This post is part of the overall MS-700 Exam Study Guide. Links to each topic as they are posted can be found here.
In this section I will go through the following topics relating to configuring and managing external and Guest Users in Microsoft Teams.
- Configure SharePoint and OneDrive organizational level sharing settings
- Manage external file sharing setting for OneDrive users
- Manage external file sharing setting for SharePoint sites
- Manage external access-federated domains
In this section of the External and Guest user topic, I look specifically at external sharing configuration for Teams.
Configure SharePoint and OneDrive organizational level sharing settings
As I’ve detailed before in this guide, Teams does not operate in a silo. It relies on other parts of the Microsoft 365 platform for file sharing (SharePoint / OneDrive) and mail / calendaring (Exchange Online). With that in mind, the SharePoint and OneDrive external sharing settings set the upper bound for file sharing from Teams. Specifically, files shared from within a Teams channel (or private channel) are shared from the SharePoint site of the Team’s Microsoft 365 Group, and files shared in chat or meetings are shared from the sharing user’s OneDrive.
The SharePoint Online organizational sharing settings control the level of external sharing available in the tenant. In the SharePoint Online Admin Center, under Policies -> Sharing, the levels for SharePoint and OneDrive are defined (Figure 1).
The settings can be defined separately for SharePoint and OneDrive (Note: OneDrive cannot be less restrictive than SharePoint) and the levels of sharing available are:
- Anyone: Allows “Anyone” (anonymous) links that require no sign-in, so files can be shared with any external recipient
- New and existing guests: External recipients must sign in or enter a one-time verification code and become guests in the tenant; the sharing user can still invite people who are not yet guests
- Existing guests: External recipients must already be guests in the tenant; users cannot share with anyone who has not previously been invited
- Only people in your organization: No external sharing is allowed
Note: These settings can also be defined on a per-site level
In addition to the high-level sharing settings, the controls below can be configured from the More external sharing settings section as shown in Figure 2:
- Limit external sharing by domain – Restrict which external domains can be shared with (allow list or block list). This can also be set on a per-site level
- Allow only users in specific security groups to share externally – Restrict external sharing to the members of specific security groups
- Guests must sign in using the same account to which sharing invitations are sent – Does not apply to Anyone links; when an invitation is sent to an external address, the guest must redeem it with that same account
- Allow guests to share items they don’t own – Does not apply to Anyone links; when unchecked, guests cannot re-share items that were shared with them
- Guest access to a site or OneDrive will expire automatically after this many days – Removes a guest’s access after the configured number of days
- People who use a verification code must reauthenticate after this many days – External users who authenticate with a one-time verification code (not Azure AD guest accounts) must reauthenticate after the configured number of days
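The same tenant-level settings from Figures 1 and 2 can be applied with the SharePoint Online Management Shell. The block below is an added example and is not from the original post; it assumes a tenant named contoso and a single partner domain fabrikam.com, and it picks “New and existing guests” for SharePoint so that the domain restriction is actually enforced (it has no effect on Anyone links). The “Allow only users in specific security groups to share externally” control is left to the admin center here. Read the settings back with Get-SPOTenant afterwards to confirm the effective values.

```powershell
# Added example: tenant-wide external sharing settings via SharePoint Online PowerShell.
# Assumptions (not in the original post): tenant "contoso", allowed partner domain "fabrikam.com".
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Figure 1: tenant-wide level. UI label -> -SharingCapability value:
#   Anyone                           -> ExternalUserAndGuestSharing
#   New and existing guests          -> ExternalUserSharingOnly
#   Existing guests                  -> ExistingExternalUserSharingOnly
#   Only people in your organization -> Disabled
# Set SharePoint first, then OneDrive; OneDrive may not be less restrictive than SharePoint.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
Set-SPOTenant -OneDriveSharingCapability ExistingExternalUserSharingOnly

# Figure 2: "More external sharing settings", passed as one splatted hashtable.
$moreSharingSettings = @{
    SharingDomainRestrictionMode               = 'AllowList'    # Limit external sharing by domain
    SharingAllowedDomainList                   = 'fabrikam.com' # space-separated if more than one
    RequireAcceptingAccountMatchInvitedAccount = $true          # guests must redeem with the invited account
    PreventExternalUsersFromResharing          = $true          # "Allow guests to share items they don't own" unchecked
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = 60             # guest access to a site/OneDrive expires after 60 days
    EmailAttestationRequired                   = $true
    EmailAttestationReAuthDays                 = 15             # verification-code users reauthenticate after 15 days
}
Set-SPOTenant @moreSharingSettings

# Check: confirm what the tenant now reports rather than trusting the calls above.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    SharingDomainRestrictionMode, SharingAllowedDomainList,
    RequireAcceptingAccountMatchInvitedAccount, PreventExternalUsersFromResharing,
    ExternalUserExpirationRequired, ExternalUserExpireInDays,
    EmailAttestationRequired, EmailAttestationReAuthDays | Format-List
```

The final Get-SPOTenant is the useful part for an audit: run it on its own in a tenant you did not configure to see whether Anyone links are still possible (SharingCapability equal to ExternalUserAndGuestSharing) before relying on a domain allow list.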
Manage external file sharing setting for OneDrive users
OneDrive global sharing permissions are managed via the SharePoint admin center using the settings shown in Figure 1. The OneDrive sharing setting there applies to all OneDrive sites and cannot be less restrictive than the SharePoint setting. In addition to the global setting, a specific user’s OneDrive sharing level can be controlled from the OneDrive tab of the user’s account in the Microsoft 365 Admin Center as shown in Figure 3. The most restrictive setting applies, so if the tenant-wide setting is restricted the per-user setting cannot be less restrictive than it.
Manage external file sharing setting for SharePoint sites
The SharePoint Online global settings shown in Figure 1 control the level of sharing for the entire tenant. This can also be controlled on a per-site basis by selecting the site under Active sites in the SharePoint Admin Center and modifying the External sharing setting on its Policies tab, which provides the same options as the tenant-wide setting (Figure 4). A site cannot be more permissive than the tenant-wide level.
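Both the per-user OneDrive override (Figure 3) and the per-site override (Figure 4) come down to the same cmdlet, because a user’s OneDrive is itself a site collection on the -my host. The block below is an added example and not part of the original post; it assumes a tenant named contoso, a Team site called Partners, and a user alex@contoso.com, and finishes with an audit query that lists every site, OneDrives included, that still permits some form of external sharing.

```powershell
# Added example: per-site and per-user OneDrive sharing overrides with Set-SPOSite.
# Assumptions (not in the original post): tenant "contoso", site "Partners", user alex@contoso.com.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Figure 4: the SharePoint site behind a Team's Microsoft 365 Group.
# Same values as the tenant setting; cannot be more permissive than the tenant level.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Partners" `
    -SharingCapability ExternalUserSharingOnly

# The domain restriction can be scoped to a single site as well.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Partners" `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "fabrikam.com"

# Figure 3: one user's OneDrive. The personal site URL encodes the UPN with
# '@' and '.' replaced by '_', so alex@contoso.com becomes alex_contoso_com.
Set-SPOSite -Identity "https://contoso-my.sharepoint.com/personal/alex_contoso_com" `
    -SharingCapability Disabled

# Check: every site (OneDrives included via -IncludePersonalSite) that still allows
# any external sharing, so per-site overrides are not more open than intended.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Template, SharingCapability |
    Sort-Object SharingCapability, Url
```

The audit at the end is the check worth keeping: the tenant-wide level is a ceiling, not a guarantee, so a site that was set to a lower level earlier stays at that level, and one that was opened by a site owner with the Anyone option (where the tenant allows it) shows up here as ExternalUserAndGuestSharing.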
The per-site sharing settings can also be controlled using sensitivity labels as I detailed in this post about Protecting Office 365 Groups with Sensitivity Labels.
Manage external access-federated domains
File sharing with external domains is controlled via the Limit external sharing by domain setting shown in Figure 2. This does not apply to Anyone links, so to use it effectively the tenant or site setting should be restricted to at least New and existing guests. Restricting file sharing prevents files from being shared from OneDrive or SharePoint, but it does not block Teams messages; those are controlled by a separate setting in the Teams Admin Center (TAC).
External messaging (which is distinct from messaging with guest users) is controlled via the External access page in the Users section of the TAC shown in Figure 5. This setting can be configured to allow specific domains, block specific domains or turn federation on or off completely.
Note: This setting does not impact chat with guest users who are invited to the tenant
In addition to this, the settings shown in Figure 6 control federation with personal Teams accounts and Skype (consumer) users respectively.
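The External access page in Figure 5 and the consumer toggles in Figure 6 map to the tenant federation configuration in the MicrosoftTeams PowerShell module. The block below is an added example and not from the original post; it assumes a single partner domain fabrikam.com and shows the allow-list form, with the block-list and fully-off forms as commented alternatives. Note that it touches only chat federation: file sharing with that domain is still governed by the SharePoint domain restriction discussed above.

```powershell
# Added example: Teams external access (Figures 5 and 6) with the MicrosoftTeams module.
# Assumption (not in the original post): partner domain "fabrikam.com".
Connect-MicrosoftTeams

# Figure 5: federation with other Microsoft 365 / Teams organisations.
# Allow-list mode: keep external access on but restrict it to the named domains.
$fabrikam = New-CsEdgeDomainPattern -Domain "fabrikam.com"
$allowList = New-CsEdgeAllowList -AllowedDomain $fabrikam
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# Block-list alternative: allow all domains except the listed ones.
# $blocked = New-CsEdgeDomainPattern -Domain "badpartner.example"
# Set-CsTenantFederationConfiguration -BlockedDomains @{Add=$blocked}

# Off alternative: no federation with any external organisation.
# Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

# Figure 6: personal (consumer) Teams accounts and Skype consumer users.
# Inbound from Teams consumer accounts is controlled separately from initiating chats to them.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false
Set-CsTenantFederationConfiguration -AllowPublicUsers $false

# Check: read back the effective configuration.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
        AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers |
    Format-List
```

The read-back is the part to repeat during an assessment: AllowFederatedUsers set to True with an empty AllowedDomains list means open federation with every other Teams tenant, which is the default and is easy to overlook when only the file-sharing side has been locked down.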
In this article I looked at how to control sharing and federation with external users. External users are different from guest users who are invited into the tenant using Azure AD B2B. In the next article, I will show how to control guest accounts in Teams.