1 00:00:02,559 --> 00:00:04,608 We have now entered the theory of what we 2 00:00:04,608 --> 00:00:07,165 can configure, let's go to the demo 3 00:00:07,165 --> 00:00:10,447 environment and configure external sharing 4 00:00:10,447 --> 00:00:15,006 settings at the tenant level. We are now 5 00:00:15,006 --> 00:00:17,053 in the demo environment and let me open up 6 00:00:17,053 --> 00:00:19,777 the browser here where I am in the 7 00:00:19,777 --> 00:00:22,723 SharePoint Online admin center. Now in 8 00:00:22,723 --> 00:00:24,862 order to go to the tenant sharing 9 00:00:24,862 --> 00:00:29,908 settings, we have to go under Policies to 10 00:00:29,908 --> 00:00:32,321 Sharing. Now something to be aware of is 11 00:00:32,321 --> 00:00:34,726 that as I have mentioned previously in 12 00:00:34,726 --> 00:00:38,469 this course is that as I'm recording this, 13 00:00:38,469 --> 00:00:41,071 SharePoint Online is somewhere between the 14 00:00:41,071 --> 00:00:44,922 new admin center and the old one, and for 15 00:00:44,922 --> 00:00:46,913 external sharing settings, most of the 16 00:00:46,913 --> 00:00:49,480 features have made it to the new admin 17 00:00:49,480 --> 00:00:51,931 center, but we're still going to have to 18 00:00:51,931 --> 00:00:55,188 go to the old admin center for other 19 00:00:55,188 --> 00:00:58,182 settings. Let's start with what is the 20 00:00:58,182 --> 00:01:00,448 most permissive setting that you want to 21 00:01:00,448 --> 00:01:04,312 have for content? Do you want anyone, new 22 00:01:04,312 --> 00:01:07,048 and existing guest, existing guest, or 23 00:01:07,048 --> 00:01:09,789 close down external sharing completely and 24 00:01:09,789 --> 00:01:12,205 keep it to only people in your 25 00:01:12,205 --> 00:01:14,648 organization? Now I'll tell you guys a 26 00:01:14,648 --> 00:01:16,964 funny story that is something that I find 27 00:01:16,964 --> 00:01:19,087 both funny and ashamed of myself just 28 00:01:19,087 --> 00:01:21,738 because I use PowerShell a lot to 29 00:01:21,738 --> 00:01:24,190 configure those settings. For at least a 30 00:01:24,190 --> 00:01:26,933 few months I thought that this whole 31 00:01:26,933 --> 00:01:30,907 square here was only a picture just to 32 00:01:30,907 --> 00:01:32,855 give an idea of what it looks like most 33 00:01:32,855 --> 00:01:35,368 permissive to the least permissive. 34 00:01:35,368 --> 00:01:38,246 However, it turns out that you can 35 00:01:38,246 --> 00:01:40,956 actually play with them and those are how 36 00:01:40,956 --> 00:01:44,417 the settings are configured. So you can 37 00:01:44,417 --> 00:01:46,033 change the settings here for both 38 00:01:46,033 --> 00:01:48,717 SharePoint and OneDrive for Business, and 39 00:01:48,717 --> 00:01:50,679 something that you need to be aware of, 40 00:01:50,679 --> 00:01:52,560 and I know this is a SharePoint Online 41 00:01:52,560 --> 00:01:55,682 course, but this is so close with OneDrive 42 00:01:55,682 --> 00:01:58,552 for Business is that the OneDrive for 43 00:01:58,552 --> 00:02:01,394 Business cannot be more permissive than 44 00:02:01,394 --> 00:02:04,923 the SharePoint ones. So as I drag this one 45 00:02:04,923 --> 00:02:07,003 lower, you'll see that the OneDrive for 46 00:02:07,003 --> 00:02:10,440 Business one will also be dragged lower. 