Thursday, September 17, 2015

Security Controls - External Sharing of Sites in Office 365

In our SharePoint deployments in the past, we've often had the need to share content with external users, that is, people who are not part of our company or organization.  Setting this up in an on-premises environment often required a significant deployment of a SharePoint extranet, with some complex network configuration.

Office 365 makes sharing with external users very easy and gives administrators some great controls over it to ensure that it's both secure and enables collaboration between internal and external users.

External Users
External users might be partners, customers, auditors, or generally those who cannot log in to our corporate network.  From a technical standpoint we often think of them as people who do NOT have an account in our corporate Active Directory.  In Office 365, you can also think of an external user as one who does not have a license to your SharePoint Online sites or Office 365 subscription.

  • From a governance and security standpoint, we typically do not want to give external users an AD account or Office 365 license, so this makes sense.

If a SharePoint Online site is shared with an external user, that user inherits the rights of the SharePoint Online customer that's inviting them to access the site.  So, if you have an E3 Enterprise Plan with Office 365, any external users that you share a site with will also have the rights that are granted with an E3 Enterprise license.  That said, there are some capabilities that are NOT available to external users, which are:
  • Cannot be a site collection administrator or access any of the site collection administrator capabilities.
  • Cannot create their own personal OneDrive for Business library.
  • Cannot search against everything, cannot search across site collections and cannot access the Search Center.
  • Cannot create their own personal sites, or a My Sites site.
  • Cannot access or view the company newsfeed.
  • Cannot change their user profile (things like their picture or contact information).
  • Cannot access site mailboxes.
  • Cannot access Power BI capabilities: Power View, Power Pivot.
  • Cannot use eDiscovery.
  • Cannot open downloaded documents which are IRM protected (Information Rights Management).
  • Cannot use Excel Services features.
  • Cannot access SharePoint Online data connection libraries.
  • Cannot use Visio Services features.
There are of course many other capabilities that external users can access, including viewing, editing and collaborating on content.  As described below, you can control the permission levels assigned to external users so that they can only view content, or so they can view and edit content.

We typically talk about 2 types of external users:
  • Authenticated User - this user is required to log in with a user name and password
  • Anonymous User - this user is NOT required to log in

Administering and Controlling External Sharing

Global Admin Controls
External sharing can be turned on and off globally, and individually for each site collection.  You turn it on or off globally by logging into your Office 365 tenant as a tenant administrator and doing the following:

  • Click the App Launcher and select Admin
  • In the menu at the left click the External Sharing option
  • Within External Sharing menu, click the Sharing Overview option
  • There are several options available on this page, including options for Sites, Calendars, Skype for Business and Integrated Apps.  We focus on Sites for this article.

  • Under Sites, you'll see a global ON and OFF switch for External Sharing - ensure that it is ON.
  • Click on the Go to detailed settings for sites link or in the left menu click on Sites

  • From this page, through the controls at the top, you can control the External Sharing settings for all site collections in the tenant.  The Let external people access your sites check box reflects the same state as the global ON and OFF switch mentioned above.
  • Selecting either the No anonymous guest links. Only allow sharing with authenticated users or Allow sharing with anonymous guest links for your sites and documents radio button will select whether only authenticated user access is permitted for external users, or if both authenticated users and anonymous users are permitted.
Security Note: This control allows me to turn ON and OFF anonymous access to all site collections (and leave authenticated access ON) all at once if needed.  In a situation where you detect that sensitive content may have been shared inappropriately through an anonymous link, this control can be extremely useful as it disables all previously shared anonymous access.  If I turn this off in the global Admin Center then it will be disabled (and I cannot turn it back on) in the SharePoint Admin Center.


Note: Each site collection remembers its previous setting, so if you have some site collections with only authenticated access and others with both authenticated and anonymous access, toggling this radio button switches every site collection back and forth between its remembered setting and authenticated-only access.

  • From this page you can select individual site collections, click the pencil icon to edit their settings and determine if external user access is permitted and if only authenticated users or if both authenticated and anonymous users are permitted.  Again, this can be done individually for each site collection here.

  • In the global Administration Center, you may also control the external users which have access to each site collection by selecting the site collection and clicking the Manage external users for this site link on the right, which will allow you to simply select and delete users.



SharePoint Admin Controls
From within the SharePoint Admin Center you may also manage sharing by selecting a site collection from your list:


...and then clicking the Sharing button in the ribbon:


However, these controls provide the same capabilities as those listed above at the global administration level.  If I modify the settings here in the SharePoint Admin Center for a site collection, the same change is reflected in the global Admin Center.

One advantage of the SharePoint Admin Center's sharing controls is that it allows me to edit the settings for more than 1 site collection at a time - I can select more than one, click the Sharing button in the ribbon and modify the sharing settings for all the selected site collections at one time.


Other than this, I can control external sharing settings for each site collection either at the global level or at the site collection admin level.  There are 2 advantages to controlling these settings at the global level:

  • View and delete the external users that sites are currently shared with
  • Turn sharing ON and OFF, or anonymous access ON and OFF for all site collections at once

See below for the administrative role needed to control external sharing.
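As an added illustration (not part of the original post), the same tenant-wide and per-site-collection controls can be scripted with the SharePoint Online Management Shell, which is handy for a periodic audit or for the "turn anonymous access OFF everywhere" response described in the Security Note above.  Assumptions: the module is installed, the connecting account holds the SharePoint Administrator or Global Administrator role, and the tenant URLs and the bob@outlook.com address are placeholders.

```powershell
# Added example (not from the original post): audit and adjust external sharing
# with the SharePoint Online Management Shell.
# Assumptions: module installed; account holds the SharePoint Administrator
# (or Global Administrator) role; all URLs and the email address are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

$AdminUrl = "https://contoso-admin.sharepoint.com"   # placeholder tenant admin URL
Connect-SPOService -Url $AdminUrl

# 1. The tenant-wide switch. SharingCapability mirrors the global ON/OFF switch
#    and the authenticated-only / anonymous radio buttons described above:
#      Disabled                    - external sharing OFF
#      ExternalUserSharingOnly     - authenticated external users only
#      ExternalUserAndGuestSharing - authenticated users AND anonymous guest links
(Get-SPOTenant).SharingCapability

# 2. Report every site collection whose setting still permits anonymous guest
#    links, together with the external users it is currently shared with.
#    -Detailed is needed so SharingCapability is populated on each site object;
#    Get-SPOExternalUser returns one page of up to 50 users per call.
function Get-AnonymousSharingReport {
    foreach ($site in Get-SPOSite -Limit All -Detailed) {
        if ($site.SharingCapability -eq "ExternalUserAndGuestSharing") {
            $externals = @(Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50)
            [pscustomobject]@{
                Url           = $site.Url
                Sharing       = $site.SharingCapability
                ExternalUsers = ($externals | ForEach-Object { $_.Email }) -join ";"
            }
        }
    }
}
Get-AnonymousSharingReport | Format-Table -AutoSize

# 3. Emergency response from the Security Note: keep authenticated external
#    access but turn anonymous guest links OFF for the whole tenant at once.
#    Site collections cannot be more permissive than the tenant setting, so
#    previously issued anonymous links stop working.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 4. Per-site-collection control (the pencil icon / Sharing button): disable
#    external sharing entirely on a site collection that holds sensitive content.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/finance" `
            -SharingCapability Disabled

# 5. Remove a specific external user from a site collection (the "Manage
#    external users for this site" link). UniqueId comes from Get-SPOExternalUser.
$stale = Get-SPOExternalUser -SiteUrl "https://contoso.sharepoint.com/sites/partners" |
         Where-Object { $_.Email -eq "bob@outlook.com" }
if ($stale) { Remove-SPOExternalUser -UniqueIDs @($stale.UniqueId) -Confirm:$false }
```

Run step 2 on its own first; steps 3 to 5 change live settings, so review the report before applying them.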


Defaults for New Site Collections and Administrative Roles
The default External User setting for SharePoint Online is to have External Sharing turned ON at the global level.

However, external user sharing is turned OFF for new site collections - it must be explicitly turned ON for each site collection.  This is a good security feature, helping to ensure that you do NOT accidentally share sites externally.

In order to control External Sharing options, you must have either the Office 365 global administrator role or a SharePoint Administrator role.

  • You cannot control whether a site is shareable externally simply as the site collection administrator or from within the site settings.  Once you configure a site collection to be shareable in the global Admin Center and/or SharePoint Admin Center, then you select which external users a site is shared with from within the site collection, as discussed below.
Security Note: From the Office 365 Administrative interface it appears that a global administrator role would have the ability to control the global and SharePoint administrative settings for external sharing, whereas the SharePoint administrator role would only be able to control the SharePoint Admin Center settings for external sharing.  However, in testing I have found that this is NOT the case.  It appears that even a user who has ONLY the SharePoint Administrator role can control these particular settings in both the global Admin Center and the SharePoint Admin Center.  So, although some settings can be disabled at the global admin level and enforced automatically on all site collections, like turning anonymous access OFF on all site collections at once, a SharePoint administrative role can simply navigate to the global Admin Center and turn them back ON (even though they are not a global administrator).

Even if my user account is the site collection administrator on only 1 site collection, if I have the SharePoint administrator role in the Office 365 tenant settings, I can change external sharing settings for all site collections, both in the global Admin Center and the SharePoint Admin Center.


Sharing a Site with Authenticated Users
If you require that external users log in with a username and password when accessing an Office 365 site that's been shared with them, then you must share with an authenticated user.

An authenticated user in this case must be a user with either a Microsoft account or an account assigned to them from Office 365, or what is sometimes referred to in Microsoft articles as a school or work account.

  • A Microsoft account is what used to be called a Windows Live ID, and can actually be any account used to access Outlook.com, OneDrive, Windows Phone, or Xbox LIVE.  If you have an account to access any of these services, then you already have a Microsoft account.  For example, my Microsoft account is still my @hotmail.com account.  So, if I want to share a site with an external user that has a Microsoft account named bob@outlook.com then I can simply share the site with that email address.  The user will receive an email invitation and when they click the link within, they'll need to log in using their existing bob@outlook.com username and password.  Office 365 will authenticate them against their Microsoft account.
  • A school or work account in this context is a user account that has been created for users within the Office 365 tenant.  For example, when creating my Office 365 tenant I can optionally register and verify other domain names that I own.  Once that step is complete, I can create accounts within Office 365 which use that domain name.  So, if I register and validate the domain CONTOSO.COM in my Office 365 tenant, I can then create an account called bob@contoso.com.  In this case, if I need to share a site with an external user that does not already have a Microsoft account (and is not interested in getting one, even though they're free and really easy to register) I can simply create an account for them in my tenant.  I can then send that user an email invitation to access their new account with the username and password that I choose for them.  Finally, I can share a site with that user account and they'll be able to access the site even though they do not have an Office 365 license.  Please see below for some interesting controls (or lack thereof) around this scenario.

Sharing a Site
You may share a site with external users at the site collection level only.  So, if you share a top level site collection, external users will gain access to all subsites, lists and libraries below it as well.  This is accomplished by clicking the Share button in the top right corner of the Office 365 page.


The following window will then appear, where you can enter either the email address of their Microsoft account or the user name from the Office 365 tenant which represents the user's account.


Notice on the left side of the window you can also see who the site is currently shared with by clicking none other than Shared with.

If I access this same Share button from a subsite, I can share the site collection with an external user from there as well, but notice the message which appears at the top of the new window letting us know that sharing the subsite will also give the external user access to the site collection.


Once I enter the user name or email address and an email invitation message for the external user, they will receive an email with a link to the site.  When they click that link, they will be taken to a page that allows them to choose how they wish to log in, where they can choose either an organizational account or their Microsoft account.


Security Note: When you share a site collection with an external authenticated user and you select to give them the ability to view and edit content, that user is made a member of the Members group within the site collection.  This means they have Contribute rights on the entire site collection.  It also means that they are now able to share the site collection with other authenticated users.  That can be a useful feature for them, but it can also pose security risks.

  • Fortunately, if they try to share a site with another external user, they will be prevented from doing so and an error message will appear.

  • If they try to share with other internal authenticated users, they are permitted to do this, but a request is first sent to the site owners group for approval, before those internal users are actually given access.

It's typically recommended that if you're going to share sites in this way, you create a separate site collection within your Office 365 tenant specifically for sharing with external users and ensure that no sensitive content is placed within that site collection.

Sharing a Document
You may also share individual documents with external users, however I do find the experience for the user is not ideal.  When a user receives a sharing invitation to a document, clicking the link in the sharing email invitation simply opens the document in the web browser.  The user does not get to navigate through the SharePoint site to access the document.  Once again, to do this you must select the document and then click Share.


You can also share a document by clicking the ... on a document and selecting Share from the window that appears.  Once Share in either location is clicked, the following window will then appear:


Notice the extra options available in the dialog:
  • Require sign-in option
  • Get a Link option
The Require sign-in option does just that: it requires a user to sign in when they access a document through a shared link.

See below for more information on the Get a link option.


Sharing a Site with Anonymous Users
Sites can only be shared with authenticated users.  They cannot be shared anonymously with external users.

Only documents can be shared anonymously with external users.  Once anonymous access is enabled for a site collection, as shown above, a document is shared anonymously through the same Share process used to share a document with authenticated users.

Once in the Share window, click the Get a link option and the following dialog will appear:


Clicking CREATE LINK either within the View Only section or the Edit section will then display links that you can email to users in order to enable them to access this document without having to log in.


If you wish to enable external users only to view a document without logging in, then email them only the link under View Only.  If you wish to enable external users to view and edit a document without logging in, then email them the link under Edit.  A few other capabilities within this window are:

  • In this window, you can also click the Mobile phone icon beside each link, which will give you a QR code that you can send to users enabling them to easily open this document on their mobile phone.
  • Finally, you can also disable links to specific documents within this window through the disable link.


Security Note: It's important to understand that by sharing documents anonymously through links like this, any external user that has the link can access the document.  So, if an external user inadvertently or maliciously forwards an email with such a link to another external user, that user will also be able to view or edit the document without having to log in.  As a result, it is important to limit the external users with which documents are shared, and to ensure that these anonymous links get reviewed on a regular basis and disabled once external users no longer have a need to access the documents.  This should be part of your information governance policies.

Overall, sharing sites and information with external users is much simpler in Office 365 than it has ever been, and Microsoft has provided some great security controls around this capability to ensure that sharing occurs in a secure and controlled way.

   -Antonio


Thursday, September 10, 2015

Office 365 Alternatives to SharePoint Mail Enabled Libraries

I get this question a lot from clients: how can I use mail enabled libraries in Office 365?  As you know, mail enabled libraries are not supported in Office 365.  Microsoft’s reasoning behind it is the following:

Mail-enabled lists create contact objects in AD. Since SharePoint Online is a multi-tenant environment, this functionality would cause a large increase in traffic, which in turn would cause performance issues for all customers.  This functionality is currently disabled due to the performance concerns, as well as security, data requirement, legal compliance and scalability concerns.

Never say never; however, due to the nature of mail enabled libraries, as described in this Microsoft message, I suspect that they are not scheduled to be supported in Office 365 for a very long time.  As such, I have been looking at alternatives, and the following are 2 alternatives that I would recommend are worth considering.

Site Mailboxes
A site mailbox is a central email account that is accessed from a SharePoint site.  A team may choose to use a site mailbox to gather relevant team email conversations or collaborate on composing an important email message.  A team may also find it helpful to share important documents securely by using a site mailbox.  Once a site mailbox is set up for a site, a new email account is created that uses the name of the site.  For example, if you have a team site that uses the URL http://contoso.sharepoint.com/HRSite, the email address for that site mailbox will be HRSite@contoso.sharepoint.com.  You can of course email or CC that address in order to have email stored within the Site Mailbox, as you could with mail enabled libraries.  Everyone who has Contribute permissions to your site will be able to open the site mailbox and view those messages.  Then, for example, a few months from now when another team member is trying to recall what information went into a particular decision, that team member can open the site mailbox, search through the mail captured in that account, and see the history of the issue.

When storing a team’s documents on a SharePoint site, you can leverage the Site Mailbox app to share those documents with those who have site access.  You can view a site mailbox in Outlook, and when doing so users will see a list of all the documents in that site’s document libraries. Site mailboxes will display the same list of documents to all users, so some users may see documents they do not have access to open.  If you’re using Exchange, your documents can also appear in an Outlook folder, which makes it easy to forward documents to others.

The following are a couple of good articles about site mailboxes:



All this said, there have been some issues found with site mailboxes (see here for more info) so Microsoft has introduced an alternative to site mailboxes in the last year called Office 365 Groups which I'll talk about further down.

From a licensing perspective, your Office 365 plan must include SharePoint Online and Exchange Online.  Site mailboxes require that users have both SharePoint and Exchange licenses.  The site mailbox feature is available across all Office 365 licenses.

If emails within a site mailbox must be secured, it’s important to note that Azure Rights Management (RMS) is not included but it can be purchased as a separate add-on in order to enable the supported IRM features within Site Mailboxes. Office 365 Message Encryption depends on Azure RMS.

Office 365 Groups
An Office 365 Group is a relatively new capability of Office 365 introduced over the last year.  It is a shared workspace for email, conversations, files, and calendar events where group members can quickly collaborate.  Microsoft has placed a lot of focus on making collaboration in Groups very quick and easy.

  • Users can subscribe to a group to receive group email, conversations and events in their email inbox, either in Outlook or in Outlook Web Access.  Subscribing is not enabled by default.  It can be enabled when creating a group, or on an already existing group when adding a new member.  As well, each member of a group can subscribe to or unsubscribe from a group depending on their needs.
  • A group contains a shared calendar, allowing group members to manage events and schedules for group members.  This is an Outlook/Exchange calendar; it's not a SharePoint calendar.  Groups includes some really good integration between the Group calendar and your personal Outlook calendar, so that you can easily add events that are on the group calendar to your personal calendar.
  • A group includes a shared OneNote notebook.
  • A group contains a OneDrive for Business page which allows users to easily store and access documents relevant to group members in 1 central location.
  • A group also integrates a Yammer conversation feed for the group members.

A group can be public or private. Public groups are open to everyone. If you just want to see what the group is doing, all the content and conversations of a public group are viewable.  If you wish to collaborate with a public group, you can join it and become a member. A private group is exclusive and open to its members only. The content and conversations are secure and not viewable by everyone. Teams choose a private group when concerned about security and privacy, such as confidential documents. Everyone can see the name of a private group, but information within the group is security-trimmed so it is not accessible from search, links, or in other ways if you are not a member of the group. Joining a private group requires approval from a group administrator.

Through the OneDrive for Business capabilities, you can share a file or folder with people outside your group and even outside your organization, like customers, partners, or clients. One goal of Office 365 Groups is to strike a balance between collaboration and making sure files are not shared inappropriately. Administrators can require that access requests are sent before granting permissions, which helps to control the sharing within an organization, and enable/disable external sharing.

The following videos provide a great introduction and deep dive to Office 365 Groups:



You can also learn more about Office 365 groups here:



From a licensing perspective, at time of launch Office 365 Groups were rolled out to all customers that have an Exchange Online or Office 365 commercial subscription. Eligible Office 365 plans include the Office 365 Enterprise E1–E4 subscription plans (including the corresponding A2–A4 and G1–G4 plans for Academic and Government customers, respectively), Office 365 Business Essentials and Business Premium plans, Office 365 Small Business, Small Business Premium and Midsize Business plans and Office 365 Kiosk plan.

   -Antonio