Access for Office 365 external users a concern for admins

Microsoft added external access for Office 365 Groups, which means administrators must contend with confidentiality and lifecycle issues until the service matures.

Just how much trust can IT put in external guests on the messaging platform?

Microsoft touts Office 365 Groups as a way for businesses to collaborate in the cloud. The platform enables teams to store documents, assets and conversations related to particular projects. But there had always been an issue with Groups functionality where Office 365 external users -- contractors, outside consultants and vendors -- could not collaborate within the group.

That's been somewhat fixed after Microsoft added support for external guests to Office 365 Groups in September 2016, but there are still some limitations and considerations for Windows administrators.

The Azure Active Directory guest user

Access for Office 365 external users centers on the concept of a guest user in Azure Active Directory, the cloud directory that stores user information for Office 365 tenants. Whether you subscribe separately to Azure Active Directory or not, all Office 365 tenants have it. Essentially, an Azure Active Directory guest user is an account that corresponds with an email address. The main difference is the email address can be on any domain -- Gmail, Outlook, another Office 365 hosted tenant or another service -- and it should work. This guest user account is basically the resource in Active Directory used to control access to the various features within an Office 365 Group instance.

Adding Office 365 external users

To add guest users, go to Outlook Web Access on Office 365, open the group and then select Members and then Guests from the three-dotted menu on the right. Click Add Members to add a guest, and then enter the guest's email address.

Behind the scenes, Office 365 checks if a guest user object for that email address exists. If it does, access rights are granted to that guest user for the object in question. If a guest user object does not exist, Office 365 creates it and adds the necessary permissions. Office 365 then sends an email message to the guest user with a link to the shared object and another link with information on how to leave the group.

If the guest user has a Microsoft account that matches the email address entered in Office 365, then the guest will authenticate with that account. If not, the user will be directed to create a special account within that Office 365 tenant.

Within an Office 365 group, an external user can:

  • Join a conversation within a group mailbox. Office 365 sends messages for the guest to their external email account. Guest users can also send meeting requests to a shared calendar for a group and can search for conversations they have been a part of within their inbox.
  • Use the mechanism for single document sharing like an internal user. After a current user sends an invitation to edit a document in SharePoint Online, the guest user can make changes to that document.
  • Access document libraries and search through those documents within SharePoint Online. Guest users gain access through a modified version of the Files view in Office 365.
  • View shared OneNote notebooks and attachments sent through OneDrive for Business in Outlook.

Administrative concerns

A concern many administrators would have with giving Office 365 external users corporate access is the threat of data loss. How can administrators keep private content in the collaboration site and prevent users from forwarding or downloading it? Also, how do administrators manage the collaboration lifecycle of Office 365 external users and cut off their access when a project has finished?
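For the lifecycle question, one practical control is a recurring audit of which guests sit in which groups, followed by targeted removal once a project closes. The following is an added example, not code from the article or from Microsoft; it assumes an Exchange Online PowerShell session is already connected, and it assumes that guest members are reported by `Get-UnifiedGroupLinks` with a `RecipientTypeDetails` value of `GuestMailUser`.

```powershell
# Added example: audit guest (external) members across all Office 365 Groups
# and remove a guest's membership when their engagement ends.
# Assumes an Exchange Online PowerShell session is already established.
# Assumption: guest members show RecipientTypeDetails of 'GuestMailUser'.

function Get-GroupGuestReport {
    # Enumerate every Office 365 Group in the tenant
    $groups = Get-UnifiedGroup -ResultSize Unlimited
    foreach ($group in $groups) {
        $members = Get-UnifiedGroupLinks -Identity $group.Identity -LinkType Members -ResultSize Unlimited
        foreach ($member in $members) {
            # Skip tenant users; only external guests are of interest here
            if ($member.RecipientTypeDetails -ne 'GuestMailUser') { continue }
            [pscustomobject]@{
                Group      = $group.DisplayName
                GroupEmail = $group.PrimarySmtpAddress
                Guest      = $member.PrimarySmtpAddress
                GuestName  = $member.DisplayName
            }
        }
    }
}

function Remove-GroupGuest {
    param(
        [Parameter(Mandatory)][string]$GroupIdentity,
        [Parameter(Mandatory)][string]$GuestEmail
    )
    # Removes the guest's membership in this one group only; the guest user
    # object itself remains in Azure Active Directory and in any other groups.
    Remove-UnifiedGroupLinks -Identity $GroupIdentity -LinkType Members -Links $GuestEmail -Confirm:$false
}

# Usage: review every group that has external members and keep a CSV for the record
$report = Get-GroupGuestReport | Sort-Object Group, Guest
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\group-guests.csv -NoTypeInformation

# Example removal with constructed placeholder values:
# Remove-GroupGuest -GroupIdentity 'Project Alpha' -GuestEmail 'contractor@example.com'
```

Run the report on a schedule and compare it against the project roster; any guest not on the roster is a candidate for removal.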

Microsoft has some protections against threats:

  • Guests can only interact with Office 365 Groups instances through a browser -- an exception is for the individual email notifications that go to the inbox.
  • Guests cannot look at Global Address List (GAL) information, such as organizational hierarchy.
  • Guests cannot view or interact with information saved with information rights management protection.
  • Guests do not appear in the GAL for tenant-based users.
  • Guests cannot become owners of Office 365 Groups.
  • MailTips will warn users of Outlook on the Web and the desktop Outlook application before they send items via email within a group. The warning states that the group has guest users; it is intended to empower users to prevent the leak of confidential material.

Those protections are not as robust as a data loss protection scheme or an on-site appliance, but the beauty of the cloud is that Microsoft can tweak security and improve it over time.