47 00:02:10,440 --> 00:02:13,511 And as I raise the SharePoint one, I can 48 00:02:13,511 --> 00:02:16,014 also raise the OneDrive for Business one. 49 00:02:16,014 --> 00:02:18,937 So really, if you want to have different 50 00:02:18,937 --> 00:02:20,803 settings between SharePoint and OneDrive 51 00:02:20,803 --> 00:02:23,684 for Business, the SharePoint ones need to 52 00:02:23,684 --> 00:02:27,170 be more permissive. So let's leave it at 53 00:02:27,170 --> 00:02:28,710 anyone for now and for OneDrive for 54 00:02:28,710 --> 00:02:31,927 Business we're going to put it to anyone 55 00:02:31,927 --> 00:02:35,408 as well. Now scrolling down, let's go into 56 00:02:35,408 --> 00:02:38,987 the advanced settings. Do we want to limit 57 00:02:38,987 --> 00:02:42,375 external sharing by domain? Let's say that 58 00:02:42,375 --> 00:02:47,215 we do, and here I can add domains. After 59 00:02:47,215 --> 00:02:50,000 the pop-up opens, I have the option to 60 00:02:50,000 --> 00:02:52,998 allow only specific domains or block 61 00:02:52,998 --> 00:02:56,138 specific domains. I cannot have both of 62 00:02:56,138 --> 00:02:59,577 them so I cannot allow domain 1, domain 2, 63 00:02:59,577 --> 00:03:03,130 and domain 3 and block another one. So 64 00:03:03,130 --> 00:03:05,984 it's really one or the other. So let's say 65 00:03:05,984 --> 00:03:07,834 that we're going to allow only specific 66 00:03:07,834 --> 00:03:10,145 domains, and we're going to do 67 00:03:10,145 --> 00:03:14,768 globomantics.org, pluralsight.com, and 68 00:03:14,768 --> 00:03:18,907 we're also going to add contoso.com in 69 00:03:18,907 --> 00:03:22,128 here. Let's click on OK, and you see they 70 00:03:22,128 --> 00:03:25,414 have been added. Now one that is not 71 00:03:25,414 --> 00:03:27,626 turned on by default, but I always 72 00:03:27,626 --> 00:03:30,475 recommend that you do is guests must sign 73 00:03:30,475 --> 00:03:33,567 in using the same account to which sharing 74 00:03:33,567 --> 00:03:36,122 invitations were sent. This forces people 75 00:03:36,122 --> 00:03:39,831 that you invite them with vlad@ 76 00:03:39,831 --> 00:03:41,777 globomantics.com. Well, they're going to 77 00:03:41,777 --> 00:03:43,454 have to sign in with vlad@ 78 00:03:43,454 --> 00:03:45,953 globomantics.com ; they're not going to be 79 00:03:45,953 --> 00:03:48,714 able to use other Microsoft accounts such 80 00:03:48,714 --> 00:03:51,902 as their Hotmail one. And also, do I want 81 00:03:51,902 --> 00:03:53,972 to allow guests to share items that they 82 00:03:53,972 --> 00:03:58,424 do not own? We're going to put it at no. 83 00:03:58,424 --> 00:04:00,079 Next up, let's take a look at the links. 84 00:04:00,079 --> 00:04:03,195 First of all, what is the link that is 85 00:04:03,195 --> 00:04:07,075 selected by default? Specific people, only 86 00:04:07,075 --> 00:04:09,871 people in your organization, or anyone 87 00:04:09,871 --> 00:04:13,782 with the link. Let's put it to specific 88 00:04:13,782 --> 00:04:16,634 people so only, so by default the user 89 00:04:16,634 --> 00:04:19,374 that shares has to specify somebody for 90 00:04:19,374 --> 00:04:23,009 that share to be done. It cannot just 91 00:04:23,009 --> 00:04:25,713 copy, copy, like click, copy/paste, and 92 00:04:25,713 --> 00:04:28,594 make it work. Now the advanced settings 93 00:04:28,594 --> 00:04:31,371 for the anonymous links. I can set the 94 00:04:31,371 --> 00:04:34,495 limit so I can say that anonymous links 95 00:04:34,495 --> 00:04:37,999 must expire in maximum three days. This 96 