Confused with SharePoint Sharing Permissions

Posted by denismcapple@reddit | sysadmin | View on Reddit | 3 comments

Hi, I wonder if anyone has seen this, or can explain what has happened in this scenario. We got a ticket to investigate someone losing of access to subfolder shared from a SharePoint site. This user is external, and has a Gmail account. The site itself is a "Classic" SharePoint Library (i.e. not a M365 Group) - In that site, there is a folder (lets call it "Folder A" Someone, Shared "Folder A", with an external Gmail Address, but I cannot find a Guest Account in Azure AD by this address. I cannot find any mention of the Gmail Address in the Azure AD Sign in Logs. Initially, I thought they were making this up, and that the Gmail Account in question never had access at all - but, after digging a bit deeper, I noticed this by clicking the "..." and choosing Share, then choosing "People with existing access" and lo and behold, the Gmail account was there. But, there is no Azure AD Guest Account. wtf? Is this some sort of wierdness to do with Classic SharePoint sites? In that it doesnt use Azure AD at all and has its own set of identities? Someone please unscramble my brain as its hurting quite alot right now. Thanks in advance for anyone who can advise.

[-]

ventcore@reddit

Likely not relevant, but worth noting, you can also have a modern site that's not connected to an M365 group, modern vs. classic is more about what template it was created with. For ad hoc external sharing (they get a numeric OTP instead of logging in), a guest user account isn't created in Azure AD (I think.) This isn't well documented that I can tell but [this thread](https://techcommunity.microsoft.com/t5/sharepoint/sharepoint-guests-vs-azure-ad-guests/m-p/338247) has some details (even if they have to drag it out of the MS person...) If I had to guess (without doing my own testing or being able to poke around directly), someone went into the SPO admin center -> Policies -> Sharing and pushed the sliders down to either "New and existing guests" or "Existing guests", preventing ad hoc sharing/forcing a guest user to either be provisioned automatically or by IT, but not removing the existing link. More probably not relevant "fun": individual SPO sites can be configured in the admin center with their own sharing settings, and Azure AD external collab settings will apply as well (i.e. domain allow list), and Teams has its own external sharing settings/policies.

[-]

denismcapple@reddit (OP)

Thanks for this, that link is very helpful, although it's not very clear even from reading that article. It sounds to me that if the user (email address) being invited is a within the Microsoft 365 Ecosystem (albeit on another Tenant) that it issues an invitation for a guest account - and maybe if the user being invited is not - then no guest account? And perhaps the above only applies to Classic SharePoint Libraries, and not the more modern Microsoft 365 group style of Site? Does that sound about right or am I picking this up wrong?

[-]

ventcore@reddit

As far as I know, modern vs. classic isn't relevant except in terms of what the default sharing settings are. I also don't think that whether they're on an M365 tenant matters (unless you get into federation/b2b stuff, which is a whole different thing) - when it says they're verifying access by signing in to M365, they're signing in with their guest account password on your tenant, not their own. That could be a gmail account or whatever. The key distinction is whether they're signing in with a regular password they know, or signing in with a numeric OTP emailed to them. Now what exactly determines that sounds like some mystical combo of your sharing settings and what is being shared - you can share files/folders with ad hoc access but not entire sites, for example. If you don't already have one, highly recommend signing up for an M365 developer tenant so you can fiddle with settings and try things out without impacting your prod tenant.

Confused with SharePoint Sharing Permissions

Reply to Post

3 Comments

ventcore@reddit

denismcapple@reddit (OP)

ventcore@reddit