SOLVED

Shared Channel in a Team with external sharing turned off! HELP please!

Iron Contributor

Hi all - confusing conundrum which I'm not sure how best to solve!  Here's the overview:

  1. We've created a Shared Channel with external participants and they can join in conversations fine.
  2. However, they can't upload any docs or access the Shared Channel's SharePoint site.  They get a "That didn't work.  External Sharing is disabled" error.
  3. The parent Team's SharePoint site does indeed have external sharing turned off.
  4. When I go to the channel site (for the Shared Channel, in the SharePoint Admin Center) it says "This site can't be shared externally", but doesn't give me any options to turn it on!
  5. All Azure AD B2B direct connect settings are as they should be.

Does this mean that for shared channels to work, we have to turn on external sharing for the whole parent site???  This seems counter-intuitive from a security perspective as we've setup the shared channel so external people will only ever have the option of accessing that - we don't want any accidents where something elsewhere in the Team is shared with them!

... or am I missing something else?  I thought the external sharing settings above were only for Guest users, and external users in Shared Channels aren't treated as Guest users.

I really hope you can help me solve this puzzle!

16 Replies
Hi, you can't toggle to "only people in my organization" as direct connect users aren't in your organization.
Hi Christian - I'm not trying to set it to only people in my org. It's setup for us to work with external users in the shared channel - they can access the Posts tab, but not the Files tab.

How are you supposed to share files in the shared channels SharePoint library (Files tab) if your organization is not allowing external sharing? You have to look at both the org-wide settings and the site sharing settings in general. And then keep in mind that membership to the site owner and member groups are kept in sync with the membership of the shared channel. Site permissions for a shared channel site can't be managed independently through SharePoint.

 

Forgot this Shared channels in Microsoft Teams - Microsoft Teams | Microsoft Docs

Thanks Christian. I think we've hit on a few issues here:
1. If a shared channel requires the whole Team / SharePoint site to have external access turned on for it to work, why doesn't the system check and provide an alert if it's turned off when you're creating a shared channel (e.g. "You won't be able to share this shared channel externally as external sharing is turned off").

2. I read all of Microsoft's support documentation before testing Shared Channels and nowhere did I see anything about external sharing having to be turned on for the Team's SharePoint site.
3. I've tested and found that if you subsequently change the parent site to allow external sharing, the shared channel doesn't pick up the change so it will never be able to be shared externally.
4. The whole concept is confusing! The idea of shared channels is to be able to easily collaborate with external users in just one part of a Team. So having to turn on external sharing for the WHOLE Team, with the associated risk of accidental sharing information from other channels, is counterintuitive!

Not sure what you're doing but it ain't right. It's very straightforward to set up really. What I meant, when looking at SharePoint in general you have the org-wide settings in SharePoint admin (you drag the two up and down from Anyone to Only people in your org.) That's the overall sharing setting. Then you have the site settings themselves, as an example a Classic site always has the default sharing setting of Only people in my org and OneDrive have Anyone, a modern site has New and existing guest as default. Those are good to know about overall. And can be tricky to keep in mind, but one can always use sensitivity labels for containers to control that.

Now, I have in my org-wide setting in SharePoint admin for external sharing put it to the second least permissive option "Existing guests" and OneDrive is turned off for sharing externally. When I go to one of my Teams team with shared channels, still in SharePoint admin, I can select one of those and choose another sharing permission, so I changed it to "No external sharing allowed" for the entire group/site. In my shared channels in that team I can still share files and my direct connect external users can access the Files tab as well.

Again, site permissions for a shared channel site can't be managed independently through SharePoint.
I understand all of that thanks Christian, but my issue has occurred the other way around.

Global SP settings are fine with external sharing allowed. External sharing for the entire Team / SP site was turned off though (as the site wasn't previously required to be shared externally so a good way of protecting accidental shares).

We then needed to share just one channel externally so setup a Shared Channel. Had I known (i.e. had Microsoft included this requirement in any of their documentation) that external sharing needed to be enabled for the whole Team to share a single channel, I would have allowed external sharing in the SP Admin Center. However, this isn't documented so I setup the channel and had the issues.

I've now gone back and updated the external sharing settings at the site level, but the change hasn't replicated to the shared channel's site so it appears impossible to fix.

