blog.atwork.at

news and infos about microsoft, technology, cloud and more

How to use external users in SharePoint Online (with a cost-free Azure Active Directory)

We are using SharePoint Online (SPO) in many scenarios: for our own Intranet and we often create SPO Sites in our Office 365 tenant to collaborate with partners and for projects. Many projects last only for some months and after the work is finished the SPO site will be deleted.

Since we don´t want to create not-our-company-users in our own Active Directory (AD) or in our synced Azure Active Directory (AAD) and assign an Office 365 license from our tenant it´s convenient to use users from another AAD and share the SPO site with them.

We also want to use “sharing” which is a feature of SharePoint Online in Office 365. The “other” AAD can be a cost-free AAD!

Credits go to my colleague Martina Grom (@magrom), Office 365 MVP, for developing this scenario with me. Thanks!

The scenario

As described we want to collaborate with many persons, in different companies. For such scenarios SharePoint Online provides the “sharing” function (sorry, sharing with external users is not possible in SharePoint 2013 on premises). So it´s simple to invite any user with the “Share” link in the upper right corner of the SPO website.

image

We want to share a SPO site and then send the persons their individual login for that site. We don´t want them to have additional effort for filling out forms or similar administrative work before they can use the portal. They shall login and collaborate. That´s the idea.

So we want to accomplish these steps:

  1. Enable Sharing in a SPO site
  2. Create a new cost-free AAD in the Azure portal
  3. Create new users in the AAD
  4. Invite users in the SPO – and send them their portal login
  5. As user: Use the invitation and get access to the SPO site
  6. As user: E-Mails in SPO (for notifications etc.) shall be working even without Office 365 mailbox
  7. Manage user accounts in AAD with the Azure portal

We want to manage all users in a new AAD, so we can create, rename or delete user accounts centrally. That´s why we use an own AAD (without Office 365) where we can perform all these user operations. All users get a login name with our chosen AAD domain name.

Prerequisites

Before you can share a SPO site so you need to configure the site and enable external sharing (or check it) in the Office 365 SharePoint Administration site https://<domainname>-admin.sharepoint.com/_layouts/15/online/SiteCollections.aspx

Mark the SPO site and click “Sharing” in the ribbon menu. Set sharing to “external users” like here:

SNAGHTML17ac814

Also we need to have access to an Azure subscription. We need the Azure portal to manage our AAD.

The good, the bad and the ugly

Yes, you can use ANY email-address for sharing. (good)

But: Office 365 needs to check the login. For that Microsoft needs to know about the account (there´s no STS provider support built in right now). This means that you only can collaborate with persons who a) own a Microsoft Account (former: Live ID) or b) use an organizational account in AAD! (bad – but workarounded here)

We won´t have users to create their own new Microsoft Account. (ugly – we send them a ready to use login).

So let´s start with our configuration process.

Step 1 – Create a new AAD

You need an Azure subscription. Login in to the Azure portal and…

image

…create a new Azure Active Directory. In my case I call the new domain “partnerweb”, so the full created domain name is “partnerweb.onmicrosoft.com”.

image

After short time the AAD is created. I added some users in that directory: “Max”, “Martha” and so on. (I also added some users of our own synchronized AAD *@atwork.at into that new AAD… just for a convenient administration.)

SNAGHTML168144c

So the login name of the users are similar like here: max@partnerweb.onmicrosoft.com

Step 2 – Prepare the external users

Document the users and their passwords.
Additionally – to make it very convenient for the endusers - you can login with each user to set a new password. Or let them do the change password work.

It´s also a good idea to put the users into groups, especially when they are working in different companies, departments or projects.

SNAGHTML170bd47

Step 3 – Invite external users into SPO

Send emails to each external user with these data:

  • The URL address of the shared SPO site
  • The AAD login name: max@partnerweb.onmicrosoft.com
  • The password for the login

We want the endusers to use our AAD account for the authorization against Office 365.
After the initial login these credentials are the access to the SPO site.

Step 4 – Invite external users into SPO

Then, in the SPO site use the “Share” Link in the upper right corner.

image

Now type the email address. Use the “real” email address of the user you want to collaborate with.
Since the invitation goes out by email the recipient must have access to his mailbox!

image

In my sample I used (an already existing) Microsoft Account, but that doesn't matter what account it is. The important part is, that the user has access to this mailbox. Later this email address will be used for the email communication with that user.

The SPO notifies that the site is now shared with external users.

image

Step 5 – As user: Accept the invitation

The user receives the invitation. Now the user only has to click the link with the SPO site name (in here it´s Go to “dev”).

To ensure you´re not logged in with other credentials it´s a good idea to open a browser in Private Mode and copy the URL and open it manually…

image

The link usually goes similar like http://click.email.microsoftonline.com/?qs=<someID>.

