Office 365 is a great way to collaborate with your colleagues on documents no matter where you are. And its granular security settings mean that you can trust it with a wide range of sensitive data.
But those security settings can make it difficult to share documents with outside users, such as vendors, consultants, and contractors. Of course, you could create an account for them, but Office 365 now includes several other options that will allow you to share individual documents or entire sites with outside individuals.
SharePoint Organizational Sharing Settings
To be able to share anything with outside users, you’ll need to have both Azure Active Directory and SharePoint configured to allow it. Without these settings, none of your users will be able to share documents with users outside your organization.
To verify your Azure AD sharing settings:
- Log in to the Azure admin portal at https://portal.azure.com/
- Click Azure Active Directory in the left navigation pane.
- In the Overview pane, click Organizational Relationships.
- From there, click Settings.
- Check that “Admins and users in the guest inviter role can invite” and “Members can invite” are set to Yes.
- Click Save.
Next, we’ll verify the SharePoint and OneDrive organization-level sharing settings. These settings define how permissive sharing can be across all SharePoint sites in your organization, though individual sites can use a more restrictive sharing setting. There are four levels that you can select, from most permissive to least:
- Anyone: Users can share links that don’t require authentication.
- New and Existing Guests: Users can share links, but outside users will be required to sign in or provide a verification code.
- Existing Guests: Users can share links only with guests who have already been set up in your Azure AD.
- Only people in your organization: No outside sharing is allowed.
To view or change the SharePoint sharing settings, log in to the Office 365 admin center. Then:
- Click Admin Centers > SharePoint.
- In the SharePoint admin center, click Sharing.
- Set the SharePoint and OneDrive sharing settings that you need, and then click Save.
Here you can also set the org-wide sharing link defaults. This setting controls what option is first presented to the user when they choose to share a folder or document, but they are free to choose a different option if it is allowed by the organization or site settings. This is found under File and Folder Links. You have three default options to choose from:
- Specific People: The user must specify who to share with.
- Only people in your organization: The document is available to anyone in your organization.
- Anyone with the link: The document is available to anyone who has the link.
You can also specify more restrictive settings on “anyone with the link” sharing, including enforced expiration dates and restrictions on whether link-only sharing can be used to grant edit or upload permissions.
SharePoint Site Sharing Permissions
Sharing settings can also be set on a per-site level. These settings can be more restrictive than the organizational settings specified above, but they cannot be more permissive.
Site-specific permissions are a great way to lock down confidential information contained in a specific site. For example, your HR department might have a site dedicated to employee records and other sensitive data that should never be shared externally. That site can be configured so that no sharing is allowed outside your organization. Of course, this doesn’t prevent malicious data theft, but it could help prevent an accidental “over-sharing” incident.
To configure site-specific SharePoint sharing settings:
- Access the SharePoint Admin Center.
- In the left navigation pane, expand Sites and click Active Sites.
- Choose a site. In the ribbon, click Sharing.
- Set the desired sharing access level.
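The rule above (a site can be more restrictive than the organization, never more permissive) can be audited in bulk. The following is an added example, not part of the original article: it ranks the four sharing levels using the `SharingCapability` values from the SharePoint Online Management Shell and reports each site's effective level. The function name, the `contoso` URLs and the sample data are constructed for illustration.

```powershell
# Added example. Rank of each SharingCapability value, least to most permissive.
$Rank = @{
    Disabled                        = 0  # Only people in your organization
    ExistingExternalUserSharingOnly = 1  # Existing Guests
    ExternalUserSharingOnly         = 2  # New and Existing Guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}

# Hypothetical helper: computes the effective level per site and flags sites
# that are supposed to be internal-only but still allow external sharing.
function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$TenantLevel,
        [Parameter(Mandatory)][object[]]$Sites,
        [string[]]$InternalOnlyUrls = @()
    )
    if (-not $Rank.ContainsKey($TenantLevel)) { throw "Unknown level: $TenantLevel" }
    foreach ($site in $Sites) {
        $siteLevel = [string]$site.SharingCapability
        if (-not $Rank.ContainsKey($siteLevel)) { throw "Unknown level: $siteLevel" }
        # The organization setting caps every site: the stricter of the two wins.
        $effective = if ($Rank[$siteLevel] -lt $Rank[$TenantLevel]) { $siteLevel } else { $TenantLevel }
        [pscustomobject]@{
            Url             = $site.Url
            Configured      = $siteLevel
            Effective       = $effective
            AnonymousLinks  = ($effective -eq 'ExternalUserAndGuestSharing')
            PolicyViolation = ($InternalOnlyUrls -contains $site.Url) -and ($effective -ne 'Disabled')
        }
    }
}

# Constructed sample input. Against a live tenant, after Connect-SPOService:
#   $tenantLevel = [string](Get-SPOTenant).SharingCapability
#   $sites       = Get-SPOSite -Limit All
$tenantLevel = 'ExternalUserSharingOnly'
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';      SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/vendors'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance'; SharingCapability = 'Disabled' }
)

Get-EffectiveSharing -TenantLevel $tenantLevel -Sites $sites `
    -InternalOnlyUrls 'https://contoso.sharepoint.com/sites/hr' |
    Format-Table -AutoSize

# To lock down a flagged site (same effect as the admin center steps above):
#   Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/hr' -SharingCapability Disabled
```

Sites whose configured level is higher than the organization's are worth reviewing as well, since they become more open the moment the organization setting is loosened.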
Authenticated Sharing Options
Of course, the “Anyone with the link” sharing option is the simplest way to share a document or folder with an outside user. But this method provides you with no control over what happens to the link after it has been shared.
If you use a more secure option, each user will be required to sign in to view shared documents. They can sign in with either an Office 365 account from a different organization or a consumer Microsoft account (OneDrive, Xbox Live, Outlook.com, Hotmail, etc.). Once they sign in, they will be added to your Azure AD as a guest user. This gives you much more granular control over who is allowed to access shared documents, and allows you to revoke one person’s access across your organization.
Additionally, Microsoft is rolling out a new feature called Azure AD B2B. This allows users who don’t have an existing Microsoft account to use a verification code instead. We’ll cover setting that up, along with some other security considerations, in our next article.
If you need help supporting your remote workforce with Office 365, we can help. E-N Computers helps small and medium-sized businesses with their IT needs, including cloud collaboration solutions. Contact us today for a free cloud consultation.