Coaching your guest users through the External Sharing Experience.
Published Apr 13 2018 06:58 PM 94.6K Views
Microsoft

 

Here is a resource to which you can point the users you collaborate with through the guest user experiences on SharePoint Online. There are three possible experiences a user can encounter when invited to SharePoint Online, and we will deal with each of them in turn.

To use this post, select one of the links below and send it to your guest user based on the type of invitation you are sending. Here are the links to copy:

 

Classic SharePoint Invitations

When you are invited at the list or site level, or added to a SharePoint group, you will receive a classic SharePoint invitation. The classic invitation experience begins with an email:

 

001.png

 

The link in the email points you to AcceptInvite.aspx. Clicking it lands you on a screen that asks what type of account you have:

If you are using a consumer email account, such as one from Hotmail.com, gmail.com, outlook.com, yahoo.com, etc., choose Microsoft Account. If you are using your email from work or school, choose Organizational Account. If you choose Microsoft Account, you'll see the following interface:

002.png

Note: if you do not already have a Microsoft Account and you enter your email, you'll see the following dialog:

004.png

Click "Get a New One" or "Create One!" to register a new Microsoft account:

005.png

 

Provide a password: 
 

006.png

 

Then enter your first and last name: 
 

007.png

 

And provide your Birthday: 

 

008.png

 

Check your email. Microsoft will send you a code to verify that you own the email address. Enter the code:
 

009.png

 

Once you enter the code and click next, it will bring you to the Keep Me Signed In dialog: 

 

010.png

 

If you are accessing the site from a shared computer, choose No. Once you make this selection, you will have access to the site.

 

New Sharing Experience

The New Sharing Experience, also called ad hoc sharing, is what a recipient gets when a user shares a file or folder from a SharePoint Online or OneDrive library. If the recipient already exists in the directory, or if a site or list is shared with them, it falls back to the classic experience. Like the classic experience, it begins with an invitation:

  

011.png

 

Clicking on the link, however, is a little different: 

 

012.png

 

Click Send Code to generate a one-time code, which will be sent to your email:
 

013.png

 

Enter the code in the following screen: 

 

014.png

 

 

Once you enter a valid code, you'll have access to the resource.

 

 

Azure B2B Invitations

This process is harder to illustrate uniformly, because one of the strengths of the feature is that organizations can customize the look and feel of the invitation: from the text displayed in the message, to the location you are sent after acceptance, down to the email address used for invitations.

 

Here is what a sample invitation could look like:

015.png
 

You will then be asked to confirm the invitation and to grant the inviting organization permission to see your email address and name:

 

016.png

 

You will then be directed to authenticate, either with Microsoft or, if your organization also has an Office 365 account, with the identity provider we have on record. Once you authenticate in that manner, you are a guest user in the inviting party's tenant.

26 Comments
Bronze Contributor

Why so many different experiences for external users?  You did not even include the experience of when you add an external user to an Office 365 Group to give them access to the files in a modern team site.  The invitation email that comes from that experience is different from the experiences shown in this post.  

 

While I really appreciate this post, I think it highlights the challenge it currently is to give external users access to a SharePoint Online site, because there are so many different invitations and experiences for external users.

Microsoft

Hi @Eric Davis, thanks for your comment.  

I understand that all these different channels for invitations can be frustrating; but it helps, I think, or at least it helps me, to keep in mind the sheer breadth of Office 365 and SharePoint Online, and not only in the number of tenants (millions) or the number of users (tens of millions), or even the breadth of size (from single user tenancies to hundred thousand seat behemoths), but also the magnitude of different businesses and organizations, in every single industry, in education, health care, government, tourism, services, manufacturing, research and engineering, to non profits and charitable work; Office 365 is the largest enterprise cloud in the world.  And so we approach things like external users the way a mechanic approaches any other tool.  Is it absolutely necessary to have 4 or 5 different ways to invite a guest user?  Probably not, if you're talking about a single tenant, or even a handful of tenants.  But each method was introduced because it was vitally important for a number of customers in that vast ecosystem.  Simpler is preferable to complexity, you are absolutely right.  But as the creator of tooling, we have to make sure the right tool lands in the right hand for the right job.  And that's what we're trying to do here, provide you with the correct tools, and help give you the best information to empower you to make the right decision on which tools you'll need to employ.  If all you work on is your personal car, you probably don't need multiple thousand piece ratchet sets in order to work on your car.  But if you are supplying tools to all the mechanics working on all the cars across the world, it makes sense that you want to have the right tool for the right job and get it to the right person.

Again, I'm not denying the frustration that can accompany the size and scope of the tooling that is just SharePoint Online, let alone the entire Office365 suite!  I just wanted to highlight some of the broader influences on why such a huge ecosystem requires a certain level of complexity.

On a personal note, thank you for mentioning invitations to Unified Groups.  I'll work on that this week and update the document.  I apologize for the oversight.

Deleted
Not applicable

One drawback of the new experience is that whenever I share a file or folder, there is no guest user created in Azure AD. Therefore, you have no clue from an admin perspective with whom files and folders are shared externally.

Sure, there are other means for that. 

However, I really like the new experience as it is more convenient for the end user and guest user and great for a temporary file sharing.

But as an admin, I need to know which guest users have access to the tenant. 

Brass Contributor

Toby, thanks for the recap.  Is there or will there be an easier way to share between multiple tenants?  We are a holding company and trying to create an intranet in one tenant to share news and collaborate across two other tenants.

 

Thanks!

Larry

Microsoft

Hi @Deleted, thanks for taking the time to comment on my blog!

If you go to the User Information List for the site collection in question, you will see entries for the users invited using the new experience in the form of their email address.  Traditional guest users -- that is, users who are invited using Azure B2B or SharePoint classic experiences and have traditional guest user objects in your directory -- will show up as first name last name and have #ext# in their UPNs.  You can then track on a site collection basis who has access to your tenant.

Another way is to use the Unified Audit Log to pull external sharing invitation events out and keep track of those events for reporting purposes.

But yes, I agree, the experience is not as simple as it was in classic mode.
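The audit-log route mentioned above, as an added example that is not part of the post or the thread: a function that turns Unified Audit Log sharing records into a report of what was shared with external people. It assumes Search-UnifiedAuditLog from an Exchange Online PowerShell session, that the SharePoint sharing schema marks external recipients with a TargetUserOrGroupType of Guest, and constructed sample records so the parsing runs offline.

```powershell
# Added example, not from the post or Microsoft: report external sharing
# events from the Unified Audit Log. The sample records below are constructed
# in the shape Search-UnifiedAuditLog returns so the logic runs without a tenant.

function ConvertTo-ExternalSharingReport {
    param([Parameter(Mandatory)][object[]]$AuditRecords)

    foreach ($rec in $AuditRecords) {
        # Each record carries its details as a JSON string in AuditData
        $d = $rec.AuditData | ConvertFrom-Json
        # Keep only sharing aimed at external recipients (assumed: the sharing
        # schema reports them as TargetUserOrGroupType 'Guest')
        if ($d.TargetUserOrGroupType -ne 'Guest') { continue }
        [pscustomobject]@{
            When       = [datetime]$d.CreationTime
            Operation  = $d.Operation          # e.g. SharingInvitationCreated, SharingSet
            SharedBy   = $d.UserId             # the internal user who shared
            SharedWith = $d.TargetUserOrGroupName
            Item       = $d.ObjectId
            Site       = $d.SiteUrl
        }
    }
}

# Constructed sample records (fictional tenant and users)
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-04-13T18:58:00","Operation":"SharingInvitationCreated","UserId":"alice@contoso.example","ObjectId":"https://contoso.sharepoint.example/sites/proj/Shared Documents/plan.docx","SiteUrl":"https://contoso.sharepoint.example/sites/proj/","TargetUserOrGroupName":"guest@gmail.example","TargetUserOrGroupType":"Guest"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2018-04-13T19:02:00","Operation":"SharingSet","UserId":"alice@contoso.example","ObjectId":"https://contoso.sharepoint.example/sites/proj/Shared Documents/plan.docx","SiteUrl":"https://contoso.sharepoint.example/sites/proj/","TargetUserOrGroupName":"bob@contoso.example","TargetUserOrGroupType":"Member"}' }
)

# Offline run: only the first record (the external recipient) is reported
ConvertTo-ExternalSharingReport -AuditRecords $sample | Format-Table -AutoSize

# Live run over the last 30 days (assumes Connect-ExchangeOnline was run first):
# $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
#     -Operations SharingInvitationCreated, SharingSet, AddedToSecureLink -ResultSize 5000
# ConvertTo-ExternalSharingReport -AuditRecords $records |
#     Export-Csv external-sharing.csv -NoTypeInformation
```

Because the audit log records the sharing action itself, this catches ad hoc shares that never create a guest object in the directory; the User Information List check described above is still needed to see who currently holds access on a given site.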

Microsoft

Thanks for the question @Larry Corley

The short answer is, not really.  The longer answer is probably best solved through B2B or using a single tenant.  O365 scales very well.  I suggest you reach out to your Account team and they can help line up resources to guide you through such a design.  Our focus is on technical support and I feel like I am not the best resource to help you with such questions.

Deleted
Not applicable

@Toby Bianchi: yes I know. However, wouldn't it be nice if we could have a security group which is allowed to share files and folders directly? And whenever a file or folder is shared with a new external user, he needs to go through the account creation process and thereby self-create a new user which is visible in Azure AD, not at the site collection level.

This is the major issue I face at the moment. 

If you share files or folders directly, those users do not show up as guest users in Azure AD. 

Furthermore, I experienced that if I want to get a list of all guest users in my tenant, I need several different cmdlets, as it seems to make a difference whether I, for instance, grant external access by sharing a site or whether I use Azure AD B2B Collaboration and invite through the Azure Portal.

Both ways lead to a guest user showing up in Azure AD.

Not so in PowerShell. Why that (?)

I'd like to connect to Azure AD and write one cmdlet to get all external guest users. No matter how they have been invited to our tenant. 

Is that possible? 
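As an added example that is not part of the thread: a single directory query for every guest object, whichever invitation path created it, with fields that show how each one got there. It assumes the AzureAD module and a prior Connect-AzureAD; as the thread notes, recipients of ad hoc one-time-code shares create no user object and so cannot appear in this list.

```powershell
# Added example, not from the thread: one query returns all guest objects in
# Azure AD; the shaping adds how each was created. Sample objects are constructed
# so the function can be run offline.

function Get-GuestInventory {
    param(
        # Pass a user list to run offline; otherwise query the directory
        [object[]]$Users = (Get-AzureADUser -Filter "userType eq 'Guest'" -All $true)
    )
    foreach ($u in $Users) {
        [pscustomobject]@{
            DisplayName  = $u.DisplayName
            Mail         = $u.Mail
            # Classic SharePoint and Azure B2B invitations both produce a UPN
            # with #EXT# in it (see the reply above)
            ExtUpn       = $u.UserPrincipalName -like '*#EXT#*'
            # 'Invitation' marks an object created by an invite redemption flow
            CreationType = $u.CreationType
            # 'PendingAcceptance' means invited but never redeemed
            State        = $u.UserState
            StateChanged = $u.UserStateChangedOn
        }
    }
}

# Constructed sample objects (same property names as Get-AzureADUser output)
$sampleGuests = @(
    [pscustomobject]@{ DisplayName = 'Partner One'; Mail = 'one@partner.example'
        UserPrincipalName = 'one_partner.example#EXT#@contoso.onmicrosoft.example'
        CreationType = 'Invitation'; UserState = 'Accepted'; UserStateChangedOn = '2018-04-01T10:00:00Z' }
    [pscustomobject]@{ DisplayName = 'Partner Two'; Mail = 'two@partner.example'
        UserPrincipalName = 'two_partner.example#EXT#@contoso.onmicrosoft.example'
        CreationType = 'Invitation'; UserState = 'PendingAcceptance'; UserStateChangedOn = $null }
)

Get-GuestInventory -Users $sampleGuests | Format-Table -AutoSize

# Live run, listing invitations that were never redeemed:
# Get-GuestInventory | Where-Object State -eq 'PendingAcceptance'
```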

Copper Contributor

The invitation process often goes wrong, as many users are already logged into a Microsoft or Office 365 tenant and simply click the invite link in the email. They will not see all the screens to create a guest account, as a valid account is already present in their browser!

 

The only thing that helps here is to open the invitation link in a private browser session.

I hope this can be improved, as even a seasoned IT expert easily forgets this essential step.

Hope you can comment.

Copper Contributor

Hi,

External sharing of a new modern SharePoint site works fine with the verification code (adding a guest from Outlook).

The users, after accepting the invitation, become members / they can contribute to the document library: add, delete, edit files.

I couldn't find a way to do the external sharing with verification but have the guest be read-only, a visitor only.

 

How can this be done?

 

Regards,

Tzvetan

Microsoft

 

ShareOption1.png

Hi @Tzvetan Yakimov

You can adjust the permissions when you create the link in the Modern UI by unchecking the "allow editing" check box, as seen in the screenshot above.  If you are looking to change the default behavior for *ALL* links in your organization, both internal and external, you can go to the SPO Tenant Admin Portal (https://[tenantprefix]-admin.sharepoint.com) and go to Sharing > Default Link Permission.

Again, changing it at the tenant admin level changes all links generated in the service, so be aware of that when making the change.

Copper Contributor

Hi Toby

 

Thank you for the answer

Toby, your suggestion is valid if you share file (maybe folder?)

 

What I want to achieve is to share the entire document library externally with login - verification code

The new  modern SharePoint Team site

 

How can this be done?

 

@Toby Bianchi, is there a way to share a site with all users of a specific external domain without having to manually invite each of their hundreds of staff? In our B2B scenarios that requirement comes up quite often. 

 

Ideas appreciated.

Brass Contributor

I echo Ingeborg's question. Is there a way to share a site with all users of a specific external domain without having to manually invite them?

Copper Contributor

@Toby Bianchi

In the New Sharing Experience, verification code indicated that it is good for 15 minutes.  It was actually longer than 15 minutes. My users' questions are:

1.  In 'Enter Verification Code' box, if the recipient checked 'Keep me Signed in', how long will the recipient be able to view the document without having to request new verification code?

2. In 'Enter Verification Code' box, if the recipient did not check 'Keep me Signed in', how long will the recipient be able to view the document without having to request new verification code?

 

I found a link, 'Session times for Office 365 services', posted on support.office.com, but I don't think it is related to SharePoint external link sharing.  Is there a documentation link that covers session times for this?

 

Thank you.

Microsoft

Hi @k h,

The 15 minute timeout is specific to the lifetime of the Verification Code, not the login session.  Once you log in, if you check 'Keep Me Signed In', your authentication token will be written to disk and kept between sessions.  You will not be prompted to verify again until the cookie is deleted, or is not renewed for more than 5 days.  Administrators can limit the amount of time that those who choose 'Keep Me Signed In' can go before having to verify again through the use of a Verification Code. To configure this, navigate to your SharePoint Admin portal (https://[TENANTPREFIX]-admin.sharepoint.com) and select Sharing.  Under 'Additional Settings' you will see a check box for "Require Recipients to continually prove account ownership when they access shared items." The default once selected is thirty days.

If a user chooses to not select the 'Keep Me Signed In' option, their access will last until the end of the browser session, whereupon they will be required to verify their identity again to get access to the file.

I hope this helps!
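As an added example that is not part of the post or the thread: the tenant-level settings discussed in these replies (Default Link Permission, and the "continually prove account ownership" attestation with its thirty-day default), read and checked from the SharePoint Online Management Shell. It assumes the Microsoft.Online.SharePoint.PowerShell module and a prior Connect-SPOService; RequireAcceptingAccountMatchInvitedAccount is a real Set-SPOTenant parameter not mentioned in the post, included because it addresses the wrong-account redemption problem several commenters describe.

```powershell
# Added example, not from the post or Microsoft: flag permissive SharePoint
# Online sharing settings. Pass the output of Get-SPOTenant, or the constructed
# sample below to run offline.

function Test-GuestSharingSettings {
    param([Parameter(Mandatory)]$Tenant)

    $findings = @()
    if ($Tenant.DefaultLinkPermission -ne 'View') {
        $findings += "DefaultLinkPermission is $($Tenant.DefaultLinkPermission): new sharing links grant edit by default"
    }
    if (-not $Tenant.EmailAttestationRequired) {
        $findings += "EmailAttestationRequired is off: ad hoc recipients who chose Keep Me Signed In are re-verified only when their cookie lapses"
    } elseif ($Tenant.EmailAttestationReAuthDays -gt 30) {
        $findings += "EmailAttestationReAuthDays is $($Tenant.EmailAttestationReAuthDays): re-verification is rarer than the 30-day default"
    }
    if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) {
        $findings += "RequireAcceptingAccountMatchInvitedAccount is off: an invite can be redeemed by whatever account the browser is already signed in with"
    }
    return $findings
}

# Constructed sample of a permissive tenant (property names match Get-SPOTenant)
$weak = [pscustomobject]@{
    DefaultLinkPermission                      = 'Edit'
    EmailAttestationRequired                   = $false
    EmailAttestationReAuthDays                 = 30
    RequireAcceptingAccountMatchInvitedAccount = $false
}
Test-GuestSharingSettings -Tenant $weak   # three findings for this sample

# Live check, then hardening. As noted above this is tenant-wide and changes
# every link generated in the service, so review the findings first.
# Test-GuestSharingSettings -Tenant (Get-SPOTenant)
# Set-SPOTenant -DefaultLinkPermission View -EmailAttestationRequired $true `
#     -EmailAttestationReAuthDays 30 -RequireAcceptingAccountMatchInvitedAccount $true
```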

Copper Contributor

Hi,

 

I have a user who seems to have accepted the invite by selecting the "Microsoft" option instead of "Organizational". Now he's getting a "user not there in the directory" error. In Azure AD, he's listed as Guest with "Source as Microsoft Account". I don't have access to delete this guest user. I am sure deleting this guest user and sending a new invite would resolve the issue.

 

Is there any other way i can resolve this?

 

Thanks

Copper Contributor

Hi Toby

Feedback I'm getting from any external guest user using the classic SharePoint invitation isn't during the initial invitation process but more about the ability to access the SharePoint again. Is the only way via the invitation email link only? Our external users are logging onto their authenticated Microsoft accounts, either new or existing, and the collaboration SharePoint they have been invited to is not evident?

Copper Contributor

If I add an external guest (that does not currently have a Microsoft Account) as a member of an O365 Group, why doesn't the Sign in page have the "No account? Create one!" link?  They are stuck - they don't know what they should be using because nothing on that page is saying to use a Microsoft account or create one if they don't already have it.

 

Even if I email the O365 group - which sends an email to all members - they'll get the email sent to them because they are members - but then if they click a link like "Add to the team site" or "share files" it brings them to the Sign in page - where there isn't any ability for them to create the necessary Microsoft account.

 

I swore I used to see that page you have above (the white one with the option) but all it is is the Microsoft sign in page with just the field for their username and the "Can't Access your account?" which only recovers a lost password, still no "don't have an account, create one!"

 

I'm lost with how it is expected to create one for someone that doesn't already have one.

 

 

Microsoft

Hi everyone.  I'm going to tackle your questions in reverse order:

 

@Karen Zbierski 

Once a user enters their email address, the system performs a look up based on their domain.  If no domain is found, or the user is using a commercial email address (such as outlook.com, gmail.com, yahoo.com), they will be prompted to create a Microsoft Account.  If this behavior isn't as intuitive as you would like or expect, consider opening a request on https://sharepoint.uservoice.com.  I did a quick search, and did not see this specific issue called out.  If you decide to make the UserVoice request, please update this thread so others may vote on it.

@Peter Morgan
If the user is using Ad-Hoc invitations, that is, the invitations that include a One Time Code as part of the authentication process, then yes, they will have to access the link from the email every time.  If they have signed in as a Classic Sharing or Azure B2B user, then they should be able to access the item through a direct link.

@Maria Prani B
Without deleting the user object in your tenant and starting the invitation process, your collaborator's best bet is to access the file using an In-Private or Incognito mode browser, or any browser that is not currently logged in to their Organizational ID.  If you can engage your organization's global O365 admins and get them to delete the user, make sure to also delete the entry in the user information list.

Go to your Site > Gear > Site Settings > People and Groups.  Change the URL query parameter ?Membership= to say ?Membership=0, which will expose all users on the site.  Find your external user in the site and delete them. 

Once that is done, you can reinvite, and make sure the external user knows which account type to select.

=============

Thanks, everyone for being patient as I get out these replies, and don't hesitate to follow up with any additional questions or comments!

Copper Contributor

Nice write up @Toby Bianchi, thank you. I came here looking for more details about inviting external users to Modern Team Sites/Office 365 Groups. This would still be helpful to add as you mentioned in an above post. Also, I would like to echo the comments of @Carry4IT Megens above regarding users who are already logged into a Microsoft account on a browser when they click the email invite. There is no graceful way to allow a user to select which Microsoft account they want to link to the Office 365 Group or create a new one, and often they don't even know which account they enrolled with if their passwords are the same between multiple accounts. This presents a problem when the user needs to log in fresh; they don't know their account and you can't help them reset the password to access your site. Using a private browser session seems to be the only way to cleanly do this, but communicating this to the external user you are inviting is difficult because the invite email is generic. I am sad to see this issue carry over from the classic experience, hoping it can be addressed.

 

Suggestion for how it could work: when the external user clicks the invite link they are presented with all the possible Microsoft accounts used on that browser (like how you can switch between gmail accounts) to enroll with, and an option to create a brand new account. This way a user could decide if they want to use their work account, personal account, or neither and create a new one.

 

The features and benefits of the guest access are amazing once you get past the registration part, but the way invites are currently architected it only works for small teams that you can manage through the invite process. I currently dread the requests for a new Team Site that needs to have 20+ external users to share files...

Copper Contributor
 

How do I set up an expiration date for an authenticated user without a Microsoft Account?

Anonymous users can be set up with an expiration date, but this method cannot be applied to invited authenticated users.

 https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview

 Your advice is appreciated.

 Regards,

 Grant Hurley

Very useful article with visuals. Thanks for sharing.

Copper Contributor
Has anyone tried adding the guest user via Azure AD vs initiating a Classic SharePoint Invitation? Is there any documentation on what this experience looks like or what it accomplishes?
Copper Contributor

thanks

Copper Contributor

Am I right that users with the new experience are not controllable with Conditional Access? 

Brass Contributor

I have a situation where there are external users with whom SharePoint sites were shared quite some time ago.  The external users created an account and are now unable to sign into that account, unable to remember the password and apparently unable to retrieve/recover their account; i.e., a new password is being sent to their phone but the external user does not receive anything on their phone.

Is there any other way to recover external user account?
If the external user account cannot be recovered, is there any way to create a new account with the same email? The email is a work email, so that has not changed.
Thanks for any help.

Version history
Last update: Dec 27 2018 12:21 PM