
Nathan Wells

SharePoint | Office 365

Category: Extranets

New Office 365 Feature: Per-Group Sharing Controls

June 12, 2017 nathanwells2014 1 Comment

When you’re thinking about enabling collaboration with external/third party users in your organisation’s Office 365 tenant, there are a lot of things you need to think through, agree, and design around. These include:

  • Which applications will you allow external sharing in (SharePoint Online, OneDrive for Business, Office 365 Groups)?
  • Will you enable member sharing, or require site owner approval when content is externally shared?
  • Will you enable or disable anonymous links?
  • How/where will you use domain restrictions?
  • Is there anywhere you’ll disable external sharing completely?
  • How will you encourage users not to share content with consumer identities?
  • What processes will you put in place to manage/maintain external user permissions and guest invites?
  • How will you tweak your IA (information architecture) to encourage good practices for external sharing/permissions management, e.g. sharing at the site/library level rather than per document?
  • Will you enforce MFA (multi-factor authentication) on guest users?
  • And lastly, but perhaps most importantly, will you use Azure AD B2B Collaboration or the traditional SharePoint Online external sharing model?

Now though, there’s one more thing you can add to that list: Per-Group Sharing Controls.

This new feature – which hits first release tenants in June 2017 – will give Office 365 administrators a little bit of extra control over who can share information with external/third party users, and how, in SharePoint Online and OneDrive for Business.

There are two new settings, the details of which I’ve lifted from Microsoft’s blog post on the subject:

  1. Let only users in selected security groups share with authenticated external users – With this option, you can specify one or more Office 365 security groups which contain the users who you want to allow to share with authenticated external users. Users in these security groups will not be able to send anonymous links.
  2. Let only users in selected security groups share with authenticated external users and using anonymous links – With this option, you can specify one or more Office 365 security groups which contain the users who you want to allow to share with authenticated external users and by using anonymous links. (This option doesn’t appear unless you have enabled anonymous access links for the tenant.)


The current set of options that the Per-Group Sharing Controls build upon are relatively coarse. The options available are: external sharing is disabled completely; external sharing with anonymous links is enabled; external sharing with only authenticated users is enabled; and sharing with users who already exist in your organisation’s directory (AKA the Azure B2B option). These options are available at both the tenant scope and site collection scope, though the site collection settings cannot be less restrictive than those defined at the tenant level (i.e. most restrictive setting wins).

The new functionality gives some extra granularity on top of these existing settings. You now have three separate audiences of users that can have different levels of external sharing ability:

  1. Users who are unable to share content externally (by virtue of not belonging to a group specified for either option);
  2. Users who can share authenticated links; and
  3. Users who can share authenticated links and anonymous links.

But unfortunately, the feature can only be defined at the tenant scope, not per site collection. How it’s going to play with the existing set of options is also slightly unclear at the time of writing, but I’ve been informed that the site collection settings will take precedence. For example, if anonymous sharing is disabled at the site collection level, even users in the security group that can share anonymous links will not be able to do so in that site collection. This suggests that the best way to get set up for these new controls is to allow anonymous sharing in each site collection in all but exceptional circumstances, and control who is actually allowed to undertake this action via the new Per-Group Sharing Controls.
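The precedence described above can be modelled as a small policy function. This is an added illustration, not Microsoft's implementation or code from the original post; the names `Sharing` and `effective_sharing` are hypothetical, and the treatment of users outside both groups follows the post's three-audience description and is an assumption.

```python
from enum import IntEnum

class Sharing(IntEnum):
    # Ordered from most to least restrictive, following the options in the post.
    DISABLED = 0
    EXISTING_GUESTS_ONLY = 1   # users who already exist in the directory
    AUTHENTICATED = 2          # authenticated external users
    ANONYMOUS = 3              # authenticated external users plus anonymous links

def effective_sharing(tenant, site, user_groups, auth_groups=None, anon_groups=None):
    """Most permissive sharing level a user gets in one site collection.

    tenant / site : Sharing level set at each scope.
    user_groups   : set of security groups the user belongs to.
    auth_groups   : groups allowed to share with authenticated external users.
    anon_groups   : groups allowed to share authenticated and anonymous links.
    Both group lists left as None means the per-group controls are not in use.
    """
    # A site collection cannot be less restrictive than the tenant,
    # so the more restrictive of the two is the ceiling.
    ceiling = min(tenant, site)

    if auth_groups is None and anon_groups is None:
        user_cap = Sharing.ANONYMOUS           # no per-group restriction
    elif user_groups & (anon_groups or set()):
        user_cap = Sharing.ANONYMOUS           # audience 3 in the post
    elif user_groups & (auth_groups or set()):
        user_cap = Sharing.AUTHENTICATED       # audience 2
    else:
        user_cap = Sharing.DISABLED            # audience 1 (assumed: no external sharing)

    # Site collection settings take precedence over the per-group grant.
    return min(ceiling, user_cap)

# Constructed sample data: group names are placeholders.
AUTH = {"sg-external-auth"}
ANON = {"sg-external-anon"}

def demo():
    """The post's example: anonymous links disabled on the site collection."""
    return effective_sharing(Sharing.ANONYMOUS, Sharing.AUTHENTICATED,
                             {"sg-external-anon"}, AUTH, ANON)

if __name__ == "__main__":
    print(demo().name)
```

Running the same function over every user and site collection pair gives a quick way to review who would actually be able to create anonymous links before the tenant setting is switched on.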

It’s also worth noting here that this new feature only covers security groups (i.e. the thing that would once have been defined as a mail-enabled distribution list). It doesn’t cover Groups, as in, Office 365 groups. Confusing, but an important distinction.

It will be interesting to have a play with these new settings when they start rolling out, but for now, it’s one more thing to consider when you’re setting up your organisation for collaboration with third parties.


Extranets – SharePoint vs. External Sharing vs. Yammer

August 21, 2015 nathanwells2014

Introduction

Extranets are a pretty common requirement for organisations with a B2B sales model. They allow companies to collaborate more easily with clients, suppliers, and other third parties who are not part of their internal network. Over the last half-decade or so, SharePoint has become a widely-adopted means of delivering extranet capabilities. But is it actually the best solution available, even just within the Microsoft product stack?

This post will discuss the case for delivering extranet capabilities using Yammer, and the trade-offs compared to more traditional, SharePoint-based approaches. It also considers a third option, which is a subset of the SharePoint-based approach available within Office365 called External Sharing. It will assess the strengths and weaknesses of the three options, and suggest the criteria that would cause an organisation to choose one approach over the others.

What is an Extranet?

An extranet is basically an intranet that can also be accessed – at least partially – by authorised external users. It enables businesses to exchange information securely over the internet, and work more closely with one another.

So an extranet can – in theory – be used for anything an intranet is used for. But in my experience, the four most common use cases by far are:

  • Document management (creating, editing, reviewing, and sharing documents);
  • Discussions (informal, transient conversations);
  • ‘Official’ communications (such as announcements); and
  • Business Process Management/automation.

SharePoint Extranet

SharePoint provides the ability to securely extend an organisation’s private network to provide a subset of the information and functionality available on the rest of the system. Extranet content tends to be hosted within the internal network, and made available through an edge network (or separate environment isolated within a perimeter network) to authenticated, authorised users. In layman’s terms, you can – in theory – do anything with a SharePoint Extranet that you can do with your normal SharePoint platform hosted on the internal network. However, you have the added headache of dealing with a lot of extra infrastructure, network configuration, and user management/authentication requirements. There is a lot of thinking to be done up front about exactly how you architect your information to ensure a suitable “Chinese wall” between different third parties, and how you manage user accounts for external companies.


SharePoint Online External Sharing

SharePoint Online (in Office365) allows you to build a SharePoint Extranet in much the same way as SharePoint Server (though without some of the infrastructure headaches associated with being on-premises or in a private cloud). However, in SharePoint Online, you also have the additional option of enabling something called ‘External Sharing’. Activating this functionality allows you to invite external users to the system via a simple email notification. Users can share information at the site level, or at an individual item/document level. External people can authenticate to the SharePoint Online instance using either a work account (Office365 user ID stored in Azure AD, be it the third party’s Azure AD or the hosting organisation’s own Azure AD), or using a privately managed, personal Microsoft user ID (such as Hotmail.com or Outlook.com). It’s also possible to share a temporary guest link to a piece of content. It’s a pretty convenient way of granting access to information, but likely to give your InfoSec team a collective aneurysm once they get into the detail about how difficult it is to manage and revoke access that has been granted.


Yammer

Another Microsoft product to add to the mix when it comes to delivering extranet capabilities is Yammer. Yammer is an Enterprise Social Network (ESN) platform that Microsoft acquired a few years ago, and is gradually becoming more and more tightly integrated with the rest of the Office365 product suite. It provides much better conversational functionality than SharePoint, but – being an ESN – does not provide anything like the same Web Content Management or Enterprise Content Management capability. It also falls way behind SharePoint in terms of personalisation and extensibility, but – in fairness – it’s not trying to compete with SharePoint: it’s a packaged product that you have very little control over, and does what it’s designed to do (i.e. social) very well. In terms of how it can be used to deliver an extranet, it is possible to create ‘external networks’ that act like sub-networks of an organisation’s main ESN. Third parties can then be invited by administrators or network members (depending on how you configure it) to join the external network via an email link.


Assessing the tools

There are a number of criteria by which you can compare and contrast the capabilities of the three options presented above. Each of the approaches has its pros and cons, strengths and weaknesses, in relation to the other two. Below, I’ve put together a list of the criteria by which I would judge an extranet tool, and given a Harvey Ball score against each. Naturally, you may have different criteria that are important to you and your organisation, and you may put a different weighting against certain criteria. Additionally, you’ll probably disagree with some of my ratings and comments, or want to include additional options that are a hybrid of the ones discussed above. But this assessment at least provides a starting point!

[Image: Assessments]

Conclusion

SharePoint provides richer functionality, greater flexibility and extensibility, and (arguably) better risk mitigation/compliance than Yammer. But Yammer is a good fit if your Extranet is mainly for conversations/discussions (perhaps with a little bit of document sharing thrown in), or if you need to get something live quickly and cheaply.

Personally, I have found Yammer to be an excellent tool for collaborating with clients; getting quick answers to questions and discussing important decisions, risks, issues, and plans. It is poor for document management, but if you are just publishing finished deliverables for the third party to see and discuss, it does the job. SharePoint is the only viable option if you have any desire to automate processes, or you need any form of web content management functionality. It is also a much better fit if you are creating and editing documents collaboratively with third parties.

External Sharing is a nice option to have on the table on top of a standard SharePoint Extranet, but I’m not a fan of the lack of manageability associated with this option. It’s tough to govern how/when users share files (really, they should share on a per site basis, not per file). It’s impossible to manage third party accounts that aren’t hosted in your own organisation’s Azure AD instance, and if a third party doesn’t have an Azure AD instance, they have to use personal Microsoft IDs. If you wish to keep tabs on sharing and ensure compliance, there is management overhead associated with maintaining and revoking shares and guest links. But that said, it is a quick, convenient, accessible way to extend SharePoint to third party organisations and allow them to access your information.

So really, the best option depends on what you want from your Extranet. My recommendation would be to investigate the benefits you are hoping to achieve from increasing collaboration with suppliers, clients, partners and other third parties, and to investigate exactly what your users desire from the tool.

Do you agree with my recommendations and assessment? Do you have a different option that you use to deliver Extranet functionality? Let me know in the comments!

Thanks for reading.
