1
00:00:02,734 --> 00:00:04,722
Now that we have seen how sharing works in

2
00:00:04,722 --> 00:00:07,461
SharePoint Online, let's start by learning

3
00:00:07,461 --> 00:00:09,807
what settings we can configure at the

4
00:00:09,807 --> 00:00:13,417
tenant level. The first setting is really

5
00:00:13,417 --> 00:00:16,265
what is the most permissive level that

6
00:00:16,265 --> 00:00:19,425
users can share to? You've got four

7
00:00:19,425 --> 00:00:22,611
options, and the first one and the most

8
00:00:22,611 --> 00:00:24,857
permissive is anyone. This basically

9
00:00:24,857 --> 00:00:28,493
allows users to share files using both

10
00:00:28,493 --> 00:00:32,479
authenticated users and anonymous users.

11
00:00:32,479 --> 00:00:36,811
Next up is new and existing users, which

12
00:00:36,811 --> 00:00:39,151
allows users to share with external

13
00:00:39,151 --> 00:00:42,101
authenticated accounts so inviting new

14
00:00:42,101 --> 00:00:44,868
authenticated users to have access to

15
00:00:44,868 --> 00:00:49,226
documents, sites, and so on, but not

16
00:00:49,226 --> 00:00:51,914
allowing anonymous users in. The next one

17
00:00:51,914 --> 00:00:54,708
that's a bit more restrictive is existing

18
00:00:54,708 --> 00:00:58,085
guests only. This would allow external

19
00:00:58,085 --> 00:01:00,951
guests that exist in your Azure Active

20
00:01:00,951 --> 00:01:04,103
Directory either through Azure B2B or

21
00:01:04,103 --> 00:01:07,105
other methods, but really an end user

22
00:01:07,105 --> 00:01:10,379
cannot invite a new external user from

23
00:01:10,379 --> 00:01:12,889
SharePoint without going through IT,

24
00:01:12,889 --> 00:01:15,107
unless of course you have a custom

25
00:01:15,107 --> 00:01:17,581
external user provisioning system, but we

26
00:01:17,581 --> 00:01:20,493
won't really get into that in this course.

27
00:01:20,493 --> 00:01:23,413
The last option and the most restrictive

28
00:01:23,413 --> 00:01:26,731
one is only people in your organization,

29
00:01:26,731 --> 00:01:29,489
which would block users from inviting any

30
00:01:29,489 --> 00:01:33,641
sort of external user in SharePoint. Next

31
00:01:33,641 --> 00:01:35,390
option, and this is really if you have

32
00:01:35,390 --> 00:01:39,307
chosen to allow anonymous users, you can

33
00:01:39,307 --> 00:01:41,546
have extra configuration options around

34
00:01:41,546 --> 00:01:45,492
them. The first one is the maximum length

35
00:01:45,492 --> 00:01:49,291
of time until an anonymous link expires.

36
00:01:49,291 --> 00:01:51,981
This way you can set an expiration on how

37
00:01:51,981 --> 00:01:55,219
long an anonymous link will work, but

38
00:01:55,219 --> 00:01:57,993
let's say for example it cannot be longer

39
00:01:57,993 --> 00:02:00,767
than seven days, because that's the cap

40
00:02:00,767 --> 00:02:04,057
that you put at the tenant level. The next

41
00:02:04,057 --> 00:02:07,061
option which I really like is setting the

42
00:02:07,061 --> 00:02:10,026
maximum permissions for anonymous links.

