Home

Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collections

Tejas Mehta
Microsoft

Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collections

[UPDATE] - Per feedback recieved here and elsewhere, our plan is to only turn on the external sharing setting for a group's site collection ONLY IF the tenant allows for Office 365 Groups to have guest members.  I've made changes to this post below to capture, and added emphasis to call them out.  Your feedback is welcome.

 

Hi all,

We would like to inform you of an upcoming change we are planning on making to the default value of the external sharing setting for Office 365 Group connected SPO site collections.  Currently, the default sharing setting for these site collections is to allow sharing with external users already in your organization's directory.

 

Since Office 365 Groups allow for guest members by default, we heard feedback from many customers that it was odd to allow for the addition of external guests as group members but not allow for external sharing of SharePoint resources.

 

Based on your feedback, we are updating the external sharing setting to allow sharing with authenticated external users ONLY IF the tenant allows for Office 365 Groups to have guest members.

 

Once updated in a tenant, all new group site collections will be created with the setting for external sharing enabled ONLY IF the tenant allows for Office 365 Groups to have guest members.  No change to default external sharing will occur if guests in Office 365 groups are not permitted.  We will not retroactively change the setting for existing site collections.

 

To change the value of the sharing capability for older site collections, you can use the following PowerShell cmdlet:

 

Set-SPOSite -Identity https://contoso.sharepoint.com/sites/site1 -SharingCapability ExternalUserSharingOnly

Of course as always, SharePoint will always respect the more restrictive sharing setting when comparing the site collection's setting with that of the tenant.  For example, if you disable external sharing at the tenant level, sharing with external users will be blocked for a group's site even if its sharing setting allows for external sharing.

 

I'll update this post when we start rolling this update out, but wanted to solicit feedback or concerns from anyone about this change.  Please post below - we're happy to answer your questions.

 

Thanks
Tejas

54 Replies

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Thanks for this update Tejas!!

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect


@Tejas Mehta wrote:

[..] Currently, the default sharing setting for these site collections is to allow sharing with external users already in your organization's directory.

 

Since Office 365 Groups allow for guest members by default, we heard feedback from many customers that it was odd to allow for the addition of external guests as group members but not allow for external sharing of SharePoint resources.

 

Based on your feedback, we are updating the external sharing setting to allow sharing with authenticated external users. [..]

 

 


I am totally not getting it. Quoted above (emphasis mine):

You say that by default it is already set to allow sharing with external users. Then you say that it is odd that it doesn't allow sharing. And then you are updating the setting to allow sharing with external users!!

 

Am I missing something entirely here?

 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Very interesting change! 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

@Abhimanyu Singh

The current default is 

ExistingExternalUserSharingOnly

The new default will be

ExternalUserSharingOnly

This means that you will be able to invite new external users while sharing.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Ahh.. Thanks @Salvatore.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

I'm afraid no one setting is going to work for every customer. After this we will have to add switching it back to external sharing with people in our directory. 

 

For Groups sites we already have concerns at the lack of customisation options. . 

 

 

Being able to specify a template to a Sharepoint site when it is created by groups looks to be a required feature. To allow each organisation to configure the sites as it requires. Obviously there are reasons certain things cannot be configured or they will break. Having some options would be useful though. 

 

For example

Giving group owners full control permission to a site and not allowing a restruiction in permission levels. I realise they need full control to add members permissions. However it also gives them the ability to modify the site away from corporate settings and worse add infopath forms.

 

Just my $00.02.  

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Thank you @Tejas Mehta, I've been bugging @Sahil Arora about this for some time now :)

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

really(!!!) wish you would bring back anonymous access to SP sites!!! This seriously hampers many ability to use my tenant as a means of providing information to my local, non-technical, community, most (if not all) do not and will not ever have a Microsoft account.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

I don't think this is going to happen when providing access to a full SPO Site...you can shared anonymously files and folders, but IMHO it's enough....justs remember SPO Sites are not websites in the sense that anyone from the Internet can access them

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

You stated that this is for group sites in SP. What about those group sites created via Teams & Planner?  Does Teams and Planner get the external access as well?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Does this mean when I share a single document with an external user, they become a member of the Office 365 Group? Does this mean they will also receive conversations? Or is it that the document and only the document is shared with the external user?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect


@Darrell Webster wrote:
Does this mean when I share a single document with an external user, they become a member of the Office 365 Group?

