Share files externally in Microsoft Teams
External approvals are indispensable for collaboration in most companies. Office 365 offers you very fine-tuned controls for setting up approvals. However, these are distributed across multiple Admin Centers. Therefore, setting up external shares can be a little worrisome for administrators.
There are controls at the highest level that affect everything below. But the closer you get to each group, team, and site, the finer the controls are, and you may not have been aware of them before.
It’s very likely that your users will need to collaborate with someone outside the company at some point. If you don’t have an existing system for external sharing, let your users decide when and how to share files externally in Microsoft Teams. The risk may not be obvious yet, but once data leaves your system, you lose all control over where it goes. Do you really know what happens to your data once it is in the hands of external users? Does using External User Manager to manage external users in Microsoft Teams possibly make sense for you?
External access vs. guest access
It is important to know exactly where and how to configure these functions in Azure AD, Microsoft Teams, SharePoint Online and OneDrive for Business. In the user interface of your Team Admin Center you may notice the term “External Access”. This term makes the subtle but important difference between external access and guest access:
- External access (federated) grants access to an entire domain, which means that the participant only has access to the federated chat with one other user at a time.
- However, the participant has no access to the Teams or team resources of the inviting company.
- Guest access gives an individual the ability to access resources such as channel conversations and files.
Since we are dealing with external approvals here, our focus is on granting guest access.
As an Office 365 Admin you should be able to access the Azure Active Directory Portal directly via a link in your Admin Center. Here you can view your guest users, create new ones and manage the approval settings for your B2B guest users.
How to share files externally in Microsoft Teams
In Microsoft Teams, share files externally by granting guest access. Here’s what you need to do to set everything up in a safe way.
In your organizational relationship (i.e. B2B) settings, you can set these controls more precisely. Should guest users be able to search the directory? Do you want to allow members or owners to invite guests? You’ll also find settings that allow you to set up one-time access codes via email for guests and collaboration restrictions in domains.
To share files externally in Microsoft Teams, the first step is to enable this feature for Office 365.
You can enable your sharing settings in the Microsoft 365 Admin Center under Settings → Security and Privacy. You must then enable sharing at the Office 365 Groups level as well.
Go to “Services and Add-ins” in the Office 365 Group Settings. Here you will find two options.
Should guests be granted access to groups?
Are owners allowed to add these guests?
If you select the first option but not the second, your operations or AD team must add all guest users in both the directory and each group. This requires a lot of manual work, but provides more security if you are uncomfortable with the idea of allowing group owners to invite guest users.
Finally, we come to the Microsoft Teams Admin Center. From there, go to Organization-wide settings → guest access → Enable guest access in Teams. After enabling this setting, you can further fine-tune how guests can use the service (e.g.: Can they delete messages? Can they use GIFs?). Allow a few hours for the setting to take effect.
If you want SharePoint to transfer your settings for external shares to Azure B2B, proceed as follows:
- In the Microsoft 365 Admin Center Settings →, access services and add-ins → SharePoint
- Set the “Users can share with:” option to “Only existing guests”.
If, on the other hand, you want SharePoint to function independently of Azure B2B and have its own list of external shares, proceed as follows:
- In the Microsoft 365 Admin Center Einstellungen→ call up services and add-ins → SharePoint
- Set the “Users can share with:” option to “Everyone”
This allows all users, even anonymous users, to use SharePoint.
Further fine tuning can be done via the guest access settings for each site.
With External User Manager you can manage your external users even better using approval workflows, access control, and reporting.
External sharing mostly comes up in projects with partners or collaborations with another company. As an alternative, you could just send the files by email – however that invites issues with different versions, insecurities about which file is the latest and correct version etc. With external sharing, everyone has access to the same file, which is always up-to-date.
It can be, which is why you need to think about security settings and governance regulations in advance. Without any guidelines, your users are able to share files and data however they like. They may not intend anything bad to come from it, but once the files are out of their hands, controlling what happens afterwards is impossible. Thankfully, Microsoft offers a lot of settings and options for deciding what can be shared and with whom.
In short, external access is the little brother of guest access, with less rights. For more detailed information, please reference the blog article above.
To start, go to the Microsoft 365 Admin Center and select Settings and then Security and Privacy.
As a second step, external sharing has to be enabled for Office 365 Groups, too. In order to do so, select the Office 365 Group Settings and then “Services and Add-ins”.
This topic is easy to implement but complex to explain, so please read the full blog post before going ahead.
In the Office 365 Group Settings, you can select “Guests should be granted access to groups” and not “Owners are allowed to add these guests”.
This means new guest users have to be added manually to Azure Directory as well as the Office 365 group.
If you like this additional level of security, but are averse to the additional manual effort, you might want to check out our External User Manager for a request and approval workflow for inviting guest users.
In the Microsoft Teams Admin Center, there are further options to drill down the settings for guest access. You can find these in the “org-wide settings” under “guest access”.
Yes, you can set up SharePoint’s external sharing to work independently from Azure B2B! Even if you have restricted guest access and external sharing for Azure B2B, you can make it widely available for SharePoint. For this, go to Microsoft Teams Admin Center settings, then “call up services and add-ins” and select “SharePoint”. Here, select “Everyone” for “Users can share with” – allowing even anonymous users to have access to SharePoint. This can, again be finetuned in the settings for each individual SharePoint site.