I had an interesting case related to granting unrestricted access to a specific site collection for external specialists while restricting them from accessing any other sites in our SharePoint Online instance.
Case
We had deployed a Financial SharePoint App from one of the software vendors into a new site collection. Some time later, Head of our IT department asked me to grant unrestricted access for maintenance specialists of that vendor only to this site collection and ensure they cannot access anything else to comply with GDPR enforcement.
After a short discussion on available options, we discovered a couple of issues there
- As you probably know, adding external accounts to site Owners group does not provide absolutely unrestricted access to system areas of this site. The account must be added namely to Site Collection Administrators.
- Creating temporary regular “internal” O365 accounts was not an option as they would immediately become members of the virtual group “Everyone except external users”. In our case, this group had Read permissions configured in many other site collections including HR data for the employees, IT Service Desk, etc. There’s no way to remove an internal O365 account from “Everyone except external users”.
Established solution
Steps below assume you are a Global Administrator in your O365 Tenant.
1. Create a dummy Gmail or Outlook Online account then create a new Microsoft Account based on it.
- For example, vendorname@gmail.com
- You can register a new Microsoft Account in O365 sign-in window; there’s a link to do it.
2. Configure O365 Tenant-wide external sharing
- https://portal.office.com/adminportal/home#/homepage > Search for “Sites external sharing” > Adjust settings if necessary.
3. Configure external sharing in your target Site Collection to allow New and existing external users.
- https://portal.office.com/adminportal/home#/homepage > Search for “Manage sites” > Find your site collection > Adjust Sharing status to “New and existing external users (sign-in required)” and save changes.
- Make sure changes have been actually applied (it may take some time).
4. SharePoint Online does not support adding new external accounts directly to Site Collection Administrators. However, there’s a simple workaround. Open your site collection and add the Microsoft Account from p.1 to any SharePoint group of your site, for example, to site Visitors.
- You can find it under https://<your site collection>/_layouts/15/user.aspx
- If you are unable to add the external user to the group, check the settings of external sharing (see p.2 and 3 above).
5. After that, you will be able to add your Microsoft Account to Site Collection Administrators.
- Use https://<your site collection> /_layouts/15/mngsiteadmin.aspx
- After that, remember to remove this account from a site group to which you added it in p.4.
6. Adjust external sharing settings for your site collection to support Only existing external users.
- https://portal.office.com/adminportal/home#/homepage > Search for “Manage sites” > Find your site collection > Adjust Sharing status to “Only existing external users (sign-in required)” and save changes.
- Make sure changes have been actually applied (it may take some time).
- This sharing level provides correct functioning of external site collection administrators but prevents them from attempts to share the site collection with other externals.
7. Now try to sign-in using the Microsoft Account from p.1. This account should have unrestricted control over the target site collection while access to any other sites will be denied.
Known issues
Term Store does not seem to have any options to restrict Read access for external users. In our case, it did not have confidential data.
