Dec 12 2016 01:40 PM - edited Dec 12 2016 01:41 PM
I am trying to understand the possible approaches I can take for migrating my company's extranet & intranet to SharePoint Online.
Below are some key facts about the existing extranet:
1. The identity provider for the SharePoint extranet is CA SiteMinder.
2. Each extranet user has a registered account in the SiteMinder LDAP. This enables SSO between SharePoint and non-SharePoint sites.
3. All internal company users also have an identity in the SiteMinder LDAP (created through a sync job), through which they also access the extranet sites.
4. User profiles exist for both company users & external users in the SharePoint extranet.
The intranet is a pretty plain SharePoint installation with the company AD as identity provider. The user profile for the intranet is separate from the extranet.
Below are some approaches we are exploring:
Option 1: Merge intranet & extranet into a single Office 365 tenant:
Pros: 1. No double license required for company users (around 3k users). 2. Free AAD licenses can be purchased for external users.
Cons: 1. Challenges on how to make sure the internal sites' people picker shows only internal users. 2. Internal content can be shared with external users by accident.
Option 2: Separate Office 365 tenants for intranet & extranet:
Pros: 1. No data security issue. 2. Fewer technical challenges.
Cons: Double billing for internal company users, as they need to have access to the extranet also.
Has anybody here done similar migrations, and what is the feasible approach?
Jun 11 2018 01:58 PM
Hi, I am in a similar situation and was disappointed that your post had not attracted more attention or response. Curious to hear what progress or decision you made.
We are currently using another external platform (Jive-X) to engage with a select subset of clients. We do not limit the amount of client accounts who have access. We are billed by usage or clicks.
Jun 12 2018 03:58 AM - edited Jun 12 2018 03:59 AM
Hi Nadine, I am still evaluating the extranet strategy in SharePoint Online. But since the original post is old, I can update on some key things:
Option 1 is the most feasible approach: extranet users can be added to the tenant as "external users" and they need not be assigned any licenses. Good governance (making sure internal sites have sharing disabled) can prevent accidental sharing of intranet sites with external users. The main disadvantage is that since extranet users are present in our company Azure AD, they will appear in the SharePoint people picker even in the internal sites.
Option 2: For this there is no double licensing involved, as company users can be added as guests to the new tenant and reuse their existing licenses in the second tenant. There is a clear separation of internal and extranet tenants. The additional tenant needs to be purchased with a minimum of 250 seats.
Jun 12 2018 04:21 AM
What about using B2C or B2B for external users? That way you can have better control over what people can share with whom.
Jun 12 2018 04:26 AM
Jun 12 2018 04:35 AM
Then B2B is the best option, as it solves your problem of content getting shared with external users, since you can control external sharing at the site collection level.
Jun 13 2018 11:40 AM
Thank you for the update - it was useful.
Jun 14 2018 01:16 AM - edited Jun 14 2018 01:20 AM
Dear all,
We had the same challenge internally: to migrate around 3000 on-premises SharePoint site collections dispatched across 17 SP2007 farms.
Among those farms, one was dedicated to extranet usage, with an extranet-dedicated AD (B2B domain) joined to our internal AD forest.
We evaluated the 2 options you specified, and the second case is too complex to manage in the end, so we decided to migrate all the site collections (excluding the unused ones) to only one tenant URL, https://xxx.sharepoint.com
To separate the 2 kinds of sites we created a dedicated master page (Oslo-based) with a horizontal menu focused on the document library for the extranet, and the standard one for the intranet sites. We also defined a clear naming convention for the site collection URL, similar to:
- Intranet = https://xxx.sharepoint.com/sites/[geoscope]-[businessorFunction]-[ShortSiteName]
- Extranet = https://xxx.sharepoint.com/sites/ext-[geoscope]-[businessorFunction]-[ShortSiteName]
Finally, we used the Sharegate tool with a mapping XML file (based on a script we created) for the user accounts to migrate all the sites to SPO, and the extranet sites were migrated without the external user accounts.
After the migration, the site owners had to invite the external users via the standard external sharing process (mapped to MS identity).
If you need technical details, feel free to contact me.
Fab
PS1: This MS identity invitation process also helped us to prepare the GDPR process, because we gave the identity ownership back to the invited external user; we no longer maintain the external user's password or account for SharePoint Online.
PS2: That also helped us to switch some intranet sites to extranet sites without big technical issues; we only have to enable the external sharing option for the site collection. By default, all created sites are in intranet mode with external sharing disabled.
PS3: For this volume, the migration project required around 1 year of work, so it's possible, and except for a small number of cases, no big issues were observed. The main challenge is SP lists with a huge number of items (more than 20'000), and you have to detect that before the migration execution.
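The convention above (intranet sites under /sites/, extranet sites under /sites/ext-, external sharing off unless the site is an extranet site) can be audited from the SharePoint Online Management Shell. The following script is an added example, not code from the thread or from Fab; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed and uses a placeholder admin URL.

```powershell
# Added example: check every site collection against the "ext-" naming
# convention and the expected external sharing setting.
# Placeholder admin URL: replace with your tenant's -admin URL.
Connect-SPOService -Url "https://xxx-admin.sharepoint.com"

$findings = foreach ($site in Get-SPOSite -Limit All) {
    $path       = ([uri]$site.Url).AbsolutePath.TrimEnd('/')
    $isExtranet = $path -like '/sites/ext-*'
    $sharingOn  = $site.SharingCapability -ne 'Disabled'

    if (-not $isExtranet -and $sharingOn) {
        # Intranet site that can be shared externally: the accidental-sharing risk
        [pscustomobject]@{
            Url     = $site.Url
            Sharing = $site.SharingCapability
            Issue   = 'Intranet site with external sharing enabled'
        }
    }
    elseif ($isExtranet -and -not $sharingOn) {
        # Extranet site where external users cannot be invited at all
        [pscustomobject]@{
            Url     = $site.Url
            Sharing = $site.SharingCapability
            Issue   = 'Extranet site with external sharing disabled'
        }
    }
}

$findings | Format-Table -AutoSize

# Remediation for the first class of finding, kept commented so the audit
# is read-only by default: lock down every intranet site that was flagged.
# $findings | Where-Object Issue -like 'Intranet*' |
#     ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability Disabled }
```

Run the audit on a schedule so a site switched to extranet mode (or an intranet site opened by mistake) shows up before content is shared.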
Jun 14 2018 04:42 AM
Jun 14 2018 04:53 AM
There is only one AAD in our case, but when you invite an external user, the system will create a mapped user in your internal AAD pointing to the MS identity system he/she used.
You can filter that when you go into the AAD portal and select the GUEST user type.
So the people picker uses that AAD list as its source when you add someone, and it works quite well.
The main issue observed is related to the invitation sent to someone "USERA" who (for any personal reason) decided to transfer the invitation email to someone else "USERB" (his/her assistant, colleague, …); that will create a mapping in the AAD and SharePoint with the name displayed as "USERA" but with the USERB email address.
That creates a mess internally, and we have many support cases related to that cleanup task, because the only solution is to remove that account totally from our SharePoint and AAD.
I detailed that case issue here (in French):
Fab
Jun 14 2018 06:22 AM
Jun 14 2018 07:41 AM
This is a really good question, and to be honest I did not evaluate that question.
I never paid attention to that people picker question in intranet sites calling the guest accounts.
But for your question I tested our case, calling someone in our AAD from an intranet site, and that is not working.
So did you observe that issue, or is it only a risk you imagine having?
Fab
Jun 19 2018 02:39 AM