto their authenticated Microsoft accounts either new or existing and the collaboration SharePoint they have been invited to is not evident? 

Frequent Visitor

If I add an external guest (that does not currently have a Microsoft Account) as a member of an O365 Group, why doesn't the Sign in page have the "No account? Create one!" link?  They are stuck - they don't know what they should be using because nothing on that page is saying to use a Microsoft account or create one if they don't already have it.

 

Even if I email the O365 group - which sends an email to all members - they'll get the email sent to them because they are members - but then if they click a link like "Add to the team site" or "share files" it brings them to the Sign in page - where there isn't any ability for them to create the necessary Microsoft account.

 

I swore I used to see that page you have above (the white one with the option) but all it is is the Microsoft sign in page with just the field for their username and the "Can't Access your account?" which only recovers a lost password, still no "don't have an account, create one!"

 

I'm lost with how it is expected to create one for someone that doesn't already have one.