Sharing files with authenticated external users

James Breton
Occasional Contributor

Hi, I'm looking into how to share files from SharePoint and/or OneDrive (Office 365 EMS E3 account) with authenticated external users. In this case the user has a Gmail account, but ideally would like to be able to arbitrarily "trust" certain domains to handle authentication in the remote IdP so that there's no additional work for the 3rd party user to do as long as they are signed into their 3rd party account.

From this article and the others in the series: https://alpeshnakar.com/invite-external-user-to-office-365-via-sharepoint-online/

It looks like this is possible as long as the user has a Google business account. If so, is there any more configuration for me to do on the AAD side, or does AAD implicitly trust Google as an authentication service? Furthermore, what if I wanted to trust some other 3rd party authenticator (IdP), such as an organization who used Okta, or iCloud, or some other cloud IdP? There has to be some way to tell AAD which IdPs to trust and for which domains, but I can't find it anyplace. Is there such a thing, or does AAD only trust the big IdPs and you can't change it?

Thanks.

2 Replies
Hi, thank you for the response -- however that's not quite what I'm looking for. One of those articles states "external user should own Microsoft account (such as Outlook.com or Live.com) or Office 365 account for sign-in process at least. For the gmail or yahoo users, as a workaround, you can consider signing up a Microsoft account with the gmail or yahoo email address" -- which means the intended guest user still needs to create himself a Microsoft account. The other article discusses using your AAD identity to sign into Google services, which is the opposite of what I'm trying to do -- have a Google user sign into our AAD tenant.

I'm looking for a way for our AAD tenant to trust Google authentication to validate the user's identity, much the way SAML SSO services trust MS AAD identity assertions. In other words, I want the incoming guest user to provide an assertion that states "Google have verified my identity as joeuser@gmail.com," and then we trust that assertion.

All of this is technically possible at a fundamental level, I just don't know how to make it work with AAD -- unless you just can't do this because the interface to configure it isn't implemented.