Last week I was doing a last check-up on my slide deck and demos for SharePoint Saturday London (June 24th, 2017) when I noticed the user interface for sharing in the modern UI had changed. I updated my slides accordingly and showed the new UI last Saturday for the first time in a session of mine. People were impressed, and so was I. It looks slick and intuitive, but there are still some things you really want to know about the various sharing options, so I decided to write a blog article about this.
First let me show you the classic sharing / get link dialog.
This one we all know, right? The behaviour of the dialog above already depended on settings in the SharePoint Admin Center. For example, the “no sign-in required” option was only available when anonymous access links were enabled. And the default link type you’d get when clicking get link depended on the default link type set in that same SharePoint Admin Center. In the new modern UI, this is all still the case, but the sharing dialog looks like this now:
Quite different, much nicer, and much more intuitive too!
Before I start explaining the new sharing dialog screen, let’s discuss the various options of the back-end settings. These are quite important, in my opinion, and not too many admins know about them.
External sharing settings on tenant level
First thing you want to decide on, is if you want to allow sharing with external users. Please note that this is a setting that you can change at the site-collection level as well (which I’ll discuss later in this article), but you can’t allow external sharing on a site-collection level when you restrict it at the tenant level. My advice is to enable external sharing on the tenant level, including anonymous access links (but set a maximum number of days for the lifespan of these links), and then restrict external sharing on a per site-collection basis where required (for example HR sites or Legal sites or internal projects).
You can find the tenant-wide external sharing settings in three different places (!) in your tenant. The settings are connected though. So if you change them in one place, they are updated in the other two places as well.
First place: Office 365 Admin Center –> Settings –> Services & add-ins –> Sites
Second place: SharePoint Admin Center –> Sharing
Notice how you have more granularity here, compared to the Office 365 Admin Center, in what people can do with files or folders that are shared through anonymous access links?
Third place: OneDrive Admin Center –> Sharing
Here you have even more granularity, because here you can differentiate between external sharing in SharePoint and in OneDrive. The interesting thing is, that OneDrive settings can never be less strict than SharePoint settings. If you choose to disable external sharing with anonymous users for SharePoint sites, you cannot enable that for OneDrive sites. Still, you have more options here, so my advice is to always use the OneDrive Admin Center to change your tenant wide external sharing settings.
External sharing settings at site collection level
As discussed in the previous section about sharing settings on the tenant level, my recommendation is to enable sharing with external users on the tenant level. Why? Because you can always restrict sharing on a per site collection basis. You can do that either from the SharePoint Admin Center, or with PowerShell.
In the SharePoint Admin Center you select the site you want to change the sharing settings for, and then click the Sharing button in the ribbon.
You’ll then see options that are very similar to the sharing settings on the tenant level, but now they’ll only apply to the selected site collection. Also, there’s an option to limit external sharing by domain. This option is available on the tenant level too, but on a site collection level it makes much more sense. This is where you want to restrict external sharing to just that one company you are working with on a certain project, or the audit company that requires access to just your quality control documents, or where you want to make sure the customer is the only one who can access confidential documentation.
This feature is also useful if you want to block consumer email domains like hotmail.com or gmail.com.
The second way I mentioned as a method to set external sharing capabilities on a per site collection basis, is PowerShell. This is especially useful for site collections that are attached to Office 365 Groups, because these site collections are not listed in the SharePoint Admin Center. So PowerShell is the only way to change the settings for these site collections.
The cmdlet you can use to change the settings, is the following:
Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<site> -SharingCapability <Disabled/ExistingExternalUserSharingOnly/ExternalUserAndGuestSharing/ExternalUserSharingOnly>
The four options correspond to the same four options you have in the various Admin Centers, but in my opinion they are a little bit confusing, so here’s what each of the four mean:
– Disabled = Don’t allow sharing outside your organization
– ExistingExternalUserSharingOnly = Allow sharing only with the external users that already exist in your organization’s directory
– ExternalUserAndGuestSharing = Allow sharing to authenticated external users and using anonymous access links
– ExternalUserSharingOnly = Allow users to invite and share with authenticated external users
You can also set up external domain allow or block lists through PowerShell, with respectively the SharingAllowedDomainList or SharingBlockedDomainList parameter, in combination with SharingDomainRestrictionMode.
Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<site> -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "portiva.nl microsoft.com"
Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<site> -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList "hotmail.com gmail.com"
Set-SPOSite -Identity https://<tenant>.sharepoint.com/sites/<site> -SharingDomainRestrictionMode None
The only setting you cannot change on the site collection level (not through the UI, nor through PowerShell) is the maximum number of days for the lifespan of anonymous access links. This is always a tenant wide setting.
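The approach recommended above (open at the tenant level, restricted per site collection) only holds up if someone checks the per-site settings regularly. The following audit script is an added example, not part of the original article. It assumes the SharePoint Online Management Shell is installed and Connect-SPOService has already been run; the restricted-site URL patterns are hypothetical, and the reading of values below 1 as "no expiry enforced" is an assumption.

```powershell
# Added example: audit external sharing settings for every site collection.
# Assumes Connect-SPOService -Url https://<tenant>-admin.sharepoint.com was run.

# Hypothetical URL patterns for sites that must never be shared externally.
$restrictedPatterns = @('*/sites/hr*', '*/sites/legal*')

# Tenant-wide lifespan of anonymous links (assumption: below 1 = no expiry).
$maxDays = (Get-SPOTenant).RequireAnonymousLinksExpireInDays
if ($maxDays -lt 1) {
    Write-Warning 'Anonymous access links never expire at the tenant level.'
}

$report = foreach ($site in Get-SPOSite -Limit All) {
    # Re-read each site by URL so all sharing properties are populated.
    # Depending on the module version, Office 365 Group sites may be missing
    # from the listing; pass their URLs to -Identity separately if so.
    $s = Get-SPOSite -Identity $site.Url

    $findings = @()
    if ($s.SharingCapability -eq 'ExternalUserAndGuestSharing') {
        $findings += 'anonymous access links allowed'
    }
    if ($s.SharingCapability -ne 'Disabled' -and
        $s.SharingDomainRestrictionMode -eq 'None') {
        $findings += 'no domain allow or block list'
    }
    foreach ($p in $restrictedPatterns) {
        if ($s.Url -like $p -and $s.SharingCapability -ne 'Disabled') {
            $findings += "external sharing enabled on restricted site ($p)"
        }
    }

    [pscustomobject]@{
        Url            = $s.Url
        Sharing        = $s.SharingCapability
        DomainMode     = $s.SharingDomainRestrictionMode
        AllowedDomains = $s.SharingAllowedDomainList
        BlockedDomains = $s.SharingBlockedDomainList
        Findings       = $findings -join '; '
    }
}

# Show only the sites with findings, and keep the full report for comparison.
$report | Where-Object Findings | Sort-Object Url | Format-Table -AutoSize -Wrap
$report | Export-Csv -Path .\sharing-audit.csv -NoTypeInformation
```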
Default sharing link
The default sharing link setting is the setting that defines the behaviour of the Share and Copy link buttons in the action bar. This is also something you can set up in multiple places, both the SharePoint Admin Center and the OneDrive Admin Center. But NOT in the Office 365 Admin Center.
Let’s explore the different options.
The first option is the Direct option. This is my favourite option, but this is also the option that is not selected by default in Office 365 tenants. The reason this option is my favourite, is because this option gives you a direct link to a document, without changing the permissions of that document.
Here’s the option in the Admin Center:
This is what it looks like when you click the Share button.
The actual link looks like this: /sites/site/Shared%20Documents/Vivamus%20a%20tellus.docx?d=wceed666a04024cfcae0088584facf80b
You can still add people, and then the permissions will change, but the link will remain the direct link to the document. This is a bit strange to me, because when you click the drop down with link types, you’ll notice there is also a link type People with existing access. That is the link type I would’ve expected. This option doesn’t really make sense anymore in my opinion if it is not being used as a default link type.
The second option is the Internal option. This will create a guest link, but not one that is anonymously accessible. All internal users that have an Office 365 license assigned, have access to this guest link.
This is the default selected option in the Share dialog:
And this is what the actual link looks like: /sites/site/_layouts/15/guestaccess.aspx?guestaccesstoken=HHiOF5Z9GZio8Ki0b7dRsU9GnWl2XJo3gOEQPORRd%2fQ%3d&docid=2_1ceed666a04024cfcae0088584facf80b&rev=1
Then the third and final option, Anonymous access. This option will create a link that is accessible to anyone who clicks the link. No user sign-in is required.
Here’s what the dialog will look like when you click the Share button:
And the actual link will look like this: /sites/site/_layouts/15/guestaccess.aspx?docid=1ceed666a04024cfcae0088584facf80b&authkey=AZakgWcsbZ3d0w-1Durv0p0&expiration=2017-07-28T15%3a39%3a55.000Z
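The three link shapes shown above can be told apart from the URL alone, which helps when reviewing links found in mail or chat exports. The function below is an added example, not part of the original article; it relies only on the query parameters visible in the three sample links here (authkey, guestaccesstoken, expiration), and the function name is hypothetical.

```powershell
# Added example: classify a sharing link by the shapes shown in this article.
function Get-SharingLinkType {
    param([Parameter(Mandatory)][string]$Link)

    # Split path from query string and URL-decode each key=value pair.
    $path, $query = $Link -split '\?', 2
    $q = @{}
    foreach ($pair in (([string]$query -split '&') | Where-Object { $_ })) {
        $k, $v = $pair -split '=', 2
        $q[$k] = [uri]::UnescapeDataString([string]$v)
    }

    $type = 'Direct'    # plain document URL, permissions unchanged
    if ($path -match '/guestaccess\.aspx$') {
        if ($q.ContainsKey('authkey'))              { $type = 'Anonymous' }
        elseif ($q.ContainsKey('guestaccesstoken')) { $type = 'Internal' }
        else                                        { $type = 'Unknown' }
    }

    # Anonymous links carry their expiry in the URL; parse it as UTC.
    $expires = [datetimeoffset]::MinValue
    $hasExpiry = [datetimeoffset]::TryParse($q['expiration'],
        [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AssumeUniversal, [ref]$expires)

    [pscustomobject]@{
        Type     = $type
        Expires  = if ($hasExpiry) { $expires.UtcDateTime } else { $null }
        Expired  = $hasExpiry -and $expires -lt [datetimeoffset]::UtcNow
        NoExpiry = ($type -eq 'Anonymous') -and -not $hasExpiry
    }
}

# The three sample links from this article.
$samples = @(
    '/sites/site/Shared%20Documents/Vivamus%20a%20tellus.docx?d=wceed666a04024cfcae0088584facf80b',
    '/sites/site/_layouts/15/guestaccess.aspx?guestaccesstoken=HHiOF5Z9GZio8Ki0b7dRsU9GnWl2XJo3gOEQPORRd%2fQ%3d&docid=2_1ceed666a04024cfcae0088584facf80b&rev=1',
    '/sites/site/_layouts/15/guestaccess.aspx?docid=1ceed666a04024cfcae0088584facf80b&authkey=AZakgWcsbZ3d0w-1Durv0p0&expiration=2017-07-28T15%3a39%3a55.000Z'
)
$samples | ForEach-Object { Get-SharingLinkType -Link $_ } | Format-Table -AutoSize
```

An anonymous link flagged with NoExpiry is the case to follow up on first, since nothing limits how long it stays usable.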
When you first create an anonymous link to a document, the date that will be filled in, is already the maximum number of days later that you have specified in the Admin Center.
You can of course always change the date, for example if you want a link to live for only 7 days. But you cannot change it to a later date; if you try, this will happen:
There’s one more thing I’d like to point out when it comes to external sharing. There’s a very useful option in both the SharePoint Admin Center and OneDrive Admin Center, where you can decide if external users are allowed to share items that they don’t own. Be careful though, because this option is formulated differently in the respective Admin Centers. Enabling it in the one, means a disabled setting in the other.
SharePoint Admin Center:
OneDrive Admin Center:
That’s it. Hope this article helps you in understanding external sharing in SharePoint Online. Happy sharing!