We need help configuring sharing with external users.

John McComb 1 Reputation point
2020-10-30T19:42:20.1+00:00

Current Situation
We are in the process of moving all our local file shares to the cloud using SharePoint and Teams. This is generally going well.
The SharePoint permissions at the tenant level are the most permissive, i.e. "Anyone with a link". Each individual site, with one exception, has more restrictive permissions, mostly "New and existing" or in some cases "Only people in your organization". We need to have one site with "Anyone with a link".
All users have Microsoft Office 365 E5 and EMS E3 licenses assigned.

The Problem
This Microsoft document seems to illustrate what we are currently experiencing.
Secure external sharing in SharePoint - SharePoint in Microsoft 365 | Microsoft Learn
https://learn.microsoft.com/en-us/sharepoint/what-s-new-in-sharing-in-targeted-release
If a user tries to share a document or folder within SharePoint using a browser they appear to get the Ad hoc external recipient option. The recipient receives an email and does have access but needs to request and enter a one-time passcode each time they connect.
We would like to have an Azure AD guest account created instead.
If we create a guest account for the recipient from within Azure AD before setting up sharing, then when a user selects Share from within SharePoint, that guest account is used. They then do not need to get a one-time passcode, access is controlled by Azure AD and they can edit in Word, etc. It also seems better for management and auditing.
The above Microsoft document notes that:
This article describes the current default one-time-passcode experience. However, we recommend that you enable SharePoint and OneDrive integration with Azure AD B2B which will ultimately replace this experience.
The above document also contains this link.
SharePoint and OneDrive integration with Azure AD B2B (Preview)
https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration-preview
I tried the "Enable Email One-Time Passcode for guests (Preview), select Yes" step, but not the additional step of using the SharePoint Online Management Shell. In the first step, whether I choose Yes or No makes no difference.
The bottom line is that we would like the default experience when sharing from within SharePoint to be the creation of a guest account. Is this possible?
Changing the tenant-level permission to be more restrictive makes no difference, and in any event we need one "Anyone with a link" site.

Permissions
It seems desirable to us to use Microsoft Groups to manage access. I see comments online that using the "Ad hoc external recipient" option creates unique permissions, and they suggest that it also breaks permissions inherited from the Microsoft Group. Is this correct?

SharePoint

1 answer

  1. Jerry Xu-MSFT 7,956 Reputation points
    2020-11-02T06:50:35.603+00:00

    Hi, @John McComb ,

    First, even with the preview Email OTP feature, the external user still cannot be treated as a guest account which you created in Azure AD.

    Per my knowledge and test, if you want to opt in to the preview Email OTP feature, you will need to run the PowerShell cmdlet to get it to work. After that, once you share content with an account outside your organization, the recipient still receives an email and does have access, but needs to request and enter a one-time passcode each time they connect.

    After the user signs in, there will be an automatically created guest account in Azure AD that you can check. However, it is a guest account from OTP, which cannot be added to groups. The account will not appear in the people picker. You can view guest users who authenticate with one-time passcodes in the Azure portal by going to Azure Active Directory > Users.

    Reference: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/one-time-passcode

    You may open a service request or contact a SharePoint consultant for other possible solutions.


    If the answer is helpful, please click Accept Answer and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

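Added example, not code from either post and not a verbatim copy of Microsoft's documentation: the SharePoint Online Management Shell steps that the question skipped and the answer refers to, run from an admin workstation with the Microsoft.Online.SharePoint.PowerShell module installed. It records the tenant's current sharing state before changing it, opts the tenant in to the Azure AD B2B integration, keeps the tenant at "Anyone with a link" while restricting one site to "New and existing guests", and then reads the settings back. `<tenant>` and `<restricted-site>` are placeholders; the Azure AD side ("Enable Email One-Time Passcode for guests") is still set in the Azure portal, as the question describes, not by this shell.

```powershell
# Added example (not from the question or the answer). Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator
# account. <tenant> and <restricted-site> are placeholders.

# 1. Connect to the tenant admin site.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# 2. Record the current state before changing anything so the change is auditable
#    and can be reversed.
$before = Get-SPOTenant |
    Select-Object SharingCapability, EnableAzureADB2BIntegration, SyncAadB2BManagementPolicy
Write-Host "Tenant sharing settings before the change:"
$before | Format-List

# 3. Opt the tenant in to the Azure AD B2B integration (the SharePoint-side step
#    the question says was not performed). SyncAadB2BManagementPolicy keeps the
#    SharePoint allowed/blocked sharing domain lists aligned with the Azure AD
#    B2B collaboration policy, so one allow list is enforced in both places.
Set-SPOTenant -EnableAzureADB2BIntegration $true
Set-SPOTenant -SyncAadB2BManagementPolicy $true

# 4. Tenant stays at "Anyone with a link" (ExternalUserAndGuestSharing), as the
#    question requires, and one site is restricted to "New and existing guests"
#    (ExternalUserSharingOnly). A site can be more restrictive than the tenant,
#    never more permissive, which is why the tenant level has to stay open here.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing
Set-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/<restricted-site>" `
    -SharingCapability ExternalUserSharingOnly

# 5. Read the settings back and confirm the site is at the intended level.
Write-Host "Tenant sharing settings after the change:"
Get-SPOTenant |
    Select-Object SharingCapability, EnableAzureADB2BIntegration, SyncAadB2BManagementPolicy |
    Format-List
Get-SPOSite -Identity "https://<tenant>.sharepoint.com/sites/<restricted-site>" |
    Select-Object Url, SharingCapability
```

The "before" snapshot is worth keeping with the change ticket: if the behaviour described in the thread (one-time passcode prompts on every visit) persists afterwards, it shows whether the SharePoint-side flags were actually set or whether the remaining difference is on the Azure AD side, as the answer suggests.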
