A couple posts ago I wrote that external user sharing is confusing with the new Office 365 but I’m glad to report that things have changed for the better (not unexpectedly) just recently.

So now when you share a site with the new Office 365 for an external contact they will receive an email like:

Clicking on the link they will now be taken to:

which is MUCH clearer that it used to be (see the previous post for what it was like)!

It is still recommended that you have an existing Windows Live Id already created and if so you select the Microsoft Account option at the top.

You’ll then be taken to the familiar Office 365 login, from which you’ll need to select Sign in with Windows Live ID at the bottom of the page, which I think is still a little confusing to an external (non-Office 365) user.

However, if you are already signed into the browser with Windows Live ID, you will see the above screen, with most of the details already in place. To me this is much more obvious. So, there’s a tip, before an external user clicks on the sharing link from Office 365 get them login with their Windows Live Id to:

http://login.live.com

just to make things easier. Would of course be nice to not have to do that to keep things simple but I’ll take any change that come.

The great thing overall is that it demonstrates how quickly these things are being improved so I would expect further changes in the very near future. Keep them coming Microsoft.

It is best practice to create security groups and assign these groups rights in SharePoint, for once the security groups have been correctly configured there is no need to return and fiddle with SharePoint securities if new users get added for example. All that now needs to be done is to add the new user to the appropriate security group. When they are added they automatically receive the appropriate rights in SharePoint simply because they are part of the security group that already has assigned SharePoint rights. Thus, you only ever need to add the security groups to SharePoint once. You should never add individual user rights they should all be done via security groups.

To do this with Office 365 you’ll need to login to the administration portal.

Then select the Security Groups from the menu on the left hand side under the Management heading. This will display any existing security groups.

To create a new security group select the New link.

You’ll then be asked to provide a name and description for the security group. My advice, when it comes to specific SharePoint Security groups is to always start them in the same way. That way they will appear together in a list. Here I have chosen to create the security group SP-Accounts-RO.

Once you have created the group you need to add users to the group. You can return later and edit this if you need to. To add users simply place a check in the box to the left of their name and press the Add link.

When complete you should see the security group listed. Remember what name you used.

If you visit your SharePoint site and select Site Actions then Site Settings from the top left.

Now select Site Permissions in the top left under the Users and Permissions heading.

By default SharePoint securities inherit. This means areas have the same rights as the area directly above them in the hierarchy. To create unique rights you’ll need to select the Stop Inheriting Permission button. Press OK to proceed past the warning confirmation dialog you receive.

You should now see that you can select existing groups and users and remove them if desired.

To add the security group just created press the Grant Permissions button.

In the dialog that appears enter the security group name into the Select Users area at the top (here SP-Accounts-RO).

In the Grant Permissions area you can elect to give this user or group direct permission or make them part of an existing SharePoint Group. In this case we’ll elect to make the newly created security group part of the existing SharePoint group, Team Site Visitor, which has Read permissions to the site. Remember, adding something to a pre-existing group will provide that user or group access to everything the group has access to the site. Thus, by adding the newly created security group to the SharePoint Team Site Visitors group every user in the security group will effectively have read permissions to every part of the site, not just the one being edited here. If you don’t want that then only give the user or group direct permissions (i.e. the second option above).

Once complete you should now see the name of the newly created security group appear in SharePoint as shown above. In this case, since we made it a member of Team Site Visitors group in SharePoint that is where it appears.

SharePoint security is easy if you map it out before and implement it using this best practice. In my opinion, no user should be granted direct access to a SharePoint site, they should be part of a security group and that security group is assigned rights in SharePoint.Configuring things this way is gong to reduce confusion and make it less likely you’ll assign the wrong rights, which is easy to do as securities become more complex.

Remember, distribution groups are typically used so lots of users can receive e-mail sent to a single e-mail address. The primary purpose of a security group is to assign permissions to a large group of users instead of assigning permissions to individual users one at a time. If you’re a Microsoft Online e-mail organization, use security groups if you need to assign users permissions to resources in other hosted online services such as Microsoft SharePoint Online.

If you are not aware, the next version of SharePoint Online from Office 365 allows much easier file sharing with external parties. As part of this sharing you can require the external user to require a login for the file. So is that handled? So let’s look at this purely from an external users point of view.

Initially the external user will receive an email like that shown above that invites them to open a shared file. They simply click on the filename link.

Since the option to require a login to access this file was selected during sharing they now see this screen that says they must sign in with a Hotmail or User ID. You will also notice that in the lower right there is an option to Sign up for a Hotmail account. We’ll come back to that in a moment.

Let’s say they do have a Hotmail account so they click the icon on the left. This is where they end up.

If I enter a Hotmail address in the User ID field Office 365 detects this and now prompts you to Sign in at Hotmail.com via a link at the bottom of the page. Hmm…I did already tell you I had a Hotmail account no?

If instead of the left hand link the user selects the icon on the right hand side of the screen corresponding to a User id they end up at the same Office 365 login screen. If they have an Office 365 login (from another tenant) they can login and access the file but in our case the external user doesn’t have this.

Now if the user clicks the link at the bottom of the original page to sign up for Hotmail, guess where they end up? Yup, same Office 365 login screen. Can you see anywhere on here that tells a user how to register for a Hotmail account? Neither can I.

The only real option, if the external user hasn’t given up yet, is to select the Sign in with a Windows Live Id at the bottom of the page. That then takes them to a screen shown above where there is finally a link to sign up for Hotmail as shown above.

So if they now try and sign up the only option they receive for a Microsoft account name is @hotmail.com or @live.com. I can’t see many external users wanting to sign up for an additional email account can you?

Honestly, this is all too confusing for external users who probably just want to see a file. I also reckon that even signing up for a Hotmail account to access a protected file is not easy either. Why can’t the sign up for Hotmail link at the first page actually take you to location where you can actually sign up? Hmmm…all too hard for my liking.

My solution? If you really want to require a password for access to a shared file with an external user get them to create Microsoft Live ID first at:

http://login.live.com

As you can see above, at least when you do that you can specify the email address of the account. This means the external user can make it same as the email account they already have! It also means they don’t get an additional Hotmail or Live email box.

Once a Windows Live ID has been created in this way, linked to the external users original email address, they can use this to login to access the restricted shared file. Problem here is that you need to do that BEFORE they can access the file. More pain.

So for a pure external user, with no existing Hotmail, Office 365 or Live ID, sharing restricted files from SharePoint Online 2013 is going to require a lot of customer support. I certainly hope Microsoft improves this process over time. I really, really do. Office 365 is still in Preview, so fingers crossed.

Here is a great short video that demonstrates how easy it is to create really slick public facing web site in the upcoming version of Office 365.