SharePoint External Sharing Best Practices
This article applies to: Office 365 Productivity Bundle
On our Overview of External Sharing page, we describe the differences between a Microsoft Account and a Work/School Account. Cornell email addresses are already associated with their owners’ work account. Cornell email addresses should not be associated with a Microsoft Account.
Once external users are invited to a site, it is easy to grant them permission to other sites (SharePoint will recognize them as having accounts and they will appear in the PeoplePicker as site users). Ensure that you know the identity of users who are invited through email and consider confirming their identity before granting an external user access to content.
When you share a site with an external user:
- They will inherit the permissions assigned.
- They will be able to see the names of other site users in the people picker.
- They will be able to view document metadata.
- Other people who use your site and other site collection users have the ability to grant different permissions to these users.
An external user invitation can be accepted only once; when used, it expires. If an external user forwards the invitation to someone else, whoever is first to use the link to access the content wins. Explain to your external users that they should not forward the invitation. (This does not apply to guest links; these work for anyone who clicks them.)
To use an email address such as firstname.lastname@example.org (NOT a cornell.edu address) to log on to a SharePoint Online site, the email address must first be associated with Microsoft account. You can register an email address with your Microsoft account by following the steps at Create a Microsoft Account. The user’s personal email address should be entered as the username (the third field on the page) to create/associate that account with a Microsoft account.
There is no global way to see a list of all the sites to which an external user has access.
There is also no global way to see a list of all documents that have been shared externally.
Create separate permission group(s) for just external users.
Create a subsite that has unique permissions, and then share only that subsite with external users.
If external sharing was enabled and is later turned off for a site collection, all existing external user permissions for that site collection will be permanently deleted.
The SharePoint Online Admin (not the local Site Collection Admins) can see the list of external users with access to a site collection; they also have the option to remove a user’s access to a site collection. (Note: Even after an external user’s access it removed, that user will still be shown in the people picker.)