External Collaboration in Microsoft 365 Guide

We have created a guide to help you configure external collaboration in Microsoft 365. We'll explore the available options and walk you through the process of adding external users to Teams and other collaboration applications.

Enabling MS Teams Guest Access & external sharing in Azure AD Amin Center

External collaboration and sharing in Microsoft 365 are governed by the B2B external collaboration settings in Azure AD. If guest-sharing is restricted in Azure AD, it overrides any sharing settings in Microsoft 365. This setting is enabled by default but can be configured or disabled by following the steps below:

To set external collaboration settings:

• Log in to Azure Active Directory at https://aad.portal.azure.com.
• In the left navigation pane, click Azure Active Directory.
• Click External Identities.
• On the Get Started screen, in the left navigation pane, click External Collaboration settings.
• Make sure to select either Member users or users assigned to specific admin roles who can invite guest users. This includes guests with member permissions, or anyone in the organization can add Guests to Teams.
• If you made changes, click Save.

Image: Microsoft Teams Guest access settings in Admin Center

Check the Collaboration Restrictions settings to make sure the domains of the Guests you want to collaborate with are not blocked. You can also add specific domains to block them.

To limit guests from seeing directory data for other guests, go to the Guest user access restrictions section and choose either:

• Guest users have limited access to properties and membership of directory object settings.
• Guest user access is restricted to properties and memberships of their own directory objects.

Enabling Guest Access & External Collaboration in Microsoft 365 Admin Center

To allow Microsoft Teams guests to access your Microsoft 365 environment, enable the appropriate global settings. Once this option is enabled, users can start working with external users. How to add someone external to Microsoft Teams and other services:

• Sharing files
• Sharing folders
• Add external contacts to Groups, or SharePoint sites.
• Add external user to Teams

This will create a Guest account in your Azure AD, which is enabled by default in your Microsoft 365 Global Admin settings.

This setting is enabled by default, but if you are looking to disable it, or configure it, follow the steps below:

• Microsoft 365 admin center > Settings > Org settings > Security & privacy tab > Sharing.
  Note: only Global Administrator roles can complete this action.

How to set SharePoint Organization-Level External Sharing Settings

• In the Microsoft 365 admin center, in the left navigation pane, under Admin centers, click SharePoint.
• In the SharePoint admin center, in the left navigation pane, under Policies, select Sharing.
• Ensure that external sharing for SharePoint or OneDrive is set to Anyone or New and existing guests. (Note that the OneDrive setting cannot be more permissive than the SharePoint setting.)
• If you made changes, select Save.

Image: External collaboration sharing settings in M365 admin center

SharePoint & OneDrive advanced sharing settings

• Navigate to SharePoint Admin Center > Policies > Sharing

SharePoint Organization-Level Default Link Settings

The default file and folder link settings determine the link option that will be shown to users by default when they share a file or folder. Users can change the link type to one of the other options before sharing if desired.

Keep in mind that this setting affects SharePoint sites in your organization, as well as OneDrive.

Choose a link from any of the following types which are then selected by default when users share files and folders:

• Anyone with the link: Choose this option if you expect to do a lot of unauthenticated files and folder sharing. If you want to allow Anyone links but are concerned about accidental unauthenticated sharing, consider one of the other options as the default. This link type is only available if you’ve enabled Anyone sharing.
• Only people in your organization: Choose this option if you expect most file and folder sharing to be with people inside your organization.
• Specific people: Consider this option if you expect to do a lot of file and folder sharing with guests. This type of link works with guests and requires them to authenticate.

To set the SharePoint and OneDrive organization-level default link settings

• Go to Sharing in the SharePoint admin center.
• Under File and Folder links, select the default sharing link that you want to use.
• If you made changes, click Save.
  
  

To set the permission for the sharing link, under Choose the permission that’s selected by default for sharing links:

• Select View if you do not want unauthenticated users to change the files and folders.
• Select Edit if you want to allow unauthenticated users to change the files and folders.
• Note: The above two permission options can be applied not only for guests/external users but also for internal users. The permission option you choose is determined by self-discretion.

To set permissions for links that allow sharing with anyone:

These links can give these permissions: sub-pane,

From the Files drop-down list:

• Select View and Edit if you want to allow unauthenticated users to change the files.
• Select View if you do not want unauthenticated users to change the files.

From the Folders drop-down list:

• Select View, Edit, and Upload if you want to allow unauthenticated users to change the folders.
• Select View if you do not want unauthenticated users to change the folders.

Image: SharePoint external sharing and collaboration settings for files and folders

SharePoint site-level external sharing settings

To edit the file and folder-sharing settings specific to each SharePoint site, you also need to check the site-level sharing settings for that site.

