A recent attempt to share a site collection provisioned by the new "Create Site" link in SharePoint Online revealed that in order to share the site collection with external users you must change the sites "SharingPolicy" property from the default
ExternalUserSharingOnly to enable new external user invitations. This must be done with the Set-SPOSite PowerShell Cmdlet
The Back Story
I recently had a project that required providing External User access to a newly provisioned Office 365 Group's site collection in SharePoint Online. Simple, right... Just click the Share icon on the home page, and invite the external user. Wrong!
In the past, when working with clients we (ThreeWill) have provisioned a SharePoint site collection per client to manage projects and invited clients as external users. This has been working great for quite a while.
Now with the option to use Office 365 Groups and some of the new features in SharePoint Online, including the provisioned site collection (which is hidden from the Office 365 SharePoint Admin panel), we started using Office 365 Groups to manage the projects. Once created, we use the PnP PowerShell Cmdlets to add standard lists and libraries. This worked really well, until we wanted to share a new project site based on an Office 365 Group with a new external user.
For a new client project, the project's Scrum Master attempted to share the site with a client as an an external user with an outlook.com address. But the email never seemed to be sent for the request. He did what I would have done and clicked the Members link at the top right of the page and then selected Add Members. But this didn't work.
Next, he tried to navigate to Site Permissions and then "Share Site Only", but this didn't work either.
In the end, after some digging, I found the Use PowerShell to manage Office 365 Groups - Admin help article. This states that:
By default, all SharePoint site collections that are part of an Office 365 Group have the sharing setting set to Allow sharing only with the external users that already exist in your organization’s directory. To change this setting, you can use the Set-SPOSite Windows PowerShell cmdlet.
You must use
Set-SPOSite to set the
SharingCapability property to enable sharing with new external users. This property determines what level of sharing is available for the site. The possible values are:
- Disabled – external user sharing (share by email) and guest link sharing are both disabled
- ExternalUserSharingOnly – external user sharing (share by email) is enabled, but guest link sharing is disabled
- ExistingExternalUserSharingOnly - (DEFAULT) Allow sharing only with the external users that already exist in your organization’s directory
- ExternalUserAndGuestSharing - external user sharing (share by email) and guest link sharing are both enabled
To update this property, you must log in to your tenant using
Connect-SPOService to perform the operations. Once you have connected to your tenant admin site, then run the
Get-SPOSite command to determine the current
SharingCapability setting of the site collection associated with the Office 365 Group.
PS C:\> Connect-SPOService -Url https://your-tenant.sharepoint.com PS C:\> (Get-SPOSite -Identity https://your-tenant.sharepoint.com/teams/groupname).SharingCapability ExistingExternalUserSharingOnly PS C:\>
Now change the setting to enable new external user invitations.
PS C:\> Set-SPOSite -Identity your-tenant.sharepoint.com/teams/groupname -SharingCapability ExternalUserSharingOnly
I noted before that nothing our Scrum Master tried worked. Unfortunately, even with the
SharingCapability property configured properly this did not work for me (let me know if it works for you). In order to make the external sharing request, I had to edit the site permissions and then invite the external user.
This now enabled us to invite outlook.com and hotmail.com accounts to the Office 365 Group based site collection as we normally would.
Office 365 Groups, the integrations built to take advantage of them, and the increasing capabilities of Office 365 in general are compelling for sure. However, this really tripped me up and the fact that we had to use PowerShell since this is currently not configurable in the SharePoint Admin UI, is really disappointing. The fact that there is currently no indication that this setting is set (remember this is hidden from the admin page), and there is no warning about the property value when trying to send and external invitation made determining the issue more challenging than it needed to be.
Hopefully, based on Christophe Fiessinger's recent appearance on the HyperFish podcast, there will be a way to manage this through the UI in the future, but keep this in mind for a while.
HTH - let me know if you have had the same experience or if you know any details about these features by leaving a comment below.