Learn how to configure Office 365 SharePoint Online sites for extranet business-to-business collaboration with admin managed partner users.
Note: This SharePoint Hybrid Extranet Site feature is currently a First Release feature.
SharePoint Online gives you the flexibility to configure extranet sites for cross-organization collaboration while ensuring that only administrators can bring new external partner users into the tenancy. This feature lets you configure SharePoint Online sites for external collaboration, but only with guest partner users who have already been brought in to your tenancy.
Office 365 Enterprise 3 or Enterprise 5 Subscription
Restrict sharing only to existing guests in the directory
At the tenant level there is a new setting, ‘Allow sharing only with the external users that already exist in your organization’s directory’, that controls sharing only with the existing partner users in the directory. SharePoint Online Tenant Administrators can invite or add the business partner guest users to the directory or restrict external sharing to only guest partner users in the directory. This turns off the user-based invitations approach within SharePoint Online.
Important: Setting this restriction for SharePoint Online also applies it to OneDrive for Business in your tenant.
At the Site Collection level, the same new setting is introduced so that Admin can decide whether a site is to be externally shared or not.
Create your partner facing O365 site collection
Before you begin, plan what partner facing site collections you need. For example, in your https://contoso.sharepoint.com tenant, create https://contoso.sharepoint.com/sites/adatumpartner.
To create an Extranet site in Office 365 for existing external members only
Sign into Office 365 as a Global or SharePoint Online admin.
Go to the SharePoint Admin Center.
On the Site Collections tab, select New.
Select Private Site Collection.
In the New Site Collection dialog box:
In the Title box, type a name for the site collection.
In the Web Site Address drop-down lists, select a domain name and a URL path—either /sites/ or /teams/—and then type a URL name for the site collection.
In the Template Selection section, in the Select a language drop-down list, choose a language for the site collection. It is important to select the appropriate language for the site collection, because once it is chosen, it cannot be changed. You can enable the SharePoint multiple language interface on your sites, but the primary language for the site collection will remain the one you select here.
In the Template Selection section, under Select a template, choose the template that most closely describes the purpose of your site collection. For example, if your site collection will be used for a team collaboration, choose Team Site.
In the Time Zone box, select the time zone that’s appropriate for the location of the site collection.
In the Administrator box, type the user name of your site collection administrator. You can also use the Check Names or Browse button to find a user to make site collection administrator.
In the Storage Quota box, type the number of megabytes (MB) you want to allocate to this site collection. Do not exceed the available amount that is displayed next to the box.
In the Server Resource Quota box, type the amount of resources you want to allocate to the site collection. This number is a combination of performance metrics (such as processor time and un-handled exceptions) that pertain to code in sandbox solutions. When the level exceeds a daily quota, the sandbox is turned off for this site collection.
Select OK. The new site collection will appear in the URL list, and the site collection administrator can start to create and manage sites.
In the SharePoint Admin center, check the box next to your new site collection. From the ribbon, click Sharing.
In the Sharing dialog box, select Allow sharing only with the external users that already exist in your organization's directory. By selecting this option, external sharing is allowed in this site collection and all sites under it but only with the existing external users in the tenant’s directory.
You can also set external sharing at the tenant level with the SharePoint Online PowerShell cmdlet Set-SPOTenant, passing ExistingExternalUserSharingOnly to the SharingCapability parameter. To set it at the site collection level, use the Set-SPOSite cmdlet.
Notes: If this setting is configured at the Tenant level, then no user in any site collection in that tenant can invite external users.
If invitations are allowed at the tenant level and this option is set at the site collection level, then no invitations to new users are allowed for that site collection.
Note that if there is another site collection where invitations are allowed, then external users can be invited from that site collection. It is important you configure appropriate sharing capability settings for each site collection in the tenant.
(Optional) Click Turn off sharing for non-owners in all sites in this site collection. This will ensure that only site owners can bring new users to this site collection.
SharePoint Hybrid B2B Extranet Sites
If you currently have a SharePoint on-premises deployment and are considering a hybrid connection with Office 365 to leverage the power of the cloud for your Extranet needs, see Onboarding to SharePoint Hybrid Extranet Sites for details.
End Users Sharing Experience
Once the administrator has configured this setting at the Tenant Level, end users see the following experience in the site collection where this setting is enabled:
Sharing your site with new external users who aren’t in the directory: If you attempt to share your site with new external users by typing in their email address, you will be prohibited from sharing with those users.
Sharing with existing partner users who are already in the directory: If you attempt to share your site with existing partner users in the directory by typing in their email address, you will be able to select the user and successfully share.
Programmatic way to set Admin Managed Guests Only setting
Using the PowerShell cmdlet, Set-SPOTenant or Set-SPOSite, you can configure sharing only with the admin managed guests at the Tenant level or Site Collection level.
Use the Set-SPOTenant cmdlet with the SharingCapability parameter and its new value, ExistingExternalUserSharingOnly, to configure this setting for the tenant. Use the Set-SPOSite cmdlet to configure it for a given site collection.
Example 1: In this example, sharing is restricted to existing external users only at the tenant level:
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly
Example 2: The following example sets it at the Site Collection level, using the example site collection URL from earlier on this page:
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/adatumpartner -SharingCapability ExistingExternalUserSharingOnly
Note: The new PowerShell parameters listed above are available as of SharePoint Online Management Shell version 16.0.4915.1200, which can be downloaded here: SharePoint Online Management Shell.
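The notes above point out that one site collection left open to invitations undermines the restriction set elsewhere. The following added example (not part of the original page or Microsoft's own code) reports which site collections still allow new external users to be invited. The function name Get-InvitationExposure and the sample site objects are hypothetical, and it assumes the effective setting of a site is the more restrictive of the tenant value and the site value.

```powershell
# Added example: flags site collections where NEW external users can still be invited.
function Get-InvitationExposure {
    param(
        [Parameter(Mandatory)] [string]   $TenantSharingCapability,
        [Parameter(Mandatory)] [object[]] $Sites
    )
    # SharingCapability values ordered from most to least restrictive.
    $order = 'Disabled', 'ExistingExternalUserSharingOnly',
             'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing'
    $tenantRank = [array]::IndexOf($order, $TenantSharingCapability)
    if ($tenantRank -lt 0) { throw "Unknown tenant value: $TenantSharingCapability" }

    foreach ($site in $Sites) {
        $siteValue = [string]$site.SharingCapability
        $siteRank  = [array]::IndexOf($order, $siteValue)
        if ($siteRank -lt 0) { throw "Unknown value '$siteValue' on $($site.Url)" }
        # Assumption: the tenant setting caps what a site collection can allow.
        $effective = $order[[Math]::Min($tenantRank, $siteRank)]
        [pscustomobject]@{
            Url              = $site.Url
            SiteSetting      = $siteValue
            EffectiveSetting = $effective
            NewGuestsAllowed = $effective -in 'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing'
        }
    }
}

# Constructed sample data standing in for Get-SPOSite output.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/adatumpartner'
                       SharingCapability = 'ExistingExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hypothetical-marketing'
                       SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hypothetical-hr'
                       SharingCapability = 'Disabled' }
)

# With the tenant still allowing invitations, only the marketing site is reported.
Get-InvitationExposure -TenantSharingCapability 'ExternalUserSharingOnly' -Sites $sampleSites |
    Where-Object NewGuestsAllowed |
    Format-Table Url, SiteSetting, EffectiveSetting

# Against a live tenant, after Connect-SPOService:
# Get-InvitationExposure -TenantSharingCapability (Get-SPOTenant).SharingCapability `
#                        -Sites (Get-SPOSite -Limit All)
```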
Auditing and Reporting of Guest Users
The Office 365 activity report in the Office 365 Compliance Center is used to view Office 365 user and admin activity within your company. The report can be filtered by date and user activity events to monitor SharePoint Online Extranet guest user activity.
For details on how to monitor the status of your extranet guest accounts, see Search the audit log in the Office 365 Protection Center.
Assigning Licenses to Partner Users
Guest user accounts have limited capabilities in SharePoint Online. See Manage external sharing for your SharePoint Online environment for details on those features and what additional capabilities can be provided. If you determine that your partner users need additional functionality, such as the ability to create team sites, you can assign SharePoint Online licenses to these user accounts. See SharePoint Licensing Options for more information.
Use the AAD PowerShell cmdlet, Set-MsolUserLicense, to assign the needed Office 365 licenses to your partner user accounts in your corporate tenant.
Note: Assigning an EXO license to Guest partner users is not a supported scenario.