No. A Group member can be designated only using the relevant UI or PowerShell.

 


@Darrell Webster wrote:
Does this mean they will also receive conversations?

No. Only members receive conversations.

 


@Darrell Webster wrote:
 Or is it that the document and only the document is shared with the external user?

Exactly. Moreover, not only Group documents can be shared with external users, but also folders and even the whole associated site.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi Tejas,

 

Have a query here. In SP admin center settings if the "Sharing outside your organization" is set to 'Don't allow sharing outside your organization', whether this will be overwritten when this change is in place.

 

Thanks And Regards,

Shinu

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Our premium Customer wants option to select from current behavior and the coming changed behavior.

Actually they are pushing on a HotFix to do this. 

The current behavior meets there needs

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

I am having major issues with Online edit of Excel documents. As of this Tuesday about 30 of my Excel workbooks are no longer even viewable online let alone editable. The Excel workbooks that are can no longer scroll to the left or right other than with arrow keys. I have spent hours on the phone with Microsoft tech support with no results or answers. Was there any update done this monday or early Tuesday? 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Allan, you might have better luck in the Excel community here, but really should continue working with Microsoft support to resolve this issue. Derailing every thread you see a Microsoft employee on with your unrelated question/issue is probably not in the spirit of this community at all.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi David,

I appreciate your point but I disagree that it's unrelated. This is not an excel problem and that has been established. It's due to some change made behind the scene to SharePoint. I apologies that this may not be the best place to get answers to the problem but it's as close as I can get to speaking with someone with knowledge or access to what is occurring behind the scenes in sharepoint. If you can point me in a better direction in terms of speaking to someone involved in the development/updates to sharepoint I would appreciate it?

As for derailing every thread... as far as I know this is the only thread I have "derailed", if you have knowlege of anyone else using my log in I would appreciate being pointed in that direction as well.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

My question is really about the differences between needing to have someone in the organization directory, and authenticated external users. Currently, we set our external sharing site collections to authenticated external users indicating they either work for our company and have their email address, or they are an extenal user who needs to set up a Microsoft Account if they do not already have one that they are using with the email address. We have found that recently, external users are having issues accepting invites to external sharing site collections if they are not already in our directory--not sure how they got into our directory in the first place since we did not add them.

 

1. Was that automatic when they signed up for the free Microsoft Live account and accepted the invite?

2. If you set the option for users in the Organization Directory, who adds them? The tenant admin?

3. Why would external users not be able to accept invitations to site collections if they sign up for the free account--but are no listed in our Organizational Directory?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Pretty large leap to say that SharePoint Online is broken on all Excel files when you're the only one reporting the issue ;) If support is not helping, I would encourage you to escalate or look at the higher level support services like Premier Support: https://www.microsoft.com/en-us/microsoftservices/support.aspx

 

Not trying to call you out, but this thread is not about your issue and randomly demanding Microsoft Product Group employees help you on your individual issue is just going to convince them to come here less when we would all prefer they come here and share with us more. If you feel this community is in fact the best place to discuss your issue, I would encourage you to start a new thread specifically about your issue and see if anyone else has experienced this or can help you.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Thanks David and sorry for being a bit of an arse. I appreciate you pointing me in a better direction.

 

Its been 3 days of dealing with Tech support that dont keep the same hours as me and have no clue yet as to why all of a sudden half my site no longer works online and what does work online doesnt work as it did. 

 

It seems just about every month something changes behind the scenes and that causes soemthing not to work as it did on our site. Its been minor up to now. I just wish they would leave well enough alone.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi @Tina A Garavaglia. I have seen issues too with external guests accepting invites to a shared document. 


