External Sharing

I have a project site which I want to share with an external user. External Sharing is enabled at the site collection level and the new setting "External users must accept sharing invitations using the same account that the invitations were sent to" is disabled:

(screenshot: o365_external_sharing.png)

Now I share the site with the external user using his/her work email address firstname.lastname@company.com

The external user receives the invitation email at his/her work email address and clicks the link. He/she uses a (personal) Microsoft Account firstname.lastname@outlook.com to log in to the site and enters the username and password.

Then the external user gets the error "User is not found in the directory"

This article describes the issue but is somehow misleading when it says "if the user who accepts the invitation signs up by using an account other than the email address to which the invitation was sent, you may encounter an access denied message."

Does that mean that the external user has to log in with an MS account which has the same email address as the one the invitation was sent to? This all is a source of great confusion, and in large customer projects it adds high management overhead for us and for our clients/customers. Microsoft, make it simpler!

31 Replies

Check out the great whitepaper from 2ToLead on External Sharing: http://www.2tolead.com/whitepapers/

Yes, you are correct. The user has to log in using the email address to which the invitation was sent. From the security perspective, this is correct because only the user to whom the invite was sent can access it. If you want to allow the user to log in with any email address, then you have to opt for anonymous access, which is considered less secure.

I recommend first having a look at the sharing settings at the tenant level...just remember that what you configure at the tenant level is what rules the sharing stuff

I've been reading up on external sharing recently. If you have a lot of external sharing going on, have a look at Azure B2B Collaboration which allows you to manage it in a more controlled way using AAD.

Here's the recent Ignite demo and slide deck

https://techcommunity.microsoft.com/t5/Microsoft-Ignite-Content/BRK3108-Share-corporate-resources-wi...

Another short video

https://techcommunity.microsoft.com/t5/Azure-Active-Directory/How-to-simplify-external-resource-shar...

Learn all about the Azure AD B2B Collaboration Preview

https://blogs.technet.microsoft.com/enterprisemobility/2015/09/15/learn-all-about-the-azure-ad-b2b-c...

Here's another guide to sharing with SP Online using AAD

http://blog.ciaops.com/2015/11/using-azure-ad-b2b-sharing-with.html

Thanks,

But MS support articles say explicitly "An external user invitation doesn't require that it be accepted by the email address to which it was first sent. It is a one-time invite"

This article pretty clearly says that invitations can be forwarded and someone else can use another account:

"Only one person may log in to access your site or document using an invitation you send. However, the person who gets your invitation may decide to not use it, and instead forward the invitation to someone else who can then log in using their Microsoft account or work account to access the site or document."

https://support.office.com/en-us/article/Share-sites-or-documents-with-people-outside-your-organizat...

This is what bothers me now, because if I recall correctly, previously it worked in a way that you could send the invitation to any email address, and then the receiver could use one of his/her Microsoft Accounts (Office 365 from work, private outlook.com or private Office 365 account).

I might only know external user's work email address and share the site using that email. I cannot know if that email address is tied or not to any MS accounts.

I have checked the settings at the tenant level and everything works fine when sharing with other Office 365 tenants, and if I share a site with firstname.lastname@outlook.com and the user logs in with the MS account with the same email address. But it does not work if I share a site with firstname.lastname@work.com and the user logs in with an MS account that uses the email address firstname.lastname@outlook.com.

@Santhosh Balakrishnan - That's actually not correct -- the optional requirement that someone accepts an invitation with an account that has the same email address that it was sent to was something new added in 2015 (IIRC), but based on the screenshot, it looks like this tenant is configured to not enforce that requirement.

@Deleted Thanks for correcting. 

So basically it is possible to share a site with any email address, and then the email receiver chooses which Microsoft account he/she uses when logging in to the site? And this MS account which he/she uses does not have to be associated with the email address the invitation was sent to? Another way to phrase it: an invitation sent to identity A can be accepted by identity B?

This is how I have experienced it working. But still, some external users are getting this error while using https://support.microsoft.com/en-us/kb/3026478

I opened a support case with Microsoft support and first the support engineer told me that the sharing and the logging in need to be done with the same email address. This conflicts with the support articles.

I was doing some testing on this today.

I set up a new personal MS account for testing. I shared a site from my tenant with this email address (Andytest). Logged into Outlook.com and the invite email was there. Now I use several different browsers for different client O365 accounts and my own. So I opened IE11, logged into Outlook and clicked the link. Even though I hadn't logged into my tenant in this browser for several days, it brought me straight to the shared site, but I was logged in as my organisation account and not Andytest! I got no option to choose what account I wanted to log in with. I was straight in.

Not very useful. I ended up logging out from my tenant and re-sending the email invite. Then it worked by requesting which account I wanted to use and I logged in as Andytest.

Have a look here as Sharegate explains it more detail.

http://en.share-gate.com/blog/ultimate-guide-deal-with-office-365-external-sharing

Sorry Teemu! More confusion. A lot depends on whether they have any sort of MS or O365 account and if the browser they are using has already authenticated against another account.

I have encountered the same issue but with a small twist. I send the sharing invitation to a user's email; that user doesn't have an MS account, so it forces them to create one. Once the account is created they are taken directly to the shared FOLDER. However, if the user goes back to the sharing invitation and clicks the link, they no longer have access to the folder. The only way to grant them access again is to resend the invitation; then it will work over and over. But why do I need to send it twice after the account has been made? This makes no sense, since the MS account that was created is using the same email address the invite was originally sent to. Were you able to figure your situation out? Maybe if you found anything it would help me.

The first sharing invitation for external users is a special one-time use link.  It allows the user to associate the invitation with any user account they wish (unless the Office 365 Tenant is configured to require the email addresses match).

I think that second link that you are sending isn't the special one time use, it's merely a link to the document since that user account already has access to the file.

That would explain the behavior you're seeing.

I can't believe how convoluted this is. Clients and consultants are going to be very unhappy with us if they can't just see the file when they click the link.

I just want to send files with "View Only" privileges like with Google Drive.

They should be able to click the link and view the file and download it if they want. They are not going to want to log in to anything just to see the file/folder.

Is there any way around this?

If you don't want to require login then don't. You can send a guest link that they can use to view individual documents on your site anonymously (unless that's disabled in the collection/tenant).

@Reuben

If I understand correctly what you want, you could use a read-only anonymous link: no invite, no need to authenticate, immediate access.

Be aware that, of course, an anonymous link, not requiring authentication, can be forwarded by the recipient to anybody else.

@Teemu Strand

Have you instructed the recipient to use a browser InPrivate session?

Many problems are due to the invite being accepted behind the scenes with a different user.

In any case, I am sure that @Stephen Rice can help here. ;)

Oof, it's threads like this that make me really sad!

Let me start off by describing how this all is supposed to work. External sharing continues to be a huge focus for us so it's possible that there is documentation or support resources that are not as up to date as they need to be. We're working on overhauling a lot of this behind the scenes but it's never as fast as we'd like. 

For this example, let's pretend that I am a member of Contoso and I am sharing to Eugene, who is a member of Fabrikam. No one at Contoso has ever shared with Eugene prior to this.

When I share a resource to Eugene, we send an e-mail containing an external sharing invitation link. This is a one time use link that will grant Eugene access to the content. When Eugene clicks on the link, he is given an option to choose how he wants to authenticate. He can choose to use an O365 account, an existing Microsoft account (MSA), or he can create a new MSA from scratch. Unless the "require invited account match accepted account" feature is enabled, Eugene can choose any of these options to authenticate. Let's say he chooses to log in with his MSA. In that case, he is redirected to the MSA sign-in page where he authenticates, and is then redirected back to the Contoso tenant. At that point, we create a stub account in the Contoso directory (that is set up to use his actual MSA as authentication) and then direct him to the document which he can now access. Subsequent shares to Eugene just permission his Contoso stub account directly.

Now, @Teemu Strand, it sounds like you are seeing access denied errors in the scenario above. In this case, is the MSA account configured as an EASI ID? This is the case where I own the domain contoso.com and create an MSA as Stephen@Contoso.com instead of Stephen@outlook.com. There are some weird edge cases where things may break if contoso.com is registered as both a Microsoft account and as an O365 account. 

There's another wrinkle on the example flow as well. If you are already signed into your MSA or O365 account, when you get asked to choose an account, the system will detect that you are already logged in and redeem the invitation immediately (instead of checking to see what account you want to use). 

I think that covers all the questions that came up in the thread but feel free to ask more if this doesn't make sense. The other thing that I can tell you is that even at Microsoft, we know that everything I just described to you is far more complicated than we would prefer it to be. As I said at the top, improving external sharing is one of our main focuses right now and we're working towards what I am going to call Good Things. We'll have more to share in the future! Thanks!

Stephen Rice

OneDrive Program Manager II
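The flow Stephen describes above (a one-time invitation link, redeemed by whichever account happens to be signed in, which then becomes a stub account in the sharing tenant) and Mike's point that only the first link is the one-time-use one can both be checked from the admin side. The script below is an added example and not code from the thread or from Microsoft: it uses the SharePoint Online Management Shell to read the tenant and site collection sharing settings, then lists external users whose accepted identity differs from the identity that was invited, which is exactly the "invitation sent to identity A accepted by identity B" case debated above. The tenant name contoso, the site URL and the function name Get-MismatchedExternalUsers are assumptions for illustration.

```powershell
# Added example (not from the thread): audit external-sharing settings and
# compare invited vs. accepted identities with the SharePoint Online Management Shell.
# Requires: Install-Module Microsoft.Online.SharePoint.PowerShell
# The tenant name and site URL below are assumptions; adjust both.

$AdminUrl = 'https://contoso-admin.sharepoint.com'           # assumption
$SiteUrl  = 'https://contoso.sharepoint.com/sites/project'   # assumption

Connect-SPOService -Url $AdminUrl

# 1. Tenant-level settings rule everything below them (as Juan Carlos notes above).
#    RequireAcceptingAccountMatchInvitedAccount is the setting shown in the opening screenshot.
Get-SPOTenant | Select-Object SharingCapability,
                              RequireAcceptingAccountMatchInvitedAccount,
                              SharingDomainRestrictionMode,
                              SharingAllowedDomainList

# 2. Site collection setting; it can only be as permissive as the tenant allows.
Get-SPOSite -Identity $SiteUrl | Select-Object Url, SharingCapability

# 3. Guests who redeemed an invitation with a different identity than the one invited.
#    Get-SPOExternalUser returns at most 50 results per call, so walk the pages.
function Get-MismatchedExternalUsers {
    param([string]$Url)
    $position = 0
    $pageSize = 50
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $Url -Position $position -PageSize $pageSize)
        foreach ($u in $page) {
            if ($u.InvitedAs -and $u.AcceptedAs -and
                $u.InvitedAs.ToLower() -ne $u.AcceptedAs.ToLower()) {
                [pscustomobject]@{
                    InvitedAs   = $u.InvitedAs     # address the invitation e-mail went to
                    AcceptedAs  = $u.AcceptedAs    # account that actually redeemed it
                    InvitedBy   = $u.InvitedBy
                    WhenCreated = $u.WhenCreated   # when the stub account was created
                    UniqueId    = $u.UniqueId      # needed for Remove-SPOExternalUser
                }
            }
        }
        $position += $pageSize
    } while ($page.Count -eq $pageSize)
}

Get-MismatchedExternalUsers -Url $SiteUrl | Format-Table -AutoSize

# 4. To close the gap going forward, require the accepting account to match the invited one.
#    Existing stub accounts are not affected; revoke one with
#    Remove-SPOExternalUser -UniqueIDs <UniqueId> and re-share if needed.
# Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
```

Step 3 is the check to run when a user reports "User is not found in the directory" after accepting with a personal MSA: if the invited work address already has a stub account that was redeemed by a different identity, the second click on the invitation link is no longer a one-time redemption but a plain link to content the signed-in account does not hold permissions on, which matches the behaviour Mike describes. Get-SPOExternalUser also accepts a -ShowOnlyUsersWithAcceptingAccountNotMatchInvitedAccount switch that applies the same filter server-side; the explicit comparison is kept here so the fields being compared are visible.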

Salvatore: That is exactly what I am looking for. Personally I think the security aspect is overrated since someone could just download the file and send it out anyway - at least this way we could kill the link if we ever wanted to (at least I assume you can kill the link like with Google Drive).

@Stephen Rice it would be awesome if you guys could clean this external sharing process up. No one externally should have to sign in to see a file unless we want them to. 

External users will not buy in to our SharePoint process unless they can just click a link and see what you are sending them. If you email someone a file attachment they don't have to sign in. When they see a login screen they automatically assume they don't have access, which creates a string of emails back and forth where we become a broken record of "tech support" for this person while trying to convince them to use the system. Most users have given up and just send the files as attachments after downloading them from our system, which really kills our SharePoint usage.