I really love Office 365 and it looks like I’m not the only one. One of the feature I really like is the possibility to collaborate for free with people who don’t have any O365 licence : partners.. aka “external users”.
Adding external users (users who don’t have any O365 licence to access your tenant/O365) to SharePoint online is straightforward :
First you need to authorize Sharing with External users
We can only specify that at the site collection level (which is good).
In O365, go the Admin-SharePoint menu
- Select the site collection you want to share with external users
- Select Sharing in the ribbon :
The following window will show-up:
Next you can share your site, your list or your list item with the external user
For instance you can directly add the external user in any SharePoint security group, or you can also click on the Share button of your site
and you get this pop-up:
Type the user e-mail address and click on the Share Button; by default external users will be contributors –>they can edit your list items; be very careful with this ! You might need other permissions, so click on the “Show options” button and select for instance the Visitors group with read only access.
Now the invitation is sent to the user
the user won’t be member of your SharePoint Security group until he accepts the invitation
The user will get the following e-mail:
The user will be redirected to the Office 365 login page and will be able to provide his Account; if his account is already an existing O365 he can provide his O365 credentials, otherwise he will need a live account (by default the .hotmail, .outlook.com, .live,…) e-mail are by default a Microsoft Account; if the user has another type of account (gmail, or a corporate account he can safely assocate it to a new Microsoft account by going to the signup page.
I’ve noticed that many users (who dont have a Microsoft account) just click on link and get a 403 forbidden http message.
So, when we click on the link we get the following dialog:
In my case, I’ve used my hotmail address, so I’ve clicked on Microsoft Account, and automatically redirected to the requested SharePoint Page:
When we click on the external user “My Settings Menu”:
We get the Account details like the membership provider (live.com in this case)
How can we manage requests
To manage requests, you have to use the… list of requests: go to the site menu settings and click on “Access requests and invitations”:
We get the pending requests (users who request access to the site, more on this later), the external user invitations (the external user still have to accept the invitation), and the request history :
Pending requests are requests made by users to access a web site; the user can fill in a form detailing why he want to access the web site. This option is available when the Access Request Settings option (in the site settings menu) is activated:
Just check the Access Requests Settings option in the following form and provide the e-mail address of the guy in charge of managing the requests (usually the site owner).
At the time of writing, this works very well in SharePoint 2013 on premise, but I couldn’t get it to work in SharePoint Online O365.
Click on Share and as illustrated below, uncheck the Require sign-in option :
By clicking on Share again, an e-mail with a link (“guest link”) to the document will be sent to the external user.
This guest link can be used by any anomymous user, not just by our selected user : remember : sign-in is not required…
if we right click again on the document ellipsis button (…), we will notice a new information in the pop up windows : guest link
If you click on the guest link link, you get the url that can be shared across anonymous users. Again Be very careful when you do this !
As soon as you share your document, SharePoint will create a unique permission for this list item:
Don’t share too much, this (unique permissions) can have a huge impact on performance.Plus managing permissions at the item level is more complicated.
To remove a guest link, follow this procedure. It didn’t work for me at the time of writing, I couldn’t see the Delete button.
How can we manage external users (like removing external users,…)
We can manage external users by using the Request management functionality of SharePoint (see above “How can we manage requests”); don’t forget that external users are…users –>they are members of SharePoint groups (but not AD groups).
However bringing external users to your intranet (which, as a matter of fact becomes an extranet) can be considered as very risky –> and must be managed carefuly in the governance plan (who authorize the external user, which external users is authorized, which site, …).
Remove External Users
We must also be able to quickly remove an external user from every sites/site collection : this is not very well documented but there are 2 ways to do it :
in the UI : go to the SharePoint Administration menu, click on Manage User Profiles:
type the user name and click on Find :
And you can delete the selected user.
Also, don’t forget that even if all your external users are removed, the existing guest links can be used by any anonymous user !!!! Danger….
Viewing External Users
If you want to visualize all external users of your SharePoint Online environment, or if you want to bulk remove external users, you must use the SharePoint Online Management Shell.
Check this link to figure out how to install the SharePoint Online Management Shell.
The cmdlet to know are:
( we can also proceed to a batch remove by providing an array of live ids).
How many external users can access my SharePoint Online sites?
Ite depends on the Plan; at the time of writing, for the Enterprise and Midsize business Plans you can go up the 10.000 external users and for the Small Business plan, the limitation is set to 500. More details here.
What External users cannot do
- no skydrive Pro, no personal site
- they cannot see the global newsfeed (they can still see the site newsfeed).
- they cannot be site collection administrators (but they can be site owner).
- they cannot access the site mailbox, more detail in my post.