Last week, we discussed how to configure your organizational sharing settings to allow external collaborators on SharePoint and OneDrive documents. Up until now, if you wanted any kind of security or authentication of who you were sharing your documents with, the recipient needed to have either a Microsoft account or an Office 365 account from a different organization.
However, just recently Microsoft released a preview feature for Azure AD B2B called “one-time passcode authentication”. This allows your users to share documents with users who don’t have existing Microsoft or Office 365 accounts. Rather, the external user will be sent a one-time passcode that they can use to sign in. This ensures that only the user who has access to that specific email address can view that document.
Enable the Azure AD One-Time Passcode Preview
To give your user access to this preview feature, you’ll need to enable it in your Azure AD settings and your SharePoint configuration.
First, opt in to the Azure AD B2B One-Time Passcode Preview:
- Sign in to the Azure AD portal at https://portal.azure.com
- In the navigation pane, select Azure Active Directory.
- Select Organizational Relationships > Settings
- Under Enable One-Time Passcode for guests select Yes.
Then, opt in to SharePoint and OneDrive integration with Azure AD B2B using the SharePoint Online Services for PowerShell tool:
- Open an administrative PowerShell prompt.
- Install the latest version of SharePoint Online Services Module:
- Install-Module -Name Microsoft.Online.SharePoint.PowerShell
- Connect-SPOService -url https://yourdomain.sharepoint.com
- Enter your SharePoint admin credentials when prompted.
- Set-SPOTenant -EnableAzureADB2BIntegration $true
- Set-SPOTenant -SyncAadB2BManagementPolicy $true
Managing External Sharing with Azure AD B2B
For users, sharing via Microsoft account, external O365 account, and one-time code look exactly the same. They choose the “specific people” sharing option, and then enter the recipient’s email address. Then once the recipient clicks the link to open the document, they are prompted to either sign in or receive a one-time code to access the document.
In all cases, the recipient is added to your Azure AD as a guest user. This means that they can easily be invited to collaborate on additional documents without needing to reauthenticate.
Additionally, this means that you can easily remove guest users from all access to your organization. This might be necessary if a guest user changes jobs or roles or otherwise no longer needs to have access to your company’s documents.
Simply sign in to the Azure portal, navigate to Azure Active Directory, select Users, and then search for the user you need to remove. You can also filter by User Type. Your company’s employees by default are Members, while outside users are listed as Guests.
It’s good to periodically review this list for those who need continued access. Additionally, if you have an Azure AD Premium P2 license, you can set up automated access reviews where group owners or guests themselves can confirm their need for continued access. For more information, see Manage Guest Access with Access Reviews.
Office 365 Unauthenticated Sharing Best Practices
If you choose to enable unauthenticated “anyone” links for your organization or sites, you can take some steps to ensure that this doesn’t lead to unwanted data disclosure. These settings can be set by logging in to the SharePoint admin center and navigating to Sharing.
First, set a maximum expiration time for sharing links. This prevents links from being used indefinitely. Check the box next to “These links must expire within this many days” and enter a number of days in the box.
Second, consider limiting what permissions can be granted with “anyone” links. By default, these links can be used to grant both read and edit permissions to documents. For added security, limit “anyone” links to read-only, and use “specific people” sharing for edit permissions.
To do this, under “Advanced settings for Anyone links”, set the permissions for File and Folder links to “View”.
Finally, change the default link sharing setting. By default, shared links will be set to “Anyone”, but you can change this to “Only people in your organization” in order to reduce the chances of accidental oversharing.
With these settings adjusted, your users will be able to easily and securely collaborate with individuals outside your organization using your existing Office 365 tenant. If you need more help configuring your cloud workflow, contact E-N Computers today. We specialize in helping small and medium businesses streamline their IT environments for today’s connected world. Contact us for a consultation today.