Step by Step – Invite External Users in SharePoint 2010 Online & Office 365

Last Updated: Based on May 25, 2012 Office 365 Update

NOTE: Please note that unless it’s stated, this article provides overview of SharePoint Online Standard for Office 365 Enterprise Customers. I personally think, this is most common deployment model for SharePoint Online for Enterprises.

External Sharing or Partner Access feature in SharePoint Online allows business users to invite external users on ad-hoc basis to view, share, and collaborate on their SharePoint Sites. Once a SharePoint Online Administrator enables external sharing, a site collection administrator can activate external sharing for the site they manage, and then invite external users to collaborate on sites, lists, and document libraries.

Conceptually this is SharePoint Extranet feature in SharePoint Online but if you are seasoned SharePoint On-premises professional, this feature has different concept than how extranet works on On-Premises. If you think of Office 365 and SharePoint Online, it’s nothing but huge Multi-Tenant extranet environment in cloud. If you host your intranet in SharePoint Online, it is deployed similarly as On-Premises SharePoint Claims environment and intranet users will access SharePoint Online using Microsoft Online Services ID as FBA users. E.g. Admin user in my Office 365 environment’s account name is “i:0#.f|membership|administrator@nikxpatel.onmicrosoft.com” similarly as on premises FBA user.

What this really means is your intranet users in SharePoint Online considered technically as extranet FBA users for Office 365 environment. If your intranet users in SharePoint Online considered as an extranet FBA users, how would you allow and collaborate with partners and customers?

SharePoint Online has come up with the new feature called “External Sharing” to allow your SharePoint Online intranet users to invite external partners and customers on demand basis by sending email notification. This is interesting move by design. Invited external users would login to the SharePoint Online using Microsoft Online Services ID or Windows Live ID like @hotmail.com, @live.com, or @msn.com. If external users don’t have Windows Live ID, they can associate their business email to the Windows Live ID but they must log in to the SharePoint Online using Live ID system.

In typical scenario, you would invite external users only using Live ID accounts or their business address associated with the Live ID account. In some other scenarios, you can also invite internal Office 365 accounts/Microsoft Online Services users in same tenant  where internal users want to collaborate and invite other internal users to share their site in same tenant. Inviting MOS users from external sharing feature would require pre-creating MOS ID either manually or using DirSync in the tenant.

Here is the high level overview of SharePoint Online Authentication Model.

Here is the step by step process of how to configure and invite external users in Office 365 SharePoint Online environment.

Step 1 – Activate external sharing from SharePoint Online Tenant

To enable site owners to invite external users, SharePoint Online administrator needs to activate external sharing from SPO Admin page. This is tenant level setting.

From the Site Collections Administration page, Allow external users access from Manage External Users page from Settings menu. If settings menu is disabled, please ensure none of the site collections are selected.

Step 2 – Activate external sharing from SharePoint Online Tenant from Site Collection

By activating partner access from SPO Admin site does not activate partner access for each user site collections. To activate partner access from each site collection, you must activate site collection feature – “Share Site with External Users”.

Step 3 – Invite Live ID or Business users as Visitors or Members

Once external sharing is enabled, site owners can send invitations to users who are not Office 365 accounts. To invite external user, click on the Share Site menu from the site actions menu and specify either business email or LIVE email addresses in either visitors or members of site.

As you can see, even though site owners have sent external invitations, external users are not added to the members or visitors group of the site until external user accepts and logs into the site.

Step 4 – Business user login through LIVE ID subsystem

After you invite the users, external users will receive an email with instructions on how to log on to SharePoint Online. If you don’t have LIVE ID (@hotmail.com, @live.com, or @msn.com), you must associate your business email to the LIVE ID. To associate a business email user name to the Live ID system, go to https://idsignup.live.com or http://www.passport.net or https://accountservices.passport.net/reg.srf/ or https://signup.live.com and follow the instructions. Since Live ID signup method and URLs are changing all the time, I would suggest to google “Live ID Signup”, if none of above URL works.

