This procedure establishes the steps required to allow guest access to a SharePoint site. It also lists known errors that arise from process breakdowns or configuration constraints, along with troubleshooting aids.
Configuring Internal Access for External Domains
- Access the Cross-Tenant Access Settings – Azure Active Directory portal, select Add Organization supplying either the Tenant ID or Domain Name associated with the desired External Identity. Finalize the addition by selecting Add.
- If done correctly the addition should now be listed below, select the Inbound Access hyperlink for the newly added org entry.
- A redirect will occur. In the new window we will enable Customized Settings for both B2B Collaboration and Trust Settings. Starting with B2B Collaboration, we will allow access for all External Users, Groups and Applications from the External Identity. Select Save before moving to Trust Settings.
- Once B2B Collaboration has been configured, we will move to Trust Settings and enable Trust MFA from Microsoft Entra Tenants. This leverages the MFA credentials the external user has already registered with their own tenant. Additionally, we will configure Automatic Redemption so external users do not have to interact with the consent prompt sent on first-time invitation acceptance. Select Save to finalize the Inbound Access customization.
- If done correctly Inbound Access should now be set to Configured for the newly added org entry.
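The same Inbound Access configuration can be applied and verified with Microsoft Graph PowerShell instead of clicking through the portal. The following script is an added example, not part of the original article or Microsoft's documentation; it assumes the Microsoft.Graph module is installed, that the caller holds the Policy.ReadWrite.CrossTenantAccess and CrossTenantInformation.ReadBasic.All permissions, and that the partner domain shown is a placeholder. The Graph resource it writes to (policies/crossTenantAccessPolicy/partners) is the object behind the Cross-Tenant Access Settings page.

```powershell
# Added example (not from the original article): configure the partner's Inbound Access
# settings described above via Microsoft Graph, then read them back to confirm.
# Assumptions: Microsoft.Graph module installed; caller holds Policy.ReadWrite.CrossTenantAccess
# and CrossTenantInformation.ReadBasic.All; $partnerDomain is a placeholder value.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes "Policy.ReadWrite.CrossTenantAccess","CrossTenantInformation.ReadBasic.All" -NoWelcome

$partnerDomain = "partner.example"   # placeholder: the External Identity's domain name

# The portal accepts a domain name; Graph wants the tenant ID, so resolve it first.
$tenantInfo = Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/tenantRelationships/findTenantInformationByDomainName(domainName='$partnerDomain')"
$partnerTenantId = $tenantInfo.tenantId

$partnersUri = "https://graph.microsoft.com/v1.0/policies/crossTenantAccessPolicy/partners"

# Same settings as the portal steps: allow all external users, groups and applications inbound,
# trust the partner tenant's MFA, and auto-redeem invitations (no first-time consent prompt).
$settings = @{
    b2bCollaborationInbound = @{
        usersAndGroups = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllUsers"; targetType = "user" })
        }
        applications = @{
            accessType = "allowed"
            targets    = @(@{ target = "AllApplications"; targetType = "application" })
        }
    }
    inboundTrust = @{
        isMfaAccepted                       = $true
        isCompliantDeviceAccepted           = $false
        isHybridAzureADJoinedDeviceAccepted = $false
    }
    automaticUserConsentSettings = @{ inboundAllowed = $true }
}

# A second domain of the same tenant resolves to an existing partner entry (Azure does not allow
# duplicates), so create only when absent and otherwise update in place.
$existing = $null
try { $existing = Invoke-MgGraphRequest -Method GET -Uri "$partnersUri/$partnerTenantId" } catch { }

if ($null -eq $existing) {
    $createBody = $settings + @{ tenantId = $partnerTenantId }
    Invoke-MgGraphRequest -Method POST -Uri $partnersUri -Body $createBody | Out-Null
} else {
    Invoke-MgGraphRequest -Method PATCH -Uri "$partnersUri/$partnerTenantId" -Body $settings | Out-Null
}

# Verification: these four values are what "Inbound Access: Configured" should reflect.
$partner = Invoke-MgGraphRequest -Method GET -Uri "$partnersUri/$partnerTenantId"
[pscustomobject]@{
    PartnerTenantId = $partner.tenantId
    UsersInbound    = $partner.b2bCollaborationInbound.usersAndGroups.accessType
    AppsInbound     = $partner.b2bCollaborationInbound.applications.accessType
    MfaTrusted      = $partner.inboundTrust.isMfaAccepted
    AutoRedemption  = $partner.automaticUserConsentSettings.inboundAllowed
}
```

Keep in mind that this only creates the cross-tenant partner entry; the invitation allow lists in External Collaboration Settings and the SharePoint Admin Center still have to be updated for each domain, as the note on duplicate entries explains.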
Note:
Some External Identity entries point to the same Tenant even though they possess different Domain Names; the Azure system prevents duplicate External Identity entries for a single tenant.
However, it is still necessary to validate that each Domain Name is present within the designated Invitation Allow List in both the External Collaboration Settings and SharePoint Admin Center portals. Failure to do so will result in External Users not being able to access the desired SharePoint Site.
- Once the External Domain has been added and configured, we will move to the External Collaboration Settings – Azure Active Directory portal to allow the external domain to receive invitations from our designated end users. From the portal, scroll down to the Collaboration Restrictions section and add the domain name for the newly configured org entry, then select Save to finalize the invitation allowance.
- After the necessary steps have been completed within the Azure Active Directory portal, we will need to move to the SharePoint Admin Center to finish the initial setup required to successfully send an invitation that allows external access. You can access the SharePoint Admin Center through the M365 Admin Center portal.
- Once inside the SharePoint Admin Center, locate the Sharing page under the Policies tab and select the drop-down next to More External Sharing Settings. You will see the restricted sharing allow list; select Add Domains and supply the domain name for the newly configured org entry. Select Save to create the entry.
- Prior to leaving the page, scroll down to the bottom of the page and select Save to finalize the allowance process.
- Now that the necessary prerequisites have been configured, we will proceed into how to initiate the delivery of an invitation to a SharePoint site.
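The SharePoint restricted-sharing allow list from the steps above can also be maintained with the SharePoint Online Management Shell. This is an added example, not code from the original article; it assumes the Microsoft.Online.SharePoint.PowerShell module is installed, the caller is a SharePoint administrator, and the admin URL and domain are placeholders. The important detail it handles is that Set-SPOTenant replaces the whole list, so an existing domain is merged rather than overwritten.

```powershell
# Added example (not from the original article): add a partner domain to the SharePoint
# "restricted sharing" allow list without dropping domains that are already allowed.
# Assumptions: Microsoft.Online.SharePoint.PowerShell installed; caller is a SharePoint admin;
# the admin URL and $newDomain are placeholders.

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"   # placeholder tenant admin URL

$newDomain = "partner.example".ToLowerInvariant()   # placeholder: domain from the External Identity entry

$tenant = Get-SPOTenant

# SharingAllowedDomainList is a single space-delimited string; split it into a clean array.
$current = @()
if ($tenant.SharingAllowedDomainList) {
    $current = @($tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })
}

if ($current -contains $newDomain) {
    Write-Output "$newDomain is already on the allow list; nothing to change."
} else {
    # Set-SPOTenant REPLACES the list, so write back the merged set, and make sure the
    # tenant is actually in AllowList mode (a list in None/BlockList mode has no effect).
    $merged = ($current + $newDomain) -join " "
    Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList $merged
}

# Verification: mode must be AllowList and the domain must be present in the stored list.
$after = Get-SPOTenant
[pscustomobject]@{
    RestrictionMode = $after.SharingDomainRestrictionMode
    AllowedDomains  = $after.SharingAllowedDomainList
    DomainAllowed   = (@($after.SharingAllowedDomainList -split '\s+') -contains $newDomain)
}
```

Run it once per domain that maps to the partner tenant; the cross-tenant partner entry is shared, but each domain name must appear in this list on its own.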
Sending a SharePoint Site Invitation
- From the Active Sites page under the Sites tab, locate the SharePoint site that you wish to extend external access to. If you are not the owner of the site or a member of the designated security group allowed to distribute invitations, you can give yourself temporary ownership to complete the invitation process. This can be done by selecting the Site Name, opening the Membership blade, and selecting Add Owners.
- A new window will be displayed where you can supply the account to be given temporary ownership; select Add to grant it.
- After ownership has been granted, open the SharePoint Site. Select the Members icon in the top right of the page; a pop-out will be displayed where you select Add Members. A prompt will be displayed where you can either supply the name of a member within the tenant or select Go to Outlook; we will use the latter to invite allowed external users.
- You will be redirected to the Outlook web app. If the SharePoint group is not displayed, locate the site from the left pane. Once selected, locate the Members tab followed by Add members. A window will be displayed where you can supply the user from the external domain you previously allowed to receive invites. If done correctly, the user will appear in the list below; finalize the invitation process by selecting Add.
- If done correctly, the intended recipient(s) should receive an invitation in their Outlook inbox within 15 minutes.
Expected Behavior for User Receiving Invite
- The user receiving the invite should find the invitation for the SharePoint site in their Outlook inbox. From the email, they should select the Go to SharePoint option to view the SharePoint Site.
- The user accepting the invite will need to fulfill the basic authentication requirements for the account the invitation was addressed to. Once completed, the user should be able to view the SharePoint site.
Error Handling Based on User Feedback
The following list includes screen captures of errors that could impact External User access to the SharePoint site, either due to process breakdown or configuration constraints, as well as possible ways to hotfix each issue.
- Outlook Web App 500 Error – This is a known error within the Microsoft Community that occurs when attempting to establish a connection with a Microsoft web application. A verification error when authenticating the account causes an indefinite loop that ends in a timeout. Administrators trying to fulfill the SharePoint invitation steps using the Outlook web app might encounter this error.
  - The most common ways to alleviate this issue:
    - Clear browser cache and cookie history.
    - Temporarily remove all administrative roles except Global Admin.
    - Verify that your account is allowed to access Outlook on the Web.
- AADSTS500212 Error – This error is associated with the default or configured organizational settings for an External Identity entry being set to block outbound access for B2B Collaboration.
  - How to alleviate this issue:
    - If an External User sends you this error, inform them that their administration has revoked outbound access to external resources; they will need to create a trusted External Identity within their tenant and configure its outbound access to Allow.
- Something Went Wrong Unknown Issue – This error is associated with the external domain not being included in the allowed domain list for receiving invitations, in the External Collaboration Settings – Azure Active Directory portal and the More External Sharing Settings section of the SharePoint Admin Center. External Users who have received an invitation to a SharePoint site but whose external domain has not been configured properly within the tenant will encounter this error.
  - How to alleviate this issue:
    - Follow the steps listed in the Configuring Internal Access for External Domains section of this article to alleviate the error impacting the users.
- AADSTS50020 Error – This error is associated with an External User trying to authenticate from a SharePoint invitation with an account that was not specified to receive the invitation. In policy we require that the account provided to receive the invitation for SharePoint Site access must also be the account used to authenticate when accessing the portal. External Users who have received an invitation but attempt to authenticate with a different account will experience issues.
  - How to alleviate this issue:
    - Verify with the External User that, when they accept the invitation and are prompted to authenticate, they provide the credentials for the account that received the invitation. Inform them that using a different account is restricted by policy, and that if they wish to access the SharePoint Site from a different address, Management will need to process the request.
    - If the request has been approved by Management, complete the steps listed in the Configuring Internal Access for External Domains section of this article for the newly requested domain, making sure that the External Identity entry and the necessary Allowed Domain entries for receiving invitations are completed as well.
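For the Something Went Wrong and AADSTS50020 cases, the first thing to establish is which address the invitation was actually sent to and whether it has been redeemed. The following script is an added example, not part of the original article; it assumes the Microsoft.Graph module is installed, the caller holds User.Read.All, and the partner domain is a placeholder. It lists the guest objects our tenant holds for that domain together with the externalUserState Graph records for each guest.

```powershell
# Added example (not from the original article): report the guest objects created by SharePoint
# invitations for one partner domain and whether each invitation has been redeemed.
# Assumptions: Microsoft.Graph module installed; caller holds User.Read.All; $partnerDomain is a placeholder.

Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome

$partnerDomain = "partner.example"   # placeholder: the invited users' domain

# externalUserState is not returned by default, so request it explicitly.
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -ConsistencyLevel eventual -CountVariable guestCount `
    -Property id,displayName,mail,userPrincipalName,externalUserState,externalUserStateChangeDateTime,createdDateTime

$report = $guests |
    Where-Object { $_.Mail -and ($_.Mail.Split('@')[-1] -ieq $partnerDomain) } |
    ForEach-Object {
        [pscustomobject]@{
            InvitedAddress = $_.Mail                     # the exact address the invitation went to
            GuestUpn       = $_.UserPrincipalName
            State          = $_.ExternalUserState        # PendingAcceptance or Accepted
            StateChanged   = $_.ExternalUserStateChangeDateTime
            Created        = $_.CreatedDateTime
        }
    }

if (-not $report) {
    Write-Output "No guest object exists for $partnerDomain among $guestCount guests: no invitation has been sent to that domain from this tenant."
} else {
    $report | Sort-Object Created -Descending | Format-Table -AutoSize
}
```

Reading the output: a user reporting AADSTS50020 whose sign-in address is not in the InvitedAddress column is authenticating with an account other than the one invited, which is exactly the policy restriction above. An entry stuck in PendingAcceptance for a domain that should auto-redeem points back at the Inbound Access and allow-list prerequisites rather than at the user.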
Need Assistance?
Reach out to your Customer Success Manager to discuss how a Sittadel cybersecurity analyst can assist in managing these tasks for you. New to our services? Inquire about arranging a consultation to explore optimizing your Azure environment for painless management.