One of the hottest, most discussed topics in SharePoint is external sharing. Once you give your employees the ability to store and manage content internally, there are almost always instances where they also need to share the same content externally. Typical scenarios include documents that need to be shared with clients, vendors, consultants and contractors. With this blog post, I would like to clarify the different options available to you, as the Administrator of the Office 365/SharePoint Online environment, for setting up external users in SharePoint.
Before we proceed further, I recommend that you check out this post/slide deck I published recently. It explains in great detail what you can share from your SharePoint Online environment and what happens behind the scenes when you do. One important aspect of external sharing is the “external user experience”. That experience (when they get an email and have to log in to your environment with one of Microsoft’s domain email addresses) is the reason for this post. When you share content with external users, you want their experience to be smooth and straightforward. In other words, you want to make sure they don’t need a PhD to figure out how to access a file or a site. With that said, below I list the various options that are available to you. These are the options I have seen my clients implement. I will specify pros and cons for each method, as well as my recommendation.
How to set up external users in SharePoint
Option 1: Require users to authenticate
Essentially, this is the “as-designed” default option I described in the slide deck. The idea is that users get an email and have to log in using any Microsoft domain email account (hotmail.com, live.com, outlook.com or another Office 365 account). If they don’t have an account, they can create one on the fly.
This is obviously the most secure option. I wish the user experience were a bit better when they have to log in for the first time: not everyone has an existing Microsoft account, and it would have been nice to authenticate with a Google or Facebook account. That means an extra step for the user to create one before they can access content. They also need to memorize another login/password combination for this specific account.
However, by requiring your users to authenticate, you can “track” their activity and disable their access at any point. By the way, I do describe how to administer and manage external users in that same blog post.
Option 2: Create Microsoft accounts for external users and email them credentials
Essentially, this is Option 1, but you take on the burden of creating Hotmail/Outlook accounts for external users and sending them credentials via email. This way, external users are “ready to go” when you share content with them.
This might be a useful option when you want to minimize “SharePoint fatigue” for your vendors/clients. This obviously means more work for you. The downside of this approach is that external users tend to share these credentials among themselves and this might lead to other confidentiality issues. I don’t recommend this option.
Option 3: Provide users with your Company Office 365 account/license
I strongly discourage you from doing this, but I list it as an option because I have seen some of my clients do it. Essentially, you set up external users as if they were your employees in your Office 365 tenant. In other words, you don’t differentiate between internal and external users. You might not necessarily give them the full Office 365 license; as a matter of fact, they can be set up without any product license at all! While convenient in theory, this option is extremely dangerous in terms of security. I want to mention just a couple of things that will keep you sleepless at night:
- Your “external” user might have access to other Office 365 properties. For example, if you decide to give them a license, they will become part of your Employee Directory, Office 365 Delve, will have their own OneDrive and will be able to see changes, feeds, activities and access documents not necessarily intended for them.
- Even if you do not give them a license, the “external” user will automatically get added to Everyone and Everyone except external users security groups. That means that if you shared any sites with your internal employees using these domain groups (a common and very convenient practice), they will inadvertently have access to those sites and will be able to browse around your sites and site collections.
Once again, this option is not recommended!
Option 4: Share anonymously
You can’t share sites and folders anonymously, but you can share individual files anonymously (your IT admin needs to enable that option at the site collection level). In that case, the user experience is “the smoothest”, as they don’t need to log in or enter any credentials. Just clicking on the file URL gets them inside the document and gives them the ability to read or edit it (based on the permissions you have given them).
Not my favorite option either, since it does not allow tracking of those who access or make changes to the content. Anonymous sharing works in certain cases and might be best suited for OneDrive sharing. If you do need to share externally from SharePoint, limit it to certain site collections and sites. Make it more of an exception than the rule.
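
One way to keep anonymous sharing an exception, as an added example that is not part of the original post: the PowerShell below flags site collections whose sharing setting permits anonymous links and that are not on an approved list. The contoso URLs, the allowlist and the sample rows are constructed placeholders; the commented lines at the end show the SharePoint Online Management Shell cmdlets the function is meant to be fed from.

```powershell
# Assumption: placeholder allowlist of site collections approved for anonymous links.
$AnonymousAllowed = @(
    'https://contoso.sharepoint.com/sites/press-kit'
)

function Get-AnonymousSharingFinding {
    param(
        [Parameter(ValueFromPipeline = $true)] $Site,
        [string[]] $Allowlist = @()
    )
    process {
        # ExternalUserAndGuestSharing is the site setting that permits anonymous links.
        if ($Site.SharingCapability -ne 'ExternalUserAndGuestSharing') { return }

        # Normalise trailing slashes so the allowlist comparison is reliable.
        $url      = $Site.Url.TrimEnd('/')
        $approved = @($Allowlist | ForEach-Object { $_.TrimEnd('/') }) -contains $url

        [pscustomobject]@{
            Url       = $url
            Approved  = $approved
            # For unapproved sites, keep authenticated external sharing (Option 1)
            # and drop only the anonymous links.
            Suggested = if ($approved) { 'ExternalUserAndGuestSharing' }
                        else           { 'ExternalUserSharingOnly' }
        }
    }
}

# Constructed sample rows with the same Url / SharingCapability properties
# that Get-SPOSite returns, so the check can be tried offline.
$sample = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/press-kit/'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';    SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/vendors';    SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';         SharingCapability = 'Disabled' }
)

$findings = $sample | Get-AnonymousSharingFinding -Allowlist $AnonymousAllowed
$findings | Where-Object { -not $_.Approved } | Format-Table -AutoSize

# Against a real tenant (SharePoint Online Management Shell):
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com
#   Get-SPOSite -Limit All | Get-AnonymousSharingFinding -Allowlist $AnonymousAllowed
#   Set-SPOSite -Identity <site url> -SharingCapability ExternalUserSharingOnly
```

With the sample rows, only the finance site is reported: it allows anonymous links and is not on the allowlist.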