Secure external access to Microsoft Teams, SharePoint, and OneDrive with Azure Active Directory
Use this article to determine and configure your organization's external collaboration using Microsoft Teams, OneDrive for Business, and SharePoint. A common challenge is balancing security and ease of collaboration for end users and external users. If an approved collaboration method is perceived as restrictive and onerous, end users evade the approved method. End users might email unsecured content, or set up external processes and applications, such as a personal DropBox or OneDrive.
External Identities settings and Azure Active Directory
Sharing in Microsoft 365 is partially governed by the External Identities, External collaboration settings in Azure Active Directory (Azure AD). If external sharing is disabled or restricted in Azure AD, it overrides sharing settings configured in Microsoft 365. An exception is if Azure AD B2B integration isn't enabled. You can configure SharePoint and OneDrive to support ad-hoc sharing via one-time password (OTP). The following screenshot shows the External Identities, External collaboration settings dialog.
Guest user access
Guest users are invited to have access to resources.
- Go to the Azure Active Directory admin center.
- Select All Services.
- Under Categories, select Identity.
- From the list, select External Identities.
- Select External collaboration settings.
- Find the Guest user access option.
To prevent guest-user access to other guest-user details, and to prevent enumeration of group membership, select Guest users have limited access to properties and memberships of directory objects.
Guest invite settings
Guest invite settings determine who invites guests and how guests are invited. The settings are enabled if the B2B integration is enabled. It's recommended that administrators and users, in the Guest Inviter role, can invite. This setting allows setup of controlled collaboration processes. For example:
Team owner submits a ticket requesting assignment to the Guest Inviter role:
- Responsible for guest invitations
- Agrees to not add users to SharePoint
- Performs regular access reviews
- Revokes access as needed
The IT team:
- After training is complete, the IT team grants the Guest Inviter role
- To enable access reviews, assigns Azure AD P2 license to the Microsoft 365 group owner
- Creates a Microsoft 365 group access review
- Confirms access reviews occur
- Removes users added to SharePoint
- Select Email one-time passcodes for guests.
- For Enable guest self-service sign up via user flows, select Yes.
For the Collaboration restrictions option, the organization's business requirements dictate the choice of invitation.
- Allow invitations to be sent to any domain - any user can be invited
- Deny invitations to the specified domains - any user outside those domains can be invited
- Allow invitations only to the specified domains - any user outside those domains can't be invited
External users and guest users in Teams
Teams differentiates between external users (outside your organization) and guest users (guest accounts). You can manage collaboration setting in the Teams Admin portal under Org-wide settings. Authorized account credentials are required to sign in to the Teams Admin portal.
- External Access - Teams allows external access by default. The organization can communicate with all external domains
- Use External Access setting to restrict or allow domains
- Guest Access - manage guest access in Teams
The External Identities collaboration feaure in Azure AD controls permissions. You can increase restrictions in Teams, but restrictions can't be lower than Azure AD settings.
- Manage external meetings and chat in Microsoft Teams
- Microsoft 365 identity models and Azure AD
- Identity models and authentication for Microsoft Teams
- Sensitivity labels for Microsoft Teams
Govern access in SharePoint and OneDrive
SharePoint administrators can find organization-wide settings in the SharePoint admin center. It's recommended that your organization-wide settings are the minimum security levels. Increase security on some sites, as needed. For example, for a high-risk project, restrict users to certain domains, and disable members from inviting guests.
- SharePoint admin center - access permissions are required
- Get started with the SharePoint admin center
- External sharing overview
Integrating SharePoint and OneDrive with Azure AD B2B
As a part of your strategy to govern external collaboration, it's recommended you enable SharePoint and OneDrive integration with Azure AD B2B. Azure AD B2B has guest-user authentication and management. With SharePoint and OneDrive integration, use one-time passcodes for external sharing of files, folders, list items, document libraries, and sites.
- Email one-time passcode authentication
- SharePoint and OneDrive integration with Azure AD B2B
- B2B collaboration overview
If you enable Azure AD B2B integration, then SharePoint and OneDrive sharing is subject to the Azure AD organizational relationships settings, such as Members can invite and Guests can invite.
Sharing policies in SharePoint and OneDrive
In the Azure AD admin center, you can use the External Sharing settings for SharePoint and OneDrive to help configure sharing policies. OneDrive restrictions can't be more permissive than SharePoint settings.
Learn more: External sharing overview
External sharing settings recommendations
Use the guidance in this section when configuring external sharing.
- Anyone - Not recommended. If enabled, regardless of integration status, no Azure policies are applied for this link type.
- Don't enable this functionality for governed collaboration
- Use it for restrictions on individual sites
- New and existing guests - Recommended, if integration is enabled
- Azure AD B2B integration enabled: new and current guests have an Azure AD B2B guest account you can manage with Azure AD policies
- Azure AD B2B integration not enabled: new guests don't have an Azure AD B2B account, and can't be managed from Azure AD
- Guests have an Azure AD B2B account, depending on how the guest was created
- Existing guests - Recommended, if you don't have integration enabled
- With this option enabled, users can share with other users in your directory
- Only people in your organization - Not recommended with external user collaboration
- Regardless of integration status, users can share with other users in your organization
- Limit external sharing by domain - By default, SharePoint allows external access. Sharing is allowed with external domains.
- Use this option to restrict or allow domains for SharePoint
- Allow only users in specific security groups to share externally - Use this setting to restrict who shares content in SharePoint and OneDrive. The setting in Azure AD applies to all applications. Use the restriction to direct users to training about secure sharing. Completion is the signal to add them to a sharing security group. If this setting is selected, and users can't become an approved sharer, they might find unapproved ways to share.
- Allow guests to share items they don’t own - Not recommended. The guidance is to disable this feature.
- People who use a verification code must reauthenticate after this many days (default is 30) - Recommended
Access controls setting affect all users in your organization. Because you might not be able to control whether external users have compliant devices, the controls won't be addressed in this article.
- Idle session sign-out - Recommended
- Use this option to warn and sign out users on unmanaged devices, after a period of inactivity
- You can configure the period of inactivity and the warning
- Network location - Set this control to allow access from IP addresses your organization owns.
- For external collaboration, set this control if your external partners access resources when in your network, or with your virtual private network (VPN).
File and folder links
In the SharePoint admin center, you can set how file and folder links are shared. You can configure the setting for each site.
With Azure AD B2B integration enabled, sharing files and folders with users outside the organization results in the creation of a B2B user.
- For Choose the type of link that's selected by default when users share files and folders in SharePoint and OneDrive, select Only people in your organization.
- For Choose the permission that's selected by default for sharing links, select Edit.
You can customize this setting for a per-site default.
Enabling Anyone links isn't recommended. If you enable it, set an expiration, and restrict users to view permissions. If you select View only permissions for files or folders, users can't change Anyone links to include edit privileges.
See the following articles to learn more about securing external access to resources. We recommend you follow the listed order.