Different External Sharing Settings for different sets of users (allow for many, restrict for some)


I've seen some similar posts and done a lot of research but am as yet unable to ascertain if there is a way to do this, so I'm posting the question in case I'm missing something.


We are a large org, with circa 40000 M365 users (basically staff and students) and currently have external sharing set to be only allowed by domain whitelist (SharePoint top-level Allow list). Students have only recently been onboarded (same tenant but with subdomain) and we want to allow them to share unrestricted via OneDrive but maintain restrictions for staff (control via domain whitelist).


My current understanding is that there seems to be no way to have a top-level SharePoint setting of restrict by domain and then have anything lower than that less restrictive - i.e. OneDrive cannot be less restrictive. So the approach would have to be to allow globally at the top-level SP setting, which the students would inherit, and then individually apply more restrictive settings for the staff on a per-user basis.


I can see how the above would technically work, but the reality is that it is unmanageable for 1000s of users when the settings seem to be applied using the PowerShell Set-SPOSite cmdlet on an individual user basis, and I can't see that it is possible to control at a Security Group level or even with batch processing; additionally, we will be adding / removing whitelist domains quite frequently, so the settings would have to be applied on a daily basis.


I've looked at Information Barriers for Teams for similar segregation reasons but not looked at IB for SharePoint & OneDrive in depth yet (will read some more today if I get a chance), but with a quick glance I can't see how those can be used for controlling external sharing anyway, so I don't think it will be a solution.


Any further suggestions or ideas are appreciated - open to any ideas; licensing is not likely to be an issue given we have E5 level. Utilizing scripted solutions, Azure Automation etc. is all perfectly acceptable if it can be applied within a reasonable timeframe each day.

This seems to be (another) big blind spot for use cases for large organizations - it seems crazy to assume that when you are dealing with 10s of thousands of users you wouldn't need more flexibility in an easier-to-administer way.
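The per-user approach the post describes (permissive tenant baseline that students inherit, tighter domain allow list applied to each staff OneDrive with Set-SPOSite) can be driven from a security group rather than by hand. The script below is an added example written for this thread, not code from the original post or from Microsoft; it assumes the SharePoint Online Management Shell and Microsoft.Graph.Groups modules are installed, that the admin URL, the staff group object id and the `allowed-domains.txt` file are placeholders you replace, and that it runs under an account (or Azure Automation identity) that can connect to both services.

```powershell
# Added example (not from the original post): daily reconciliation of per-user
# OneDrive external-sharing settings for members of a "staff" security group.
# Placeholders (replace before use): $AdminUrl, $StaffGroupId, allowed-domains.txt
# Requires modules: Microsoft.Online.SharePoint.PowerShell, Microsoft.Graph.Groups

$AdminUrl       = "https://<tenant>-admin.sharepoint.com"    # placeholder
$StaffGroupId   = "<staff-security-group-object-id>"         # placeholder
$AllowedDomains = Get-Content ".\allowed-domains.txt"         # assumed file, one domain per line

# Set-SPOSite expects the allow list as a single space-separated string.
$AllowListString = (($AllowedDomains | ForEach-Object { $_.Trim().ToLower() } |
                     Where-Object { $_ }) -join " ")

Connect-SPOService -Url $AdminUrl
Connect-MgGraph -Scopes "GroupMember.Read.All","User.Read.All"

# Tenant baseline (run once, not daily): the permissive setting students inherit.
# A site can never be LESS restrictive than this, only more restrictive.
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -SharingDomainRestrictionMode None

# Resolve staff UPNs from the group; transitive membership covers nested groups.
# Group members that are not users carry no userPrincipalName and are skipped.
$staffUpns = Get-MgGroupTransitiveMember -GroupId $StaffGroupId -All |
    Where-Object { $_.AdditionalProperties.userPrincipalName } |
    ForEach-Object { $_.AdditionalProperties.userPrincipalName.ToLower() }
$staffSet = [System.Collections.Generic.HashSet[string]]::new([string[]]@($staffUpns))

# Enumerate OneDrive (personal) sites so each can be matched to its owner.
$personalSites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$updated = 0
foreach ($site in $personalSites) {
    $owner = ([string]$site.Owner).ToLower()
    if (-not $staffSet.Contains($owner)) { continue }   # students keep the tenant default

    # Re-read with -Detailed so the sharing properties are populated for comparison.
    $current = Get-SPOSite -Identity $site.Url -Detailed
    $needsUpdate = ($current.SharingCapability -ne 'ExternalUserAndGuestSharing') -or
                   ($current.SharingDomainRestrictionMode -ne 'AllowList') -or
                   ($current.SharingAllowedDomainList -ne $AllowListString)

    if ($needsUpdate) {
        # Tighten only this site: same capability as the tenant, but restricted to the allow list.
        Set-SPOSite -Identity $site.Url `
            -SharingCapability ExternalUserAndGuestSharing `
            -SharingDomainRestrictionMode AllowList `
            -SharingAllowedDomainList $AllowListString
        $updated++
        Write-Output "Updated $($site.Url)"
    }
}
Write-Output "Staff OneDrive sites reconciled: $updated changed"
```

Because the loop only writes when a site's current values differ from the desired state, re-running it daily (for example from an Azure Automation runbook, as the post suggests) picks up both newly provisioned staff OneDrives and any change to the domain list without touching sites that are already correct; a OneDrive that has not yet been provisioned for a new staff member will not appear in the enumeration until its first use, so that user's site is tightened on the next run after provisioning.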


0 Replies