Hint #1: An interesting detail is that in reality ANY user can use this link to confirm the access to the SPO site (so in our sample another user as vmtest@outlook.com could use this link). The invited email address then is saved in the user profile, but that´s it.

Hint #2: The invitation link works only ONCE! If the first login is done the link is no longer valid. As admin you would need to create a new invitation if the first try was unsuccessful.

Step 6 – As user: Setup the account

After opening the invitation link Microsoft needs to know with what kind of account the user wants to login. So the user now can decide to use an existing Microsoft Account, or create a new Microsoft account (and fill out the form) with the link on the bottom, or use an existing Organizational account.

Since we want to manage all users in AAD and have prepared logins for them we now chose “Organizational account”.

image

Step 7 – As user: Login

Now the Office 365 login page follows – the same as you would open the SPO URL. The user should login with his provided AAD account (in our sample with max@partnerweb.onmicrosoft.com and the password).

image

After successful login the SPO site opens. The (new) user is already logged in and he is member of the "Member Group" in SPO, so he can collaborate with all other users in that SharePoint portal.

image

The SPO site is operational.

Good to know: E-Mail is working

The AAD user account has the email address of the invited users saved in the Work email property.

image

So the good news is that the user is reachable with his “real” email address. This means, we can use an AAD account for the whole authorization (where we don´t have an user mailbox since ist´s a cost-free AAD and there´s no Office 365 license added) and SPO can send emails to the Work email address (wherever the mailbox of the user is located).

If f.e. user max@partnerweb.onmicrosoft.com sets notifications for a list, he receives an email to his working email address vmtest@outlook.com. That´s the way we want.

image

Hint: If you are interested which properties are synced between AAD and SharePoint UserProfiles see our articles here:

External users can change their password easily

Since each Office 365 account is an AAD account, each user can change his password easily anytime in the Office 365 portal https://portal.office.com. Which is a nice feature.

image

“Shared with” information

The admin sees all users with access to the SPO site in the “Share” link with the menu “Shared with”. Our user “Max” is also in that list.

image

Also the invited users see these information – but only all external users (the shared ones, not the users in the SPO groups).

What can external users do - and what not?

Well, there´s a difference between “real” Office 365 users and “external” users. External users f.e. can´t (obviously) be site-administrator, they don´t have a MySite (no OneDrive for Business), they can´t change their user profile (f.e. the profile picture) and some other SharePoint features.

For all details see Adam Toth´s article Profiles and Pictures for Office365 SharePoint Online External Users. In the article Profiles and Pictures for Office365 SharePoint Online External Users Adam shows a way to for “Setting Permissions to Edit Profiles for external users”. If you are working with external users in SPO read these great posts.

Summary

We used the Azure portal for creating our own cost-free AAD, prepared the users and invited them to a SPO site. Since the external users are all stored in our own AAD we can manage them easily. The external users have the benefit of getting access to one or many SPO sites, they can change their password and collaborate.

So the whole cloud ecosystem works together perfectly – without costs for the external users. There´s a lot of experience ands research in this article, so we hope you can benefit from this step-by-step scenario which shows the possibilities of the Microsoft Online Services, Azure and Office 365.

Comments (21) -

  • MS

    1/12/2015 7:00:43 PM |

    I came to this post hoping it would solve all my sharepoint external user issues. Correct me if I am wrong here, is this really only an external user management solution? Essentially you are eliminating the need for the end user to create a Microsoft account, and can manage the external users in one place. You still are still sending the user 2 invite emails (one with new credentials they have to remember, a second from sharepoint) of which they need to coordinate. Then you have to hope they follow instructions from the credentials email to open the link from the second email in a private browser session. And, where do sharepoint notification emails go to? It would seem they would go to the onmicrosoft.com account and not the "real" email address. I am very frustrated with Microsoft on this topic.

  • Toni

    1/12/2015 8:34:15 PM |

    Hi MS,
    yes, you are right: In that ccenario we need 2 emails:

    One email to the enduser sent by ourselfes with their Login and Password and the one sent by SharePoint with the Invitation link.

    Since there´s definitely no other way to create the Invitation the user Needs to get this email. Of course, you can send the Invitation code to any temporary email address and use the link with your own user account to confirm the membership.

    The email address then is incorrect and can be changed later to the "real" user´s email address in the user profiles.

    Well, that´s the workaround if you want to use external users, controlled by yourself.
    I am personally not happy with that, but on the other hand this way is possible and - as mentioned - a workaround, and not a supported scenario.

