File Collaboration

By Ronnie Quan

Overview

We will use SharePoint Online to share files with external users, focusing on the verification code (SharePoint one-time passcode), the Microsoft identity platform (Azure AD), Azure AD B2B integration and MFA to secure access.

On Boarding Office 365

We need a development environment, so let's sign up for an Office 365 developer sandbox subscription at https://developer.microsoft.com/microsoft-365/dev-program. If you already have a GitHub account, you may use federation to sign up.

Once you have signed up, you can look up your profile at https://developer.microsoft.com/en-us/microsoft-365/profile. You get a domain and an admin user.

To log on to the subscription, open https://www.office.com/login and sign in with your admin user (<admin>@<value>.onmicrosoft.com).

This is the page you see after you log on to the Office 365 subscription. Click Admin to go to the admin center.

This is the admin page; to go to the SharePoint admin center, select SharePoint.

A couple of sample sites were already created as part of onboarding.

Let's take a look at one site, upload a file and share it with one member of the organization, "Adele Vance".

Using another browser, log on to the SharePoint site https://<value>.sharepoint.com/sites/U.S.Sales/SitePages/Home.aspx with the "Adele Vance" account. From the main page, select Conversations and check the Outlook inbox: there is an email showing that a document has been shared.

You may click Open to open the shared document directly; if you want to download it instead, select the document in SharePoint Online.

We are done with the Office 365 onboarding; the next step is to explore sharing with external users and automation.

Create Site

From the https://<value>.sharepoint.com/ site, click "Create site", then select the "Team site" template.

You may customize the page look, for example by changing the site logo and thumbnail.

To create your own page, select “Add a page” from Settings.

Here is my new page.

External Sharing Security Configuration

AAD Most Restrictive Settings

Log on to Azure AD through the Azure portal https://portal.azure.com using the admin account <admin>@<value>.onmicrosoft.com; in the Azure AD blade, select "External Identities" -> "External collaboration settings".

Sharepoint Organization Level Settings

Log in to the SharePoint Online admin center https://<value>-admin.sharepoint.com/ and configure external sharing.

Site-Level Sharing Settings

From the SharePoint admin center https://<value>-admin.sharepoint.com/, configure the site-level sharing settings.

Share a File Using Verification Code

Share a file with an external user by sending a link to the user's email; this user has no entry in my organization's Azure AD.

When this user tries to log on to my SharePoint site directly, they are not able to get through.

Now let’s share a file by sending a link.

From a different browser or a private browsing window, log on to this user's email and click the link; the system prompts "Request verification code", so click the "Send Code" button.

Check the email inbox again: there is a new email from SharePoint Online with a verification code. Copy the code from the email, enter it and click "Verify".

Now you may download the file that was shared with you.

Enable SharePoint Online Integration With AAD B2B

Configure the email one-time passcode for guest users in the Azure AD tenant (https://portal.azure.com, Azure AD blade). This is a prerequisite for enabling SharePoint Online integration with Azure AD B2B, since the feature admits guests who do not have a work/school account or a Microsoft account.

Open PowerShell ISE in your Windows environment, install the module and enable the integration.

# Install the SharePoint Online management module for the current user and confirm the installed version
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version

# Connect to the tenant admin site; the environment variable o365value is assumed to hold your tenant name (<value>)
Connect-SPOService -Url "https://${env:o365value}-admin.sharepoint.com"

# Let SharePoint Online create Azure AD B2B guest accounts for external recipients of share links
Set-SPOTenant -EnableAzureADB2BIntegration $true
# Apply the Azure AD B2B management policy (domain allow/block list) to SharePoint sharing as well
Set-SPOTenant -SyncAadB2BManagementPolicy $true

Validate SharePoint and AAD B2B Integration

Initiate Share from SharePoint

Let's share a file with the Microsoft account <myemail>@hotmail.com.

  • Log on to the SharePoint site https://<value>.sharepoint.com/sites/FileCollaboration/Shared%20Documents/Forms/AllItems.aspx using the admin account
  • Select a file and share it
Note: if you get blocked, make sure the hotmail.com domain is allowed.
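The site-level sharing settings and the domain allow list from the sections above can also be audited and set from PowerShell. This is an added example, not code from the original post; it assumes you are already connected with Connect-SPOService, that the environment variable o365value holds your tenant name (<value>), and that the site URL and partner domain are placeholders for your own.

```powershell
# Added example: audit and harden SharePoint Online external sharing.
# Assumptions: $env:o365value = tenant name (<value>); site URL and
# allowed partner domain (hotmail.com) are placeholders for your own.
$tenant  = $env:o365value
$siteUrl = "https://$tenant.sharepoint.com/sites/FileCollaboration"
$allowedDomains = "hotmail.com"

Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"

# 1. Report the tenant-level settings that decide who can receive a share link.
$t = Get-SPOTenant
$t | Select-Object SharingCapability,
                   SharingDomainRestrictionMode,
                   SharingAllowedDomainList,
                   RequireAcceptingAccountMatchInvitedAccount,
                   EnableAzureADB2BIntegration,
                   EmailAttestationRequired,
                   EmailAttestationReAuthDays | Format-List

# 2. Only allow invitations to the partner domains you expect. This is the
#    setting behind the "if you get blocked, allow hotmail.com" note.
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
              -SharingAllowedDomainList $allowedDomains

# 3. The invited address must be the one that signs in, and guests who use a
#    verification code must re-verify after the given number of days.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true `
              -EmailAttestationRequired $true `
              -EmailAttestationReAuthDays 15

# 4. Site level: allow sharing with authenticated external users only, never
#    with "Anyone" (anonymous) links, even if the tenant is more permissive.
Set-SPOSite -Identity $siteUrl -SharingCapability ExternalUserSharingOnly

# 5. Verify the effective site setting: a site can be stricter than the
#    tenant but never more open, so check both after the change.
Get-SPOSite -Identity $siteUrl | Select-Object Url, SharingCapability
```

Run step 1 again after the changes to confirm the tenant values took effect.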

Respond to the Share

Log on to the mailbox <myemail>@hotmail.com; you will see an invitation email, so click Open.

This time, you are prompted to log on or authenticate through your Microsoft account.

This is because the Azure AD B2B integration created a guest account, so access to the shared file goes through your Microsoft account authentication.

Once you click Next, you are redirected to the consent page; click "Accept".

Now you are able to download the file that was shared with you.

Enable Guest User MFA

To further secure file sharing, let's mandate MFA. You must disable security defaults before creating an Azure AD Conditional Access policy.

You may select specific guest users and specific cloud apps to enable MFA for.
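The same Conditional Access policy (guests only, SharePoint Online only, grant requires MFA) can be created with the Microsoft Graph PowerShell SDK. This is an added example, not code from the original post; it assumes security defaults are already disabled as described above, that the Microsoft.Graph module is installed, and that the policy is created in report-only mode first so the sign-in log can be checked before it is enforced.

```powershell
# Added example: create the guest-MFA Conditional Access policy via Graph.
# Assumptions: security defaults disabled; Microsoft.Graph module installed;
# the policy starts in report-only mode and is switched to "enabled" later.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess"

# Well-known application ID of Office 365 SharePoint Online.
$sharePointAppId = "00000003-0000-0ff1-ce00-000000000000"

$policy = @{
    displayName = "Require MFA for guests accessing SharePoint Online"
    # Report-only: the sign-in log shows what would happen without blocking
    # anyone. Set to "enabled" once the guest flow in this post works.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            # Scope to guests and external users only, not tenant members.
            includeUsers = @("GuestsOrExternalUsers")
        }
        applications = @{
            includeApplications = @($sharePointAppId)
        }
        clientAppTypes = @("all")
    }
    grantControls = @{
        operator        = "OR"
        builtInControls = @("mfa")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Re-read the policy from the tenant to confirm the scope really is
# guests + SharePoint Online only before enforcing it.
Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id |
    Select-Object -ExpandProperty Conditions |
    Select-Object -ExpandProperty Users
```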

Now let's validate MFA by sharing another file with the guest user; meanwhile, log off your hotmail.com account and log back in.

This time, when you open the shared link from your email, you are required to set up MFA.

You may install and use the Microsoft Authenticator app on your smartphone, or choose a different method.

In this example screenshot, you choose the phone method and complete the MFA configuration: you receive an SMS code, enter it, and are successfully authenticated.

You may download the file now.

Conclusion

Without writing any code, we are able to securely share files with external users using the Microsoft Office 365 SaaS offering and Azure AD B2B.

In the next blog, we will explore writing code to share files with external users.
