Office 365 External Guest Access
If you want to share data securely and in a uniform way across all modules in Office 365, you can follow these steps to achieve that.
Please note that you first need to restrict the number of users who can create Office 365 groups: Manage Office 365 Group Creation
SharePoint Configuration
Resources
https://docs.microsoft.com/en-us/sharepoint/restricted-domains-sharing
https://docs.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off
Settings
Go to the SharePoint admin portal: https://shift-admin.sharepoint.com/ → Sharing
Sharing outside your organization:
- Allow sharing only with the external users that already exist in your organization's directory
- Allow sharing only for external users who are already in your directory. These users may exist in your directory because they previously accepted sharing invitations or because they were manually imported
Default Link Type
- Direct - specific people
- Direct links are accessible only by users who already have permission to access the document or folder
Default Link Permission
- View
Additional Settings
- Limit external sharing using domains
- Allow sharing only with users from these domains
- Add the required domains. See below for how to manage the allowed domain list.
- Prevent external users from sharing files, folders, and sites that they don’t own
- External users must accept sharing invitations using the same account that the invitations were sent to
Sharing per site
If required, it is also possible to further restrict sharing on individual sites:
- Go to the new SharePoint Online admin center: https://shift-admin.sharepoint.com/_layouts/15/online/AdminHome.aspx#/home
- Go to active sites
- Click the site you want to restrict
- A new pane appears on the right. Scroll down and click Change in the External sharing section
- It is only possible to make a site more restrictive than the tenant setting, not less restrictive. To disable sharing, select:
- Only people in current organization. No external sharing allowed.
- Click save
Skype for Business Configuration
Almost all settings have already been moved to the new Teams and Skype portal, but you can still configure the list of domains collaboration is allowed with here:
- Go to the Skype legacy portal: https://webdir1e.online.lync.com/LSCP → Organizations → External Communications
- External Access: On only for allowed domains
- Blocked or Allowed Domains
- Add the required domains. See below for how to manage the allowed domain list.
Office 365 Configuration
Resources
Groups Settings
Go to https://portal.office.com/adminportal/home → Settings → Services & Add-ins → Office 365 Groups
- Let group members outside the organization access group content: On
- Let group owners add people outside the organization to groups: On
Sharing Settings
Go to https://portal.office.com/adminportal/home → Settings → Security & privacy → Sharing → Edit
- Let users add new guests to the organization: On
Azure AD Business-to-business User Settings
External User Settings
Go to https://portal.azure.com → Azure Active Directory → User Settings → External Users
- Guest users permissions are limited: Yes
- Admins and users in the guest inviter role can invite: Yes
- Members can invite: Yes
- Guests can invite: No
Collaboration restrictions:
- Allow invitations only to the specified domains
- Add the required domains. See below for how to manage the allowed domain list.
Require MFA for Guest Accounts
Resources
Policy Settings
Go to https://portal.azure.com → Security → Conditional Access → Policies
- New Policy
- Name: Always require MFA for Guest Accounts
- Assignments
- Users and Groups: Include all guest users
- Cloud Apps: All cloud apps
- Access Controls
- Grant Access: Require multi-factor authentication
- Enable policy: On
Note: Ask someone to check the settings before you enable the policy. A mistake in a Conditional Access policy can lock you out of the tenant.
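The same "Always require MFA for Guest Accounts" policy created with Microsoft Graph PowerShell, as an added example that is not part of the original page. It starts the policy in report-only mode so the effect can be reviewed in the sign-in logs before enforcement; the module name, scopes and the final Update call are assumptions about the Graph PowerShell SDK, not settings from the page.

```powershell
# Added example (not from the original page): create the guest-MFA Conditional
# Access policy from the page in report-only mode first, then enforce it after review.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$policy = @{
    displayName = 'Always require MFA for Guest Accounts'
    # Report-only: evaluated and logged, but nothing is blocked yet.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        # "Include all guest users" from the page's Assignments step
        users        = @{ includeUsers = @('GuestsOrExternalUsers') }
        # "Cloud Apps: All cloud apps"
        applications = @{ includeApplications = @('All') }
    }
    grantControls = @{
        # "Grant Access: Require multi-factor authentication"
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# After the report-only results have been checked (the page's note), enforce it.
# Assumption: the policy id is passed back in; leave this commented until reviewed.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id `
#     -BodyParameter @{ state = 'enabled' }
```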
Teams Configuration
Resources
https://docs.microsoft.com/en-US/microsoftteams/set-up-guests
https://docs.microsoft.com/en-US/microsoftteams/let-your-teams-users-communicate-with-other-people
Guest Access
Go to https://admin.teams.microsoft.com/dashboard → Org-Wide Settings → Guest Access
- Allow guest access in Microsoft Teams: On
- Make private calls: Off
- Leave all other settings at their default: On
External access
Go to Org-Wide → External access
- External Access: On
- The allowed-domains list is imported automatically from the Skype portal; also see below for how to manage the allowed domain list.
Teams Configuration
Go to Org-wide settings → Teams settings
- Allow users to send emails to a channel email address: On
- Add the required domains. See below for how to manage the allowed domain list.
- Click Save
Go to Org-wide settings → Teams upgrade
- Coexistence mode: Islands
- Click Save
This enables Teams and Skype users to chat with each other.
Manage Allowed Domain list
Keep a transparent list of all allowed domains and use this one list for every module within Office 365. An example could be:
Module | SharePoint and OneDrive | Skype for Business | Teams | Teams Channel Email | Azure AD External Users
---|---|---|---|---|---
Allowed Domains | microsoft.com customer.nl getshifting.com | microsoft.com customer.nl getshifting.com | microsoft.com customer.nl getshifting.com | microsoft.com customer.nl getshifting.com |
Remarks | | | Imports the list from Skype for Business | |
The getshifting.com domain (your own) might not be required, but I am not sure about that.
Shortlist on Adding Domains
SharePoint & OneDrive
- Go to https://shift-admin.sharepoint.com/ → sharing
- Additional Settings → Limit external sharing using domains → Allow sharing only with users from these domains
- Add the domain
Skype for Business
- Go to the Skype legacy portal: https://webdir1e.online.lync.com/LSCP → Organizations → External Communications
- Blocked or Allowed Domains
- Add the domain
Azure AD External Users
- Go to https://portal.azure.com → Azure Active Directory → User Settings → External Users (Manage external collaboration settings)
- Add the domain at the bottom
Teams
- Go to https://admin.teams.microsoft.com/dashboard → Org-Wide Settings → External access
- The allowed-domains list is imported automatically from the Skype portal
- Org-wide settings → Teams settings
- Allow users to send emails to a channel email address: On
- Add the domain at the bottom
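To keep the SharePoint and OneDrive settings in step with the single master list described in the Manage Allowed Domain list section, here is an added example (not from the original page) that applies the page's SharePoint sharing settings from that list with the SharePoint Online Management Shell and then reports any drift between the tenant and the list. The admin URL and the domain values are placeholders and a constructed sample.

```powershell
# Added example (not from the original page): push the master allowed-domain list
# into the SharePoint Online tenant sharing settings and report drift afterwards.
Import-Module Microsoft.Online.SharePoint.PowerShell

# The one transparent list the page asks you to maintain (constructed sample values)
$AllowedDomains = @('microsoft.com', 'customer.nl')

Connect-SPOService -Url 'https://<tenant>-admin.sharepoint.com'   # placeholder admin URL

# Tenant settings matching the page's "Sharing outside your organization" section:
# only existing external users, direct links, view-only, allow-list of domains,
# no re-sharing by guests, and invitations bound to the invited account.
Set-SPOTenant `
    -SharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Direct `
    -DefaultLinkPermission View `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList ($AllowedDomains -join ' ') `
    -PreventExternalUsersFromResharing $true `
    -RequireAcceptingAccountMatchInvitedAccount $true

# Drift check: what the tenant actually holds versus the master list.
$tenant  = Get-SPOTenant
$current = @($tenant.SharingAllowedDomainList -split '[ ,]+' | Where-Object { $_ })
$missing = @($AllowedDomains | Where-Object { $_ -notin $current })
$extra   = @($current | Where-Object { $_ -notin $AllowedDomains })

if ($tenant.SharingDomainRestrictionMode -ne 'AllowList') {
    Write-Warning "Domain restriction mode is '$($tenant.SharingDomainRestrictionMode)', expected 'AllowList'"
}
if ($missing.Count) { Write-Warning "In master list but not in tenant: $($missing -join ', ')" }
if ($extra.Count)   { Write-Warning "In tenant but not in master list: $($extra -join ', ')" }
if (-not $missing.Count -and -not $extra.Count) {
    Write-Output 'SharePoint allowed-domain list matches the master list.'
}
```

Run the drift check on a schedule so an allow-list change made in the portal is noticed rather than silently widening who can be shared with.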