There is a very nice feature in SharePoint Online called External Sharing. This feature gives the ability to share content from within a SharePoint site collection to users that have a Microsoft Account or have an account in another Office 365 tenant. Once content is shared the external user can access the content exactly the same way an internal user from within the tenant can. There are some limitations as to what external users can do, for instance they cannot have their own OneDrive.
So what is wrong with this concept? It sounds very nice and useful? And it certainly is…
Experience from different enterprise-size customers reveals demand for new and more granular functionality. As it is today, you can enable external sharing for the whole tenant, which essentially just enables you to switch it on for site collections in the tenant. You cannot differentiate external sharing on a more detailed level than a site collection.
Once the external sharing feature for a site collection is switched on, everybody can start sharing – and this means everybody… Any given user can share with external users just by typing in their e-mail.
This means that any user can pass on up to the same permission level that the user has on the item or site being shared. If you have contribute access, you can pass on contribute access. You can of course also choose to give only read access even though you have contribute access yourself, and it is of course not possible to provide the external user with a higher level of access than you have yourself. All is fine and it works as designed.
The issue arises in larger corporations where you would like to open up for sharing with external partners, but you would like to control exactly whom you give access to. The current solution in Office 365 is black and white: you give access to external users or you do not.
You cannot control the process in which you give access, and thereby you do not have the ability to approve the external users before they are given access to the content. Furthermore, there are no good ways to validate who is actually behind the e-mail. When you share with an external user, you have to trust Microsoft to handle the users for you. This is what federation is all about – trusting somebody else to handle users’ credentials, so you don’t have to :).
What I think everybody would like is to have an optional workflow that you can configure to handle the process when external users are invited and approved. This would give the flexibility that the enterprises need and at the same time give other tenant admins the freedom to let it be handled like it is today.
Another even more challenging aspect of the external users scenario is that an external user, once accepted and given access to SharePoint Online content, can share this content by inviting other external users. This is a challenge, because in larger corporations you could argue that the employees should act according to company policies and, with this loose form of governance, have internal policies that describe how external sharing should be handled by the employees. But these policies do not apply to people external to the company – obviously they could, by sending some form of disclaimer along with the invitation, but it is very hard to enforce and control.
The good thing is that you can always get an overview on site collection level of the users having external access and pending invites, but you cannot get it for the whole tenant. If you happen to be good with PowerShell, you can iterate all the site collections and get this information consolidated.
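The consolidation described above could look like the following. This is an added example, not code from the original post; it assumes the SharePoint Online Management Shell is installed, and the tenant name `contoso` and the output path are placeholders. It lists external users who have accepted an invitation; pending invitations are not included.

```powershell
# Added example: tenant-wide report of external users in SharePoint Online.
# Requires the SharePoint Online Management Shell and a SharePoint admin account.
$adminUrl = 'https://contoso-admin.sharepoint.com'  # placeholder tenant (assumption)
$outFile  = '.\external-users.csv'                  # placeholder output path (assumption)
$pageSize = 50                                      # largest page Get-SPOExternalUser returns

Connect-SPOService -Url $adminUrl

$report = @(foreach ($site in Get-SPOSite -Limit All) {
    $position = 0
    do {
        try {
            # External users are returned in pages, so walk them by position.
            $page = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $position `
                          -PageSize $pageSize -ErrorAction Stop)
        }
        catch {
            Write-Warning "Could not read $($site.Url): $($_.Exception.Message)"
            $page = @()
        }

        foreach ($user in $page) {
            [pscustomobject]@{
                SiteUrl           = $site.Url
                SharingCapability = $site.SharingCapability
                DisplayName       = $user.DisplayName
                InvitedAs         = $user.InvitedAs
                AcceptedAs        = $user.AcceptedAs
                # True when the invitation was redeemed with another account
                # than the address it was sent to.
                AccountMismatch   = ($user.InvitedAs -ne $user.AcceptedAs)
                InvitedBy         = $user.InvitedBy
                WhenCreated       = $user.WhenCreated
            }
        }
        $position += $page.Count
    } while ($page.Count -eq $pageSize)
})

$report | Sort-Object SiteUrl, InvitedAs |
    Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
"{0} external user entries written to {1}" -f $report.Count, $outFile
```

The `AccountMismatch` column is worth reviewing first, since it marks entries where the account that accepted the invitation is not the e-mail address the invitation was sent to.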
All in all it seems like the external user feature is a first version and there needs to be some further development to cater for the demand for control in larger corporations – some of them are required by compliance restrictions to know who has access to their content on a very granular level.
Let us hope that this is coming as part of the rapid evolution of Office 365 we have been witnessing the last couple of years. This would make all the consultants and enterprise corporations that would like to share content with business partners, but control exactly how and what they are sharing, very happy.

About the Author: Innofactor is one of the leading Nordic IT solution providers focused on Microsoft platforms. Innofactor delivers business critical solutions and maintenance services as a system integrator and develops its own software products and services. Innofactor’s customers include over 200 private and public sector organizations in Denmark. Innofactor delivers business critical Business Intelligence solutions, consulting and maintenance services. Innofactor offers a comprehensive range of solutions from the Microsoft ecosystem that create added value to customers’ businesses and improve their competitiveness. Solutions provided by Innofactor are based on its own products and services, on Microsoft platforms such as SharePoint, Dynamics CRM, Dynamics ERP, Project, SQL Server, Office 365, and Windows Azure, and on selected third party products.
For further information please visit our website www.innofactor.dk or contact +45 70 26 36 70