Jan 21 2017 08:12 AM
Jan 21 2017 08:12 AM
As we know, "Allow sharing only with the external users that already exist in your organization's directory" is the default for Groups.
Given that a customer of mine doesn't want to change such default (and in general doesn't want to use PowerShell), which is the best practice for them to create in advance external users in their organization's directory before sharing items with such external users?
I guess that they must in any case use the AAD portal, but while they could directly create external users having MS accounts, they should use instead B2B in order to create external users having O365 accounts. Am I correct?
Jan 21 2017 02:54 PM
Jan 22 2017 03:22 AM
Unfortunately, when they add users manually (using Azure AD Portal) it appears that while they can add directly individual MS accounts, they are instead forced to use the B2B procedure (i.e. the CSV) even to add a single O365 (external) account.
In other words, they have not found a way in the AAD portal to add manually just one (f.e.) O365 external account without having to create a CSV for the B2B procedure.
Can you confirm?
Jan 22 2017 05:28 AM
Jan 23 2017 04:04 AM
Hi Juan. The problem is not with hotmail.com (and similar MSA) users, the problem is with O365 accounts.
How do I manually add to AAD an O365 account (from another tenant) as external user?
Jan 23 2017 04:36 AMSolution
Jan 26 2017 11:54 PM
Well this is changing for B2B.
The CSV option is being replaced with an API which is part of the Office Graph.
It was announced at Ignite and still in beta but good to know it is there for testing and a way forward with B2B.
Jan 27 2017 02:07 AM
Good to know.
Nevertheless, I would rather like to have a UI for manually creating O365 external users, one by one, like it is already possible (and mandatory) to do today for MSA external users.
This would be a boon for small organizations that need to create only a handful of external users and don't even know what a CSV is (let alone an API...).
Feb 02 2017 03:18 PM
I coded up a quick UI in my developer-oriented playground app. It does add the users in AAD, but I have to admit that the sharing experience is sub-optimal. Seems the external user can only see site & files. Can't see conversations or calendar. Am I doing it wrong?
Feb 03 2017 04:10 AM
You are correct, external users can see only SPO resources and not EXO resources.
This is due to the strict licensing enforcement for EXO: external users by definition have no EXO licenses and therefore they cannot access EXO resources in the tenant.
On the other side, external users can access SPO resources in the tenant also if they have not SPO licenses: in other words, SPO licensing is substantially not enforced.
All this said, for external users that are mere "sharing targets" of SPO items this behaviour should be obvious: they can access only the SPO items that have been shared with them.
Unfortunately, though, also external members of Office 365 Groups (which can indeed acces all the SPO resources of the Group) cannot access the EXO resources of the Group (they can only receive email notifications for every message posted to the Group conversation area, to which they can also post by email).
(BTW, there are great news about B2B in AAD. Please see the following thread: https://techcommunity.microsoft.com/t5/Azure-Active-Directory-B2B/Azure-AD-B2B-New-updates-make-cros...)