00:04:37,999 --> 00:04:41,018 way users cannot make anonymous links that 97 00:04:41,018 --> 00:04:44,325 last forever, and I can also restrict for 98 00:04:44,325 --> 00:04:47,431 files if anonymous links can view or edit 99 00:04:47,431 --> 00:04:50,975 or only view, and for folders if they can 100 00:04:50,975 --> 00:04:54,252 view or view, edit, and upload. Let's put 101 00:04:54,252 --> 00:04:58,508 it at view as well. Now you can see that 102 00:04:58,508 --> 00:05:01,870 for other settings we have to go to the 103 00:05:01,870 --> 00:05:04,549 classic sharing page, and whatever one we 104 00:05:04,549 --> 00:05:07,974 click out of those two options, it will 105 00:05:07,974 --> 00:05:11,454 bring us to the same spot. So let's go to 106 00:05:11,454 --> 00:05:13,712 the see the rest of the settings in the 107 00:05:13,712 --> 00:05:16,111 classic page. A lot of the settings will 108 00:05:16,111 --> 00:05:19,019 be the same so sharing outside of the 109 00:05:19,019 --> 00:05:23,304 organization. You see we have the same 110 00:05:23,304 --> 00:05:24,764 settings. Something that is really 111 00:05:24,764 --> 00:05:26,509 important is that we haven't clicked Save 112 00:05:26,509 --> 00:05:29,876 yet on this one so that's why the changes 113 00:05:29,876 --> 00:05:33,553 will not be seen in this view. We need to 114 00:05:33,553 --> 00:05:37,321 click Save on the other one before it's 115 00:05:37,321 --> 00:05:39,302 visible. Now let's talk about who can 116 00:05:39,302 --> 00:05:41,764 share outside of your organization. I can 117 00:05:41,764 --> 00:05:43,942 let only users and selected security 118 00:05:43,942 --> 00:05:47,099 groups share with authenticated external 119 00:05:47,099 --> 00:05:50,322 users, and let users in selected security 120 00:05:50,322 --> 00:05:52,512 groups share with authenticated external 121 00:05:52,512 --> 00:05:56,359 users and using anonymous links. So now if 122 00:05:56,359 --> 00:05:59,702 a site is configured to be able to 123 00:05:59,702 --> 00:06:02,569 anonymous links; however, I have this set 124 00:06:02,569 --> 00:06:05,548 up, only people inside the group will be 125 00:06:05,548 --> 00:06:08,932 able to do it. If my site is configured to 126 00:06:08,932 --> 00:06:11,799 only allow sharing with logged-in users 127 00:06:11,799 --> 00:06:15,344 and I have people that are allowed to 128 00:06:15,344 --> 00:06:17,667 share anonymous, the maximum is still 129 00:06:17,667 --> 00:06:21,995 logged-in users. So this does not open any 130 00:06:21,995 --> 00:06:25,212 loophole. It simply filters down even more 131 00:06:25,212 --> 00:06:29,916 on who can share inside. Now I have the 132 00:06:29,916 --> 00:06:31,163 default link type, default link 133 00:06:31,163 --> 00:06:33,570 permissions that we have looked at as 134 00:06:33,570 --> 00:06:35,857 well. In that case we would have 135 00:06:35,857 --> 00:06:39,202 configured it to direct and view, and now 136 00:06:39,202 --> 00:06:41,767 also additional settings, again limit 137 00:06:41,767 --> 00:06:44,884 external sharing using domains, prevent 138 00:06:44,884 --> 00:06:47,780 external users from. Something that just 139 00:06:47,780 --> 00:06:50,230 happened here is once you click on a 140 00:06:50,230 --> 00:06:52,563 checkbox, it will actually bring you back 141 00:06:52,563 --> 00:06:54,957 to the top because depending on what you 142 00:06:54,957 --> 00:06:56,930 click, you're