After you associate your business email to the LIVE ID, when the user clicks the Accept link in the email, user will be asked to login through the Windows Live system.

With Live ID, Invited external users must login using Windows Live account by clicking Windows Live – Hotmail icon.

Step 5- User logs in and Added to the appropriate Site Security Group

As you can see, once external user successfully logged into the site, he is added to the appropriate site security group.

External users are authenticated against LIVE ID claims provider. If you visit User Details for the external user, there account would contain live.com as a provider. It is important to note here that external users invited via LIVE ID does not live in the SharePoint User Profiles, it lives in the Site Collection User Information List.

Step 7 – Revoke External user Access

Removing external user access is easy. As you would perform in standard SharePoint installation, just delete External User from site security group and external user site access will be revoked.

Additional Considerations

  • Cost Analysis – It’s Free, From May 2012 Update, Each Office 365 tenant has 10,000 free external users/Partner Access Licensees (PALs) that can be leveraged during external sharing
  • Inviting Users
    • You can have two different architecture to invite external users, either create office 365 accounts & invite them to login using MOS ID or invite them to login using their Live ID
    • According to Microsoft documentation, External users can be invited by users with full control permission like site collection administrators or site owners. It means, users in Site Members, Site Visitors, or custom security groups without full control permission, can’t invite external users. That’s not exactly true.  Based on my testing,
      • User must have “Manage Permissions” permission, technically user doesn’t require “Full Control” permission.
      • At top level site in site collection, you can invite external users as site owners or site visitors. As long as user with manage permission is owner of site owners and site visitors group, they can invite external users. This is interesting because by default “Site Owners” have full control permission. Owner of the Site Owners will have full control over Site Owners group and they can elevate themselves to the Site Owners if they need to.
      • At sub site level in site collection, you can invite external users as site members or site visitors, as long as user with managed permission is owner of site members and site visitors group, they can invite external users.
    • When you invite external users from the top level site, they are either invited as owners or visitors of the site.
    • When you invite external users from the sub sites, they are either invited as members or visitors of the site. You cannot invite external users as owners of the site from the sub site but once external user logs in at least once in the SharePoint site, you can manually add external users to the any SharePoint security groups including Site Owners.
    • You can’t invite external users into Custom Security Groups but you can manually add them once they logs in the site at least once.
    • Microsoft supports invited external users signing in to the service using a Microsoft Online Services ID. External sharing also supports Windows Live ID, including @Live.com, @Hotmail.com and @MSN.com user names, plus regional derivations of Live ID user names. External users can now use their business email address (ex: user@contoso.com) to authenticate when invited into an Office 365 customer’s site collection. To associate a business email user name to the Live ID system, go to https://idsignup.live.com or http://www.passport.net or https://accountservices.passport.net/reg.srf/ or https://signup.live.com and follow the instructions.
    • Inviting users will send out email to the external users. In this email, they can accept invitation and login using Hotmail Live ID system. In same email, they would have link to the site to bookmark for future login.
    • An external user invitation can be accepted only one time. The invitation email can be forwarded to another recipient who can use the invitation to access the SharePoint site. However, after the e-mail invitation has been accepted, it expires.
    • If you are inviting external users with non-live accounts like their business email, yahoos, or Gmail accounts, please ensure that their email is associated with live id prior to invitation. I have come across the office 365 login issues where users can’t login if they associate their non-live business emails with live account after invitation is sent.
    • Whether or not Manage external users is set to Allow, anonymous access is not allowed. Users must be authenticated before they can access Office 365 and SharePoint Online resources.
  • External Accounts Provisioning
    • External User accounts doesn’t have to be pre-populated in Office 365. Any external user email address associated with Live ID can be invited to access HuB
  • Concerns around User Accounts Governance