  • MS

    1/12/2015 9:51:29 PM |

    Thanks for the ideas. I like sending the invite to an inbox I have access to, clicking the link and linking the microsoft account, then changing to the real address. Extra work, but it is cleaner to my end customer. Couple questions on AAD, does a user created there automatically have a microsoft account (so using the organizational account option from the invite link just works with no more info required)? And how does someone reset their password for the AAD account since it is not linked to their "real" email address?

  • Toni

    1/14/2015 2:27:21 PM |

    Hi MS,

    yes, I also tested with sending invites to one of my addresses - this works, but these emails must be unique.

    So sending many invites to f.e. myemail@outlook.com does not work - your need one email per Invitation, f.e. myemail1@outlook.com, myemail2@outlook.com and so on (it can be ANY email address). [I f.e. used a 30day Trial Office 365 tenant, created some users with PowerShell, used them for sending the invite to and deleted them afterwards.]

    Then open the email, copy the Invitation link, Login in a new browser with the desired AAD account (like in my example with user1@partnerweb.onmicrosoft.com or. similar), use the copied URL and get Access to the SPO as this external user.

    Any user in AAD is an organizational user - not a Microsoft account. Right now These are completely different account types, on against AAD and the other is only for individuals managed completely by MSFT.

    Then the user object in the SPO user Management should be corrected to the "real" email address.

    The external user (again with the @partnerweb-account) can change his password anytime in the https://portal.office.com Portal - it´s not an Office 365 user, but any AAD user can use this Portal for performing that action.

    hth!


  • MS

    1/14/2015 9:38:40 PM |

    Toni, thanks so much. I think this is the solution I was looking for. The portal.office.com for resetting passwords looks great, I thought I was going to need a paid AAD plan to do that. Regarding the unique email address, I noted that also. A workaround can be to use a gmail account, they allow you to place periods (.) anywhere in the username. Using this you can fake out Sharepoint using "usernam.e@gmail.com", then "userna.m.e@gmail.com", etc.

  • JMT

    1/27/2015 7:15:29 PM |

    Did I understand correctly ?
    1- create user in AAD with his Professional email address Smith@company-work.com
    2 - send confirmation link to that address, so that Smith could validate his account
    3 - invite Smith to join SPO site using his Professional email address Smith@company-work.com; of course you previously have managed all options in your tenant and site collection regarding external users & invitations.
    Unfortunately, I am afraid having missed something, eg using an Outlook.com in the process

  • Maurits Knoppert

    2/3/2015 3:20:45 PM |

    I tried to make the steps from this blogposts. But somewhere there is something going wrong.

    * I have made a new AAD. ouders.onmicrosoft.com
    * I made some new external users in this AAD.

    * I have enabled external sharing for a site.
    * I share this site with an external user I have made. I share this site with his real mailadress.

    *Then there is a problem. The user receives an email with link to the site. the user sign in with the username and pasword i have made in Azure.

    Then there is an error. (This user mknoppert@ouders.onmicrosoft.com can't be found in the adresslist from heldringscoh.sharepoint.com)

    Am I doing something wrong?

  • Martin

    2/13/2015 3:40:43 PM |

    Maurits, try activating the account for the user first (login with generated password, then change it and then send to user along with sharing invitation). I had the same issue and this solved it.

  • Vince

    3/9/2015 1:09:04 PM |

    Thanks for your awsome blogpost.
    We implent it and everything works like a charm !
    Many Thanks !

  • laurent

    3/10/2015 9:16:46 PM |

    hello

    we just ran into the same issue or somewhat similar and found a slightly easier solution.

    it turns out that you can create a user account into office 365 without any assigned license and this allows you to share documents/sites etc. with them through Sharepoint Online.

    the steps we used:

    go into Office 365 admin.
    create user with name and last name + email address (the email address shouldn't be functional) and password.
    go back to sharepoint and add the user to a group or share a specific document folder with them.

    if they have access to the main site, then all they need is to go to the correct address: yoursite.sharepoint.com and login via office 365 with that email address.

    et voila! Smile

  • ben

    5/7/2015 9:56:12 PM |

    Can you not add the Security Group specifically to a sharepoint group?  I'd rather manage all external users and group in the AAD portal than in both the AAD and Sharepoint groups.

    e.g. if you create a sharepoint "ext-company1" group and add the AAD security group "co1", and add "user1" to "co1", then you wouldn't need to mess with the sharepoint group anymore and just maintain membership in AAD on the "ext-company1" group.  I'm not seeing where SPO will allow you to add users/groups from the 'new' directory created.

