Sep 27 2021 02:49 AM - last edited on Jan 14 2022 04:44 PM by TechCommunityAP
Hi!
I have some scenarios I'd love your input on:
Configuration 1:
- Whitelisting/allow list used in Azure AD
- SPO and OD Azure AD B2B integration activated (and OTP)
- SharePoint/OneDrive external sharing settings set to New and Existing guests
Question:
- Will this setup block sharing from SPO and OD with any external not included in the whitelist, since the integration will try to add the recipient to AAD as a guest?
Configuration 2:
- Whitelisting/allow list used in Azure AD
- SPO and OD Azure AD B2B integration and OTP disabled
- SharePoint/OneDrive external sharing settings set to New and Existing guests
Questions:
- Will the whitelist not prevent sharing with any externals, since SPO and OD will still be using the old ad-hoc external sharing solution?
- Is this the only possible setup if you want whitelisting on guest access but don't want to limit external sharing from OD and SPO using the "Specific people" option?
Sep 27 2021 04:57 AM - edited Sep 27 2021 05:28 AM
@Ellefs1 Hello, I hate and love these questions 🙂
Not doing any testing so just replying how I think it will work.
Config 1: I believe you're right. When opting in for AAD B2B SPO/OD integration you'll leave ad-hoc external SharePoint sharing, so all external users will be added as guest users during the sharing process. So, for example, when I start to enter the verification code with a new user, in the next prompt I have to agree to join the resource organization and have my guest account created. That should be a no-go if not being allowed.
Config 2: You can control the "sharing prompt" as I understand you already do for the Anyone links. The "Specific people" option will create a secure direct sharing link that will bypass the whitelist in AAD, and the SharePoint external sharing settings will apply. Ad-hoc external sharing doesn't get verified by AAD CA access policies.
I must recommend using sensitivity labels instead of trying to adjust permissions by using legacy sharing permissions or AAD B2B integration. So opt in to the latter, as that's the way going forward, and then set up guest access to 'containers' (groups, sites, teams) using sensitivity labels.
To the left you have more info about them as well.
Btw, if using MCAS you can be very granular combining filters etc.
Sep 27 2021 12:24 PM
Hi @ChristianJBergstrom. Haha, I can understand the love/hate feelings towards these types of questions. Appreciate you taking the time to provide your thoughts.
I'm aware of how we can use sensitivity labels on containers to control guest access (among other things). But one thing is controlling which teams/sites will allow guests; another thing is controlling who can be invited in the first place. If an organization can control which domains they allow their employees to invite external users from by using whitelisting, along with the rest of "Configuration 2", would you say that is a troublesome setup? I understand the limitations of the SP ad-hoc external recipient solution (no CA etc.) and of course the possibility of end users being blocked from adding certain users. What would be the other downsides, if any?
Sep 27 2021 12:52 PM - edited Oct 01 2021 12:35 AM
Hello again, I thought you'd settle for the previous one! Just kidding. I kind of understood you are aware of the options as how the initial question was asked, but had to put it out there.
@Ellefs1 Doing an edit here because when opting in using AADB2B integration it doesn't take precedence (as previously said), but rather invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B the AAD list works independently from the OneDrive for Business and SharePoint Online allow/block list.
So, now it feels better 🙂
Oct 01 2021 12:52 AM
"Doing an edit here because when opting in using AADB2B integration it doesn't take precedence (as previously said), but rather invitations in SharePoint are also subject to any domain restrictions configured in Azure AD. In other words, when not using AADB2B the AAD list works independently from the OneDrive for Business and SharePoint Online allow/block list."
Yes, this is aligned with my tests as well (I think). To be sure, this is how I experienced it without AADB2B integration:
- Guest Access to Teams and SharePoint will be controlled by the whitelist in AAD
- External Sharing will not be. So with SharePoint/OneDrive External sharing set to "New and existing guests" you can share any file/folder with any external using the "Specific people" option
This is at least what I experienced within my sandbox.
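The behaviour the thread settles on (with the Azure AD B2B integration on, the Azure AD allow/block list gates SharePoint/OneDrive invitations; with it off, only SharePoint's own domain restriction, if any, applies) can be checked rather than remembered. The script below is an added example and not part of any post above. It assumes the SharePoint Online Management Shell (Connect-SPOService) and the AzureAD module (Connect-AzureAD) are loaded and already connected; the function names and the sample values in the usage block are hypothetical.

```powershell
# Added example (not from the thread). Pure decision function first, so it can be
# exercised with hand-typed values; the live wrapper below feeds it real tenant data.

function Resolve-ExternalSharingGate {
    param(
        [Parameter(Mandatory)] [string]   $RecipientDomain,
        [Parameter(Mandatory)] [string]   $SharingCapability,          # Get-SPOTenant: Disabled | ExistingExternalUserSharingOnly | ExternalUserSharingOnly | ExternalUserAndGuestSharing
        [Parameter(Mandatory)] [bool]     $EnableAzureADB2BIntegration,
        [string]   $SharingDomainRestrictionMode = 'None',             # Get-SPOTenant: None | AllowList | BlockList
        [string[]] $SpoAllowedDomains = @(),
        [string[]] $SpoBlockedDomains = @(),
        [string[]] $AadAllowedDomains = @(),                            # Azure AD B2BManagementPolicy
        [string[]] $AadBlockedDomains = @()
    )

    # Tenant-level external sharing off, or limited to guests already in the directory:
    # a brand-new external cannot be invited through a share at all.
    if ($SharingCapability -in 'Disabled', 'ExistingExternalUserSharingOnly') {
        return [pscustomobject]@{ Gate = 'SPO SharingCapability'; Allowed = $false }
    }

    if ($EnableAzureADB2BIntegration) {
        # Configuration 1: the share creates a guest, so the Azure AD list is enforced.
        $allowed = $true
        if ($AadAllowedDomains.Count -gt 0) { $allowed = $AadAllowedDomains -contains $RecipientDomain }
        if ($AadBlockedDomains -contains $RecipientDomain) { $allowed = $false }
        return [pscustomobject]@{ Gate = 'Azure AD B2B allow/block list'; Allowed = $allowed }
    }

    # Configuration 2: ad-hoc external sharing; the Azure AD list is not consulted.
    switch ($SharingDomainRestrictionMode) {
        'AllowList' { return [pscustomobject]@{ Gate = 'SPO SharingAllowedDomainList'; Allowed = ($SpoAllowedDomains -contains $RecipientDomain) } }
        'BlockList' { return [pscustomobject]@{ Gate = 'SPO SharingBlockedDomainList'; Allowed = -not ($SpoBlockedDomains -contains $RecipientDomain) } }
        default     { return [pscustomobject]@{ Gate = 'None (SPO domain restriction off; AAD list bypassed)'; Allowed = $true } }
    }
}

function Get-ExternalSharingGate {
    # Live wrapper: reads the SPO tenant settings and the Azure AD B2B policy.
    param([Parameter(Mandatory)] [string] $RecipientDomain)

    $spo = Get-SPOTenant

    # The Azure AD allow/block list is stored as JSON in the B2BManagementPolicy definition.
    $aadAllowed = @(); $aadBlocked = @()
    $policy = Get-AzureADPolicy | Where-Object { $_.Type -eq 'B2BManagementPolicy' }
    if ($policy) {
        $domains = ($policy.Definition | ConvertFrom-Json).B2BManagementPolicy.InvitationsAllowedAndBlockedDomainsPolicy
        $aadAllowed = @($domains.AllowedDomains)
        $aadBlocked = @($domains.BlockedDomains)
    }

    # SPO stores its own domain lists as space-separated strings.
    Resolve-ExternalSharingGate -RecipientDomain $RecipientDomain `
        -SharingCapability $spo.SharingCapability.ToString() `
        -EnableAzureADB2BIntegration ([bool]$spo.EnableAzureADB2BIntegration) `
        -SharingDomainRestrictionMode $spo.SharingDomainRestrictionMode.ToString() `
        -SpoAllowedDomains @($spo.SharingAllowedDomainList -split '\s+' | Where-Object { $_ }) `
        -SpoBlockedDomains @($spo.SharingBlockedDomainList -split '\s+' | Where-Object { $_ }) `
        -AadAllowedDomains $aadAllowed -AadBlockedDomains $aadBlocked
}

# Hypothetical values reproducing the two configurations from the thread.
# Configuration 1: "New and existing guests", B2B integration on, AAD allow list = contoso.com
Resolve-ExternalSharingGate -RecipientDomain 'fabrikam.com' -SharingCapability 'ExternalUserSharingOnly' `
    -EnableAzureADB2BIntegration $true -AadAllowedDomains @('contoso.com')
# -> Gate: Azure AD B2B allow/block list, Allowed: False

# Configuration 2: same, but B2B integration off and no SPO domain restriction
Resolve-ExternalSharingGate -RecipientDomain 'fabrikam.com' -SharingCapability 'ExternalUserSharingOnly' `
    -EnableAzureADB2BIntegration $false -AadAllowedDomains @('contoso.com')
# -> Gate: None (SPO domain restriction off; AAD list bypassed), Allowed: True
```

The point of the pure function is the Configuration 2 branch: the Azure AD list is passed in but never read, which is exactly the gap the thread describes. If you want the whitelist enforced on ad-hoc "Specific people" shares without turning on the B2B integration, the same domains have to be set on the SharePoint side (Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "..."), and then kept in step with the Azure AD list by hand.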