Azure B2B /SharePoint extranet question regarding restricting B2B extranet guests from multiple companies to each's data

Tom Sweet 101 Reputation points
2022-08-16T16:46:58.223+00:00

TL;DR - easily locking down content per guest user.

I followed this page and everything works as the document shows -> Collaborate with guests in a site | Microsoft Learn

As we will have multiple guests uploading potentially sensitive content from competing businesses, I need to find a way to lock each folder so that each "guest", who is also now in AD as a member of the Extranet site, only has permissions to documents the guest has uploaded or has explicitly been granted access to. As our IT department is small, we really want this to be a self-service action on the part of the internal users, where they can follow steps to enable access. IT cannot walk each department through this each time a file is shared or a candidate needs to upload some data. Overall, my experience with end users is that they take the easiest path, not necessarily the most secure path.

As it is set up now, all guests granted access through B2B have edit/contribute rights to the site. I want them to only have access to specific items. I tried removing inherited permissions, but then when sharing with a B2B guest, I could not, because external sharing is not permitted (per a setting I have).

What I really would like is to share a file, not the whole site. I am trying to wean the company off of "DropBox" but if it is not a similar experience for them, I will run into cultural challenges. The question I am being asked at my office is, "..and we need to do it this way instead of Dropbox why?"

What I want to do is have several guest users in the extranet, but limit their access to specific files in the extranet.

What I then did is go to a folder in the extranet, right-click and select Manage Access, and remove Extranet Members, which removed access, which is fine. But I cannot then specifically share it with the guest user, as my policies don't allow sharing with external people outside the org. If you are still with me: it was already shared with the guest user and the guest had access to the whole extranet, but now removing perms and trying to add the guest to one thing does not work.

Do I need to create a separate extranet for every single client? Extranet_client1 ... Extranet_client50. This will be a mess and will make IT the bottleneck, and until I get Microsoft Defender for Cloud, I won't easily be able to block Dropbox.

I suppose I can create a PowerShell script to do this, but I can't be the only one who needs to do something like this. I don't want anonymous access - I would like to use the B2B feature.

Any ideas?

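One way to script the per-folder lock-down the question describes (break inheritance, drop Extranet Members, grant only the guest), as an added example using PnP.PowerShell; it is not code from the question or the answers. The site URL, library name, folder path and guest address are placeholders, and it assumes the guest is already a B2B member of the extranet site and that the site's sharing setting allows existing guests, since a direct role grant does not go through the sharing dialog that the policy blocks.

```powershell
# Added example (not from the question or answers): lock one client
# folder to one B2B guest with PnP.PowerShell instead of clicking through
# Manage Access for every folder.
# Assumptions: PnP.PowerShell is installed, the caller is a site owner,
# the guest is already a member of the extranet site, and the site's
# external-sharing setting permits existing guests.
param(
    [Parameter(Mandatory)] [string] $SiteUrl,      # placeholder: https://<tenant>.sharepoint.com/sites/Extranet
    [Parameter(Mandatory)] [string] $ClientFolder, # site-relative, e.g. "Shared Documents/ClientA"
    [Parameter(Mandatory)] [string] $GuestEmail,   # the guest's e-mail as it appears in the site's members
    [string] $LibraryName = "Documents"            # library title (assumed default name)
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# Create the client folder if it does not exist yet (idempotent).
$folder = Resolve-PnPFolder -SiteRelativePath $ClientFolder

# Break inheritance and remove every inherited assignment, including the
# "Extranet Members" edit-everything default; then grant only the guest.
# -ClearExisting wipes all role assignments on the folder first.
Set-PnPFolderPermission -List $LibraryName -Identity $ClientFolder `
    -User $GuestEmail -AddRole "Contribute" -ClearExisting

# -ClearExisting also removed the site owners, so give IT back Full
# Control on the folder; site collection admins keep access regardless.
$owners = Get-PnPGroup -AssociatedOwnerGroup
Set-PnPFolderPermission -List $LibraryName -Identity $ClientFolder `
    -Group $owners.Title -AddRole "Full Control"

# Audit: print who now holds a role on the folder. Anything beyond the
# guest and the owner group means the lock-down did not take effect.
$item = Get-PnPProperty -ClientObject $folder -Property ListItemAllFields
$assignments = Get-PnPProperty -ClientObject $item -Property RoleAssignments
foreach ($ra in $assignments) {
    $member = Get-PnPProperty -ClientObject $ra -Property Member
    $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings
    "{0,-60} {1}" -f $member.Title, (($roles | ForEach-Object Name) -join ", ")
}
```

Run the audit section on its own periodically to catch folders where someone re-added Extranet Members or re-inherited permissions.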

3 answers

  1. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2022-08-17T02:55:44.737+00:00

    Hi TomSweet,
    Have you looked into using Microsoft Information Protection/Purview for this purpose?
    You would have the ability to apply sensitivity tags and more controls on specific sharepoint and/or onedrive folders.

    reference:
    sensitivity-labels-sharepoint-onedrive-files


  2. Tom Sweet 101 Reputation points
    2022-08-19T13:28:53.27+00:00

    Thank you for the reply @David Broggy. Let me make sure I understand. Let's say I have 20 vendors and one extranet site; is the idea to have the end users:

    1. Submit a new help desk ticket to add a custom classification for each client/partner they work with.
    2. Have admins create a new label in Purview for each client. So, in addition to public, proprietary, private and restricted, we would have client1, client2, ... client20...
    3. Ensure end users know to select the new classification among the existing classifications and new ones. There could be one for each client, in addition to internal ones. End users struggle today with Microsoft Authenticator and password managers - that is the reality of working with those outside of development teams.
    4. Run some sort of regular scan to somehow determine if any classification setting was missing or wrong.

    If this is the ask, it is not a viable solution for most people. It might work if it was only internal vs. external, but the need is several competing clients uploading proposals/bids to one extranet. The only solution I can think of is having IT create a separate extranet for each client, which puts IT as the bottleneck. Another option would be to create an Azure App Service that allows someone to upload files and send them over.

    I can't be the only person in the world that needs this.


  3. David Broggy 6,371 Reputation points MVP Volunteer Moderator
    2022-08-19T23:50:02.9+00:00

    Hey Tom,
    Have you looked into Azure External Identities? (Azure AD > External Identities)
    Sounds like this (new) feature was built for exactly your purpose.
    I've seen a lot of activity about this feature in the forums, so it may not be perfect yet, but hopefully it will get better over time.

    external-identities-overview

    There's also the new Microsoft Entra which will help with precisely tracking all of those new accounts and roles.

    entra.microsoft.com

