When it comes to collaborating, Office 365 allows colleagues to check availability in Outlook, schedule a Skype for Business meeting, and share files in SharePoint, OneDrive for Business, or Office 365 Groups.  While sharing within your own organization is fairly simple, sharing with external users requires some planning.  External users can be anyone outside your organization; this can include partners and customers.  A technical description of an external user, is a user who does not have an account registered or licensed in your Office 365 tenant.

There are two types of external users – authenticated and anonymous.

Authenticated users are users with a Microsoft account from another Office 365 subscription.  Authenticated users can have the same permissions as any of the internal users within your organization.  You can assign a license to them.

Anonymous users are users who can access a folder or document via a shareable link.  Anonymous users can view, edit, or upload to the folder without having to log in with a username or password.  Anonymous users cannot access sites, and you cannot assign licenses to them.

Where do you start?

Before you can start allowing external users to access your data, you should consider the existing policies set by your organization.  Some of these policies may include:

  • Is external sharing allowed for anyone (anonymous) or just authenticated users?
  • Which domains should be allowed or blocked in Skype for Business?
  • What types of content that cannot or should not be stored in O365?
  • Who can (and should) extend an invitation to an external user?

You may also find that your organization does not have policies in place that address the sharing of content with external users except through e-mail.  If this applies to your organization, it’s important that your Office 365 tenant is configured to limit external sharing until the proper policies and controls can be put into place, thus limiting the risk to the organization.

What are some of the security risks?

While external sharing is a great way to extend your organization to your partners, suppliers, and perhaps even your customers, there are risks that must accounted for.  Some of those risks include

  • Accidental sharing of sensitive content
  • External users with full control might be able to share content with other unintended external users
  • Changes made by anonymous users cannot be tracked

While these risks, and potentially others, apply to your organization, there are processes, settings, and tools within Office 365 that can mitigate the risks and protect your corporate assets and intellectual property.

  • Implement and enforce governance for external sharing
  • Consider using Azure Rights Management (RMS) to encrypt and restrict sharing of the data
  • Implement Data Loss Prevention (DLP) policies to automatically detect sensitive data
  • Send links, not attachments
  • Grant minimum level of permissions to external users
  • Disable external sharing on site collections with sensitive data
  • Disable anonymous sharing

What can you share?

External sharing can be configured separately for the different capabilities in Office 365, but primarily for SharePoint Online, OneDrive for Business, Outlook, Skype for Business, and Office 365 Groups.

SharePoint Online and OneDrive for Business: you can share an entire site, lists and libraries, and documents.  Keep in mind that the external users will need to authenticate to see all of these items while anonymous users can only see documents.  Additionally, SharePoint gives you the ability to limit users who can share with external users.

SharePointOneDriveSharing

Office 365 Groups:

  • Conversations – no access to conversation history, but may participate by receiving an e-mail sent to the distribution list
  • Files, Notebook, and Site – you can share an entire site, lists and libraries, and documents
  • Calendar – no access

Office365GroupsSharing

Exchange (Calendar): you can share free/busy information with time only, with subject and location, or full details

CalendarSharing

Skype for Business: you can schedule meetings or chat

SkypeforBusinessSharing

When it comes to sharing, or collaborating with partners and customers, it is critical to include external sharing as part of your Office 365 governance and security planning.  Remember that a governance plan is not a guarantee for security compliance, users and administrators must observe and follow good practices and policies to minimize the risks.