
guest expiration


Hello,

We would like to use https://support.microsoft.com/en-us/office/manage-guest-expiration-for-a-site-25bee24f-42ad-4ee8-840... 

but that option is missing on our site. 

Will it appear after we buy some Azure AD Premium licenses?

Does it work for folders, or for the whole site only? E.g. folder1 shared with user1 and user2; folder2 shared with user3 and user4.

Thank you

Jan

35 Replies

@JohnnySvob I had exactly the same question. I didn't find anything.

Not clear if it's related to that topic: https://docs.microsoft.com/en-us/azure/active-directory/governance/create-access-review (not yet implemented for us, so I couldn't tell).

@JohnnySvob 

It's configured in Azure, so it will be missing from your site until configured there. I get access to the screen under "Identity Management" in Azure, but I get a "No Access" message as I don't have Azure AD P2, which is needed by the user configuring the access review (as well as Global admin) and the user undertaking the access review. 

Andy Hodges |ThinkShare | www.thinkshare.uk

@Vertebre85 I guess it is related?

But it only checks group membership, and I don't really want to connect our SP site to an O365 group; it'll be visible in MS Teams, adds the group to permissions, etc.

It would have been so much easier if we had the same option as when sharing anonymously: "These links must expire within this many days".

best response confirmed by JohnnySvob (New Contributor)
Solution

Hi all,

 

The Expiring External Access feature mentioned in the documentation above hasn't been rolled out yet which is why it's not showing up in your UI :) Looks like our documentation went live a little early. Keep an eye on Message Center for the latest details on this feature! Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

@Stephen Rice I saw that at your webinar yesterday.

@Stephen Rice 

Sounds like a cool feature, where can I learn more about it?

 

Thanks

Hi @Vertebre85, glad you were able to join the webinar!

 

Hi @roniy, you can check out a demo of the feature from our Ignite talk late last year: https://myignite.techcommunity.microsoft.com/sessions/81495?source=sessions

 

It's near the end of the session, though I think the entire talk is worthwhile (I may be a bit biased ;))

 

Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

@Stephen Rice 

Hi, thank you for the information and the video.

I need some more information about this.

I am concerned about how this affects guests in MS Teams.

I invite a guest to a MS Team, they of course have access to the "files" tab and all the Sharepoint content.

If this policy is enforced, will the guest lose access to the "files" tab after the set timeframe? But still remain in the Team?

 

That seems problematic, I think.

 

Alex

Hi @alexrademeyer,

 

Expiration will only be applied to guests who are accessing via sharing links, direct permissions or SP Groups. If the user is accessing via an O365 group or security group, they will not expire. 

 

If you want users to expire from those constructs, check out the Azure AD Access Reviews feature. These features are designed to work in concert with each other :) Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive

@Stephen Rice 

Hi Stephen, that's great- thank you for confirming, and for replying so quickly.


I had been wondering about this for a few days after the announcement in the message center, which did not mention if/how Teams users would be affected. To make things more confusing, MS Support confirmed to me that the guests would remain Team members but lose access to the "files" tab.

I am going to believe you instead of them. 
Thank you for helping clear it up!

Alex

Hi @alexrademeyer,

 

No problem! We are working on updating the MC post so it's more clear as well :) I'll also drop an e-mail to our support folks to make sure they're on the same page! Thanks!


Stephen Rice

Senior Program Manager, OneDrive

Hi @Stephen Rice,

 

we're about to test the expiration policy and I was wondering... in the official support article it is mentioned everywhere that Site Administrators will receive the expiration notifications and can extend the access. Now, what is meant by "Site admin"? Is it really only site collection admins, or will site Owners (with Full Control permissions) also be able to manage this?

Because if it's only SC admins, then it's pretty useless, as we (and I guess it's best practice in general) do not give SC admin permissions to our users, only site owner permissions.

Additional question: any plans on having separate expiration settings for SharePoint and OneDrive? We are using SP site guest access for long-term sharing and OneDrive for short-term ad hoc sharing with externals. It would be nice if we could set, e.g., 30 days expiration for SP and only 3 days for OneDrive.

Hi @Marek Halfar,

 

Quick heads up that the feature is still rolling out so you may not have it just yet :) 

 

It is the site collection administrator who does the extension (noting that in OneDrive & Group-connected sites, the owners are also the site collection admins). Can you explain what you mean by "don't give SC admin permissions to our users"? The SC admin in this case is only extending the user's access on their site collection, not in the tenant as a whole. 

 

Although there is no clean way to create separate policies for OneDrive vs. SharePoint, you can customize the expiration length on a per-site collection basis. 

 

Hope that helps!

 

Stephen Rice

Senior Program Manager, OneDrive

Hi @Stephen Rice,

 

I meant that when we are providing SP sites to our users, we do not appoint them as site collection admins but instead we are granting them only Full control permissions via the Owners group.

 

So that means that in our case no user on our tenant will be able to extend the guest access for their sites.

 

And because there is no policy separation, we cannot even use the per-site setting to at least have the policy on users' OneDrives but not on SharePoint sites, right? Or what is the max expiration time? So that we can, let's say, have 30 days on OneDrive and 100 years on SP sites, defined on a per-site basis. That would kind of work around the policy separation for OD/SP.

 

Marek

Hi @Marek Halfar,

 

That is correct then.

 

And yes, the workaround would be to use PowerShell to customize the policies on OD vs. SP as needed. Hope that helps!


Stephen Rice

Senior Program Manager, OneDrive

Hi @Stephen Rice,

 

thanks, that helps. So basically, to have the expiration policy applied only for OneDrive, we would enable it with a 30-day duration in the tenant-wide settings. And then for all our SP sites we configure these properties using PowerShell:
ExternalUserExpirationInDays : 0
OverrideTenantExternalUserExpirationPolicy : False

So if we just set the override to $true and keep expiration days at 0, that should basically disable the expiration, right? Is that a supported combination? Otherwise we just set the expiration days to its maximum, which is two years.

 

Marek

Hi @Marek Halfar,

 

Almost! I think you want to set the Override value on each site to True. This would then override the tenant policy on this site and set it to 0 (which is equivalent I believe to no expiration policy). Thanks!


Stephen Rice

Senior Program Manager, OneDrive
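The "tenant-wide policy plus per-site override" approach Marek lays out above, and Stephen's earlier point that the expiration length can be customized per site collection with PowerShell, as an added example that is not part of the original thread. It uses the SharePoint Online Management Shell cmdlets (Set-SPOTenant, Get-SPOSite, Set-SPOSite) with the property names shown in Marek's post; the admin URL is a placeholder for your tenant, and treating "override on, 0 days" as "no expiration" is the thread's own reading rather than something this script can prove, which is why it ends by reading the values back instead of assuming them.

```powershell
# Added example (not from the original thread).
# Goal: guests expire on OneDrives only. Enable expiration tenant-wide so every
# OneDrive inherits it, then override the policy on every non-personal SharePoint
# site collection with the "override on, 0 days" combination discussed above.
# Assumptions: SharePoint Online Management Shell is installed and the caller is a
# SharePoint administrator; the admin URL below is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant

$OneDriveExpiryDays = 30   # the thread states a two-year (730-day) maximum

# 1. Tenant-wide policy: expiration required, 30 days.
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays $OneDriveExpiryDays

# 2. Per-site override on every SharePoint site collection that is not a OneDrive.
#    Get-SPOSite omits personal (OneDrive) sites unless -IncludePersonalSite is given;
#    the URL filter is a belt-and-braces check against that assumption.
$sharePointSites = Get-SPOSite -Limit All |
    Where-Object { $_.Url -notmatch '-my\.sharepoint\.com/personal/' }

foreach ($site in $sharePointSites) {
    Write-Host "Overriding expiration policy on $($site.Url)"
    Set-SPOSite -Identity $site.Url `
        -OverrideTenantExternalUserExpirationPolicy $true `
        -ExternalUserExpirationInDays 0
}

# 3. Verify: read the effective values back and list any site that did not take
#    the intended setting. An empty table means every SharePoint site is overridden.
Get-SPOSite -Limit All |
    Where-Object { $_.Url -notmatch '-my\.sharepoint\.com/personal/' } |
    Where-Object { -not $_.OverrideTenantExternalUserExpirationPolicy -or $_.ExternalUserExpirationInDays -ne 0 } |
    Select-Object Url, OverrideTenantExternalUserExpirationPolicy, ExternalUserExpirationInDays |
    Format-Table -AutoSize
```

Run step 3 on its own first, before any Set-SPOSite call, to see the current per-site state; sites created after the script runs inherit the tenant policy again until the override is applied to them, so the loop is something to schedule or hook into your site provisioning rather than run once.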

@Stephen Rice

Is there a reason why the approval can only be done by the site administrators and not the owners?

 

On sites without an O365 group, the owners are not part of the site admin group, but they still invite the external users to the sites. Therefore this feature cannot be used on these sites.

Furthermore, in our tenant we have the same problem as @Marek Halfar: in all sites we create, even the ones with an O365 group, the site administrators do not contain the owner group (the O365 Owner group is explicitly removed from the site admins in the provisioning process to ensure site governance). Therefore we won't be able to use the Guest Expiration feature at all, because owners have no chance to extend the expiration date.

SharePoint had a pretty clear governance concept using the AssociatedOwner, AssociatedMember and AssociatedVisitor groups, but this concept is being weakened more and more because Microsoft has suddenly started giving Owners Site Collection administrator permissions to execute stuff.

Hi @Quantumrunner,

 

The primary reason here is that the site collection administrator is the only role that allows for modifying the user object across an entire site collection (e.g. the User Info Table, which is where the expiration date is stored/modified).

 

This is certainly an area we'll be listening for feedback though as this feature rolls out. Thanks!

 

Stephen Rice

Senior Program Manager, OneDrive