Unlicensed Office 365 Users

%3CLINGO-SUB%20id%3D%22lingo-sub-63627%22%20slang%3D%22en-US%22%3EUnlicensed%20Office%20365%20Users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63627%22%20slang%3D%22en-US%22%3E%3CP%3ECreating%20a%20Microsoft%20Account%20for%20external%20users%20to%20access%20our%20SharePoint%20Online%20service%20has%20a%20tendency%20to%20fail%20to%20give%20them%20access%20for%20one%20reason%20or%20another%2C%20forcing%20me%20to%20create%20all%20of%20the%20external%20Microsoft%20Accounts%20myself%20(and%20create%20an%20email%20forwarding%20rule%20to%20their%20personal%20email%20accounts%20in%20outlook.com).%20It%20gets%20very%20tedious%20after%20a%20while%20creating%20the%20account%2C%20then%20verifying%20it%20in%20order%20to%20create%20a%20forward%20rule%20to%20external%20user's%20personal%20accounts%2C%20then%20making%20sure%20they%20can%20access%20SharePoint%20without%20the%20access-deny%20issue%20by%20opening%20IE%20in%20InPrivate%20mode.%20Then%20there's%20this%20warning%20after%20making%20so%20many%20accounts%20that%20you%20cannot%20verify%20any%20more%20accounts%20for%2030%20days.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThen%20I%20discovered%20this%20week%20it%20doesn't%20have%20to%20be%20this%20difficult.%20Creating%20an%20external%20user%20simply%20entails%20making%20a%20normal%20user%20in%20Office%20365%20admin%20portal%20without%20assigning%20any%20license%20to%20them.%20Sounds%20super%20easy%20enough%2C%20but%20there's%20two%20things%20I%20need%20to%20know%20before%20I%20start%20doing%20this%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20is%20there%20a%20way%20to%20keep%20them%20out%20of%20the%20Everybody%20and%20the%20Everybody%20Except%20External%20Users%20groups%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20is%20there%20a%20way%20to%20create%20rule%20or%20adjust%20their%20profile%20so%20that%20alerts%20will%20go%20to%20their%20personal%20email%20account%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-63627%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-252807%22%20slang%3D%22en-US%22%3ERe%3A%20Unlicensed%20Office%20365%20Users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-252807%22%20slang%3D%22en-US%22%3E%3CP%3EThanks!%26nbsp%3B%20One%20heck%20of%20a%20headache!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-64188%22%20slang%3D%22en-US%22%3ERe%3A%20Unlicensed%20Office%20365%20Users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-64188%22%20slang%3D%22en-US%22%3EI%20agree%20it's%20best%20not%20to%20use%20Everybody%20%26amp%3B%20Everybody%20Except%20External%20Users%20security%20groups%20in%20your%20scenario.%20A%20proven%20practice%20is%20to%20use%20security%20groups%20for%20access%20control.%20For%20example%20add%20these%20users%20to%20%22External%20Collaborators%22%20security%20group%20and%20use%20it.%20It%20will%20help%20make%20their%20access%20more%20visible.%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-63709%22%20slang%3D%22en-US%22%3ERe%3A%20Unlicensed%20Office%20365%20Users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63709%22%20slang%3D%22en-US%22%3E%3CP%3EMicrosoft%20replied%20to%20my%20support%20request%20in%20email%3A%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E1.%20Yes%20there's%20a%20way%20to%20allow%20SMTP%20forwarding%20for%20unlicensed%20users.%20Admin%20portal%20%26gt%3B%20SharePoint%20admin%20portal%20%26gt%3B%20User%20Profiles%20%26gt%3B%20Manage%20User%20Profile%20%26gt%3B%20search%20for%20the%20user%20%26gt%3B%20Edit%20My%20Profile%20%26gt%3B%20Work%20Email.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E2.%20There's%20no%20way%20to%20remove%20unlicensed%20users%20from%20Everybody%20and%20Everybody%20Except%20External%20User%2C%20however%2C%20you%20can%20simply%20just%20not%20use%20these%20two%20groups%20in%20your%20SharePoint%20sites%20at%20all.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-63708%22%20slang%3D%22en-US%22%3ERe%3A%20Unlicensed%20Office%20365%20Users%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-63708%22%20slang%3D%22en-US%22%3E%3CP%3EThat%20part%20of%20licensing%20has%20been%20shady%20for%20years%20now%2C%20but%20I%20wouldnt%20advise%20going%20this%20road%2C%26nbsp%3Bas%20Microsoft%20might%20start%20enforcing%20license%20requirements.%20Plus%2C%20I%20doubt%20during%20potential%20audit%20you%20will%20be%20able%20to%20convince%20them%20%22it%20was%20for%20external%20users%20only%22%20%3A)%3C%2Fimg%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
New Contributor

Creating a Microsoft Account for external users to access our SharePoint Online service has a tendency to fail to give them access for one reason or another, forcing me to create all of the external Microsoft Accounts myself (and create an email forwarding rule to their personal email accounts in outlook.com). It gets very tedious after a while creating the account, then verifying it in order to create a forward rule to external user's personal accounts, then making sure they can access SharePoint without the access-deny issue by opening IE in InPrivate mode. Then there's this warning after making so many accounts that you cannot verify any more accounts for 30 days.

 

Then I discovered this week it doesn't have to be this difficult. Creating an external user simply entails making a normal user in Office 365 admin portal without assigning any license to them. Sounds super easy enough, but there's two things I need to know before I start doing this:

 

1. is there a way to keep them out of the Everybody and the Everybody Except External Users groups?

 

2. is there a way to create rule or adjust their profile so that alerts will go to their personal email account?

4 Replies
Highlighted

That part of licensing has been shady for years now, but I wouldnt advise going this road, as Microsoft might start enforcing license requirements. Plus, I doubt during potential audit you will be able to convince them "it was for external users only" :)

Highlighted

Microsoft replied to my support request in email:

 

1. Yes there's a way to allow SMTP forwarding for unlicensed users. Admin portal > SharePoint admin portal > User Profiles > Manage User Profile > search for the user > Edit My Profile > Work Email.

 

2. There's no way to remove unlicensed users from Everybody and Everybody Except External User, however, you can simply just not use these two groups in your SharePoint sites at all.

Highlighted
I agree it's best not to use Everybody & Everybody Except External Users security groups in your scenario. A proven practice is to use security groups for access control. For example add these users to "External Collaborators" security group and use it. It will help make their access more visible.
Highlighted

Thanks!  One heck of a headache!