SharePoint Online External Sharing Demystified (Part 2): Allow sharing only with the external users that already exist in your organization's directory

Hi, this is the 2nd of 4 blogs on SharePoint Online External Sharing of sites.

The settings in the screenshot below are accessible to a Global admin OR a SharePoint Admin (meaning someone who has been granted access to the SharePoint Admin center BY a Global Admin). The location is as follows: O365 Portal >> SharePoint admin >> Sharing

Once this option is selected, the next screen pops up as a reminder that SharePoint site collections also have individual sharing settings that you can set. These SharePoint site collection settings RESPECT the settings of the SharePoint Admin Center. So this is only a reminder: click OK to proceed, knowing that any site collections that previously had sharing settings enabled will be re-activated, since you are activating sharing at the SharePoint Admin center level.

Now, I'd like to talk a bit about these site collection specific sharing settings, because if you don't set them in line with your SharePoint admin settings, you could waste a lot of time trying to figure out why your settings in the Admin center are not taking effect. These site collection settings are also set in the SharePoint Admin center, but they are located here: O365 Portal >> SharePoint Admin >> Site Collections. Then you would click on a specific site collection and click on the 'Sharing' icon.

This then brings up an additional set of Sharing settings that look exactly like the SharePoint admin settings except they apply specifically to a site collection.

NOTE: Now here is where it can get confusing. If your SharePoint Admin center is set to anything other than 'Don't allow sharing outside your organization' BUT your site collection is set to the setting you see above, when you go to share the site collection, you will experience Scenario 1 from my previous blog. You will NOT be able to share it. I wasted a lot of time one late night trying to figure out why I could not share a site, because I had set my SharePoint Admin settings to 'Allow sharing only with the external users that already exist in your organization's directory'; then I discovered my site collection specific sharing settings were set to a lower setting. Those lower settings of the site collection ARE RESPECTED over the SharePoint Admin settings.
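The mismatch described in the note can be spotted in bulk instead of site by site. The following is an added example, not part of the original post: it ranks the `SharingCapability` values used by the SharePoint Online Management Shell and reports, for each site collection, the level that actually applies (the more restrictive of tenant and site). The `Get-EffectiveSharing` function name and the contoso URLs are made up for illustration, and the sample objects are constructed so the script runs without a tenant connection.

```powershell
# Added example. Rank the SharingCapability values from most to least restrictive.
$rank = @{
    Disabled                        = 0  # Don't allow sharing outside your organization
    ExistingExternalUserSharingOnly = 1  # Only external users already in the directory
    ExternalUserSharingOnly         = 2  # New and existing external users
    ExternalUserAndGuestSharing     = 3  # Anyone, including anonymous links
}

# Hypothetical helper: compares each site's setting with the tenant setting.
function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)] [string]   $TenantCapability,
        [Parameter(Mandatory)] [object[]] $Sites
    )
    foreach ($site in $Sites) {
        $siteCap = [string]$site.SharingCapability
        # The more restrictive of the two levels is what users actually get.
        $effective = if ($rank[$siteCap] -lt $rank[$TenantCapability]) { $siteCap } else { $TenantCapability }
        [pscustomobject]@{
            Url       = $site.Url
            Site      = $siteCap
            Tenant    = $TenantCapability
            Effective = $effective
            Mismatch  = ($siteCap -ne $TenantCapability)
        }
    }
}

# Constructed sample data. Against a real tenant, use instead:
#   Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
#   $tenantCap = (Get-SPOTenant).SharingCapability
#   $sites     = Get-SPOSite -Limit All
$tenantCap = 'ExistingExternalUserSharingOnly'
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/projects'; SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/legacy';   SharingCapability = 'ExternalUserAndGuestSharing' }
)

Get-EffectiveSharing -TenantCapability $tenantCap -Sites $sites | Format-Table -AutoSize

# To bring one site in line with the tenant setting (real tenant only):
#   Set-SPOSite -Identity <site url> -SharingCapability ExistingExternalUserSharingOnly
```

In the sample output, the `projects` site shows `Effective = Disabled` even though the tenant allows existing external users, which is the situation the note describes.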

So, after I set my site collection sharing settings to match my SharePoint Admin settings of 'Allow sharing only with the external users that already exist in your organization's directory', the following experience applies.

At this point, even if a site owner tries to share the site with an external user, it will not work per the setting, because the external user has not been added to Azure AD yet. So the site owner will receive this screen.

I then proceeded to add the external account to Azure AD.

The external user must then accept the email invitation as seen below.

As a global admin, I verified that the external Hotmail account is now in Azure AD as well as the O365 portal.

NOTE: As a side note, if you delete a user from Azure AD, it automatically deletes them from the O365 portal.

Now, when the site owner shares a site with the external user, you will still see that the user is not found. Just proceed to send the invite; it will work.

This next screen validates my statement. The site owner will see a notification that displays a message 'Shared with: whomever@hotmail.com'. From a SharePoint perspective, the user has been granted permissions to the site.

This final screen is what the external user sees when now trying to browse to the site. SUCCESS!!!