To set site-level sharing settings navigate to Share Point Admin Center:

• In the left navigation pane, expand Sites and select Active Sites.
• Select the site on which you want to share files and folders with guests.
• Scroll right across the row (in which the selected site is present) and click anywhere in the External Sharing column.
• From the page that pops up, click the Policies tab.
• Under the External sharing pane, click Edit.
• Ensure that sharing is set to Anyone or New and existing guests.
• If you made changes, click Save.

Image: SharePoint external sharing and collaboration settings

Note: You can set defaults for link type and permissions and expiration settings for Anyone links for each site. When set at the site level, these settings override the organization-level settings. If Anyone links are disabled at the organization level, Anyone will not be an available link type at the site level.  

Image: SharePoint online external sharing advanced options for external collaboration

How to Enable or Disable External Sharing & Guest Access in Individual SharePoint Sites

If your organization is in need of sharing more than just a file or a folder within OneDrive or SharePoint, you may choose to allow external collaboration with Guests within entire SharePoint sites.

The default site-sharing options are listed below:

Image: SharePoint online site sharing options

SharePoint site sharing is affected by the organization-wide SharePoint settings. If the organization-wide settings change, the practical sharing setting for the site may also change. So, if you select a less restrictive setting for the site, and later the organization-level setting is changed to a more restrictive one, the site will operate at the new, more restrictive level.

For instance, if you select Anyone, but the organization-level setting is later changed to New and existing guests, the site will only allow new and existing guests. But if the organization-level setting is set back to Anyone again, the site will allow Anyone links again.

These settings described below apply to both site sharing and file and folder sharing. (Anyone sharing is not available for site sharing. If you choose Anyone, users will be able to share files and folders by using Anyone links, and the site itself with new and existing guests.) If the site has a sensitivity label applied, that label may control the external sharing settings.

Note: Only SharePoint administrator roles can edit these settings. Sharing settings for channel sites can only be changed by using the Set-SPOSite PowerShell cmdlet.

• Navigate to SharePoint Admin Center >Active sites > select the site > Policies tab > Edit External sharing

How to enable and disable external sharing & Guest access in Office 365 Groups

Guest access in Microsoft 365 Groups allows external partners, suppliers, vendors, and consultants to collaborate with your team by accessing group conversations, files, calendar invitations, and the group notebook.

To effectively collaborate with Guests, it's recommended to use Microsoft Teams, which offers a unified experience for both internal and external collaboration. However, before inviting guests to Teams, Guest access must be enabled and configured in the admin center, as Teams membership is governed by Microsoft Groups.

Navigate to Microsoft 365 admin center > Settings > Org settings > Microsoft 365 Groups

Image: SharePoint online external collaboration and site-sharing options

It's important to know that organizations with certain licenses like E3 or higher can use Azure Dynamic Security Groups. This means Azure creates an All Users group that automatically updates as new members join the tenant, including Guest accounts. This feature is included with Azure Premium P1.

Image: SharePoint online external collaboration external sharing configuration

Organizations may be concerned that Guests can view the entire group's membership, including names and emails, by being a member of the All Users Security Group generated by Azure. If you do not want this to happen, follow the steps below to remove Guests from the group.

Below is what a Guest may see with the default settings:

Image: What a guest may see with the default settings. 

Edit the Rule syntax to follow the pattern below (see here for more on rules)

Image: Microsoft 365 group external sharing

Once the Dynamic Group refreshes its membership, the number will update to reflect only accounts from within your organization. 

Following this change, Guests will only be able to see and find Groups they are explicitly added to (assuming there are no other non-standard dynamic groups granting them access). Below is the updated view for a Guest: 

How to Enable & Disable Microsoft Teams External Access for Guests

To allow Guests Access to Microsoft Teams and its associated SharePoint site, and view files in the Files tab, you need to enable Guest access in Azure AD Admin Center and permit adding external users to Teams in Microsoft 365 Admin Center.

Configure Guest sharing in organization-wide and site-specific settings via SharePoint Admin Center. Microsoft Teams membership is governed by Microsoft Groups settings, so ensure Guest access is enabled and configured via Microsoft 365 Groups in the Microsoft Admin center.

You can control Microsoft Teams Guest Access limitations once these settings are enabled.

Check out our blog to learn more about Microsoft Teams' default Guest settings and how to change them.

Unleash the Full Power of Micrsoft365 with Orchestry

Most organizations are not using Microsoft 365 to its full potential.

Orchestry makes Microsoft 365 simple for all users.

Orchestry  is an adoption and governance platform that allows End Users, Workspace Owners, IT admins, and organizations to take full advantage of Microsoft 365.

To see Orchestry in action, request a demo!