SHIFT-WIKI

--- Sjoerd Hooft's InFormation Technology ---


Office 365 External Guest Access

If you want to share data securely and in a universal way across all modules in Office 365, you can follow these steps.

Please note that you first need to restrict the number of users that can create Office 365 groups: Manage Office 365 Group Creation

SharePoint Configuration

Resources

Settings

Go to the SharePoint admin portal: https://shift-admin.sharepoint.com/ → sharing
Sharing outside your organization:

  • Allow sharing only with the external users that already exist in your organization's directory
    • Allow sharing only for external users who are already in your directory. These users may exist in your directory because they previously accepted sharing invitations or because they were manually imported


Default Link Type

  • Direct - specific people
    • Direct links are accessible only by users who already have permission to access the document or folder


Default Link Permission

  • View


Additional Settings

  • Limit external sharing using domains
    • Allow sharing only with users from these domains
      • Add the required domains. See below for how to manage the allowed domain list.
  • Prevent external users from sharing files, folders, and sites that they don’t own
  • External users must accept sharing invitations using the same account that the invitations were sent to
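
The tenant-wide settings above can be checked from SharePoint Online Management Shell. This is an added example, not part of the original page: it reads the tenant with Get-SPOTenant, compares it with the values listed in this section, and reports drift against the master allowed-domain list. The variable names are hypothetical and the domain list is the sample list from the table further down.

```powershell
# Added example: audit tenant-wide SharePoint sharing settings against this page.
# Requires the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights.
$AdminUrl      = 'https://shift-admin.sharepoint.com'
# Constructed sample list, taken from the allowed-domain table on this page
$MasterDomains = @('microsoft.com', 'customer.nl', 'getshifting.com')

# Get-SPOTenant property -> value that corresponds to the portal setting above
$Baseline = [ordered]@{
    SharingCapability                          = 'ExistingExternalUserSharingOnly'
    DefaultSharingLinkType                     = 'Direct'
    DefaultLinkPermission                      = 'View'
    SharingDomainRestrictionMode               = 'AllowList'
    PreventExternalUsersFromResharing          = $true
    RequireAcceptingAccountMatchInvitedAccount = $true
}

Connect-SPOService -Url $AdminUrl
$Tenant = Get-SPOTenant

# Collect every setting whose current value differs from the baseline
$Findings = foreach ($Name in $Baseline.Keys) {
    $Actual = $Tenant.$Name
    if ("$Actual" -ne "$($Baseline[$Name])") {
        [pscustomobject]@{ Setting = $Name; Expected = $Baseline[$Name]; Actual = $Actual }
    }
}

# SharingAllowedDomainList is returned as one space-separated string
$Configured = @("$($Tenant.SharingAllowedDomainList)" -split '\s+' | Where-Object { $_ })
$Missing    = @($MasterDomains | Where-Object { $_ -notin $Configured })
$Extra      = @($Configured    | Where-Object { $_ -notin $MasterDomains })

if ($Findings) { $Findings | Format-Table -AutoSize }
else           { 'Sharing settings match the baseline.' }
"Domains missing from the SharePoint allow list: $($Missing -join ', ')"
"Domains configured but not on the master list:  $($Extra -join ', ')"
```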

Sharing per site

If required it is also possible to further restrict individual sites from sharing:

    • Go to active sites
    • Click the site you want to restrict
    • On the right a new screen appears. Scroll down and click Change in the external sharing part
      • It's only possible to restrict, not to set up less restrictive sharing. To disable sharing click:
        • Only people in current organization. No external sharing allowed.
    • Click save

Skype for Business Configuration

Almost all settings have already been moved to the new Teams and Skype portal, but you can still configure the list of domains with which collaboration is allowed:

  • Go to the Skype legacy portal: https://webdir1e.online.lync.com/LSCP → Organizations → External Communications
    • External Access: On only for allowed domains
    • Blocked or Allowed Domains
      • Add the required domains. See below for how to manage the allowed domain list.

Office 365 Configuration

Resources

Groups Settings

Go to https://portal.office.com/adminportal/home → Settings → Services & Add-ins → Office 365 Groups

  • Let group members outside the organization access group content: On
  • Let group owners add people outside the organization to groups: On

Sharing Settings

Go to https://portal.office.com/adminportal/home → Settings → Security & privacy → Sharing → Edit

  • Let users add new guests to the organization: On

Azure AD Business-to-business User Settings

External User Settings

Go to https://portal.azure.com → Azure Active Directory → User Settings → External Users

  • Guest users permissions are limited: Yes
  • Admins and users in the guest inviter role can invite: Yes
  • Members can invite: Yes
  • Guests can invite: No


Collaboration restrictions:

  • Allow invitations only to the specified domains
    • Add the required domains. See below for how to manage the allowed domain list.

Require MFA for Guest Accounts

Resources

Policy Settings

Go to https://portal.azure.com → Security → Conditional Access → Policies

  • New Policy
    • Name: Always require MFA for Guest Accounts
  • Assignments
    • Users and Groups: Include all guest users
    • Cloud Apps: All cloud apps
  • Access Controls
    • Grant Access: Require multi-factor authentication
  • Enable policy: On
Note: Ask someone to check the settings before you enable the policy. Making errors could get you locked out.
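
The same policy can be created through Microsoft Graph PowerShell. This is an added example, not part of the original page: it assumes the Microsoft.Graph.Identity.SignIns module and creates the policy in report-only state, so a second person can review it before it is switched on, in line with the note above. The variable names are hypothetical.

```powershell
# Added example: create the guest MFA policy in report-only mode for review.
# Requires the Microsoft.Graph.Identity.SignIns module and a Conditional Access admin.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$PolicyName = 'Always require MFA for Guest Accounts'

# Stop if a policy with this name already exists, to avoid duplicates
$Existing = Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object { $_.DisplayName -eq $PolicyName }
if ($Existing) { throw "Policy '$PolicyName' already exists (Id $($Existing.Id))." }

$Policy = @{
    displayName   = $PolicyName
    # Report-only: sign-ins are evaluated and logged, nothing is enforced yet
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        clientAppTypes = @('all')
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }   # all guest users
        applications   = @{ includeApplications = @('All') }              # all cloud apps
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')                                        # require MFA
    }
}

$Created = New-MgIdentityConditionalAccessPolicy -BodyParameter $Policy
"Created policy $($Created.Id) in report-only state."

# After the settings have been checked by someone else, enable the policy:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $Created.Id `
#     -BodyParameter @{ state = 'enabled' }
```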

Teams Configuration

Resources

Guest Access

Go to https://admin.teams.microsoft.com/dashboard → Org-Wide Settings → Guest Access

  • Allow guest access in Microsoft Teams: On
  • Make private calls: Off
  • All others: leave at the default (On)

External access

Go to Org-Wide → External access

  • External Access: On
  • Allowed domains are automatically imported from the Skype portal. See below for how to manage the allowed domain list.

Teams Configuration

Go to Org-wide settings → Teams settings

  • Allow users to send emails to a channel email address: On
    • Add the required domains. See below for how to manage the allowed domain list.
    • Click Save


Go to Org-wide settings → Teams upgrade

  • Coexistence mode: Islands
  • Click save
This enables Teams and Skype users to chat with each other.

Manage Allowed Domain list

Keep a transparent list of all allowed domains and use this list for all modules within Office 365. An example could be:

| Module | SharePoint and OneDrive | Skype for Business | Teams | Teams Channel Email | Azure AD External Users |
|---|---|---|---|---|---|
| Allowed Domains | microsoft.com, customer.nl, getshifting.com | microsoft.com, customer.nl, getshifting.com | | microsoft.com, customer.nl, getshifting.com | microsoft.com, customer.nl, getshifting.com |
| Remarks | | | Imports the list from Skype for Business | | |

The getshifting.com domain (your own) might not be required but I am not sure about that.

Shortlist on Adding Domains

SharePoint & OneDrive

  • Additional Settings → Limit external sharing using domains → Allow sharing only with users from these domains
  • Add the domain

Skype for Business

Azure AD External Users

  • Go to https://portal.azure.com → Azure Active Directory → User Settings → External Users (Manage external collaboration settings)
  • Add the domain at the bottom

Teams

  • Go to https://admin.teams.microsoft.com/dashboard → Org-Wide Settings → External access
  • Allowed domains are automatically imported from the Skype portal
  • Org-wide settings → Teams settings
  • Allow users to send emails to a channel email address: On
  • Add the domain at the bottom
o365externalguestaccess.txt · Last modified: 2021/09/24 00:25 by 127.0.0.1