How to use external users in SharePoint Online (with a cost-free Azure Active Directory)

2014-12-06 | Toni Pohl

We are using SharePoint Online (SPO) in many scenarios: for our own Intranet and we often create SPO Sites in our Office 365 tenant to collaborate with partners and for projects. Many projects last only for some months and after the work is finished the SPO site will be deleted.

Since we don´t want to create not-our-company-users in our own Active Directory (AD) or in our synced Azure Active Directory (AAD) and assign an Office 365 license from our tenant it´s convenient to use users from another AAD and share the SPO site with them.

We also want to use “sharing” which is a feature of SharePoint Online in Office 365. The “other” AAD can be a cost-free AAD!

Credits go to my colleague Martina Grom (@magrom), Office 365 MVP, for developing this scenario with me. Thanks!

The scenario

As described we want to collaborate with many persons, in different companies. For such scenarios SharePoint Online provides the “sharing” function (sorry, sharing with external users is not possible in SharePoint 2013 on premises). So it´s simple to invite any user with the “Share” link in the upper right corner of the SPO website.

image

We want to share a SPO site and then send the persons their individual login for that site. We don´t want them to have additional effort for filling out forms or similar administrative work before they can use the portal. They shall login and collaborate. That´s the idea.

So we want to accomplish these steps:

  1. Enable Sharing in a SPO site
  2. Create a new cost-free AAD in the Azure portal
  3. Create new users in the AAD
  4. Invite users in the SPO – and send them their portal login
  5. As user: Use the invitation and get access to the SPO site
  6. As user: E-Mails in SPO (for notifications etc.) shall be working even without Office 365 mailbox
  7. Manage user accounts in AAD with the Azure portal

We want to manage all users in a new AAD, so we can create, rename or delete user accounts centrally. That´s why we use an own AAD (without Office 365) where we can perform all these user operations. All users get a login name with our chosen AAD domain name.

Prerequisites

Before you can share a SPO site so you need to configure the site and enable external sharing (or check it) in the Office 365 SharePoint Administration site https://<domainname>-admin.sharepoint.com/_layouts/15/online/SiteCollections.aspx

Mark the SPO site and click “Sharing” in the ribbon menu. Set sharing to “external users” like here:

SNAGHTML17ac814

Also we need to have access to an Azure subscription. We need the Azure portal to manage our AAD.

The good, the bad and the ugly

Yes, you can use ANY email-address for sharing. (good)

But: Office 365 needs to check the login. For that Microsoft needs to know about the account (there´s no STS provider support built in right now). This means that you only can collaborate with persons who a) own a Microsoft Account (former: Live ID) or b) use an organizational account in AAD! (bad – but workarounded here)

We won´t have users to create their own new Microsoft Account. (ugly – we send them a ready to use login).

So let´s start with our configuration process.

Step 1 – Create a new AAD

You need an Azure subscription. Login in to the Azure portal and…

image

…create a new Azure Active Directory. In my case I call the new domain “partnerweb”, so the full created domain name is “partnerweb.onmicrosoft.com”.

image

After short time the AAD is created. I added some users in that directory: “Max”, “Martha” and so on. (I also added some users of our own synchronized AAD *@atwork.at into that new AAD… just for a convenient administration.)

SNAGHTML168144c

So the login name of the users are similar like here: max@partnerweb.onmicrosoft.com

Step 2 – Prepare the external users

Document the users and their passwords.
Additionally – to make it very convenient for the endusers - you can login with each user to set a new password. Or let them do the change password work.

It´s also a good idea to put the users into groups, especially when they are working in different companies, departments or projects.

SNAGHTML170bd47

Step 3 – Invite external users into SPO

Send emails to each external user with these data:

We want the endusers to use our AAD account for the authorization against Office 365.
After the initial login these credentials are the access to the SPO site.

Step 4 – Invite external users into SPO

Then, in the SPO site use the “Share” Link in the upper right corner.

image

Now type the email address. Use the “real” email address of the user you want to collaborate with.
Since the invitation goes out by email the recipient must have access to his mailbox!

image

In my sample I used (an already existing) Microsoft Account, but that doesn't matter what account it is. The important part is, that the user has access to this mailbox. Later this email address will be used for the email communication with that user.

