Page tree
Skip to end of metadata
Go to start of metadata

What Is External Sharing?

On the surface, external sharing in Office 365 is the act of making content available to someone outside of the college - without a @bruford.ac.uk account.

Behind the scenes though, it can mean very different things depending on whether or not the content is shared anonymously or with an authenticated external user.

Sharing With Anonymous Users

A folder or document can be shared with an external user via an anonymous link, meaning the person accessing the document can’t be identified by the college. These guest users are commonly called "anonymous users".

When this option is chosen, your document will be visible to anyone who has access to the link, meaning an external user to whom it was sent to directly can share the link to other external users. Thus, documents containing sensitive data should never be shared this way.

The person choosing to send a document anonymously can decide whether to make it "View Only" or "Editable". They can also set an expiration date, so the content isn't accessible to external users after the chosen date.

In essence, the permissions to access your content is given to the hyperlink and not a user.

Sharing With Authenticated External Users

Content can also be shared with authenticated external users, meaning guest users are sent an invitation by email and prompted to sign in using an account from a trusted provider in order to access the content in question.

Once the invitation is accepted, they are added to the college's directory as an external user, but will only have access to the specific elements you shared with them. If you've shared an entire site, they'll have access to everything in it, so make sure it doesn't contain sensitive content.

If you want to see whether or not the user has accepted the invitation and accessed your content, you can view pending invitations in your site collection settings, under the tab "Access requests and invitations,” or you can search the guest user’s name in your directory.



Authenticated External UserAnonymous User
ParticularitySigning in is required before they can view contentCan access content from a shared link without signing in
What you can share
  • A complete site
  • Lists and Libraries
  • Documents and list items
  • Yammer threads
  • Teams
  • Depending on permissions, most content within an Office 365 Group
Only documents or folders
Who can share
  • Site owners and others with full control permissions can share a site
  • All members as contributors can share lists, libraries and documents
  • All members can nominate a person to be added in an Office 365 Group as a guest user
All site users can share a document and generate a view or edit link for external sharing
How you can share The same as with your internal users
  • View only link
  • Edit link
The security risks
  • If you give full control to an external user, he could share content with other external users
  • It’s hard to link the email address you sent the invite to and the Microsoft account associated to the user.
  • Permission inheritance if you give access to a site or a Group
Anonymous guest links can be shared to other people who might be able to view or edit the content.  Changes cannot  be tracked in the document


How Can Users Share Externally and What Happens When They Do?

Depending on how external sharing has been configured, users have a few different options when they decide to share with people outside of the college. As mentioned above, they can choose to share content with anonymous external users or with authenticated external users.

Sharing a SharePoint or OneDrive for Business Documents or Folder with an Anonymous User

  1. Go to the SharePoint document library or your OneDrive for Business in which the document or folder you want to share is located and select it by checking the circle on the left of the document title.

    External Sharing of SharePoint Document

     

  2. Click "Share" and "Anyone" in the link settings. You can choose to allow whether guest users can edit the document, and set an expiration date on the link.

    SharePoint Anonymous External Sharing

     

  3. Once you’ve clicked "Apply,” a link will be generated that you can then copy to your clipboard, or send via email. In this case, the email is only to send the link to your external user. It won’t require them to log in to view documents.

    Creating an anonymous link in SharePoint

Sharing a Document with an Authenticated External User

  1. Sharing a document or folder with an authenticated external user is just as simple as creating an anonymous link. In the link settings, choose the "Specific people"  option and type out the email address of the user you want to share your document with.

    Just like with anonymous links, you can choose to allow whether guest users can edit the document, and set an expiration date.

    Sharing a document with an authenticated external user

    The other two options under "Anyone" are options for sharing a document with users already in the college's directory.

  2. Once you’ve clicked "Apply,” you can choose to copy the link to your clipboard or to send it via email. Only the people you’ve invited specifically will be able to access the document. You’ll also be able to see exactly who currently has access to the document.

    Sharing a document with an authenticated external user in SharePoint

  3. An invitation to join the document will be sent the guest user, who will have to accept it. Once accepted, they can log in using a trusted email address and he or she will be added to the college’s directory.

    External sharing email invitation

    External Sharing log in screen

How to Manage External Sharing

If you're going to open up access to your environment to external users, it's important you stay aware and in control. As mentioned earlier, blocking all access out of fear will not necessarily solve the problem, the internet is full of solutions today. So how can you manage external sharing?

There a few options you can look into:

  • Configuring the right options for you in the Admin Center
  • Managing External Sharing via PowerShell Commands and Scripts

Managing External Sharing with the Admin Center

There's a number of options we discussed above when configuring this feature. Some of them can help you control access to your environment a little more, should you need to.

  • Set default expiration links for all anonymous links created, always.

  • Limit external users by their domain. You don't want invitations sent to Gmail accounts? Make sure only certain approved domains can enter or, the other way around, blacklist certain domains.

  • Enforce that only a user with the same email address as the one the invitation was sent to can accept and sign in. The default behavior allows the recipient of the external sharing invitation to forward it to anyone else. 

  • Make sure external users can't share with others documents they didn't create. 

  • Dive into Device Access management and Intune to make sure only certain IP addresses are accepted, and enforce policies such as the blocking of the "Print" button on Office documents. 

  • Leverage the Azure Portal's access to your Azure Active Directory to see and manage your guest users throughout your Office 365 environment.

External Sharing Best Practices

  • Don’t turn off external sharing! Rather, configure external sharing to your specific business needs, while keeping in mind that your users will need to collaborate with external guests. 

  • Implement proper governance policies to ensure everyone is on the same page when it comes to reacting to and correcting an external sharing blunder. 

  • Educate your users on proper external sharing (i.e. how to share a document, vs. sharing a site) to avoid them inadvertently giving access to sensitive data. 

  • In most cases, it’s probably best to turn off anonymous sharing and only allow authenticated external users, or to set an expiration date at the very least. You’ll be able to control and follow-up with who has access to what. 

  • Double check the permission levels of your site collections to ensure external users don’t inherit permissions that allow them to wreak havoc in your environment. 

  • Manage security by checking reports every day.

     

External sharing can be a very important part of proper collaboration in your organization, so don’t be afraid of it! Once you’ve understood the way it works, you’ll never want to work any other way.