Moving on to the fourth item I outlined in my series on Identity in Office 365, let’s talk about something that Microsoft calls “External Access.” Office 365′s External Access feature provides organizations with the ability to allow users external to the organization access to your SharePoint Online site collections without having to provision a User Subscription License (USL, a purchased “seat” that you pay for each month per user) for that external user. Instead, you can provision these external users with one of 50 free Partner Access Licenses (PAL) that Microsoft makes available for a subscription. This is nice for two reasons: 1) because its free(!), and 2) because you don’t have to worry about an external user accidentally being provisioned an Exchange Online inbox when all you want them to do is access SharePoint sites.
There’s a few different things I want to cover with External Access, so let’s start with this: while External Access is very similar to a type of on-premise SharePoint configuration known as an Extranet, it’s important to understand that it is not intended to serve as a full-fledged Extranet. An Extranet is a private platform designed to allow both internal and external users collaborate on shared projects, tasks, documents, and information, which does sound quite a bit like External Access in SharePoint Online. External Access is great because it provides a lot of the things that are hard to implement and configure in an on-premises SharePoint Extranet such as account provisioning and password resets, but Microsoft is smart in not calling it true Extranet-level functionality. (Another reason they do this is that External Access is considered to be a “Feature Preview” right now, which I cover below)
With Extranets you also have the ability to segment your external collaborators out and very tightly control what aspects of your environment they can access; doing things like preventing them from seeing what other users from other organizations you’re collaborating with. You can implement technology that may force them to use certain operating systems or antivirus software in order to connect to your sites, or you can configure specific log in procedures such as two-factor authentication. With SharePoint Online and External Access, none of those things are possible. Those differences are important to keep in mind when considering External Access, it’s a great option for sure but you need to remember that you’re not getting a top to bottom Extranet solution with it.
Another tricky thing with External Access is the kind of account that an external user needs in order to be able to join a SharePoint Online site as an external user. This is one of those areas where Microsoft has made it a bit confusing because of the distinctions they’ve made around account types, but it’s also been confusing because Microsoft has been changing the parameters pretty frequently. In the Office 365 Beta you could join as an external user if you had one of the following types of accounts:
- A Managed ID (see my post on Account Management for more info)
- A Live ID from Live.com, Hotmail.com, MSN.com, or another Microsoft website where you can create accounts with Live IDs based in the same domain
- An EASI ID (a Live ID you create with your own email address, see my post on EASI IDs for more info)
But when Office 365 hit its production release known as General Availability in the Summer of 2011, you could only grant PALs to other Managed IDs, which was a big drawback given what people had seen in the Beta. Then in the Fall of 2011 Microsoft added support for external users with Live IDs, but not EASI IDs, which was even more confusing (and one of the reasons why I wrote my post on that type of Live ID). Well, as of pretty much today, we’re back to where we started in the Beta and you can now invite external users who have EASI IDs in addition to Managed IDs and Live IDs. This is a big improvement, because it allows your external users to have a familiar, and hopefully consistent, email address that they can use to log in with, reducing confusing and frustration for your users.
Something to keep in mind when planning out how you want to allocate your PALs to external users is that there is a finite amount of them you can use, somewhat… By default each Office 365 subscription comes with the ability to grant up to 50 PALs, which would lead you to believe that’s the maximum you can allocate. But if you read the latest Service Description for SharePoint Online (I recommend that you do that if you want to get an exact picture of how Microsoft defines a given service within SharePoint Online), you’ll find an interesting passage:
“50 PALs are included per tenant. Current “Feature Preview” allows for usage rights of up to 1000 external users without requiring additional PALs. Microsoft reserves the right to charge for additional PALs beyond 50 at the time the next major Office 365 update.”
Pretty encouraging, isn’t it, if you want to have more than 50 users because it’s saying that you can have up to 1,000! But also notice, Microsoft is defining External Access as a “Feature Preview”, which means that they’re still trying to lock in exactly how they want to provide this feature to their users and are essentially turning everyone who takes advantage of it right now into their Beta Testers! And, if you decide to go above that 50 user threshold, there’s a definite chance that they’re going to decide to charge you for those extra users down the road, probably when it exits from the “Feature Preview” stage. Oh, and there’s one other thing, as my friend Dan Usher has found, Office 365 Support doesn’t always know how to increase the number of PALs allocated to your account, so you may have issues trying to add those extra accounts depending on who you talk to in Support.
One final thing, then I’ll wrap this up as its gone far longer than I intended it to. As with everything in Office 365, External Access can tend to differ a bit between the Professional and Small Business SKUs (the “P” class) and the Enterprise SKUs (the “E” class), so you need to watch out for that. So far the biggest difference I’ve seen is in how you enable the feature and provision accounts but there may be other areas to watch out for as well. There are a couple of good walkthroughs online about how to enable External Access, but they all tend to cover how to do it for the E SKUs (Office.com’s Help Site and SharePoint MVP Corey Roth both have good posts on it). This is fine, but it references how you go about accessing Office 365′s version of the SharePoint Central Admin site, which isn’t available for P SKU subscriptions (since they only come with one SharePoint site collection).
In a P SKU subscription for Office 365, External Access is enabled by default, so you can skip over the configuration instructions in those posts and go straight to your SharePoint Team Site. Once in the Team site, click the Site Actions menu and select the Share Site option from the bottom of the menu. From that point on your experience should match what Office.com and Corey instruct you to do, but it can be a bit confusing if you’re trying to get around your Admin site and find the top level sites they talk about since you don’t have them in the P SKUs.
Ok, that’s a wrap. If you’ve got any questions about External Access or want me to cover something in this post a little more closely, just let me know in the comments below. Otherwise, I’m going to work on wrapping up my last post in this series on Identity in Office 365, which will be on Lync Federation. Until then, feel free to try and catch me on Twitter!