
Sharing to an external Office 365 Group


Came across an interesting scenario today and wanted to get this group's opinion (and perhaps yours @Christophe Fiessinger)


The relevant configuration items:  We have external sharing requiring authentication (no anonymous guest links) turned on in our tenant, and our allow/whitelist configured for a very small number of external domains.  We also have Set-SPOTenant RequireAcceptingAccountMatchInvitedAccount set to True (https://technet.microsoft.com/en-us/library/fp161390.aspx), requiring external invitations be accepted by only the email address to which they were sent.


The scenario:  If a user wants to share a file via SharePoint Online/OneDrive for Business with an external Office 365 Group, I don't believe this will work properly with our current setup.  A user would want to do this to provide permissions to files to this external Office 365 Group that they trust in an automated fashion even as members of this external Office 365 Group join and leave over time.


I realize we could probably change our settings and/or reduce our security posture to enable this scenario, but chances of our security team allowing that are basically nonexistent.  This would also technically not be granting permissions to just the members of this external Group, but instead allowing anyone who got the link to the file to access it.


Also, to be clear, I'm not asking for full blown cross-tenant federation.  Although I would gladly accept it if offered. :)

Mmm... the main issue here is the concept of "External Office 365 Group". I don't see how this scenario can be supported in any way. I only see that you could share information with the Group e-mail, but then when the group receives the invitation, group members are not going to be able to sign in.
Office 365 Groups are internal only ... at the moment!
So I'm guessing what you are referring to as an External Office 365 Group, is really a group that's on a different Office 365 tenant (and so external to you).
Let's say that an Office 365 Group is an Azure AD object, and I don't see how it could be used in another Office 365 tenant...
Solution (best response confirmed by Jeff Medford, Community Manager)

There's a specific Guest feature coming for Groups.  Guests are invited and must confirm with matching account.


On http://fasttrack.microsoft.com/roadmap, searching for "guest", under In development:

"Guest access support will enable teams using Office 365 Groups to easily collaborate with external team members (members that are not part of their organization/tenant). Guest users will have access to all of the groups assets: inbox, files, calendar and notebook. We'll introduce a number of administration controls to help you manage guests in Groups."

But we are talking here about "Groups guest"... is this the feature you are thinking about?

Thanks for all the replies everyone!


Really looking forward to the guest features coming to Office 365 Groups, but that isn't quite the use case I was referring to in the original post.


I want to share a file via the Office 365 external sharing mechanism with an external Office 365 Group - A Group that exists in a completely separate tenant.  I want to do this to take advantage of automated permissions based on Group membership, as well as all the collaboration features that come with the sharing mechanism in Office 365 (co-authoring, version control, permissions control, etc etc) as compared to simply attaching a file to an email.


I understand all the technical reasons why this doesn't work currently, but as more and more separate companies that may be partners onboard to Office 365 this could become a powerful feature to help ease EXTERNAL collaboration with dynamic groups of people instead of just individuals.

I see.  You want to keep the file in your tenant and share to people in another tenant by specifying only a Group that is controlled by the other tenant.  If that tenant changes the Group's membership, you want the updated list of members to be who can access the file in your tenant.


The Guests feature will let you put the file in a Group in your tenant and specifically list individuals (by email address) in the other tenant.  If the list of people in the other tenant changes, you have to edit the membership in your Group.


Or, the Guests feature will also let the other tenant create a Group and add you as the guest.  Then you can add the file to their Group and they can change the Group's membership (and thus permissions to the file).  You still have an independent copy of the file in your tenant.


Does either Guest scenario work for you?  I can get feedback to the engineering team if you need the summary of what I think you're asking.

Thanks @Jim Knibb, I think we're on the same page.  I want to retain control of the file and ensure that only one version exists for version control purposes, but I want to move permissions control of this file's external users from a certain domain to the admin of an Office 365 Group in that external domain that I trust.  


As an example, say I'd hired a consulting firm to work on some assets of mine and expect the project to last for a long enough period of time that I expect quite a bit of staff churn.  I'd rather not store my assets on their infrastructure/tenant, but I trust their leadership to only permission the proper people to view/edit all the associated files.  Being able to share to an external Office 365 Group allows them to move staff around as needed without involving me or my team at all.  The right people can get the right access quickly and efficiently, while the assets/files stay controlled and protected in my tenant.  I can turn off access at any time to this external group if I wish without having to individually remove people or stop sharing completely which would break access to my own internal people who were shared with.


Your 1st option takes away the automation of the external permissions that Groups would offer.


Your 2nd option moves the file to the external Group's tenant, which is less secure from an intellectual property perspective (they now have my files, how do I know what they are doing with them or where they are going when our engagement ends?).  This option could also cause some version conflicts as the files would exist in two places simultaneously.


Probably more of a niche case for now, but the automated aspect and usage of the powerful collaboration features that Office 365 offers are very appealing.


Cross-tenant federation, if that ever becomes a thing, would actually solve this I believe, but I would need to trust this external partner very much in order to fully federate with them.  Instead of one Group getting access to some files, their tenant and my tenant would see each other's users as the same and allow access to anything as long as proper permissions were granted.

The interesting thing is whether an external group can be a guest user in the way that an individual is. As I understand the situation, a guest user is identified by an email address. An Office 365 Group in an external tenant has an email address. Therefore, it should be possible to create a guest user to point to that Office 365 Group and share with them. Wouldn't that solve the problem?


TR

Exactly what I thought as well @Tony Redmond , but it doesn't work if you have Set-SPOTenant RequireAcceptingAccountMatchInvitedAccount set to True, since no one member of the group can take action on the invitation link as if they were the group itself in order to accept it and have the permission officially granted.  The permission is not actually granted until authentication has happened.


We could set that parameter to False of course, but then we are less secure as anyone who got hold of that link would be able to accept the invitation even with a simple and free Microsoft Account.
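The three tenant settings this thread turns on (authenticated-only external sharing, the domain allow list from the original post, and RequireAcceptingAccountMatchInvitedAccount from the reply above) can be audited together from the SharePoint Online Management Shell. The script below is an added example and is not part of the original thread; the admin URL and the partner domains are placeholders you replace with your own values, and it only changes settings when run with -Remediate.

```powershell
# Added example, not from the original thread. Assumes the SharePoint Online
# Management Shell module is installed. $AdminUrl and $AllowedDomains are
# placeholder assumptions; replace them with your tenant's values.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',             # assumption: placeholder
    [string[]]$AllowedDomains = @('partner1.example', 'partner2.example'), # assumption: placeholders
    [switch]$Remediate
)

Connect-SPOService -Url $AdminUrl
$tenant = Get-SPOTenant

# The posture described in the thread, expressed as expected Get-SPOTenant values.
$expected = [ordered]@{
    SharingCapability                          = 'ExternalUserSharingOnly' # authenticated guests only, no anonymous links
    SharingDomainRestrictionMode               = 'AllowList'               # whitelist mode
    RequireAcceptingAccountMatchInvitedAccount = $true                     # invitation redeemable only by the invited address
}

$drift = @()
foreach ($name in $expected.Keys) {
    $actual = $tenant.$name
    if ("$actual" -ne "$($expected[$name])") {
        $drift += [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $actual }
    }
}

# SharingAllowedDomainList is a single space-separated string; compare it as a set
# so that an extra or missing partner domain is reported, not just a reordering.
$actualDomains = @()
if ($tenant.SharingAllowedDomainList) {
    $actualDomains = $tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ }
}
$unexpected = $actualDomains | Where-Object { $_ -notin $AllowedDomains }
$missing    = $AllowedDomains | Where-Object { $_ -notin $actualDomains }
if ($unexpected -or $missing) {
    $drift += [pscustomobject]@{
        Setting  = 'SharingAllowedDomainList'
        Expected = ($AllowedDomains -join ' ')
        Actual   = ($actualDomains -join ' ')
    }
}

if (-not $drift) {
    Write-Host 'Tenant external sharing settings match the expected posture.'
    return
}

# Report every setting that has drifted from the expected posture.
$drift | Format-Table -AutoSize

if ($Remediate) {
    # Re-apply the restrictive posture in one call.
    Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
                  -SharingDomainRestrictionMode AllowList `
                  -SharingAllowedDomainList ($AllowedDomains -join ' ') `
                  -RequireAcceptingAccountMatchInvitedAccount $true
    Write-Host 'Settings re-applied.'
}
```

Run it without -Remediate first to see the drift table; the RequireAcceptingAccountMatchInvitedAccount row is the one that matters for the concern in this reply, since a tenant where it reads False lets any account that obtains the invitation link redeem it.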

While investigating this topic, I came across this Microsoft article that seems to indicate it is possible to share externally.  Am I interpreting this incorrectly, or maybe the article is meant for the future release of the feature?


https://support.office.com/en-us/article/Guest-access-in-Office-365-Groups-bfc7a840-868f-4fd6-a390-f...


Eric, while the documentation is live, the feature has not been rolled out yet, but it should be imminently, in early September. Expect a blog post on the Office blog and a message center announcement within your tenant once the rollout starts, so thanks for your patience and please stay tuned.

Announced today: Introducing guest access for Office 365 Groups https://blogs.office.com/2016/09/08/introducing-guest-access-for-office-365-groups/