  • Bob

    6/30/2015 9:06:20 PM |

    Thank you so much for this information. Once I got the sequence right it worked like a charm. It takes a while for the Profiles in SPO to update, but it definitely is better than having the users verify the e-mail and all the other steps that never seem to work quite right. You do need to login to the site after you create the AAD user. One update, I tried to use Office 365 users and my experience has been that they just go straight in and the external user gets set to what ever e-mail was in the sharing invite. It never gave me the option to login with the AAD as an Organizational User. This prevented me from using a trial account as suggested and I did try. I may have a setting that is preventing this. I do have a hosted website that includes 250 mailboxes that are totally outside of Office 365, so I am using those. The tip on only using a e-mail address once seems to be true, so just delete old ones and create a different e-mail user. I had overlooked AAD, so this is a real benefit. Hope Microsoft keeps it and makes it better.

  • Henry

    7/18/2015 4:16:28 AM |

    Hello Toni,

    Great idea and this would be great for my company as well.   I am also aware of that  unlicensed Office 365 users can access sharepoint; however, according to this  forum post Microsoft seems to indicate that this is a bug and that eventually it will be disabled.     community.office365.com/en-us/f/148/t/277278

    Do you know if this config is supported by Microsoft?  

    Thank you
    Henry

  • apfelsine

    10/25/2015 3:37:58 AM |

    Hi there,

    I did follow your instructions and ran into an issue at step seven - User Login.
    My new partner user receives an error during login.

    That didn't work

    We're sorry, but steven@pinpointsystems.onmicrosoft.com can't be found in the apfelsine.sharepoint.com directory. Please try again later, while we try to automatically fix this for you.

    Any suggestion what the issue is ?

    Regards

  • Toni Pohl

    11/25/2015 6:36:18 PM |

    Hi!

    For avoiding "We're sorry, but username@somedomain.onmicrosoft.com can't be found in the yourdomain.sharepoint.com directory. Please try again later, while we try to automatically fix this for you." I recommend this steps:

    1. Send an invitation to ANY email address and then copy the sent hyperlink with the invite (click.email.microsoftonline.com/?qs=1234567890...).
    2. After that login (in a browser in private mode) with your AAD user in the https://portal.office.com. Open another tab and copy the hyperlink in the address URL.
    3. This should give you access to the SPO site (with your logged in AAD user) - the AAD user should be in the members group of that SPO Site (like https://<yourdomain>.sharepoint.com/<OptionalSomeSiteName/>_layouts/15/people.aspx?MembershipGroupId=7)
    4. Then (some minutes/possibly hours later) change the work email address of the AAD user to his "real" email address. (The AAD user himself cannot change his work email address in his SharePoint User Profile settings, so the Admin has to change that.)

    This scenario still works by November 2015.
    hth! Toni

  • Manu

    12/15/2015 4:45:02 PM |

    Hi Toni,

    Is there someway to validate the domain of external users so the site is shared with only users from a specific domain.

    For example I want one of my O365 sites to be shared with users from abc.com and xyz.co.uk

  • Sooraj

    1/18/2016 12:47:03 PM |

    Good Article Tony

    Quick question : How do we add external users to this new AD using Powershell , When i tried using Add-MsolUser , Its showing me an exception as Domain is not verified . How we do bulk insert of external users to this custom AD ?  

  • tareq

    2/7/2016 6:20:55 PM |

    Hi,

    I tried this but when I try to setup an alert I get this error:

    You do not have an e-mail address.
    Alert has been created successfully but you will not receive notifications until valid e-mail or mobile address has been provided in your profile.

    I added a custom domain on AAD  instead of on.mic... domain not sure if that is the issue. Any ideas what I may have missed or done wrong?

  • Eddy

    6/4/2016 3:08:58 AM |

    Just as Sooraj asked,
    Is there anyway to use PowerShell to manage these users?

    Everything I've tried so far has not worked. Really need to find a way to manage these users through PowerShell. Any direction would be appreciated.

  • Prabhu

    11/18/2016 12:29:29 PM |

    Looks we are expecting the same solution for our project. But unfortunately we are not able to complete the process.

    1.Added account AAD.(prabhu.bala2@opawarepoc.onmicrosoft.com)
    2.External Sharing is enabled and shared the site to end user(bprabhu_ece@yahoo.co.in)
    3.Clicked the link from mail box and used the AAD account.

    Am getting below error message.



    That didn't work
    You're trying to accept your invitation with prabhu.bala2@opawarepoc.onmicrosoft.com.

    This item was shared with bprabhu_ece@yahoo.co.in. This organization's policy requires you to accept the invitation using the account that it was shared with.

    Please try accepting the invitation again with bprabhu_ece@yahoo.co.in.
    Here are a few ideas:
    Click here to sign in with the correct account to proceed to this site.
    This will sign you out of all other Office 365 services that you're signed into at this time.
    If you're using this account on another site and don't want to sign out, start your browser in Private Browsing mode for this site (show me how).

    Any help would be appreciated.


Loading