External Users Access Change in Office 365
If you receive the Office 365 Message Center Update Notifications you know that it’s rare to see a “Major Update Notification” that you must act upon quickly, but that is exactly what we received on Saturday February 24th. Starting on March 23, 2018 external users will no longer belong to the following groups in SharePoint Online: Everyone, All Authenticated Users and All Forms Users. While this does not directly impact any of the Office 365 customers we are engaged with on a regular basis I am sure it will impact some organizations in a major way.
As Microsoft noted in their notification most organizations are not using these groups to grant permissions to external users and they have alternate methods available for folks to setup their tenants to still enable this functionality. As Office 365 Global Administrators we essentially have 2 options to deal with this change: Run some PowerShell to keep things the way they are in your tenant or create an Azure AD group. The PowerShell method is outlined in the support article which you can link to from the “Additional Information” link in the Office 365 Message center but it seems like creating an Azure AD group is the best way to go. Oddly enough, the rollout date indicated for this update in the article is March 1, 2018 but I would hope we can expect the Office 365 Message Center to be the “source of truth”.
We recommend creating an Azure AD Group to handle this versus the PowerShell method because it’s just too easy to forget about the setting as it’s not something you see via the user interface and it’s obvious this is where Microsoft would like us to go as they are rolling out this update. If you would like to create an Azure AD Group for your tenant’s external users the process is straightforward provided you have Office 365 Global Administration rights.
- Navigate to the Office 365 Admin center and select Azure Active Directory under the Admin centers heading
- Click on Azure Active Directory in the Left Navigation
- Click on Groups under the Manage heading
- Click on New Group and fill in the details
- Group type
- Group name
- Give your group a meaningful name
- Group description
- Give you group a meaningful description
- Membership type
- Dynamic User
- Add dynamic query
- Add users where
- Add users where
- Group type
- Wait about 5 minutes then
- Verify that your group has Members by clicking on the newly created Azure AD Group
- Navigate to a SharePoint site and verify you can add your newly created Azure AD Group to SharePoint
- Anywhere you are currently using one of the 3 groups listed in the update to share content with external users add your newly created Azure AD Group
Provided everything goes to plan you are now setup to manage external users via Azure AD Group membership vs. the Everyone, All Authenticated Users and All Forms Users groups in SharePoint Online. Nothing terribly time consuming but if you’re not paying attention to those weekly updates from Microsoft you could end up scrambling in a few weeks to get this setup😊.