43
00:02:10,026 --> 00:02:13,332
So you can say that for example for files,

44
00:02:13,332 --> 00:02:15,602
anonymous users can only view, but cannot

45
00:02:15,602 --> 00:02:18,603
edit or you can allow them to view and

46
00:02:18,603 --> 00:02:22,341
edit. You can also set the permissions for

47
00:02:22,341 --> 00:02:25,235
folders, allowing anonymous users either

48
00:02:25,235 --> 00:02:28,113
only view permissions on folders or view,

49
00:02:28,113 --> 00:02:32,125
edit, and upload. The next possible

50
00:02:32,125 --> 00:02:34,971
setting is which users can share outside

51
00:02:34,971 --> 00:02:37,913
your organization. By doing this, you can

52
00:02:37,913 --> 00:02:40,233
limit what users are allowed to share

53
00:02:40,233 --> 00:02:43,056
externally, and you can do this at two

54
00:02:43,056 --> 00:02:45,447
different levels. First of all, which

55
00:02:45,447 --> 00:02:48,156
users are allowed to share with

56
00:02:48,156 --> 00:02:50,575
authenticated external users, and then

57
00:02:50,575 --> 00:02:53,206
another set of users that are allowed to

58
00:02:53,206 --> 00:02:56,259
share with both authenticated and

59
00:02:56,259 --> 00:02:59,676
anonymous users. What this really allows

60
00:02:59,676 --> 00:03:02,897
you to do is to implement a way in which,

61
00:03:02,897 --> 00:03:05,467
for example, users have to go through

62
00:03:05,467 --> 00:03:07,994
training before being able to share

63
00:03:07,994 --> 00:03:10,464
externally. Let's say that after level-one

64
00:03:10,464 --> 00:03:12,943
training they're allowed to share with

65
00:03:12,943 --> 00:03:15,205
authenticated users and after their

66
00:03:15,205 --> 00:03:18,321
security or level-two training, they can

67
00:03:18,321 --> 00:03:21,410
also share with anonymous. So as you can

68
00:03:21,410 --> 00:03:23,561
see, even if you make the most permissive

69
00:03:23,561 --> 00:03:25,917
level anonymous, there are lots of checks

70
00:03:25,917 --> 00:03:28,542
that you can put in place to make sure

71
00:03:28,542 --> 00:03:31,146
it's done within your organizational

72
00:03:31,146 --> 00:03:34,298
standards. Another really useful setting

73
00:03:34,298 --> 00:03:37,802
is the default link type. This is the link

74
00:03:37,802 --> 00:03:40,411
type that's created by default when a user

75
00:03:40,411 --> 00:03:44,020
clicks to share or copy a link so it

76
00:03:44,020 --> 00:03:46,692
really looks at default behavior. The

77
00:03:46,692 --> 00:03:49,927
choices are direct, internal, or anonymous

78
00:03:49,927 --> 00:03:53,402
access. You can also set a default link

79
00:03:53,402 --> 00:03:56,468
permission to either be view or view and

80
00:03:56,468 --> 00:03:59,315
edit. If you look at the combination of

81
00:03:59,315 --> 00:04:01,763
those settings, the most permissive one

82
00:04:01,763 --> 00:04:04,064
would be for the default link to be

83
00:04:04,064 --> 00:04:06,940
anonymous and with edit permissions, while

84
00:04:06,940 --> 00:04:09,932
the most restrictive one would be direct

85
00:04:09,932 --> 00:04:13,737
with view permissions only. You can also

86
00:04:13,737 --> 00:04:15,518
limit external sharing by domain and

87
00:04:15,518 --> 00:04:19,198
you've got two options. You can set it to

88
00:04:19,198 --> 00:04:21,693
allow only specific domains, so really

89
00:04:21,693 --> 00:04:25,585
kind of a white list. This would allow you

90
00:04:25,585 --> 00:04:28,098
to, for example, have a known list of

91
00:04:28,098 --> 00:04:30,526
partners and only be able to share with

92
00:04:30,526 --> 00:04:33,776
those known partners. You could also block

93
00:04:33,776 --> 00:04:35,963
specific domains. So basically you would

94
00:04:35,963 --> 00:04:38,651
allow all of the domains, except the ones

95
00:04:38,651 --> 00:04:41,835
you put on the list. A good example for

96
00:04:41,835 --> 00:04:45,290
that is if you wanted to block all public

97
00:04:45,290 --> 00:04:47,881
consumer addresses such as Hotmail,

98
00:04:47,881 --> 00:04:51,297
Outlook, and so on, so people are forced

99
00:04:51,297 --> 00:04:54,700
to share with the business email

100
00:04:54,700 --> 00:04:56,477
addresses. It's important to remember that

101
00:04:56,477 --> 00:04:59,216
those limitations of course do not apply

102
00:04:59,216 --> 00:05:02,462
when a link of type anyone is created.

103
00:05:02,462 --> 00:05:04,693
Some additional settings that we can

104
00:05:04,693 --> 00:05:06,999
configure are for example, preventing

105
00:05:06,999 --> 00:05:09,786
external users from sharing files,

106
00:05:09,786 --> 00:05:13,362
folders, and sites that they do not own.

107
00:05:13,362 --> 00:05:15,911
We can also force external users to accept

108
00:05:15,911 --> 00:05:18,848
sharing invitations using the same account

109
00:05:18,848 --> 00:05:22,308
that the invitation was sent to. You can

110
00:05:22,308 --> 00:05:24,891
also force recipients to continuously

111
00:05:24,891 --> 00:05:28,806
prove account ownership every X number of

112
00:05:28,806 --> 00:05:31,114
days in order to make sure that they still

113
00:05:31,114 --> 00:05:33,878
have access to that email address, and you

114
00:05:33,878 --> 00:05:37,062
can also set a customized external sharing

115
00:05:37,062 --> 00:05:40,621
policy URL that your users will see if

116
00:05:40,621 --> 00:05:42,497
they try to share something, but they're

117
00:05:42,497 --> 00:05:45,784
not allowed to. The last part before we go

118
00:05:45,784 --> 00:05:48,923
into the demo are notifications. You can

119
00:05:48,923 --> 00:05:51,371
configure SharePoint to add an email

120
00:05:51,371 --> 00:05:55,277
address as Bcc on all of the external

121
00:05:55,277 --> 00:05:57,618
sharing invitations so if you have a

122
00:05:57,618 --> 00:05:59,860
security team that wants to be aware of

123
00:05:59,860 --> 00:06:02,805
everything or you want to keep a log and

124
00:06:02,805 --> 00:06:10,000
maybe automatically track them from that inbox, it's an option that you have.

