Azure AD and SharePoint Online / OneDrive for Business Part 2

Welcome back. Today I will do a high-level overview of the options available for sharing information from within SharePoint Online and OneDrive for Business.

A SharePoint Online/OneDrive for Business subscription is associated with an AAD instance. Users that exist outside of that AAD instance are considered “external” users. Microsoft has configured four primary options for sharing information within SharePoint Online / OneDrive for Business. These options are:

  1. Don’t allow sharing outside your organization
  2. Allow sharing only with the external users that already exist in your organization’s directory
  3. Allow external users who accept sharing invitations and sign in as authenticated users
  4. Allow sharing with all external users, and by using anonymous access links

This link has a great explanation of the differences in each option from a functionality perspective, but I’ll spend some time on explaining what these things mean from an Azure AD perspective.

Option 1 is self-explanatory if you read the above link, so I won’t be covering that one.

Option 2 limits a user to sharing information with users who are directly members of their AAD instance or have already been configured as guest users. When a user attempts to add a user that doesn’t fall into those two categories, he or she observes the following error when attempting to share a SharePoint Online site (wonderfully descriptive by the way MS):


The error when attempting to share a OneDrive for Business folder is much more informative:


Option 3 limits a user to inviting users who have or obtain a Microsoft Live ID or Azure AD identity. When the user receives the invite and authenticates to AAD, the user is provisioned into the destination AAD instance as a guest user. My next post will spend more time talking about guest users.

Option 4 is similar to Option 3 but additionally allows for anonymous access via shared links.

These sharing options can be configured at the subscription and site collection level.
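As an added example (not part of the original post), the PowerShell below maps the four options to the `SharingCapability` values used by the SharePoint Online Management Shell and reports each site collection's effective setting, given that a site cannot be more permissive than the subscription. The function name `Get-EffectiveSharing`, the baseline default, and the sample sites are assumptions made for illustration.

```powershell
# Added example. Ranks the four sharing options from least to most permissive.
$Rank = [ordered]@{
    Disabled                        = 0  # Option 1: no sharing outside the organization
    ExistingExternalUserSharingOnly = 1  # Option 2: external users already in the directory
    ExternalUserSharingOnly         = 2  # Option 3: invited, authenticated external users
    ExternalUserAndGuestSharing     = 3  # Option 4: adds anonymous access links
}

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][object[]]$Sites,
        [string]$Baseline = 'ExistingExternalUserSharingOnly'  # assumed policy ceiling
    )
    if (-not $Rank.Contains($TenantCapability)) {
        throw "Unknown tenant SharingCapability: $TenantCapability"
    }
    $names = @($Rank.Keys)
    foreach ($site in $Sites) {
        $siteCap = [string]$site.SharingCapability
        if (-not $Rank.Contains($siteCap)) {
            Write-Warning "Skipping $($site.Url): unknown value '$siteCap'"
            continue
        }
        # The subscription setting caps the site setting, so the lower rank wins.
        $effective = [Math]::Min($Rank[$TenantCapability], $Rank[$siteCap])
        [pscustomobject]@{
            Url             = $site.Url
            Configured      = $siteCap
            Effective       = $names[$effective]
            ExceedsBaseline = $effective -gt $Rank[$Baseline]
        }
    }
}

# Constructed sample data standing in for Get-SPOSite output.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/hr';      SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/vendors'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/public';  SharingCapability = 'ExternalUserAndGuestSharing' }
)
Get-EffectiveSharing -TenantCapability 'ExternalUserSharingOnly' -Sites $sampleSites |
    Format-Table -AutoSize

# Live data (needs the SharePoint Online Management Shell and a Connect-SPOService session):
# Get-EffectiveSharing -TenantCapability (Get-SPOTenant).SharingCapability -Sites (Get-SPOSite -Limit All)
```

With the sample data, the `public` site is configured for anonymous links but is capped at `ExternalUserSharingOnly` by the subscription setting, and both it and `vendors` are flagged as exceeding the assumed baseline.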

For more information on these options and how to configure them, take a read through the links below.

In my next post I’ll spend some time examining the different methods to add guest users and how the method of adding the user can affect the ability to share with that guest user. Additionally, I’ll spend some time exploring how a guest user looks from an attribute perspective.