It would be interesting to know from your test - if you look at the external sharing policy for the shared channels, does it still show as external sharing allowed in the SP Admin Center? I'm guessing it does, as it hasn't picked up the change you made to the parent site. This is why your test is opposite to mine - you started with a parent site with external sharing turned on, whereas I started with it turned off.

This is going to be very confusing for administrators as is is counterintuitive to have to allow external sharing for a whole Team, just to share a single shared channel ... and it's not documented that this is a requirement.

Had to try it. Created a new Team site and added Teams to it. Changed site sharing level to "only in my org" and finally a shared channel. Can't share 🙂

So assuming they are counting on not restricting before shared channel setup.. Will try and ask someone in the Teams PG about it.

 

@OzOscroft Trying to get some answers here. Will update if I get any.

Thanks Christian, much appreciated. I think you're right that they're assuming that the whole site has external sharing turned on - the question is whether this is by design or because of an oversight. Either way, the requirement needs to be documented and ideally a check put in place to avoid other orgs facing the same issue. I'm hoping that they break the inheritance of the external sharing policy between the shared channel's site and the parent site, as by doing that we could fully share the shared channel, but ensure the rest of the Team stays fully internal.
best response confirmed by OzOscroft (Iron Contributor)
Solution

@OzOscroft Answer received.

 

"When a shared channel is created, that creates a new site collection that does a one-time copy of the parent site collection. The channel site sees that external sharing is disabled, and does the same. From that point on it is managed separately and not synced if the parent changes. The two options are to re-create the shared channel after sharing externally is enabled at the parent or use SPO PowerShell to turn on external sharing for the shared channel's site collection. 
 
Thanks for raising this to our attention, we will look at how best to document this behavior."
 
Just tried the second option above and it works great. You use this Set-SPOSite (Microsoft.Online.SharePoint.PowerShell) | Microsoft Docs with the -SharingCapability parameter.
Thanks so much Christian. They've confirmed the behaviour I've experienced and I hope they can provide more granular control in the future to allow the shared channel to be shared, but not the rest of the Team or parent site.

I'd read on another forum that people tried Powershell to change the setting and it didn't work for them, so it's great to hear you've tested and it works well.

Great community response to this - problem raised, issue confirmed and acknowledged, understanding shared!
Hi OzOscroft

I have seen the same UseCase if you are changing the setting over time and create a channel during that time. For me, I would expect, that the setting is inhered from the team, each time you change that as it is the parent identity (owner of sensitivity label). We also have an open case, but I think they have to add an option in sharepoint which enables or disables inheritance of this setting.

@OzOscroft Hello, stumbled across this scenario again but used a sensitivity label for container instead of manual change of the site-level setting. Worked great and thought you might want to know.

stumbled across the exact same issue. We selectively enable external sharing on site collections. When you create a shared channel where the Parent Team site collection is not externally shared, then you dont have an option to add external B2B Direct users to the shared channel. Even if you turn on external sharing for the shared channel site collection, "AllowAddGuests" for parent team is still false and therefore there is no option to add external members.
Life saver! Exactly my same situation and managed to get it around after setting up parent site and then re-create the shared channel. THANKS a LOT
Is there a delay after running the Set-SPOSite command? I executed this script with the ExternalUserSharingOnly option on an existing shared channel and still receive the error when trying to add external users several hours later.

Hi, same behaviour here, @OzOscroft do you know if running the command works? Thanks

1 best response

Accepted Solutions
best response confirmed by OzOscroft (Iron Contributor)
Solution

@OzOscroft Answer received.

 

"When a shared channel is created, that creates a new site collection that does a one-time copy of the parent site collection. The channel site sees that external sharing is disabled, and does the same. From that point on it is managed separately and not synced if the parent changes. The two options are to re-create the shared channel after sharing externally is enabled at the parent or use SPO PowerShell to turn on external sharing for the shared channel's site collection. 
 
Thanks for raising this to our attention, we will look at how best to document this behavior."
 
Just tried the second option above and it works great. You use this Set-SPOSite (Microsoft.Online.SharePoint.PowerShell) | Microsoft Docs with the -SharingCapability parameter.

View solution in original post