Wednesday, September 27, 2017

Setting Up Office 365 Extranet

     While trying to configure a 2016 hybrid SharePoint environment, I wanted to explore the features of an O365 Extranet. Having never set one up before, I turned to Microsoft for articles on how to simply set it up. I found many articles on what they were and why they would be useful, even pitfalls to avoid. However, I never came across a step-by-step guide, or if I did, it seemed like it was written pretty early in the lifecycle and Microsoft had already made changes to the product that made the article null and void. So, I ended up spending vast amounts of time getting my environment set up and configured as securely as possible. It is possible that I am spoiled, as Extranet Collaboration Manager for On Prem takes about 10 minutes using the helpful wizard. What you find below are the notes of the steps that I took. Hopefully you find these instructions and are able to get your O365 extranet configured in much less time than it took me!

     I should note that before enabling external sharing for SharePoint, you'll have to make sure it's enabled for your Office 365 tenant as a whole. This can be found under the Security & Privacy tab of your Settings menu within your Tenant Admin Console. There, you can control external sharing globally first.

  1. From the Tile screen, click on admin.
  2. Next, click on the Security & privacy link in the left Nav.
  3. Click the Edit button and ensure that “Let users add new guests to the organization” is set to.
  4. From your Office 365 home screen, navigate to your Admin center.
  5. From the Admin center, choose the "Admin Centers" tab on the left-hand side and then "SharePoint." This will take you to the SharePoint admin settings page, where you can configure external sharing.
  6. Click the "Sharing" link to view all of the sharing options.

The image you see is not the default image but the settings that were chosen for our specific environment.

Here are the available options that you can choose from when configuring external sharing:

"Don’t allow sharing outside of your organization."

This option will turn off sharing to anyone outside your organization – very well named.

"Allow sharing only with the external users that already exist in your organization’s directory."

This option tells your SharePoint environment that only existing users can be granted access to content in your tenant. But you may be saying to yourself that you do not want external users in your Azure AD. When an external user is added to your organization, they are added to your Azure Active Directory, just as a guest. In the image below you can see two users that were invited and added as Guest users in my Azure AD.

An admin can manually create these external users in their Azure Active Directory via the Azure Portal, but SharePoint will not facilitate the creation of new users through its sharing interface. For some, this option may be desirable, as you may want your SharePoint Admin to create all the external users. If you want to delegate some onboarding to internal users, keep reading.

"Allow users to invite and share with authenticated external users."

Enabling sharing with authenticated external users means allowing your employees to invite new guest users to your directory and share specific content with them, without an administrator’s direct approval.

"Allow users to invite and share with authenticated external users and using anonymous access links."

Authenticated external users can be invited to log in and view or edit documents, but content can also be shared with anonymous users if the owner of the document chooses to share an anonymous link. Be VERY careful with this option. For the most part, I think you will want to avoid this option.

Depending on which option you chose, you should now be able to browse to a SharePoint site, click the Share option on the page, and start your external collaboration.
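
Once a sharing option is chosen, the result can be audited from PowerShell, including which site collections still permit anonymous links. This is an added example, not part of the original post; it assumes the SharePoint Online Management Shell module is installed, and the admin URL (contoso) is a placeholder for your own tenant.

```powershell
# Added example: audit external sharing across the tenant and its site collections.
# Assumption: placeholder admin URL; replace "contoso" with your tenant name.
$AdminUrl = 'https://contoso-admin.sharepoint.com'

# SharingCapability values and the admin-center option each one corresponds to.
$OptionText = @{
    'Disabled'                        = "Don't allow sharing outside of your organization"
    'ExistingExternalUserSharingOnly' = 'Only external users that already exist in the directory'
    'ExternalUserSharingOnly'         = 'Invite and share with authenticated external users'
    'ExternalUserAndGuestSharing'     = 'Authenticated external users and anonymous access links'
}

Connect-SPOService -Url $AdminUrl   # prompts for a SharePoint admin account

# Tenant-wide setting: the ceiling for every site collection.
$tenantSetting = (Get-SPOTenant).SharingCapability.ToString()
Write-Host "Tenant: $tenantSetting ($($OptionText[$tenantSetting]))"

# Per-site settings. A site can be more restrictive than the tenant, never less.
$sites = Get-SPOSite -Limit All |
    Select-Object Url, Owner, @{ n = 'Sharing'; e = { $_.SharingCapability.ToString() } }

# Summary: how many site collections use each option.
$sites | Group-Object Sharing | Sort-Object Count -Descending |
    Format-Table @{ n = 'Sites'; e = { $_.Count } },
                 @{ n = 'Setting'; e = { $_.Name } },
                 @{ n = 'Admin center option'; e = { $OptionText[$_.Name] } } -AutoSize

# Site collections that permit anonymous access links deserve a manual review.
$anonymous = @($sites | Where-Object Sharing -eq 'ExternalUserAndGuestSharing')
if ($anonymous.Count -gt 0) {
    Write-Warning "$($anonymous.Count) site collection(s) allow anonymous access links:"
    $anonymous | Format-Table Url, Owner -AutoSize
    # To restrict one site to authenticated guests only (uncomment and set the URL):
    # Set-SPOSite -Identity <site-url> -SharingCapability ExternalUserSharingOnly
} else {
    Write-Host 'No site collection allows anonymous access links.'
}
```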

Monday, September 11, 2017

Allowing Site Sponsors to View Registrations and Invitations List

“Extranet Collaboration Manager”, or ExCM, was designed to leverage SharePoint’s native permissions levels, and, in a few cases, add some additional security capabilities that can help an organization to better secure and govern SharePoint usage in an extranet scenario.  One of these additional features is ExCM’s Site Sponsor feature.

An ExCM Site Sponsor is a special permission level that can be granted to any user (internal or external), regardless of the SharePoint permission level that user has.  Once granted the Site Sponsor permission, the user is able to manage a pre-defined set of external user accounts in a given extranet site.  (Read more about the ExCM Site Sponsor feature here.)

In many cases a Site Sponsor is able to do everything she needs to do by simply using the out-of-the-box settings.  However, one thing that a Site Sponsor cannot do out-of-the-box is see the list of Extranet Invitations and Extranet Registrations for her site.  This is because both of those lists are automatically maintained by ExCM at the Site Collection level and by default require Site Collection Administrator permissions.  Sometimes we are asked how this can be “tweaked” so that Site Sponsors can see these two lists. 

Below are the steps you can use to set up your Site Sponsor to view the Registrations and Invitations for a site collection:

From your Windows Explorer, open your “SharePoint Designer” program.

Once your SharePoint Designer is open, click on “Open Site.”

Setting up Anonymous Registration

When dealing with Extranets, the primary job of a Farm Administrator is to make sure their Extranet is set up with the proper security to only allow users who are part of the organization or who are invited to have access to an extranet site collection. They are the “Gatekeepers” of your Extranet.

“I am the Key Master... are you the Gatekeeper?”

(Ghostbusters 1984)