The SPO notifies that the site is now shared with external users.

image

Step 5 – As user: Accept the invitation

The user receives the invitation. Now the user only has to click the link with the SPO site name (in here it´s Go to “dev”).

To ensure you´re not logged in with other credentials it´s a good idea to open a browser in Private Mode and copy the URL and open it manually…

image

The link usually goes similar like http://click.email.microsoftonline.com/?qs=<someID>.

Hint #1: An interesting detail is that in reality ANY user can use this link to confirm the access to the SPO site (so in our sample another user as vmtest@outlook.com could use this link). The invited email address then is saved in the user profile, but that´s it.

Hint #2: The invitation link works only ONCE! If the first login is done the link is no longer valid. As admin you would need to create a new invitation if the first try was unsuccessful.

Step 6 – As user: Setup the account

After opening the invitation link Microsoft needs to know with what kind of account the user wants to login. So the user now can decide to use an existing Microsoft Account, or create a new Microsoft account (and fill out the form) with the link on the bottom, or use an existing Organizational account.

Since we want to manage all users in AAD and have prepared logins for them we now chose “Organizational account”.

image

Step 7 – As user: Login

Now the Office 365 login page follows – the same as you would open the SPO URL. The user should login with his provided AAD account (in our sample with max@partnerweb.onmicrosoft.com and the password).

image

After successful login the SPO site opens. The (new) user is already logged in and he is member of the "Member Group" in SPO, so he can collaborate with all other users in that SharePoint portal.

image

The SPO site is operational.

Good to know: E-Mail is working

The AAD user account has the email address of the invited users saved in the Work email property.

image

So the good news is that the user is reachable with his “real” email address. This means, we can use an AAD account for the whole authorization (where we don´t have an user mailbox since ist´s a cost-free AAD and there´s no Office 365 license added) and SPO can send emails to the Work email address (wherever the mailbox of the user is located).

If f.e. user max@partnerweb.onmicrosoft.com sets notifications for a list, he receives an email to his working email address vmtest@outlook.com. That´s the way we want.

image

Hint: If you are interested which properties are synced between AAD and SharePoint UserProfiles see our articles here:

External users can change their password easily

Since each Office 365 account is an AAD account, each user can change his password easily anytime in the Office 365 portal https://portal.office.com. Which is a nice feature.

image

“Shared with” information

The admin sees all users with access to the SPO site in the “Share” link with the menu “Shared with”. Our user “Max” is also in that list.

image

Also the invited users see these information – but only all external users (the shared ones, not the users in the SPO groups).

What can external users do - and what not?

Well, there´s a difference between “real” Office 365 users and “external” users. External users f.e. can´t (obviously) be site-administrator, they don´t have a MySite (no OneDrive for Business), they can´t change their user profile (f.e. the profile picture) and some other SharePoint features.

For all details see Adam Toth´s article Profiles and Pictures for Office365 SharePoint Online External Users. In the article Profiles and Pictures for Office365 SharePoint Online External Users Adam shows a way to for “Setting Permissions to Edit Profiles for external users”. If you are working with external users in SPO read these great posts.

Summary

We used the Azure portal for creating our own cost-free AAD, prepared the users and invited them to a SPO site. Since the external users are all stored in our own AAD we can manage them easily. The external users have the benefit of getting access to one or many SPO sites, they can change their password and collaborate.

So the whole cloud ecosystem works together perfectly – without costs for the external users. There´s a lot of experience ands research in this article, so we hope you can benefit from this step-by-step scenario which shows the possibilities of the Microsoft Online Services, Azure and Office 365.

Categories: Azure, Cloud, DirSync, English, Microsoft, Office365, Security, SharePoint

Source: https://blog.atwork.at/post/2014/12/06/How-to-use-external-users-in-SharePoint-Online-with-a-cost-free-Azure-Active-Directory