Moving on to the fourth item I outlined in my series on Identity in Office 365, let’s talk about something that Microsoft calls “External Access.” Office 365’s External Access feature lets organizations give users outside the organization access to SharePoint Online site collections without having to provision a User Subscription License (USL, a purchased “seat” that you pay for each month per user) for that external user. Instead, you can provision these external users with one of 50 free Partner Access Licenses (PAL) that Microsoft makes available for a subscription. This is nice for two reasons: 1) because it’s free(!), and 2) because you don’t have to worry about an external user accidentally being provisioned an Exchange Online inbox when all you want them to do is access SharePoint sites.
There are a few different things I want to cover with External Access, so let’s start with this: while External Access is very similar to a type of on-premises SharePoint configuration known as an Extranet, it’s important to understand that it is not intended to serve as a full-fledged Extranet. An Extranet is a private platform designed to allow both internal and external users to collaborate on shared projects, tasks, documents, and information, which does sound quite a bit like External Access in SharePoint Online. External Access is great because it provides a lot of the things that are hard to implement and configure in an on-premises SharePoint Extranet, such as account provisioning and password resets, but Microsoft is smart in not calling it true Extranet-level functionality. (Another reason they do this is that External Access is considered to be a “Feature Preview” right now, which I cover below.)
With Extranets you also have the ability to segment your external collaborators and very tightly control what aspects of your environment they can access, doing things like preventing them from seeing the users from other organizations you’re collaborating with. You can implement technology that may force them to use certain operating systems or antivirus software in order to connect to your sites, or you can configure specific login procedures such as two-factor authentication. With SharePoint Online and External Access, none of those things are possible. Those differences are important to keep in mind when considering External Access: it’s a great option for sure, but you need to remember that you’re not getting a top-to-bottom Extranet solution with it.
Another tricky thing with External Access is the kind of account that an external user needs in order to be able to join a SharePoint Online site as an external user. This is one of those areas where Microsoft has made it a bit confusing because of the distinctions they’ve made around account types, but it’s also been confusing because Microsoft has been changing the parameters pretty frequently. In the Office 365 Beta you could join as an external user if you had one of the following types of accounts:
- A Managed ID (see my post on Account Management for more info)
- A Live ID from Live.com, Hotmail.com, MSN.com, or another Microsoft website where you can create accounts with Live IDs based in the same domain
- An EASI ID (a Live ID you create with your own email address, see my post on EASI IDs for more info)
But when Office 365 hit its production release known as General Availability in the Summer of 2011, you could only grant PALs to other Managed IDs, which was a big drawback given what people had seen in the Beta. Then in the Fall of 2011 Microsoft added support for external users with Live IDs, but not EASI IDs, which was even more confusing (and one of the reasons why I wrote my post on that type of Live ID). Well, as of pretty much today, we’re back to where we started in the Beta and you can now invite external users who have EASI IDs in addition to Managed IDs and Live IDs. This is a big improvement, because it allows your external users to have a familiar, and hopefully consistent, email address that they can use to log in with, reducing confusion and frustration for your users.
Something to keep in mind when planning out how you want to allocate your PALs to external users is that there is a finite amount of them you can use, somewhat… By default each Office 365 subscription comes with the ability to grant up to 50 PALs, which would lead you to believe that’s the maximum you can allocate. But if you read the latest Service Description for SharePoint Online (I recommend that you do that if you want to get an exact picture of how Microsoft defines a given service within SharePoint Online), you’ll find an interesting passage:
“50 PALs are included per tenant. Current “Feature Preview” allows for usage rights of up to 1000 external users without requiring additional PALs. Microsoft reserves the right to charge for additional PALs beyond 50 at the time the next major Office 365 update.”
Pretty encouraging, isn’t it, if you want to have more than 50 users because it’s saying that you can have up to 1,000! But also notice, Microsoft is defining External Access as a “Feature Preview”, which means that they’re still trying to lock in exactly how they want to provide this feature to their users and are essentially turning everyone who takes advantage of it right now into their Beta Testers! And, if you decide to go above that 50 user threshold, there’s a definite chance that they’re going to decide to charge you for those extra users down the road, probably when it exits from the “Feature Preview” stage. Oh, and there’s one other thing, as my friend Dan Usher has found, Office 365 Support doesn’t always know how to increase the number of PALs allocated to your account, so you may have issues trying to add those extra accounts depending on who you talk to in Support.
One final thing, then I’ll wrap this up as it’s gone far longer than I intended it to. As with everything in Office 365, External Access can tend to differ a bit between the Professional and Small Business SKUs (the “P” class) and the Enterprise SKUs (the “E” class), so you need to watch out for that. So far the biggest difference I’ve seen is in how you enable the feature and provision accounts, but there may be other areas to watch out for as well. There are a couple of good walkthroughs online about how to enable External Access, but they all tend to cover how to do it for the E SKUs (Office.com’s Help Site and SharePoint MVP Corey Roth both have good posts on it). This is fine, but it references how you go about accessing Office 365’s version of the SharePoint Central Admin site, which isn’t available for P SKU subscriptions (since they only come with one SharePoint site collection).
