Groups Guest access and SharePoint access


Looking to confirm my understanding. If you add a guest to an O365 from OWA, they will only have access to the associated SharePoint site if external sharing for that site has been turned on (or if external sharing was turned on at the tenant level)? Since sites created off of groups don't show up in the SharePoint Admin center, you'd have to run PowerShell to enable external sharing on that site? Is there any other way to grant external member access to a Groups SharePoint site besides PowerShell?


The default setting for sites associated to Groups is ExistingExternalUserSharingOnly and you don't need to change it in order to add external members.

If you want to change it, though, you can do it only by PowerShell.

My understanding is that it is enough to enable external guests at the tenant level, so you don't need to run any PowerShell to configure Group sites.

Hi Juan.

External sharing must be enabled at the tenant level AND at the Group site collection level (which BTW is the default) in order to allow access to guest members.

Thanks. We have external sharing disabled at the tenant level, and are only enabling it for specific sites. I added my personal external email to a Group I created, was able to converse okay but got an access denied when trying to access the site. Sounds like then that would be expected? Until I turned on external sharing at the site collection level?

Ok, in that case you are right...you will have to enable external sharing behind the scenes using PowerShell

AFAIK if you have external sharing disabled at the tenant level, guests will be unable to access Groups sites, whatever the Group site collection setting is.

This flu is burning my brain :-)... Salvatore is right, you need to have external sharing enabled at the tenant level so that you can then choose which configuration to apply on a per-site-collection basis... so if external sharing is enabled at the tenant level and guest users are configured in Office 365, your guest users should be able to access the Group site.

Yes, the flu this year is really terrible...

Best wishes!

It seems settings are contained in quite a few places related to external sharing!  This is what we currently have:

 

  • In the Global Admin, Settings->Security & Privacy->Sharing, 'let users add new guests to the org' is turned ON.
  • In the Global Admin, Settings->Service & add-ins->Sites, 'let users share content with external users who sign in' is turned ON.
  • In the Global Admin, Settings->Service & add-ins->Office 365 Groups, both 'Let group members outside the organization access group content' and 'Let group owners add people outside the organization to groups' are turned ON.

 

In the SharePoint Admin Center, under Sharing we have 'allow users to invite and share with authenticated external users' turned ON.

 

I tried to access again, and my phone redirected to a different account than what I had shared with. I tried again and could access the site no problem.

 

 

Glad it worked!

Currently we don't have self-service site creation, it goes through a request process (that's why I was mentioning we don't enable external sharing by default). If we move to self-service, but don't want external sharing of sites enabled by default (only allowed by a Global Admin), would we turn off external sharing at the SharePoint Admin center or the Global Admin Center? Assuming that setting would flow through like I was originally describing with Groups Site access, external users could only have access to conversations, not access site unless we specifically enabled on that site collection?

  1. The settings in the Office 365 Admin Center and the settings in the SharePoint Admin Center are both at tenant level. The two UIs are "interconnected", meaning that when you change a setting in the former, the corresponding setting changes in the latter and vice versa. So it is not important which UI you use. (Of course in SharePoint Admin Center there are also settings that are not present in Office 365 Admin Center...)
  2. If you completely disable external sharing at tenant level, then external users will not be able to access SPO resources, regardless of the settings at site collection level. So, specifically enabling sharing on individual site collections will have no effect.
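
The rule in the reply above, as an added PowerShell example that is not part of the original thread: it models how the tenant-level and site-collection-level `SharingCapability` values combine, generalised from the "tenant Disabled wins" case to "the more restrictive of the two wins". The helper name `Get-EffectiveSharing` and the site URLs are hypothetical; the sample values are constructed so the block runs offline.

```powershell
# Added example. SharingCapability values, ordered most to least restrictive.
$SharingLevels = @(
    'Disabled',
    'ExistingExternalUserSharingOnly',
    'ExternalUserSharingOnly',
    'ExternalUserAndGuestSharing'
)

function Get-EffectiveSharing {   # hypothetical helper, not a SharePoint cmdlet
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][string]$SiteCapability
    )
    $t = [array]::IndexOf($SharingLevels, $TenantCapability)
    $s = [array]::IndexOf($SharingLevels, $SiteCapability)
    if ($t -lt 0 -or $s -lt 0) {
        throw "Unknown SharingCapability: '$TenantCapability' / '$SiteCapability'"
    }
    # A site collection can never be more permissive than the tenant.
    $SharingLevels[[Math]::Min($t, $s)]
}

# Constructed sample data. Against a live tenant (after Connect-SPOService):
#   $tenant = (Get-SPOTenant).SharingCapability.ToString()
#   $sites  = Get-SPOSite -Identity <group site URL>
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/group-a'
                       SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/group-b'
                       SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/group-c'
                       SharingCapability = 'Disabled' }
)

foreach ($tenant in 'Disabled', 'ExternalUserSharingOnly') {
    foreach ($site in $sites) {
        $effective = Get-EffectiveSharing -TenantCapability $tenant `
                                          -SiteCapability $site.SharingCapability
        [pscustomobject]@{
            Tenant        = $tenant
            Url           = $site.Url
            SiteSetting   = $site.SharingCapability
            Effective     = $effective
            GuestsBlocked = ($effective -eq 'Disabled')
        }
    }
}
```

With the tenant set to `Disabled`, every row reports guests blocked regardless of the site setting, which is the access-denied behaviour described earlier in the thread.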

We've been experimenting a lot with Guest Access in Office 365 Groups the past few days and have made what we think are some interesting discoveries on how this all works and what is actually going on there, although our testing is still underway.

 

If you read the Guest Access Documentation carefully, it seems there is no intention for the guest user to actually access the Group's Team Site in the way we all understand from External Sharing in a standard SharePoint Online Team Site if the external sharing settings for that site are left default and not modified via PowerShell.

 

Instead, it looks like the intention is for all external access to files to occur via email. Very specifically, look at this section in the documentation I linked above:

 

All of the guest member's interactions occur through their email inbox. They can't access the group site but can receive calendar invitations, participate in email conversations, and, if the tenant admin has enabled it, open shared files using a link or attachment.

 

All group emails and calendar invitations the guest receives will include a reminder to use "reply all" in responses to the group, along with links to view group files and leave or unsubscribe from the group.

 

If you follow that view group files link, you'll arrive at a page with instructions for how to share group files with guests. Those instructions very specifically guide you to attach the file(s) to a conversation within the Group.

 

I am not a fan of this method or experience at all. For sharing a one off file with a guest it might be ok, but for longer term guest access it becomes very unwieldy when they have to manage everything through their own inbox as opposed to a central collaboration point that external access to the Group's Team Site or a shared folder within that Team Site would offer.

 

We have uncovered a couple ways around this, although I'm not sure this is supported by Microsoft which makes me nervous to begin using it in a production scenario.

 

  1. You can flip the setting in PowerShell on the Group's site itself that allows these guest users to log in to the site. This setting was mentioned previously in this thread. This can only be done retro, as there appears to be no way currently to change the default setting that is applied at creation. I am not a fan of manually or automatically having to go change this setting in this manner, as that is another bit of complexity that has potential to stop running, needs to be monitored, human factors, etc.
  2. You can use some sort of Azure B2B solution to add these external users into AD beforehand so they "exist" and are not blocked by the default setting on these types of sites.

 

@Christophe Fiessinger Any chance we could get a comment from you or someone on your team on whether what we're all talking about in this thread is correct and working as intended, or have we missed something completely? Thanks!

Thanks guys for the feedback! Couple of things, we have been working internally to rationalize these settings & this is the plan of record as of now.

1. By default, Groups have guest access enabled & the corresponding team site as well.

2. Currently by default files cannot be shared with new guests unless they are a member of the group. We are planning to *change* this default with full guest access enabled, so that you can share individual files with new guest users through SPO.

3. The way we want SPO settings & Groups settings for short-term is to be decoupled with the right messaging in the admin portal so that admins are clearly aware of what they need to do to fully disable guest access.

 

 

 

Thank you Sahil! This is a great update that will address a lot of the issues we've been seeing hopefully. Looking forward to seeing these changes roll out.

Thanks for this great update @Sahil Arora do you have an ETA about when this will be rolled out?

@Sahil Arora

Thanks Sahil.

About #2, my understanding is that today, by default, files can be shared with all existing external users, and not only with group members. Am I wrong?

As I understand, my issue is not exactly what you are discussing, but I will chime in anyway.

 

We have the need to create links to files in a group library for unauthenticated access. Do I understand the thread right in assuming that this is not possible? 

This means that right now the users are creating file structures in their own OneDrive that they are sharing with the Group and using the Shared With Us view.

Which is very messy and takes away a lot of the advantages of the group, but the external sharing links are crucial for this organisation.

 

Can anyone help?