Office 365 & SharePoint 2013 Online: Managing external users

 

I really love Office 365 and it looks like I’m not the only one. One of the features I really like is the possibility to collaborate for free with people who don’t have any O365 licence: partners, aka “external users”.

Adding external users (users who don’t have any O365 licence to access your tenant/O365) to SharePoint online is straightforward :

First you need to authorize Sharing with External users

We can only specify that at the site collection level (which is good).

In O365, go to the Admin-SharePoint menu

image

 

  • Select the site collection you want to share with external users
  • Select Sharing in the ribbon :

image

The following window will show up:

image
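The sharing level chosen in this dialog can also be read for every site collection at once from the SharePoint Online Management Shell (introduced further down). The script below is an added example, not part of the original post; the admin URL is a placeholder and the `$Enforce` switch is a hypothetical name used only here.

```powershell
# Added example: audit the external-sharing setting of every site collection.
# Assumption: https://contoso-admin.sharepoint.com is a placeholder for your
# own tenant admin URL.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# SharingCapability values reported by Get-SPOSite:
#   Disabled                     no sharing outside the organization
#   ExternalUserSharingOnly      invited external users who sign in
#   ExternalUserAndGuestSharing  signed-in external users AND anonymous guest links
$sites = Get-SPOSite -Limit All | Select-Object Url, Owner, SharingCapability

# How many site collections use each setting
$sites | Group-Object SharingCapability |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Site collections where anonymous guest links can be created
$guestEnabled = @($sites | Where-Object {
    $_.SharingCapability -eq 'ExternalUserAndGuestSharing'
})
$guestEnabled | Sort-Object Url | Format-Table Url, Owner -AutoSize

# Set $Enforce to $true to require sign-in on those site collections.
$Enforce = $false
if ($Enforce) {
    foreach ($site in $guestEnabled) {
        Set-SPOSite -Identity $site.Url -SharingCapability ExternalUserSharingOnly
        Write-Output "Sign-in now required for sharing on $($site.Url)"
    }
}
```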

 

Next you can share your site, your list or your list item with the external user

For instance you can directly add the external user in any SharePoint security group, or you can also click on the Share button of your site

image

and you get this pop-up:

image

 

Type the user’s e-mail address and click on the Share button. By default, external users will be contributors, which means they can edit your list items; be very careful with this! You might need other permissions, so click on the “Show options” button and select, for instance, the Visitors group with read-only access.

 

Now the invitation is sent to the user.

The user won’t be a member of your SharePoint security group until he accepts the invitation.

image

 

The user will get the following e-mail:

image

 

The user will be redirected to the Office 365 login page and will be able to provide his account. If he already has an O365 account, he can provide his O365 credentials; otherwise he will need a Live account (a Microsoft account). E-mail addresses such as .hotmail, .outlook.com, .live, … are Microsoft accounts by default. If the user has another type of account (Gmail or a corporate account), he can safely associate it with a new Microsoft account by going to the signup page.

I’ve noticed that many users (who don’t have a Microsoft account) just click on the link and get a 403 Forbidden HTTP message.

So, when we click on the link we get the following dialog:

image

 

In my case, I’ve used my hotmail address, so I’ve clicked on Microsoft Account, and was automatically redirected to the requested SharePoint page:

 

image

 

When we click on the external user “My Settings Menu”:

image

 

We get the account details, like the membership provider (live.com in this case):

image

 

How can we manage requests

To manage requests, you have to use the… list of requests:  go to the site menu settings and click on “Access requests and invitations”:

image

 

We get the pending requests (users who request access to the site, more on this later), the external user invitations (the external user still has to accept the invitation), and the request history:

 

image

 

Pending requests are requests made by users to access a web site; the user can fill in a form detailing why he wants to access the web site. This option is available when the Access Request Settings option (in the site settings menu) is activated:

image

image

Just check the Access Requests Settings option in the following form and provide the e-mail address of the guy in charge of managing the requests (usually the site owner).

image

 

At the time of writing, this works very well in SharePoint 2013 on premise, but I couldn’t get it to work in SharePoint Online O365.

 

image

 

image

Click on Share and as illustrated below, uncheck the Require sign-in option :

image

By clicking on Share again, an e-mail with a link (“guest link”) to the document will be sent to the external user.

This guest link can be used by any anonymous user, not just by our selected user. Remember: sign-in is not required…

If we right-click again on the document ellipsis button (…), we will notice a new piece of information in the pop-up window: the guest link.

image

If you click on the guest link, you get the URL that can be shared with anonymous users. Again, be very careful when you do this!

image

As soon as you share your document, SharePoint will create a unique permission for this list item:

image

Don’t share too much: unique permissions can have a huge impact on performance. Plus, managing permissions at the item level is more complicated.

To remove a guest link, follow this procedure. It didn’t work for me at the time of writing, I couldn’t see the Delete button.

 

How can we manage external users (like removing external users,…)

 

We can manage external users by using the request management functionality of SharePoint (see above, “How can we manage requests”). Don’t forget that external users are… users, so they are members of SharePoint groups (but not AD groups).

However, bringing external users to your intranet (which, as a matter of fact, becomes an extranet) can be considered very risky and must be managed carefully in the governance plan (who authorizes the external user, which external users are authorized, which site, …).

Remove External Users

We must also be able to quickly remove an external user from every site/site collection. This is not very well documented, but there are 2 ways to do it:

In the UI: go to the SharePoint Administration menu and click on Manage User Profiles:

image

Type the user name and click on Find:

image

And you can delete the selected user.

Also, don’t forget that even if all your external users are removed, the existing guest links can be used by any anonymous user !!!! Danger….

Viewing External Users

If you want to visualize all external users of your SharePoint Online environment, or if you want to bulk remove external users, you must use the SharePoint Online Management Shell.

Check this link to figure out how to install the SharePoint Online Management Shell.

The cmdlets to know are:

Get-SPOExternalUser

image

Remove-SPOExternalUser

image

(We can also do a batch removal by providing an array of Live IDs.)
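The two cmdlets above combined into one inventory-and-removal pass, as an added example that is not part of the original post. The admin URL, the CSV file name and the e-mail addresses in `$toRemove` are constructed placeholders.

```powershell
# Added example: list every external user, export the list for review,
# then remove a reviewed subset in one batch.
# Assumption: placeholder admin URL, replace with your own tenant.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Get-SPOExternalUser returns at most 50 users per call, so page through
# the collection using -Position as a zero-based offset.
$pageSize = 50
$position = 0
$externalUsers = @()
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize $pageSize)
    $externalUsers += $page
    $position += $pageSize
} while ($page.Count -eq $pageSize)

# Keep a record of who had access before anything is removed.
$externalUsers |
    Select-Object DisplayName, Email, InvitedAs, AcceptedAs, WhenCreated, UniqueId |
    Export-Csv -Path .\external-users.csv -NoTypeInformation

# Invitations accepted with a different account than the invited address:
# worth reviewing, since the invitee signs in with an account of his choice.
$externalUsers |
    Where-Object { $_.InvitedAs -and ($_.AcceptedAs -ne $_.InvitedAs) } |
    Format-Table DisplayName, InvitedAs, AcceptedAs -AutoSize

# Constructed sample list of accounts whose access must be withdrawn.
$toRemove = @('former.partner@example.com', 'contractor@example.org')

# Remove-SPOExternalUser works on the UniqueId values (the "live ids").
$ids = @($externalUsers |
    Where-Object { $toRemove -contains $_.Email } |
    Select-Object -ExpandProperty UniqueId)

if ($ids.Count -gt 0) {
    # Prompts for confirmation before removing the users.
    Remove-SPOExternalUser -UniqueIDs $ids
} else {
    Write-Output 'No matching external users found.'
}
```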

 

How many external users can access my SharePoint Online sites?

It depends on the plan; at the time of writing, for the Enterprise and Midsize Business plans you can go up to 10.000 external users, and for the Small Business plan the limit is set to 500. More details here.

What External users cannot do

  • They have no SkyDrive Pro and no personal site.
  • They cannot see the global newsfeed (they can still see the site newsfeed).
  • They cannot be site collection administrators (but they can be site owners).
  • They cannot access the site mailbox; more detail in my post.

2 responses to “Office 365 & SharePoint 2013 Online: Managing external users”

  1. Hello Serge,
    I use the public site provided by the office 365, I have put some pictures into a picture library, now I am trying to allow anonymous access into this library but it does not work.

    The picture document library inherits from the site permissions and so has an anonymous users / view items permission.

    I tried to put Everyone into the Visitors group but it does not work either.

    It does work when I use the share button and share it with a specific person.

    Any ideas ?

    Thx

    Paul

  2. Thank you for the guide on Remove External Users via the SharePoint Online Management Shell. That was invaluable information. My issue was that deleting an external user profile does not remove the external user links. I tried countless ways and spent hours on the phone to MS Tech Support without success until using the Management Shell cmdlets. Great guide. Thank you!