In a P SKU subscription for Office 365, External Access is enabled by default, so you can skip over the configuration instructions in those posts and go straight to your SharePoint Team Site. Once in the Team site, click the Site Actions menu and select the Share Site option from the bottom of the menu. From that point on your experience should match what Office.com and Corey instruct you to do, but it can be a bit confusing if you’re trying to get around your Admin site and find the top level sites they talk about since you don’t have them in the P SKUs.
Ok, that’s a wrap. If you’ve got any questions about External Access or want me to cover something in this post a little more closely, just let me know in the comments below. Otherwise, I’m going to work on wrapping up my last post in this series on Identity in Office 365, which will be on Lync Federation. Until then, feel free to try and catch me on Twitter!
One caveat, your PALs don’t get profiles – no MySites for them.
By: grayghost79 on April 24, 2012
at 8:55 AM
Great point Dan, I knew I was forgetting something when I was thinking that through. I would think though that in most external collaboration scenarios there isn’t a compelling reason as to why you’d want them to have a MySite, is there?
By: John Ferringer on April 24, 2012
at 9:28 AM
What about anonymous users – are they possible?
This blog item of course deals with specific users but I was wondering whether I could sign up for SharePoint Online as a (cheap) way to have a web site for anyone to look at.
Mike
By: MikeW on April 25, 2012
at 5:17 AM
That’s a great question Mike. The answer to your question is Yes, but probably not in the way that you mean.
It is not possible to grant anonymous users to a specific SharePoint Online site collection or subsite like you can in SharePoint Foundation or SharePoint Server on premises. Office 365 does differ from BPOS in that it does provide subscribers with a public facing website, but it’s not really SharePoint. It’s a very lightweight site that has some similarities to SharePoint, but it definitely does not offer the full set of features that SharePoint’s Web Content Management functionality offers or even much of SharePoint’s standard design surface. I think it’s descended from the public facing website that was available through the old Office Live service, rather than SharePoint itself.
How those public sites are structured within the environment differs a bit between the P SKUs and E SKUs, a situation I’m planning on covering in a future blog post. I’ll try to get that out sooner rather than later, given this discussion 🙂
By: John Ferringer on April 25, 2012
at 9:01 AM
Thanks, John. That clears that up nicely. It seems odd to offer SharePoint but not offer SharePoint if you see what I mean. “Derived from Office Live” is really odd.
I look forward to your article which I hope – apart from clearing up the difference between P and E SKUs – also goes a bit into the limits of what you can do in a public site.
(Can you for instance put a standard SP List there is a question that I would hope will be included there).
Mike
By: MikeW on April 25, 2012
at 12:43 PM
Thrilled to help Mike! I agree what you mean about not delivering SharePoint’s WCM capabilities with the public site, but I do somewhat see MS’s perspective on it… To the best of my knowledge there’s really not an SLA around that public site, so they don’t want them to turn into something that is going to get crazy high traffic in a shared environment.
The interesting thing is that when it all boils down to it under the covers, it’s running on SharePoint. There are quite a few blogs out there that talk about how you can go in and enable the Publishing Feature for that top level site, apply a Minimal Master Page, and use the WCM functionality in your public O365 site. But, and to me this is a big “but”, it’s not at all supported by Microsoft. So if anything goes wrong, you’re not going to get any help. Or, if they decide to lock that down at some point, you’re going to be out of luck. I suppose that if you do enable all that you may be able to leverage a SharePoint list in your site and display it but I’m not sure, nor have I tried to do that in the stock public site.
Here’s a few different posts that talk about what you can do with the site as well as how you can go about enabling the SharePoint WCM stack if you want it. I’ve moved this topic up to the top of my Blog Post To Do list; my plan is to compare the O365 public site with SharePoint’s customization abilities and explain the differences, rather than just a run down of what you can do with the public site. (And I’ll break that all out from the P to E comparison post, I suspect they may both get lengthy)
By: John Ferringer on April 25, 2012
at 2:53 PM
Hi John,
Do you know of any restrictions in the Product Use Rights for SharePoint Online Partner Access Licenses in regard to the relationship of the external user to the company holding the Office365 plan?
As I learned with SharePoint Server External Site connector, External users per definition of Microsoft must not work as external agents for the company or e.g. be freelancers doing a similar job as the employees.
Thanks for your valuable article!
By: Dan on September 25, 2012
at 4:50 PM
Dan —
I did some checking through the Enterprise SharePoint Online and Identity Service Descriptions for Office 365, and I don’t see anything stated in there that restricts how the external user is associated with the company. I suspect that it’s a different situation than with an on-premise deployment of SharePoint Server 2010 because of differences between how the two products are licensed. It may be worth a call to Office 365 Support or a post on the Office 365 Community forums to confirm, but from what I’m seeing there isn’t that same kind of a restriction in Office 365.
