Mar 01 2017 07:02 AM
Mar 01 2017 07:02 AM
Looking to confirm my understanding. If you add a guest to an O365 from OWA, they will only have access to the associated SharePoint site if external sharing for that site has been turned on (or if external sharing was turned on a the tenant level)? Since sites created off of groups don't show up in the SharePoint Admin center, you'd have to run PowerShell to enable external sharing on that site? Is there any other way to grant external member access to a Groups SharePoint site besides PowerShell?
Mar 01 2017 07:45 AM - edited Mar 01 2017 07:48 AM
The default setting for sites associated to Groups is ExistingExternalUserSharingOnly and you don't need to change it in order to add external members.
If you want to change it, though, you can do it only by PowerShell.
Mar 01 2017 07:45 AM
Mar 01 2017 07:51 AM
External sharing must be enabled at the tenant level AND at the Group site collection level (which BTW is the default) in order to allow access to guest members.
Mar 01 2017 07:53 AM
Thanks. We have external sharing disabled at the tenant level, are only enabling for specific sites. I added my personal external email to a Group I created, was able to conversate okay but got an access denied when trying to access the site. Sounds like then that would be expected? Until I turned on external sharing at the site collection level?
Mar 01 2017 07:56 AM
Mar 01 2017 08:04 AM - edited Mar 01 2017 08:06 AM
AFAIK if you have external sharing disabled at the tenant level, guests will be unable to access Groups sites, whatever the Group site collection setting is.
Mar 01 2017 08:08 AM
Mar 01 2017 08:37 AM
It seems settings are contained in quite a few places related to external sharing! This is what we currently have:
In the SharePoint Admin Center, under Sharing we have 'allow users to invite and share with authenticated external users' turned ON.
I tried to access again, and my phone redirected to a different account then what I had shared with. I tried again and could access the site no problem
Mar 01 2017 08:56 AM
Currently we don't have self-service site creation, it goes through a request process (that's why I was mentioning we don't enabled external sharing by default). If we move to self-service, but don't want external sharing of sites enabled by default (only allowed by a Global Admin), would we turn off external sharing at the SharePoint Admin center or the Global Amdin Center? Assuming that setting would flow through like I was originally descirbing with Groups Site access, external users could only have access to conversations, not access site unless we specifcially enabled on that site collection?
Mar 01 2017 11:02 AM
Mar 01 2017 03:03 PM
We've been experimenting a lot with Guest Access in Office 365 Groups the past few days and have made what we think are some interesting discoveries on how this all works and what is actually going on there, although our testing is still underway.
If you read the Guest Access Documentation carefully, it seems there is no intention for the guest user to actually access the Group's Team Site in the way we all understand from External Sharing in a standard SharePoint Online Team Site if the external sharing settings for that site are left default and not modified via PowerShell.
Instead, it looks like the intention is for all external access to files to occur via email. Very specifically, look at this section in the documentation I linked above:
All of the guest member's interactions occur through their email inbox. They can't access the group site but can receive calendar invitations, participate in email conversations, and, if the tenant admin has enabled it, open shared files using a link or attachment.
All group emails and calendar invitations the guest receives will include a reminder to use "reply all" in responses to the group, along with links to view group files and leave or unsubscribe from the group.
If you follow that view group files link, you'll arrive at a page with instructions for how to share group files with guests. Those instructions very specifically guide you to attach the file(s) to a conversation within the Group.
I am not a fan of this method or experience at all. For sharing a one off file with a guest it might be ok, but for longer term guest access it becomes very unwieldly when they have to manage everything through their own inbox as opposed to a central collaboration point that external access to the Group's Team Site or a shared folder within that Team Site would offer.
We have uncovered a couple ways around this, although I'm not sure this is supported by Microsoft which makes me nervous to begin using it in a production scenario.
@Christophe Fiessinger Any chance we could get a comment from you or someone on your team on whether what we're all talking about in this thread is correct and working as intended, or have we missed something completely? Thanks!
Mar 20 2017 11:49 AM
Thanks guys for the feedback! Couple of things, we have been working internally to rationalize this settings & this is the plan of record as of now.
1. By-default Groups have guest access enabled & the corresponding team site as well.
2. Currently by default files cannot be shared with new guests unless they are member group. We are planning to *change* this default with full guest access enabled, so that you can share indivudal files with new guest users through SPO.
3. The way we want SPO settings & Groups settings for short-term is to be decoupled with the right messaging in the admin portal so that admins are clearly aware of what do they need to do to fully disable guest access.
Mar 20 2017 12:41 PM
Thank you Sahil! This is a great update that will address a lot of the issues we've been seeing hopefully. Looking forward to seeing these changes roll out.
Mar 30 2017 11:23 AM
As I understand my issue is not exactely what you are discussing, but I will chime in anyway.
We have the need to create links to files in a group library for unauthenticated access. Do I understand the thread right in assuming that this is not possible?
This means that right now the users are creating files structures in their own OneDrive that they are sharing with the Group and using the Shared With Us view.
What is very messy and takes away a lot of the advantages of the group, bus the external sharinng links are crucials for this organisation.
Can anyone help?