Manage external users locally or with other tenancies
Sesha Mani, Principal Program Manager for hybrid, demonstrated the three external sharing options in Office 365 today:
- No external sharing
- External sharing that requires authentication. An invitation is sent to an external user. When the user clicks the link, the user is required to authenticate with a Microsoft account. (If the user doesn't have a Microsoft account, they can create one on the fly)
- External sharing with guest links. A link is sent that contains the access token. Any user with the link can access the resource. This is the 'easiest' sharing, for users, but is obviously less secure--a user with the link can forward it to anyone, post it on social media, etc. The link is the access.
What hasn't existed to date is an option to share with an external user with a federated identity--with their identity from a trusted organization. Or the ability to manage users in Office 365 from a database of external users, much like you would use behind a forms-based authentication (FBA) configuration on-prem.
Sesha then gave us a look into how his team is thinking about hybrid sharing (and identity management) support. He was a bit constrained on time, so there are some open questions for us to follow up on. But very cool stuff and, as the slide suggests, this is aimed at addressing SharePoint 2016, 2013 and even 2010 hybrid environments.
Important: This is futures stuff, so don't be surprised if Microsoft's direction and implementation is refined over time.
In "Scenario 1", the customer manages partner users locally, for example in a SQL database or in a separate "partners" Active Directory domain. Partner users can then be synchronized to Office 365 from the on-prem identity store. The user identities in Office 365 will be 'flagged' as external users (the term in use is "restricted user").
In this, and other, scenarios, the primary customer organization will be able to turn off the 'user-to-user invitation' (share-by-email) model, and rather simply enable management of users from the existing trusted identity provider.
Sesha showed the result. On the "Active Users" page, he showed users who are "Synced with Active Directory". As a 'user', access can then be granted to SharePoint content.
"Scenario 1.1" was one that Sesha didn't detail, but based on the slide it is a scenario in which trust of an external organization has been established by the organization, on-prem, with ADFS. Presumably, those users could then be synced into the Office 365 tenancy and, again, flagged as an external/restricted user.
"Scenario 2" is the announcement I've been waiting for: You will be able to share with external users in other Office 365 tenancies--easily. And the external user will have a seamless (SSO) experience browsing from their tenancy into the shared resources.
Admins can configure an allow list and a block list, specifying which domains can or cannot be shared with. The current thinking is there will be both an "allow" and a "block" master list at the tenancy level, based on domain names. The allow/block list will be able to be modified at the site collection level.
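To make the allow/block model concrete, here is an added illustrative policy evaluator (my own example, not Microsoft's code or a statement of how Office 365 will implement it). It assumes lists are domain-based, that a block entry wins over an allow entry at any level, that a site collection can only narrow the tenant-level allow list and extend the block list, and that a listed domain also covers its subdomains; the domains in the test data are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical model of a tenant-level allow/block list with an optional
# site-collection override. Precedence rules are assumptions for illustration.

@dataclass
class DomainPolicy:
    allow: set = field(default_factory=set)   # domains sharing is permitted with (empty = any)
    block: set = field(default_factory=set)   # domains sharing is never permitted with


def domain_of(email: str) -> str:
    """Return the lower-cased domain of an e-mail address, or '' if malformed."""
    if email.count("@") != 1:
        return ""
    local, domain = email.split("@")
    if not local.strip() or not domain.strip():
        return ""
    return domain.strip().lower()


def _matches(domain: str, listed: set) -> bool:
    """True if domain equals a listed domain or is a subdomain of one (assumption)."""
    return any(domain == d.lower() or domain.endswith("." + d.lower()) for d in listed)


def sharing_allowed(email: str, tenant: DomainPolicy,
                    site: Optional[DomainPolicy] = None) -> bool:
    """Decide whether a share with `email` is permitted under tenant and site policy."""
    domain = domain_of(email)
    if not domain:
        return False                       # reject malformed addresses outright
    policies = [tenant] + ([site] if site else [])
    # A block entry at either level is final: block always wins over allow.
    if any(_matches(domain, p.block) for p in policies):
        return False
    # Every configured (non-empty) allow list must admit the domain, so a site
    # collection can restrict the tenant list but never widen it.
    return all(_matches(domain, p.allow) for p in policies if p.allow)


if __name__ == "__main__":
    tenant = DomainPolicy(allow={"adatum.com"}, block={"mail.adatum.com"})
    print(sharing_allowed("alice@adatum.com", tenant))        # True
    print(sharing_allowed("eve@mail.adatum.com", tenant))     # False: blocked subdomain
    print(sharing_allowed("mallory@fabrikam.com", tenant))    # False: not on allow list
```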
Not mentioned, but implied on the slide, is a B2B opt-in, which I assume means when Contoso decides to trust Adatum, an administrator of Adatum will accept the invitation on behalf of the Adatum tenancy.
A variation of "Scenario 2", "Scenario 3", allows all users from a partner tenancy to be trusted. I wasn't clear, based on Sesha's brief discussion, whether this implies that the allow/block list (which he did mention in Scenario 2) is really domain-based or perhaps user-based. The latter would be particularly cool!
Behind the scenes, it appears that the vision and work of the team will result in external users being "first class citizens" from a directory identity perspective. However, as they will be flagged as restricted, they will not be able to browse organizational resources (e.g. user lists) as broadly as internal users. Makes sense.
Then, as first-class identities, those external users could be granted access to resources--i.e. SharePoint content. One interesting question, which was only partially answered due to time restrictions, is whether, then, external users will be able to be granted granular permissions.
Currently, external users can only be given permission to an entire site, or to an individual file. In theory, the new vision would allow an organization to grant an external user permission to a folder, to a library or list, or even to an individual list item. That would be fantastic! Hope this comes to fruition!
How does this affect licensing? Effectively, the answer is a SharePoint-appropriate "Working on it..." Current licensing allows an organization to share with external users for free, using the 'share by email' model that's currently in place. The business model has not been worked out yet.
In my opinion, it will make great sense for Microsoft to support external sharing for free, with any user who can demonstrate they have an Office 365 license. Scenarios 2 and 3 make this easy. Scenarios 1 and 1.1 would be trickier, but could be done by asking a user--on very first logon--to enter an Office 365 credential, much as the share-by-email invitation does today.
From the highest level, these scenarios are absolutely fundamental to support the new world of dynamic teams. So my guess is we will see significant and fast progress in this area.
Still to be developed: Better solutions to user lifecycle, particularly with external users.