not going to see the same 143 00:06:56,930 --> 00:06:59,384 things. So it happened to me on video so 144 00:06:59,384 --> 00:07:01,802 I'll just do it again so that you see it. 145 00:07:01,802 --> 00:07:04,406 I will click here. It brings me back to 146 00:07:04,406 --> 00:07:08,146 the top and then I can configure it. If I 147 00:07:08,146 --> 00:07:10,985 unclick it, it will again bring me back to 148 00:07:10,985 --> 00:07:14,402 the top as the page refreshes. So I always 149 00:07:14,402 --> 00:07:16,534 forget on which one it does it; that's why 150 00:07:16,534 --> 00:07:19,108 it took me a bit by surprise, but don't 151 00:07:19,108 --> 00:07:21,123 worry. Sometimes as you change certain 152 00:07:21,123 --> 00:07:23,958 settings, it will bring you back to the 153 00:07:23,958 --> 00:07:26,232 top and it will hide certain things. Like 154 00:07:26,232 --> 00:07:29,013 if I click don't allow sharing outside 155 00:07:29,013 --> 00:07:32,945 your organization, it will hide all of the 156 00:07:32,945 --> 00:07:35,925 sharing settings that cannot be done. If I 157 00:07:35,925 --> 00:07:39,454 do anonymous, they will appear back. Other 158 00:07:39,454 --> 00:07:43,306 settings about notifications are, do you 159 00:07:43,306 --> 00:07:44,908 want to email, and this is really about 160 00:07:44,908 --> 00:07:46,779 OneDrive for Business; do you want to 161 00:07:46,779 --> 00:07:49,266 email OneDrive for Business owners when 162 00:07:49,266 --> 00:07:52,216 other users invite additional external 163 00:07:52,216 --> 00:07:54,911 users to shared files. External users 164 00:07:54,911 --> 00:07:57,806 accept invitations to access files, and 165 00:07:57,806 --> 00:08:01,037 anonymous access link is created or 166 00:08:01,037 --> 00:08:03,602 changed. You will have noticed that some 167 00:08:03,602 --> 00:08:06,292 of the settings in the slides we have not 168 00:08:06,292 --> 00:08:08,426 seen in the new admin center or the 169 00:08:08,426 --> 00:08:10,813 classic one, and this is because they're 170 00:08:10,813 --> 00:08:13,446 PowerShell only. Those settings are the 171 00:08:13,446 --> 00:08:17,607 copying somebody as a Bcc or a shared 172 00:08:17,607 --> 00:08:20,857 mailbox on every single invitation, and 173 00:08:20,857 --> 00:08:24,775 this needs to be done using PowerShell 174 00:08:24,775 --> 00:08:26,068 using the Set-SPOTenant, 175 00:08:26,068 --> 00:08:30,252 -BccExternalSharingInvitations $true, and 176 00:08:30,252 --> 00:08:33,466 -BccSharingInvitationList, which is a 177 00:08:33,466 --> 00:08:35,401 comma-separated list of emails that need 178 00:08:35,401 --> 00:08:38,662 to be copied. You can also set the 179 00:08:38,662 --> 00:08:41,682 -CustomizedExternalSharingServiceUrl, 180 00:08:41,682 --> 00:08:44,352 which is the link that is proposed to 181 00:08:44,352 --> 00:08:46,460 users when they try to share something, 182 00:08:46,460 --> 00:08:49,112 but they're not allowed to. So feel free 183 00:08:49,112 --> 00:08:51,332 to put the URL of your sharing governance 184 00:08:51,332 --> 00:08:55,469 policy or where they can reach out to IT 185 00:08:55,469 --> 00:08:59,324 when this happens. This it for configuring 186 00:08:59,324 --> 00:09:02,060 tenant settings. Now that we have seen how 187 00:09:02,060 --> 00:09:03,850 to configure external sharing at the 188 00:09:03,850 --> 00:09:11,000 tenant level, let's take a look at how to do it at the site level.