Managing guests in SharePoint

Being able to collaborate securely with external partners is one of the major benefits of M365. But finding your way through multiple layers of settings is not always straightforward. This article sets out the important considerations and walks you through the steps you need to take.

An organisation’s IT systems and files are located behind layers of protection, from the physical lock on the server room door to the firewalls and login credentials that secure shared drives on the corporate network. This ‘defence in depth’ approach is analogous to a castle with a moat, drawbridge, sturdy walls, and so on. It is very effective against external threats. However, the castle analogy is less accurate these days as the boundary around the organisation becomes ever more porous. It’s not just a matter of shutting out the unknown anymore. Employees expect to be able to collaborate with external partners and customers as a normal way of doing business.

The extensive collaboration features of Microsoft 365 should mean the days of sending email attachments back and forth are long gone. However, if you have responsibility for setting up external sharing in your environment, it’s not always easy to figure out what settings are available and how they interact with each other. This guide is designed to clear a path through the available options. It also highlights the importance of planning. Deciding how best to manage external guests and sharing permissions shouldn’t be attempted in an ad hoc manner. The considerations span governance, IT security and partner strategy and need to be thought through carefully. It’s worth bearing in mind that the default settings in M365 tend to favour openness and collaboration, rather than restrictions. You will need to be aware of potential implications for security and data protection compliance.

Part 1: Onboarding your external guest

Let’s start with getting your guest into Azure Active Directory (AAD). AAD is responsible for authentication when a user logs in to M365. You need to be an IT Global Admin to add your external business partners to AAD. The Admin adds their email address and creates a password. The guest then receives an email inviting them to join your domain as a guest.

Before you arrange that, you’ll need to check some organisation-wide settings in AAD. From the AAD Admin Center, go to External identities => external collaboration settings.

The key questions here are 1) do you want all employees (‘members’ of AAD) to be able to invite external guests? 2) do you want all guests to be able to invite other guests? 

Scroll down to see an option to enable one-time codes for authentication. If your guest’s organisation does not have AAD, and the guest doesn’t have a personal Microsoft Account (MSA), they will be prompted to authenticate using a one-time code sent to their email address (you can disable this).

Scroll further down to see the option to restrict invites to a list of the domains of your business partners. This could be a useful security measure. On the other hand, you might have problems further down the line if employees are confused about why a new partner can’t be invited. You might also have trouble remembering where this setting is (as is often the case with Microsoft portals)!
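The three settings discussed in Part 1 (who may invite guests, whether email one-time passcodes are allowed, and the allow/deny domain list) can also be reviewed as data rather than by clicking through the portal, which makes it easier to audit a tenant against the decisions you took during planning. The following Python is an added example, not code from the original article or from Microsoft. It assumes the input dictionaries follow the shape of the Microsoft Graph `authorizationPolicy` resource (`allowInvitesFrom`), the `email` authentication method configuration (`allowExternalIdToUseEmailOtp`) and the legacy `B2BManagementPolicy` domain list (`InvitationsAllowedAndBlockedDomainsPolicy`); the sample values below are constructed, so it runs offline without a tenant.

```python
"""Audit the Azure AD external-collaboration settings covered in Part 1.

Added example with constructed sample data. The dictionary shapes mirror
Microsoft Graph's authorizationPolicy and email authentication method
configuration, plus the legacy B2BManagementPolicy domain list (assumption:
field names as documented by Microsoft at the time of writing).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# authorizationPolicy.allowInvitesFrom -> (admins, members, guests) may invite.
INVITE_SCOPES: Dict[str, Tuple[bool, bool, bool]] = {
    "none": (False, False, False),
    "adminsAndGuestInviters": (True, False, False),
    "adminsGuestInvitersAndAllMembers": (True, True, False),
    "everyone": (True, True, True),
}


@dataclass
class GuestSettingsReport:
    members_can_invite: bool
    guests_can_invite: bool
    email_otp_enabled: bool
    allowed_domains: Tuple[str, ...]
    blocked_domains: Tuple[str, ...]
    findings: List[str] = field(default_factory=list)


def evaluate_guest_settings(authz_policy: dict, email_method_config: dict,
                            b2b_policy: Optional[dict] = None) -> GuestSettingsReport:
    """Answer the Part 1 questions from the raw policy objects and flag open settings."""
    scope = authz_policy.get("allowInvitesFrom")
    if scope not in INVITE_SCOPES:
        raise ValueError(f"unknown allowInvitesFrom value: {scope!r}")
    _admins, members, guests = INVITE_SCOPES[scope]

    # Graph reports "default", "enabled" or "disabled". Assumption: "default"
    # behaves as enabled, which matches the article ("you can disable this").
    otp_state = email_method_config.get("allowExternalIdToUseEmailOtp", "default")
    otp_enabled = otp_state != "disabled"

    domains = (b2b_policy or {}).get("InvitationsAllowedAndBlockedDomainsPolicy", {})
    allowed = tuple(domains.get("AllowedDomains") or ())
    blocked = tuple(domains.get("BlockedDomains") or ())
    if allowed and blocked:
        raise ValueError("an allow list and a deny list cannot both be set")

    findings = []
    if guests:
        findings.append("Guests can invite other guests; the tenant cannot control who they bring in.")
    if members and not allowed:
        findings.append("All members can invite guests and no partner-domain allow list is set.")
    if otp_enabled:
        findings.append("Email one-time passcodes are enabled: guests without AAD or an MSA can sign in.")
    return GuestSettingsReport(members, guests, otp_enabled, allowed, blocked, findings)


def invite_permitted_for(invitee_email: str, report: GuestSettingsReport) -> bool:
    """Apply the allow/deny domain list to a prospective guest's address."""
    domain = invitee_email.rsplit("@", 1)[-1].lower()
    if report.allowed_domains:
        return domain in {d.lower() for d in report.allowed_domains}
    return domain not in {d.lower() for d in report.blocked_domains}


# Constructed sample objects (not captured from a real tenant).
SAMPLE_AUTHZ_POLICY = {"id": "authorizationPolicy", "allowInvitesFrom": "everyone"}
SAMPLE_EMAIL_CONFIG = {"id": "Email", "state": "enabled",
                       "allowExternalIdToUseEmailOtp": "default"}
SAMPLE_B2B_POLICY = {"InvitationsAllowedAndBlockedDomainsPolicy": {
    "AllowedDomains": ["partner.example"], "BlockedDomains": []}}

if __name__ == "__main__":
    report = evaluate_guest_settings(SAMPLE_AUTHZ_POLICY, SAMPLE_EMAIL_CONFIG, SAMPLE_B2B_POLICY)
    for line in report.findings:
        print("-", line)
    print("alice@partner.example invitable:", invite_permitted_for("alice@partner.example", report))
```

In a real tenant the two Graph objects come from `GET /policies/authorizationPolicy` and `GET /policies/authenticationMethodsPolicy/authenticationMethodConfigurations/email`, and the domain list from the legacy B2B management policy; running the check after you settle your partner strategy gives you a record of the answers to the two key questions that you can re-run later, which also solves the "where was that setting?" problem.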
Part 2: set organisation-wide settings in M365