In almost every business it is necessary to let external partners and vendors collaborate on day-to-day work. In many cases the requirement is business-to-business collaboration only, such as sharing between two organizations, and that sharing is still a vital part of the business.
Setting up a classic external collaboration site on SharePoint on-premises was always a challenge for administrators. It required extensive orchestration: provisioning hardware or VM resources, hardening the servers, obtaining firewall access, and so on.
With Azure AD B2B in Office 365 the feature can be rolled out far more easily, with no additional server provisioning, no certificate requirement and simple administration. This greatly reduces the traditional deployment cost. Out of the box we get secure sharing, seamless collaboration, and much more detailed governance, auditing and reporting.
This article outlines the steps involved in planning external business-to-business sharing in SharePoint Online.
Configure External Authentication for Guest Users:
As an initial prerequisite we need to plan for the authentication and management of all guest users through Azure AD.
For accounts that are not Microsoft accounts, authentication is done with a one-time passcode sent to the guest's email address. Once the one-time passcode feature is enabled it applies to external sharing of files, folders, document libraries and sites. At the time of writing the one-time passcode feature is in preview and is intended to replace the ad-hoc sharing previously used by OneDrive and SharePoint in Office 365.
Below are the key points to know before enabling Azure AD B2B:
- MFA can be enforced for B2B-invited guest users.
- If Google federation is configured in the Azure AD tenant, federated Google users can access the SharePoint and OneDrive resources shared with them.
- Sharing can be controlled at a much more granular level, subject to the organization's settings.
Follow the steps below to enable one-time passcode authentication:
Log in to the Azure portal, navigate to Azure Active Directory, open the organizational relationship settings, and turn on "Enable Email One-Time Passcode for guests".
There are a few other options on the same page for controlling guest user permissions; apply them according to your requirements.
With the one-time passcode enabled, we next need to integrate SharePoint Online and OneDrive with Azure AD B2B so that these workloads use it. This is done with the following two commands in the SharePoint Online Management Shell:
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true
Verify that both properties now read back as True before continuing; if the B2B integration is not enabled, guests will still be handled by the legacy ad-hoc sharing path.
With authentication configured, the extranet site itself can be created in a few clicks.
1) Create an external business-sharing site in SharePoint Online (this site will be used for sharing between the tenants)
On the Active sites page of the new SharePoint admin center, select Create, then select Other options.
Select More templates.
Choose Team site (classic experience).
Provide a title and URL name for the site being created.
There are a few other options, such as time zone, administrator, storage quota and server resource quota, which can be set according to your requirements.
Now the sharing capability needs to be enabled. It is controlled in two places: at the organization (tenant) level and at the site level, and a site can never be more permissive than the tenant setting.
The first step is to enable it at the organization level.
Log in to the Office 365 portal and search for "external" to reach the sharing settings.
Choose the option "New and existing guests". This allows sharing only with guests who sign in or are invited; anonymous "Anyone" links remain disabled.
A few other options can be controlled from the SharePoint admin center.
Sharing can be further restricted to a list of selected partner domains.
Guest permissions must also be chosen according to the business requirement.
Choose the first option, which applies to invited guest users. The other option limits who may share externally to the members of selected security groups, which is the least-privilege choice when only a few people should be able to invite partners.
Finally, navigate to the site itself, where its own sharing level can be set.
Here, too, select "New and existing guests" so that the site inherits the same restriction as the tenant.
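The whole configuration above (B2B integration, tenant sharing policy, domain allow list, classic site creation and the site-level sharing setting) can be scripted and verified from the SharePoint Online Management Shell. The block below is an added example and is not code from the original article; the tenant name "contoso", the partner domain "fabrikam.com", the site URL and the owner account are placeholder assumptions, and the Azure AD "Email one-time passcode for guests" switch is assumed to have already been turned on in the portal as described earlier.

```powershell
# Added example: script the tenant and site configuration for Azure AD B2B guest sharing.
# Placeholders (assumptions, replace with your own): tenant "contoso", partner domain
# "fabrikam.com", site URL and owner UPN. Requires the SharePoint Online Management Shell
# and a SharePoint administrator account.

$AdminUrl    = "https://contoso-admin.sharepoint.com"          # assumed tenant admin URL
$SiteUrl     = "https://contoso.sharepoint.com/sites/PartnerExtranet"  # assumed site URL
$SiteOwner   = "siteadmin@contoso.com"                         # assumed site owner UPN
$PartnerDoms = "fabrikam.com"                                   # assumed partner domain(s), space-separated

Connect-SPOService -Url $AdminUrl

# 1. Hand guest authentication to Azure AD B2B (one-time passcode for non-Microsoft accounts).
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true

# 2. Tenant-level sharing policy: "New and existing guests" (ExternalUserSharingOnly means
#    an invitation and sign-in are required; anonymous links stay disabled). The domain
#    allow list and the "accepting account must match invited account" check limit who can
#    redeem an invitation, and Direct links avoid handing out broader "people in org" links.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList $PartnerDoms `
              -RequireAcceptingAccountMatchInvitedAccount $true `
              -DefaultSharingLinkType Direct

# 3. Create the classic team site (template STS#0) that will host the extranet, if absent.
#    StorageQuota is in MB; TimeZoneId 13 is (UTC) Dublin, Edinburgh, Lisbon, London.
if (-not (Get-SPOSite -Identity $SiteUrl -ErrorAction SilentlyContinue)) {
    New-SPOSite -Url $SiteUrl -Owner $SiteOwner -Title "Partner Extranet" `
                -Template "STS#0" -StorageQuota 1024 -ResourceQuota 0 -TimeZoneId 13
}

# 4. Site-level sharing: set explicitly so it cannot drift above the tenant policy.
Set-SPOSite -Identity $SiteUrl -SharingCapability ExternalUserSharingOnly

# 5. Verification: read everything back and flag anything that did not take effect.
$tenant = Get-SPOTenant
$site   = Get-SPOSite -Identity $SiteUrl
$checks = [ordered]@{
    "Tenant.EnableAzureADB2BIntegration"  = ($tenant.EnableAzureADB2BIntegration -eq $true)
    "Tenant.SyncAadB2BManagementPolicy"   = ($tenant.SyncAadB2BManagementPolicy -eq $true)
    "Tenant.SharingCapability"            = ($tenant.SharingCapability -eq "ExternalUserSharingOnly")
    "Tenant.SharingDomainRestrictionMode" = ($tenant.SharingDomainRestrictionMode -eq "AllowList")
    "Tenant.SharingAllowedDomainList"     = ($tenant.SharingAllowedDomainList -eq $PartnerDoms)
    "Site.SharingCapability"              = ($site.SharingCapability -eq "ExternalUserSharingOnly")
}
$checks.GetEnumerator() | ForEach-Object {
    "{0,-40} {1}" -f $_.Key, $(if ($_.Value) { "OK" } else { "MISMATCH" })
}

# 6. Audit: list the guests who currently hold access on the extranet site.
Get-SPOExternalUser -SiteUrl $SiteUrl -PageSize 50 |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated
```

Run the script once after the portal steps, then re-run only the verification and audit sections (steps 5 and 6) as a periodic check. Note that once B2B integration is on, invited guests are also created as guest objects in Azure AD, so the Azure AD guest user list is the authoritative inventory; the Get-SPOExternalUser output shows only what is visible from the SharePoint side.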
With the organization-level settings in place, we can test the behaviour from the site admin side.
Navigate to the site with site admin privileges and create a folder to share with the partner.
While sharing the folder with the external partner, an informational message is displayed confirming that the recipient is outside the organization.
The guest user receives an invitation email containing a link to the shared folder.
The guest signs in with the account the invitation was sent to; the invitation can only be redeemed by that address. If that address is not backed by a Microsoft or Azure AD account, the guest is challenged for a verification code, which is sent to the same email account (the one-time passcode).
This feature lets the administrator meet the business requirement with simple operation and no additional resource cost, while keeping tight control over external users through auditing and reporting.