Office 365 provides companies with a very powerful tool, especially for cross-company collaboration. With just a few clicks, O365 users can share documents with external users, or invite external users to collaborate in virtual workspaces (teams, SharePoint sites) – and off you go.

This can quickly become confusing. That’s why companies using O365 need governance for external sharing to maintain control and visibility of content shared with external parties. The following governance aspects and questions have to be considered:

  • How do we deal with external users?
  • Who can invite external users into a virtual workspace at all?
  • What happens to the access of external users to a virtual workspace, or to a document when the project is finished?
  • How do I make sure that external users accept the mandatory secrecy agreement before access?
  • Can I digitize certain processes?
  • How can I actively manage external users over their entire lifecycle?


How does a company arrive at such governance for “external sharing”? To answer the questions above, a four-step procedure has proven itself in practice with our clients:


1. Governance concept for “external sharing” with O365

Experience with our customers has shown us that the requirements and constraints for governance are very customer-specific. It is therefore important to define tailor-made governance for “external sharing”. Specifically, we develop a governance concept that covers the specific security requirements of a customer or company. Office 365 and Azure offer a complete set of options for implementing governance end-to-end.


2. Office 365 “low-code” customization for an improved user experience

Unfortunately, permission management in Office 365 is currently still quite confusing, and it often confuses our customers more than it supports them. Microsoft provides a number of guides (see e.g. “External sharing overview”), but many questions usually remain open: What is the difference between Office Groups and SharePoint Groups? Where do I have to add users, in SharePoint Online or Exchange Online? Who has access where, and with what permissions?
For this purpose, we have developed a simplified authorization dialog that provides the required functionality intuitively and integrates seamlessly into SharePoint Online.


3. User Life Cycle Management

As mentioned at the beginning of the article, it is often important for companies that external users cannot simply be added or authorized in a hurry, but must first, for example, agree to a non-disclosure agreement (NDA). Workflow tools such as AgilePoint or Flow/Logic Apps can be used to model a suitable process for this.
When an external user is added, a process is started immediately. Within the process, the external user is asked to enter additional information about themselves (e.g. phone number) and to confirm an NDA. This information is then routed to the responsible owner of the virtual workspace, who decides whether the external user should have access. Only from this point on is a user object created in Azure AD and authorized on the corresponding site.
The external user is now also in a lifecycle management process which, for example, requires that authorizations be reconfirmed after 30 days, or that the user can be forced to accept the NDA again when it has been updated.
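The gate and the lifecycle rules described above can be expressed as a small policy model. This is an added example, not 1stQuad's implementation or any Microsoft API: the `Guest` record, the function names and the sample values are assumptions, and `provision` only stands in for the step where the guest account is created in Azure AD.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

REVIEW_INTERVAL = timedelta(days=30)  # reconfirmation period from the text

@dataclass
class Guest:  # hypothetical record kept by the workflow, not an Azure AD object
    email: str
    phone: Optional[str] = None
    nda_version: Optional[int] = None    # NDA version the guest accepted
    confirmed_on: Optional[date] = None  # last owner approval or reconfirmation
    provisioned: bool = False

def approve(g: Guest, today: date, current_nda: int) -> None:
    """Owner decision: only possible once profile and current NDA are on file."""
    if not g.phone or g.nda_version != current_nda:
        raise PermissionError("profile and current NDA required before approval")
    g.confirmed_on = today

def provision(g: Guest) -> None:
    """Stand-in for creating the guest account and authorizing it on the site."""
    if g.confirmed_on is None:
        raise PermissionError("owner approval required before provisioning")
    g.provisioned = True

def lifecycle_action(g: Guest, today: date, current_nda: int) -> str:
    """What the lifecycle process must do for this guest today."""
    if not g.provisioned:
        return "none"
    if g.nda_version != current_nda:
        return "reaccept_nda"
    if today - g.confirmed_on >= REVIEW_INTERVAL:
        return "reconfirm_access"
    return "ok"

def demo() -> list:
    """Constructed walk-through: invite, gate, approval, review, NDA update."""
    g, out = Guest("guest@partner.example"), []
    try:
        provision(g)                      # invited only: must be refused
    except PermissionError:
        out.append("blocked")
    g.phone, g.nda_version = "+41 00 000 00 00", 1   # guest completes the form
    approve(g, date(2024, 1, 1), current_nda=1)
    provision(g)
    out.append(lifecycle_action(g, date(2024, 1, 15), 1))  # within 30 days
    out.append(lifecycle_action(g, date(2024, 1, 31), 1))  # 30 days elapsed
    out.append(lifecycle_action(g, date(2024, 1, 15), 2))  # NDA updated to v2
    return out
```

Keeping the approval check inside `provision` itself, rather than only in the workflow that calls it, means an account cannot be created by a path that skips the owner's decision.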


4. Management Portal for External Users

A user management portal is ideal for letting owners of virtual workspaces manage “their” external users in one place. In the User Management Portal, owners can, for example, withdraw permissions from external users, block individual users or, as already mentioned, force a renewed acceptance of the NDA. This functionality can be implemented via the Office Graph interface.


Do you also have questions about the authorization of external users with Office 365? Then you should definitely talk to us. We will be happy to advise and support you in implementing tailor-made governance for external sharing with Office 365. Contact us today for a first non-binding discussion. We look forward to hearing from you.



The following 4 screencasts show the presented solutions on a demo environment.


Step 1: Internal user invites external user to a SharePoint site with the authorization dialog (SPFx) developed by 1stQuad.


Step 2: External user receives an invitation mail and is prompted to enter further profile information.


Step 3: SharePoint Site Owner must confirm the access for the external user.


Step 4: External user receives an e-mail confirmation and can log in to the SharePoint site.