In Part 1 we looked at the different sharing options available to end users when sharing files in Office 365. Now we will look at the backend settings that provide the different combinations of sharing. As we will see, some of the settings at the tenant level affect the sharing experience in Microsoft Teams.
This is a three-part blog series about Microsoft Teams in which I cover sharing in Office 365 and Microsoft Teams from three perspectives: user, administrator and advisor.
Let's start with the settings related to the end-user options shown in Part 1. They can be found in the SharePoint Admin Centre:
Since January 2020 the default link type can also be set to People with existing access via PowerShell.
The SharePoint and OneDrive settings at the tenant level are closely connected and accessible from either Admin Centre. The OneDrive setting can be more restrictive than the SharePoint setting, but not more permissive. The tenant-level setting is not inherited as a default by new sites; it defines the most permissive sharing options that can be offered to users, and individual sites can only be as permissive as the tenant allows.
Each SharePoint and OneDrive site has its own sharing settings that can be set independently.
One important gotcha is that even if Anyone is configured at the tenant level, new sites are created with New and existing guests. This might not be what you'd expect, but it is probably a safety measure to avoid accidental anonymous sharing.
Similarly, if the default sharing link at tenant level is Anyone with the link, the default link in a new site is People in your organisation. OneDrive sites, on the other hand, appear to be created with anonymous sharing on and Anyone with the link as the default.
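The two observations above (the tenant setting is a ceiling, not a default, and "Anyone" or "People with existing access" may or may not be what a given site actually has) are easiest to verify from the SharePoint Online Management Shell. The script below is an added example, not code from the original post; it assumes the SharePoint Online Management Shell module is installed, the tenant is called "contoso" and the Finance site URL is hypothetical.

```powershell
# Added example (not from the original post). Assumes the SharePoint Online
# Management Shell module and a hypothetical tenant named "contoso".
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# 1. Tenant-level ceiling for SharePoint and OneDrive. SharingCapability values,
#    from least to most permissive:
#      Disabled
#      ExistingExternalUserSharingOnly  ("Existing guests")
#      ExternalUserSharingOnly          ("New and existing guests")
#      ExternalUserAndGuestSharing      ("Anyone")
$tenant = Get-SPOTenant
$tenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays

# 2. Make "People with existing access" the default link type. Since January
#    2020 this is exposed through PowerShell rather than the admin centre UI.
Set-SPOTenant -DefaultLinkToExistingAccess $true

# 3. Audit: sites are NOT created with the tenant's setting, so the only way to
#    know where "Anyone" links are really possible is to read every site.
#    Get-SPOSite in list mode returns a reduced property set; fetching each
#    site by URL returns the full one.
$sites  = Get-SPOSite -Limit All -IncludePersonalSite $true
$report = foreach ($s in $sites) {
    $site = Get-SPOSite -Identity $s.Url
    [pscustomobject]@{
        Url               = $site.Url
        Template          = $site.Template          # GROUP#0 = Office 365 Group / Teams site
        SharingCapability = $site.SharingCapability
        DefaultLink       = $site.DefaultSharingLinkType
        AnyoneEnabled     = ($site.SharingCapability -eq 'ExternalUserAndGuestSharing')
        MatchesTenant     = ($site.SharingCapability -eq $tenant.SharingCapability)
    }
}
$report | Sort-Object AnyoneEnabled -Descending | Format-Table -AutoSize

# 4. Remediate one site back to "New and existing guests" with an
#    organisation-only default link (hypothetical site URL).
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Finance" `
    -SharingCapability ExternalUserSharingOnly -DefaultSharingLinkType Internal
```

The report is the check a practitioner wants before trusting the tenant setting: a site with AnyoneEnabled set to True can hand out links that need no sign-in at all, regardless of any guest or domain restrictions discussed later, because nobody authenticates when opening an Anyone link.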
To understand the behaviour of the different settings let's first understand two important concepts: Guests and Office 365 Groups.
Guest access is included with
The total number of guests that can be added is based on the Azure AD licensing (usually 5 guests per licensed user).
Modern SharePoint team sites, including the ones behind Microsoft Teams, are powered by Office 365 Groups. Technically these groups live in Azure AD, so we can also call them Azure AD groups. Their security model differs from that of traditional security groups: a single Azure AD group now has two permission levels, Owner and Member.
This is a major paradigm shift for two reasons. First, because Office 365 Groups are the foundation of most Office 365 services, we can now manage one group to provide access to multiple services. By now you are probably aware that creating an Outlook group creates a SharePoint site, a shared mailbox, a shared calendar and a OneNote notebook. The same happens when you create a team in Microsoft Teams; you get all of the above plus a Planner plan.
Second, Office 365 Groups take an identity and access management function (group creation, maintenance and membership) and place it in the hands of end users, often without their knowing it, because by default every user in the organisation can create a group. That's why governance becomes such an important topic and deserves attention from the very beginning.
Other properties of groups:
Once guests have been added to a group, they have access to all the resources associated with that group. For example, if you create a new group in Outlook and invite guests, they get access to the group's shared mailbox and calendar, the OneNote notebook and the group's files (stored in SharePoint). This is because creating a group, depending on where it is created, also provisions the associated services.
For more information about what guests can do in an Office 365 Group see Adding guests to Office 365 Groups.
The sharing model has different layers and it starts from Azure:
One of the easier options available is to allow or block sharing with specific domains. You can create a deny list (more permissive), where you add e.g. gmail.com, outlook.com and other public domains you want to block; all other domains remain allowed. An allow list, on the other hand, is more restrictive because only the domains listed there are available for sharing.
There are different levels at which an allow/block domain list can be applied (Azure AD external collaboration settings, the SharePoint tenant and individual SharePoint sites):
At the moment it's not possible to apply an allow/block domain list to a specific Group.
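The SharePoint levels of the domain list (tenant and individual site) can be set and checked with the SharePoint Online Management Shell. This is an added example, not code from the original post; it assumes an existing Connect-SPOService session to a hypothetical "contoso" tenant, and the partner domain and ProjectX site URL are invented. The Azure AD level has its own setting and is not shown here.

```powershell
# Added example (not from the original post). Assumes an existing
# Connect-SPOService session; "contoso", "fabrikam.com" and the ProjectX
# site are hypothetical.

# Tenant level, block list: everything is allowed except the listed domains.
# The list is a single space-separated string.
Set-SPOTenant -SharingDomainRestrictionMode BlockList `
    -SharingBlockedDomainList "gmail.com outlook.com hotmail.com yahoo.com"

# Tenant level, allow list (more restrictive): only the listed domains can be
# invited. Only one mode is active at a time, so choose one of the two.
# Set-SPOTenant -SharingDomainRestrictionMode AllowList `
#     -SharingAllowedDomainList "fabrikam.com"

# Site level: lock one site down to a single partner domain, independent of
# the tenant-wide list. There is no equivalent at Office 365 Group level.
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ProjectX" `
    -SharingDomainRestrictionMode AllowList `
    -SharingAllowedDomainList "fabrikam.com"

# Check: list every site whose domain restriction differs from the tenant's.
$tenant = Get-SPOTenant
Get-SPOSite -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url } |
    Where-Object { $_.SharingDomainRestrictionMode -ne $tenant.SharingDomainRestrictionMode } |
    Select-Object Url, SharingDomainRestrictionMode,
        SharingAllowedDomainList, SharingBlockedDomainList
```

One caveat worth repeating to stakeholders: these lists are evaluated when a guest is invited, so they do nothing against Anyone links, which are opened without signing in. Blocking gmail.com only helps if anonymous sharing is also switched off where it matters.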
Sharing Settings available in Azure:
The following settings can be found in Azure AD, in the Organisational relationships section.
With the Guest Inviter role, you can give individual users the ability to invite guests without assigning them a global administrator or other admin role.
Currently, Microsoft Teams doesn't support the Guest Inviter role. At a minimum, the Members can invite toggle must be set to Yes for guest access to work in Microsoft Teams.
In the Office 365 Admin Centre, under Security & privacy, there is a Sharing setting that is the equivalent of Members can invite in Azure AD; it allows any user in the organisation to invite guests.
There is another setting in the Admin Centre (Settings -> Services -> Office 365 Groups) that allows guests to access group resources. Without it enabled, collaboration with guests in Office 365 services is limited to individually shared files.
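Both the "every user can create a group" default mentioned earlier and the Office 365 Groups guest toggles above live in the same Azure AD directory setting (template Group.Unified), so one script covers both. This is an added example, not code from the original post; it assumes the AzureADPreview module (which provides the directory-setting cmdlets) and a Global Administrator session, and the security group "SG-GroupCreators" and the team "Finance" are hypothetical names.

```powershell
# Added example (not from the original post). Assumes the AzureADPreview module
# and a Global Administrator session; "SG-GroupCreators" and "Finance" are
# hypothetical.
Import-Module AzureADPreview
Connect-AzureAD

# The tenant-wide Office 365 Groups settings are a directory setting created
# from the "Group.Unified" template. It does not exist until created once.
$template = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified' }
$setting  = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
if (-not $setting) {
    New-AzureADDirectorySetting -DirectorySetting $template.CreateDirectorySetting() | Out-Null
    $setting = Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }
}

# 1. Group creation. EnableGroupCreation is True by default, i.e. everyone.
#    Restrict it to members of one security group; admins keep the ability.
#    This also stops everyone else creating teams, plans and Outlook groups.
$creators = Get-AzureADGroup -SearchString 'SG-GroupCreators' | Select-Object -First 1
$setting['EnableGroupCreation']         = 'False'
$setting['GroupCreationAllowedGroupId'] = $creators.ObjectId

# 2. Guest access to group resources (the admin centre "Office 365 Groups"
#    toggles). AllowGuestsToAccessGroups: guests may use group content at all.
#    AllowToAddGuests: owners may add new guests to groups.
$setting['AllowGuestsToAccessGroups'] = 'True'
$setting['AllowToAddGuests']          = 'True'
$setting['AllowGuestsToBeGroupOwner'] = 'False'

Set-AzureADDirectorySetting -Id $setting.Id -DirectorySetting $setting

# 3. Per-group override (template "Group.Unified.Guest"): keep the tenant open
#    but stop new guests being added to one sensitive team. Fails if the group
#    already has an object setting; use Set-AzureADObjectSetting in that case.
$guestTpl     = Get-AzureADDirectorySettingTemplate | Where-Object { $_.DisplayName -eq 'Group.Unified.Guest' }
$groupSetting = $guestTpl.CreateDirectorySetting()
$groupSetting['AllowToAddGuests'] = 'False'
$finance = Get-AzureADGroup -SearchString 'Finance' | Select-Object -First 1
New-AzureADObjectSetting -TargetType Groups -TargetObjectId $finance.ObjectId -DirectorySetting $groupSetting

# Verify both levels.
(Get-AzureADDirectorySetting | Where-Object { $_.DisplayName -eq 'Group.Unified' }).Values
Get-AzureADObjectSetting -TargetType Groups -TargetObjectId $finance.ObjectId | Select-Object -ExpandProperty Values
```

Setting AllowGuestsToAccessGroups to False is the single switch that turns the rich group experience described earlier back into "individually shared files only", so treat it as a deliberate policy decision rather than a default to leave untouched.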
To have guest access working seamlessly in Microsoft Teams, there are many dependencies that need to be configured:
In Microsoft Teams there are two types of access, External Access and Guest Access:
External access (federation) grants permission to an entire domain, so users in that domain can chat, call and meet with your users but cannot be added to your teams.
Guest access grants permission to an individual, who is added to your Azure AD as a guest user and can then be made a member of teams.
Guests, once invited to Microsoft Teams, have almost the same level of access as members. The main differences are that they cannot share a file in a chat, add apps or create a team.
When creating a new Team in Microsoft Teams you can choose its security level: public or private.
In public teams, anyone in the organisation can join without the owners' approval. Members can add internal users, but only team owners can invite guests.
In private teams only owners can add members and guests. Members can request to add internal users, but owners must approve the request.
As you can see, there are a lot of moving parts in governing sharing, external access and guest access in Office 365. As we will see in Part 3, it's important that decisions on the various configurations are made in line with the company's policies, so that the right balance between ease of use and data protection is achieved.