Microsoft just announced the ability to share content with external users without requiring an Office 365 or Microsoft account.

“If your OneDrive and SharePoint Online external sharing settings are set to allow sharing with new external users, new external users (that have a file or folder securely shared with them) will be able to access the content without needing an Office 365 account or a Microsoft account. Instead, recipients who are outside of your organization will be sent an email message with a time-limited, single-use verification code when they access the file or folder. By entering the verification code, the user proves ownership of the email account to which the secure link was sent.”

This is a great advancement and it will hopefully remove the primary obstacle that prevents external users from having a good experience when attempting to accept and act on invitations to access content.

Why you should be careful when sharing with external users

At Cloud Navigator we have used external sharing extensively to collaborate with customers on IT projects.  We also use the feature from time to time when we are collaborating with partners to develop proposals together.  SharePoint is a great platform for these activities.

We also use SharePoint for our internal purposes: HR and employment documentation, contracts, policies, and other private internal business content.

When you share content with an external user in OneDrive or SharePoint Online, a user account is created.  In SharePoint, a user profile is created.  This user is also placed in a SharePoint group with access privileges for the content you have shared.  What you may not be aware of at the time of sending the share invitation is that the group that user will be placed in may have access privileges extending far beyond the content you have shared.  That means there is the potential for the external user to access private content to which you didn’t intend for them to gain access.

That’s bad.  It gets worse.  At the time of the share and user profile creation in SharePoint, the group that the user is added to may only have rights to access the content you shared, but later on someone else in your organization might extend the rights to other content, thereby sharing unintended content with the external user.  Without the proper controls in place, an external user might be able to give other external users inappropriate access in the same way.

I found an old blog post that explains some of the rights an external user can receive:

Understanding External Users in SharePoint Online

How to avoid the danger

The only way to prevent someone from accidentally giving inappropriate access to an external user is through vigilant IT governance and informed SharePoint deployment planning.  The first step is understanding the unintended consequences that may accompany external sharing.  We recommend developing IT Governance strategies that include monitoring/review of user accounts in Office 365 and SharePoint, as well as a review of site permissions and group access rights.
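
The review of group access rights recommended above can be reduced to a comparison between what each invitation was meant to share and what the recipient's group can actually reach, both when the invitation was sent and today. The following is an added example, not code from the original post and not a SharePoint API: it works on a simplified, constructed export, and the names `Share`, `audit`, the group names and the paths are all hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Share:
    external_user: str  # address the invitation was sent to
    shared_item: str    # the one item the sender meant to share
    group: str          # group the external user was placed in

def audit(shares, grants_at_share, grants_now):
    """Flag scopes an external user can reach beyond the item shared with them.

    grants_*: dict of group name -> set of scopes (paths) the group can access.
    Returns (user, group, scope, reason) tuples.
    """
    findings = []
    for s in shares:
        before = grants_at_share.get(s.group, set())
        now = grants_now.get(s.group, set())
        # Over-exposure that existed the moment the invitation was sent.
        for scope in sorted(before - {s.shared_item}):
            findings.append((s.external_user, s.group, scope, "exposed-at-share"))
        # Rights someone added to the group after the external user joined it.
        for scope in sorted(now - before - {s.shared_item}):
            findings.append((s.external_user, s.group, scope, "added-after-share"))
    return findings

# Constructed sample data (not real tenant output).
SHARES = [
    Share("partner@example.org", "/sites/proposals/Bid.docx", "Proposals Members"),
    Share("client@example.com", "/sites/projects/Plan.xlsx", "Plan Guests"),
]
GRANTS_AT_SHARE = {
    "Proposals Members": {"/sites/proposals/Bid.docx", "/sites/proposals/Pricing.xlsx"},
    "Plan Guests": {"/sites/projects/Plan.xlsx"},
}
GRANTS_NOW = {
    "Proposals Members": {"/sites/proposals/Bid.docx", "/sites/proposals/Pricing.xlsx"},
    "Plan Guests": {"/sites/projects/Plan.xlsx", "/sites/hr/Contracts"},
}

if __name__ == "__main__":
    for finding in audit(SHARES, GRANTS_AT_SHARE, GRANTS_NOW):
        print(*finding, sep=" | ")
```

Run against periodic snapshots, the "added-after-share" findings are the ones a one-time check at invitation time cannot catch.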