 

1. Was that automatic when they signed up for the free Microsoft Live account and accepted the invite?

 

Yes. When someone accepts an invite using either a Microsoft or Office 365 account, a guest account is created in Azure AD. You should recognize the format when you see it. 

[EmailName]_[domain]_com@[tenantname].onmicrosoft.com. 

 


2. If you set the option for users in the Organization Directory, who adds them? The tenant admin?


The invite process adds them. When they accept the invite, the account is created by Azure AD. At least that's what should happen.


3. Why would external users not be able to accept invitations to site collections if they sign up for the free account--but are no listed in our Organizational Directory?


Sounds like this process is not working correctly at the moment. Just to confirm, which setting are you using in your site collection? 

1, 2 or 3 in the picture below? 

ext-sharing-site-collection.jpg

 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

There appears to be a health message in the tenants now. At least in relation to excel files not opening in the browser. Not sure if that is the problem you we seeing. Looks like MSFT are doing a code rollback.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

We are using option #2 because we want them to sign in and be "authenticated" versus anonymous. It used to work great. Now something is different, and we cannot get some people in (I understand there is a problem with GMail accounts, but these are not GMail). Thank you for taking the time to reply. Very much appreciated.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Thanks for the heads up Phillip! 

 

Its back up and running!

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

@Tina A Garavaglia

Your questions have been answered in many other threads.

For example, give a look to this thread: https://techcommunity.microsoft.com/t5/SharePoint/External-Sharing/td-p/23667. Read carefully the answers by @Stephen Rice.

Hope it helps...

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

I like the direction of making it easier to share with external users for document collaboration, but seems like a VERY wide setting to be the default.  A suggestion might be to allow admins the ability to set this via a sharing policy for values set in the ClassificationList property that you can set via Azure policies when creating the group (e.g. Internal or Private = leave as ExternalUserSharingOnly, External or Partner = use ExistingExternalUserSharingOnly)

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

@Salvatore Biscari Thanks for the reply! I guess this is a little light reading for a rainy day. I'll have to review the articles with our O365 Tenant Admins.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

I must say I'm puzzled by the handful of people complaining about this change. All this is doing is making the default value of the external sharing setting for Office 365 Group connected SharePoint Online site collections THE SAME as standalone SharePoint Online site collections that we were all used to before Office 365 Groups even came along.

 

This is not something new, they are simply aligning the two types of sites to the setting that makes things more seamless for users to get to files and folders that are shared with them.

 

Before this change you had to either flip the setting manually via PowerShell, use the wonky email based sharing (that I never saw anyone use or like), or send your external users through an Azure B2B step to get their external user account added into AAD first and then share the file/folder with them.

 

Now you can simply share like normal and get on with your life. Productivity gained :)

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi @Tina A Garavaglia,

 

Prior to the change Tejas mentioned, Group connected team sites were set to only allow sharing with external users who were already in the directory. This might explain why sharing was failing. You will need to have the correct external sharing at both the tenant level and at the site collection level (which can only be set using PowerShell as described above). 

 

Hope that helps! 

 

Stephen Rice

OneDrive Program Manager II

 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect


@Shinu P S wrote:

Hi Tejas,

 

Have a query here. In SP admin center settings if the "Sharing outside your organization" is set to 'Don't allow sharing outside your organization', whether this will be overwritten when this change is in place.

 

Thanks And Regards,

Shinu


Hi Shinu - if you have set the tenant level sharing setting to 'Don't allow sharing outside your organization', we will continue to respect that.  We will apply the most restrictive setting based on the combination of tenant and site level for this attribute.  We will also not change any existing values set at the tenant level or site collection level.  

 

Hope that helps

 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect


@Jianhua Shi wrote:

Our premium Customer wants option to select from current behavior and the coming changed behavior.

Actually they are pushing on a HotFix to do this. 

The current behavior meets there needs


Hi Jianhua - I am not sure I understand your question.  Are you asking for the ability to have the default changed sooner?  Or are you asking to have the option to set the default for group site collections in your tenancy?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi Allan, the change outlined in this thread has not been rolled out to customers yet.  I posted as a heads up notification and to provide opportunity for customers to provide feedback (which is happening, and we're very thankful for!). 