John
By: John Ferringer on September 28, 2012
at 8:35 AM
Can we upload our InfoPath form template content type into an Office 365 SharePoint site?
By: udaya on September 28, 2012
at 5:57 AM
I believe you can. I haven’t tried it myself (I’m not terribly familiar with InfoPath, sorry), but I’m not aware of any specific limitations with its normal functionality in SharePoint Online beyond some of the general sandbox solution constraints. If you can deploy it with a Sandbox Solution, I think it would work but I can’t say that definitively.
John
By: John Ferringer on September 28, 2012
at 8:38 AM
When I test this procedure for my P1 account, the EASI ID users can’t sign in. I’ve even created new gmail-based Live IDs to test it. When I accept the invitation in gmail, it goes to an Office 365 page (http://www.URL.com/TeamSite/_layouts/acceptinvite.aspx?invitation=2e58121bc9134f01ba13f55a13ce12ae) that offers Hotmail or MS Online Services ID check in only. Neither work. I get:
“Microsoft Online Services is unavailable from this site for one of the following reasons:
This site may be experiencing a problem
The site may not be a member of the Windows Live Network”
Please advise.
By: Halligan Projects on April 30, 2012
at 12:32 PM
Hmmm… I just got back from vacation, so I haven’t had a chance to take a look at this but I will try to tackle it next week when I get a chance. Off the top of my head I’m wondering if this is an issue with differences between the P SKUs and the E SKUs, but I’m not sure.
John
By: John Ferringer on May 4, 2012
at 2:28 PM
Thanks. I’m thinking it’s a sessions or cookies issue. I plan to re-test, start over, re-invite, and have external user sign in on a dif computer or re-boot before signing in.
By: Halligan Projects on May 4, 2012
at 2:50 PM
External users was the reason I signed up for Office365, but I was disappointed to learn how it was implemented. As an attorney, my clients are usually only active for several months. The prospect of paying for a user seat to get them into the system without jumping through hoops (Hotmail, LiveID, etc.) countermands my practice of offering lower legal fees to clients (if they are on for 6 months, do I really want to shell out $48 for the User Seat without raising my already low fees?).
However, given the clunkiness of having to use Hotmail or Live ID (try explaining that to clients), I see no other alternative. I get that MS doesn’t want huge traffic to clog the system with free external access. This is a situation I think where O365 users like me would be more than willing to pay a few extra bucks a month to get a set number of PALs, and then pay more if I exceed the limit. I’d even be willing to pay additional for extra bandwidth. Paying $24 for an E3 is great (I do it too primarily for the Office 2010 licenses on up to 5 machines), and I can see paying $30 or $35 for E3 with the PAL usage/bandwidth usage. All of this just so that I can have a simple login screen that the client can enter “Login: client’s own email, Password: whatever they choose”.
This would be so much better than the current system of BRANCH A: go to Hotmail, sign up, or BRANCH B: Associate LiveID with their e-mail. These extra steps, I am afraid, will deter clients, appear clunky, and/or cause me (a solo attorney) to spend precious time on customer support (“How do I log into your site?”) – this despite even posting the most detailed explanation of how to do it under the current system.
Sorry for the rant. Great post!
By: Robert on July 4, 2012
at 11:56 AM
Robert —
I completely understand your frustration, and I think the challenge of explaining a Live ID to external partners is definitely a valid issue. One thing I would encourage you to consider is that, as I understand it at least, it is possible to have many different Office 365 license types active in a single account as long as they all belong to the same plan family (you can’t mix P licenses with E licenses). That means that if you have E3 licenses for you and your staff, you can still purchase cheaper licenses for your partners if you don’t want to go the PAL route with a Live ID, which can come with a much smaller price tag than the full E3 license. If you only want to give them access to SharePoint, you could buy a SharePoint Online (Plan 1) license for $4 a month that provides all the SharePoint functionality available in the E1 license. Or if you want to give them a mailbox as well, you could purchase a Kiosk worker license for $4 a month that also provides access to SharePoint Online sites. I think the big difference is that with the Kiosk SKU you get a 1 GB mailbox accessible via the browser-based Outlook Web App, POP, or ActiveSync (mobile) but you don’t get any additional storage for SharePoint as you would with the standalone SharePoint license.
So that’s a much lower cost option you could consider. I do honestly hope that things like this will get simpler as Microsoft continues to build out Office 365, but at the same time this is a pretty complex situation that can be hard to handle regardless. Live ID does come with challenges in both implementation and education, but right now users have to have an account one way or another, which means they can be confused by an Office 365 account just as easily. And I do agree, training on this stuff is really hard no matter how you slice it.
Finally, please don’t worry about the rant. As a fellow ranter, I say rant away! 😀 This stuff is definitely tough, I know it all too well. I hope that this is somewhat helpful for you, and really do appreciate the interaction and feedback! Keep it coming!
John
By: John Ferringer on July 5, 2012
at 5:10 PM