    • External users can be invited as Site Owners. If external users are site owners with full control permission, they can invite other external users  to potentially any person in the world as long as they can log in through LIVE system. This may cause huge governance and security issue.
    • Since Microsoft doesn’t provide any reporting or insight tool to manage external users at the tenant level, keeping track of external users used throughout tenants especially if you have multiple site collections would be nightmare. You must visit each site collections and review User Information List to review external user access. This can be huge governance issue.
  • External User Accounts Maintenance
    • External Users are stored in the Site Collection – User Information List once they login at least once. This list is accessible from ~SiteCollectionURL/_catalogs/users/detail.aspx, They are not stored in the SharePoint User Profiles. User Info is stored in Site Collection User Information List in live.com#emailaddress format (e.g. live.com#patenik2@yahoo.com). At the time of writing this guide, there are no automated tools available to manage user information list for Office 365. You must manage this list for each site collection. You can filter this list by Title and other fields to quickly search User Information List.
    • If you remove user from the Security Groups, you can add it again or add in other security groups like visitors or owners, by directly verifying against as a live claims provider in people picker – live.com#patenik2@hotmail.com
    • You can deactivate external sharing for specific site collections by deactivating “External user invitations” feature from the Site Collection Features page. Deactivating the External user invitations feature on the site collection does not block access to external users who previously had access to sites and content, it only prevents future invitations from being sent. To prevent an external user from accessing a site once permission was granted, you must either explicitly remove the user’s name from the site permissions page or disable external sharing for all site collections.
    • After SharePoint Online is set to allow external user access to all site collections, a SharePoint Online administrator can disable External Users by denying external users from the SharePoint Online Administration page. This prevents any new invitations from being sent, and prevents current external users from accessing sites or content by denying them access. If you change the setting back to Allow, any external users who had permission to access sites and content will automatically be granted those permissions.
  • Feature Limitations– External users will have functionality similar to a kiosk user and will have same limitations as kiosk users
    • They can’t be an Office 365 Tenant  administrator and SharePoint Online Administrator – They can’t access Office 365 Admin and SharePoint Online Admin Sites – it means they can’t manage tenant level users, user profiles, term store etc.
    • They can be Site Collection Administrator, or Site Administrator
    • They can view documents using Office Web Apps but they can’t edit documents using Office Web Apps – They can view or update SharePoint List items but External users can only view documents, they can’t edit/collaborate on the documents or update word, excel, or any other office documents
    • They can’t have My Sites
    • They can’t access anything beyond site collection or sites they have been invited to.
    • They can’t search anything outside of site or site collection they are invited to – They can’t search User Profiles,  They can’t search other sites or site collections they don’t have access to
    • They can’t add any additional storage to the company’s overall pooled storage quota
Additional Resources

Hope this will be helpful. Enjoy!!!!

Advertisements
This entry was posted in SP2010 Online. Bookmark the permalink.

3 Responses to Step by Step – Invite External Users in SharePoint 2010 Online & Office 365

  1. Debadi Roy says:

    Hi Nikhil,
    This is really a helpful information. Just one question. Can we set item level permission for these external user ?

    Thanks and regards

    • Nik Patel says:

      Thanks Debadi.. Like I have responded via email, you can add users for item level permissions, once they are invited and logged in to the site. You can’t add them in item level permission and invite them in current version of SharePoint Online. Once users logs in, they are added to the User Information list at the site collection level which would allow you add users to the item level permission.. Although, this will change with SharePoint Online 2013 version where you can invite users to the document level..

      Nik

  2. NIk, thank you for this it is very well done. One item I would share with you in that in my experience and understanding you can only invite users to your team site or the what I call the base level site so it would be prudent to make sure that team site is rather public in nature.
    Once an invitee or PAL accepts the invitation they then have access to team site. Once you see they are in a group on the team site you can then change their permissions to match what they really need access to.

    Again thank you for the article.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s