Upcoming change: Updating default sharing setting for Office 365 Group connected SPO site collections

Microsoft

[UPDATE] - Per feedback received here and elsewhere, our plan is to only turn on the external sharing setting for a group's site collection ONLY IF the tenant allows for Office 365 Groups to have guest members.  I've made changes to this post below to capture, and added emphasis to call them out.  Your feedback is welcome.

 

Hi all,

We would like to inform you of an upcoming change we are planning on making to the default value of the external sharing setting for Office 365 Group connected SPO site collections.  Currently, the default sharing setting for these site collections is to allow sharing with external users already in your organization's directory.

 

Since Office 365 Groups allow for guest members by default, we heard feedback from many customers that it was odd to allow for the addition of external guests as group members but not allow for external sharing of SharePoint resources.

 

Based on your feedback, we are updating the external sharing setting to allow sharing with authenticated external users ONLY IF the tenant allows for Office 365 Groups to have guest members.

 

Once updated in a tenant, all new group site collections will be created with the setting for external sharing enabled ONLY IF the tenant allows for Office 365 Groups to have guest members.  No change to default external sharing will occur if guests in Office 365 groups are not permitted.  We will not retroactively change the setting for existing site collections.

 

To change the value of the sharing capability for older site collections, you can use the following PowerShell cmdlet:

 

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/site1 -SharingCapability ExternalUserSharingOnly

Of course as always, SharePoint will always respect the more restrictive sharing setting when comparing the site collection's setting with that of the tenant.  For example, if you disable external sharing at the tenant level, sharing with external users will be blocked for a group's site even if its sharing setting allows for external sharing.

 

I'll update this post when we start rolling this update out, but wanted to solicit feedback or concerns from anyone about this change.  Please post below - we're happy to answer your questions.

 

Thanks
Tejas
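The "more restrictive setting wins" rule from the post above, as an added audit example (not part of the original post and not Microsoft's code). The function name Get-EffectiveSharing, the rank table and the sample site objects are constructed for illustration; the commented lines at the end show how to feed it real data from the SharePoint Online Management Shell.

```powershell
# Rank the SharingCapability values from most to least restrictive.
# Ranked explicitly by name rather than by the enum's underlying integer values.
$SharingRank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1   # only guests already in the directory
    ExternalUserSharingOnly         = 2   # new authenticated guests can be invited
    ExternalUserAndGuestSharing     = 3   # anonymous links as well
}

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)] [string]   $TenantCapability,
        [Parameter(Mandatory)] [object[]] $Site
    )
    foreach ($s in $Site) {
        $siteCap = [string]$s.SharingCapability
        foreach ($c in $siteCap, $TenantCapability) {
            if (-not $SharingRank.ContainsKey($c)) { throw "Unknown SharingCapability '$c'" }
        }
        # Whichever of the two settings ranks lower (more restrictive) applies.
        $effective = if ($SharingRank[$siteCap] -lt $SharingRank[$TenantCapability]) {
            $siteCap
        } else {
            $TenantCapability
        }
        [pscustomobject]@{
            Url                = $s.Url
            SiteSetting        = $siteCap
            TenantSetting      = $TenantCapability
            Effective          = $effective
            CanInviteNewGuests = $SharingRank[$effective] -ge $SharingRank['ExternalUserSharingOnly']
        }
    }
}

# Constructed sample data: one older group site and one created after the change.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/old-group'; SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/new-group'; SharingCapability = 'ExternalUserSharingOnly' }
)

# The tenant allows authenticated guests: the site setting decides.
Get-EffectiveSharing -TenantCapability 'ExternalUserSharingOnly' -Site $sampleSites | Format-Table
# Tenant-level sharing is disabled: both sites resolve to Disabled.
Get-EffectiveSharing -TenantCapability 'Disabled' -Site $sampleSites | Format-Table

# Against a live tenant (after Connect-SPOService):
# $tenantCap  = [string](Get-SPOTenant).SharingCapability
# $groupSites = Get-SPOSite -Template 'GROUP#0' -IncludePersonalSite:$false -Limit All
# Get-EffectiveSharing -TenantCapability $tenantCap -Site $groupSites
```

Run periodically, the output shows which group site collections actually permit inviting new external users, so sites created under the new default can be reviewed or tightened with Set-SPOSite.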

54 Replies

Thanks David and sorry for being a bit of an arse. I appreciate you pointing me in a better direction.

 

It's been 3 days of dealing with Tech support that don't keep the same hours as me and have no clue yet as to why all of a sudden half my site no longer works online and what does work online doesn't work as it did. 

 

It seems just about every month something changes behind the scenes and that causes something not to work as it did on our site. It's been minor up to now. I just wish they would leave well enough alone.

Hi @Tina A Garavaglia. I have seen issues too with external guests accepting invites to a shared document. 


 

1. Was that automatic when they signed up for the free Microsoft Live account and accepted the invite?

 

Yes. When someone accepts an invite using either a Microsoft or Office 365 account, a guest account is created in Azure AD. You should recognize the format when you see it. 

[EmailName]_[domain]_com@[tenantname].onmicrosoft.com. 

 


2. If you set the option for users in the Organization Directory, who adds them? The tenant admin?


The invite process adds them. When they accept the invite, the account is created by Azure AD. At least that's what should happen.


3. Why would external users not be able to accept invitations to site collections if they sign up for the free account--but are not listed in our Organizational Directory?


Sounds like this process is not working correctly at the moment. Just to confirm, which setting are you using in your site collection? 

1, 2 or 3 in the picture below? 

ext-sharing-site-collection.jpg

 

There appears to be a health message in the tenants now. At least in relation to Excel files not opening in the browser. Not sure if that is the problem you were seeing. Looks like MSFT are doing a code rollback.

We are using option #2 because we want them to sign in and be "authenticated" versus anonymous. It used to work great. Now something is different, and we cannot get some people in (I understand there is a problem with GMail accounts, but these are not GMail). Thank you for taking the time to reply. Very much appreciated.

Thanks for the heads up Phillip! 

 

It's back up and running!

@Tina A Garavaglia

Your questions have been answered in many other threads.

For example, give a look to this thread: https://techcommunity.microsoft.com/t5/SharePoint/External-Sharing/td-p/23667. Read carefully the answers by @Stephen Rice.

Hope it helps...

I like the direction of making it easier to share with external users for document collaboration, but seems like a VERY wide setting to be the default.  A suggestion might be to allow admins the ability to set this via a sharing policy for values set in the ClassificationList property that you can set via Azure policies when creating the group (e.g. Internal or Private = leave as ExternalUserSharingOnly, External or Partner = use ExistingExternalUserSharingOnly)

@Salvatore Biscari Thanks for the reply! I guess this is a little light reading for a rainy day. I'll have to review the articles with our O365 Tenant Admins.

I must say I'm puzzled by the handful of people complaining about this change. All this is doing is making the default value of the external sharing setting for Office 365 Group connected SharePoint Online site collections THE SAME as standalone SharePoint Online site collections that we were all used to before Office 365 Groups even came along.

 

This is not something new, they are simply aligning the two types of sites to the setting that makes things more seamless for users to get to files and folders that are shared with them.

 

Before this change you had to either flip the setting manually via PowerShell, use the wonky email based sharing (that I never saw anyone use or like), or send your external users through an Azure B2B step to get their external user account added into AAD first and then share the file/folder with them.

 

Now you can simply share like normal and get on with your life. Productivity gained :)

Hi @Tina A Garavaglia,

 

Prior to the change Tejas mentioned, Group connected team sites were set to only allow sharing with external users who were already in the directory. This might explain why sharing was failing. You will need to have the correct external sharing at both the tenant level and at the site collection level (which can only be set using PowerShell as described above). 

 

Hope that helps! 

 

Stephen Rice

OneDrive Program Manager II

 


@Deleted wrote:

Hi Tejas,

 

Have a query here. In SP admin center settings if the "Sharing outside your organization" is set to 'Don't allow sharing outside your organization', whether this will be overwritten when this change is in place.

 

Thanks And Regards,

Shinu


Hi Shinu - if you have set the tenant level sharing setting to 'Don't allow sharing outside your organization', we will continue to respect that.  We will apply the most restrictive setting based on the combination of tenant and site level for this attribute.  We will also not change any existing values set at the tenant level or site collection level.  

 

Hope that helps

 


@Jianhua Shi wrote:

Our premium Customer wants option to select from current behavior and the coming changed behavior.

Actually they are pushing on a HotFix to do this. 

The current behavior meets their needs


Hi Jianhua - I am not sure I understand your question.  Are you asking for the ability to have the default changed sooner?  Or are you asking to have the option to set the default for group site collections in your tenancy?

Hi Allan, the change outlined in this thread has not been rolled out to customers yet.  I posted as a heads up notification and to provide opportunity for customers to provide feedback (which is happening, and we're very thankful for!). 

 

It sounds like the issue you are experiencing is related to editing of Excel files in Excel Online only - is that correct?  Or are you having problems editing in Excel app as well?

Just saw this, glad you have everything resolved.


@Brian Caauwe wrote:

I like the direction of making it easier to share with external users for document collaboration, but seems like a VERY wide setting to be the default.  A suggestion might be to allow admins the ability to set this via a sharing policy for values set in the ClassificationList property that you can set via Azure policies when creating the group (e.g. Internal or Private = leave as ExternalUserSharingOnly, External or Partner = use ExistingExternalUserSharingOnly)


Brian, you are reading our minds. :)  We are definitely moving to a model where Classification of a group/site has policies attached.  Stay tuned on this front. :)

Essentially classed as the same thing in the background, so yes I believe Teams and Planner get the external access as well?

Hi everyone - we've received great feedback here as well as from other channels.  We seem to have two clear camps with opposing points of view.  We've added a feature to our backlog that would allow for admins to specify the default sharing setting for site collections in a tenant.  However, that work is not yet prioritized or scheduled so I don't have an ETA for when that would be available.

 

So, another question for all of you.  What if we tied the external sharing setting for a group's site collection to the group's guest membership setting at site creation time?  In other words, we would enable external sharing for a group site collection ONLY if the group allows for guests to be added (at time of creation).  The settings would remain decoupled post-creation and would still be separately manageable.  Would this approach be acceptable until we have an admin control to set the default?

 

Thanks for your feedback!

Tejas 

Yes.

 

In effect, you're saying if you have Guest Access turned on at site creation time you get the ability to externally share to those not yet in AAD via the standard invitation and authentication method for that site. If Guest Access is turned off at site creation time, nothing changes compared to what is happening today.

 

Am I understanding you correctly?

Yes, that is correct.  Would this approach appease concerns in the interim?

Yes, that would work for us. We already have external sharing turned on and limited via whitelist in both SharePoint and now Office 365 Groups with the PowerShell that was released a couple days ago, so removing that extra step of either admins having to add the external users into AAD, or the users themselves having to use Azure B2B to get created in AAD first is a win.