Before external users can access your data, you should consider your organization’s existing policies and the information security risks.
When it comes to collaborating, Office 365 allows colleagues to check availability in Outlook, schedule a Skype for Business meeting, and share files in SharePoint, OneDrive for Business, or Office 365 Groups. While sharing within your organization is fairly simple, sharing with external users requires some planning.
External users can be anyone outside your organization – from partners to customers. A technical description of an external user is someone who does not have an account registered or licensed in your Office 365 tenant.
There are two types of external users – authenticated and anonymous:
- Authenticated users – Those who have a Microsoft account from another Office 365 subscription. Authenticated users can have the same permissions as any of the internal users within your organization. You can assign a license to them.
- Anonymous users – Those who can access a folder or document via a shareable link. Anonymous users can view, edit, or upload to the folder without having to log in with a username or password. Anonymous users cannot access sites, and you cannot assign licenses to them.
External Sharing: Where Do You Start?
Before you start allowing external users to access your data, you should consider the existing policies set by your organization.
Some of these policies may include:
- Is external sharing allowed for anyone (anonymous) or just authenticated users?
- Which domains should you allow or block in Skype for Business?
- What types of content should you not (or cannot) store in O365?
- Who can (and should) extend an invitation to an external user?
You may also find that your organization does not have policies in place that address the sharing of content with external users except through email. If this applies to your organization, you must configure your Office 365 tenant to limit external sharing until the proper policies and controls can be put into place, limiting the risk to the organization.
What Are Some Information Security Risks?
While external sharing is a great way to extend your organization to your partners, suppliers, and perhaps even your customers, you must account for certain risks.
Some of those risks include:
- Accidental sharing of sensitive content
- Sharing of content with other unintended external users (external users with full control might be able to do this)
- Changes made by anonymous users, which you cannot track
While these risks – and potentially others – may apply to your organization, there are processes, settings, and tools within Office 365 that can mitigate the risks.
Protect your corporate assets and intellectual property by making sure you:
- Implement and enforce governance for external sharing
- Consider using Azure Rights Management (RMS) to encrypt and restrict sharing of the data
- Implement Data Loss Prevention (DLP) policies to detect sensitive data automatically
- Send links, not attachments
- Grant minimum level of permissions to external users
- Disable external sharing on-site collections with sensitive data
- Disable anonymous sharing
What Can You Share With External Users?
External sharing can be configured separately for different capabilities in Office 365, but primarily for SharePoint Online, OneDrive for Business, Outlook, Skype for Business, and Office 365 Groups.
SharePoint Online and OneDrive for Business:
You can share an entire site, lists and libraries, and documents. Keep in mind that external users will need to authenticate to see all of these items while anonymous users can only see documents. Additionally, SharePoint gives you the ability to limit users who can share with external users.
Office 365 Groups:
- Conversations – External users don’t have access to conversation history, but they may participate if they receive an e-mail from a distribution list
- Files, Notebook, and Site – You can share an entire site, lists and libraries, and documents
- Calendar – No access
Exchange (Calendar):
You can share free or busy information with external users that include: time slots only, subject and location, or full details.
Skype for Business:
You can schedule meetings or chat with external users.
Conclusion
When it comes to sharing or collaborating with partners and customers, it is critical to include external sharing as part of your Office 365 governance and security planning.
Remember that a governance plan is not a guarantee for security compliance. Users and administrators must observe and follow good practices and policies to minimize the risks.
There are many aspects to external sharing that are unique to every organization. Your organization should make decisions on external sharing policies during the configuration planning phase for an Office 365 implementation project. That way, your organization can realize the value of Office 365 without not compromising your intellectual property, corporate assets, or legal compliance.