 

It sound like the issue you are experiencing is related to editing of Exel files in Excel Online only - is that correct?  Or are you having problems editing in Excel app as well?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Just saw this, glad you have everything resolved.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect


@Brian Caauwe wrote:

I like the direction of making it easier to share with external users for document collaboration, but seems like a VERY wide setting to be the default.  A suggestion might be to allow admins the ability to set this via a sharing policy for values set in the ClassificationList property that you can set via Azure policies when creating the group (e.g. Internal or Private = leave as ExternalUserSharingOnly, External or Partner = use ExistingExternalUserSharingOnly)


Brian, you are reading our minds. :)  We are definitely moving to a model where Classification of a group/site has policies attached.  Stay tuned on this front. :)

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Essentially classed as the same thing in the background, so yes I believe Teams and Planner get the external access as well?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi everyone - we've received great feedback here as well as from other channels.  We seem to have two clear camps with opposing points of view.  We've added a feature to our backlog that would allow for admins to specify the default sharing setting for site collections in a tenant.  However, that work is not yet prioritized or scheduled so I don't have an ETA for when that would be available.

 

So, another question for all of you.  What if we tied the external sharing setting for a group's site collection to the group's guest membership setting at site creation time?  In other words, we would enable external sharing for a group site collection ONLY if the group allows for guests to be added (at time of creation).  The settings would remain decoupled post-creation and would still be separately manageable.  Would this approach be acceptable until we have an admin control to set the default?

 

Thanks for your feedback!

Tejas 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Yes.

 

In effect, you're saying if you have Guest Access turned on at site creation time you get the ability to externally share to those not yet in AAD via the standard invitation and authentication method for that site. If Guest Access is turned off at site creation time, nothing changes compared to what is happening today.

 

Am I understanding you correctly?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Yes, that is correct.  Would this approach appease concerns in the interim?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Yes, that would work for us. We already have external sharing turned on and limited via whitelist in both SharePoint and now Office 365 Groups with the PowerShell that was released a couple days ago, so removing that extra step of either admins having to add the external users into AAD, or the users themselves having to use Azure B2B to get created in AAD first is a win.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Great, thanks!  Any others with feedback on this slightly tweaked approach?

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

 

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi Tejas,

Can you confirm that if my tenant's settings are set to: Allow users to invite and share with authenticated external users.

Then my newly created groups will be set to this when this change comes through to us.

Thanks.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

AFAIK you still need to do the PowerShell stuff, I have not seen / heard anything about changing this behavior yet

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

A much more involved set of discussions not withstanding, when is SPO going to version their changes rather than arbitrarily impose them and the sometimes considerably significant impacts on customer organization, process, and investments? Purchasers of cloud services were never made aware of risks nor realized expectations of stability and manageable change were fallacy. Microsoft must realize one thing purchased need remain that thing and differences then are in fact now a different thing that they must choose or reject, not forcibly be confronted with risks and implied responsibilities requiring address.

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Only the document

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hello everyone, apologies for the delay.  We are beginning to roll out the changes to First Release customers this week, and will follow with broader expansion to production tenants worldwide.

 

Thanks,
Tejas

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi Tejas,

 

I now have multiple if not all of my external users locked out and being asked to authenticate with a username and password that doesn't accept their email and password for those values. How do I stop this as it is creating havoc! My technical abilities are very limited regarding Sharepoint. Please can you point me in the right direction.

 

Thanks

Allan

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi Allen - not sure the issue you are experiencing is related to the update described in this thread.  Is this issue happening to existing sites?  Or new ones?  All sites?  What is the external sharing setting on these?

 

Might be challenging to debug on this thread - please open a support ticket if the issue persists.

 

Thanks,

Tejas

Re: Upcoming change:Updating default sharing setting for Office 365 Group connected SPO site collect

Hi Allan,

Are external users getting a message saying this file was shared with john.smith@externalcompany.com but js123@externalcompany.com is trying to open this file? Whereby this is actually the same person?