Recently, I was asked how to automate a process for requesting and approving access by external users to content inside an Office 365 Group. I am documenting an approach to solving this scenario using Microsoft's Cloud services in a series of blog posts. Each post addresses part of the scenario from a different perspective and discusses different technologies. The series contains the following posts:
- Overview of scenario and technologies
- Administrator - Configure tenant policies for groups and sharing
- End User - Make requests to add external users and monitor status (this post)
- Manager - Review and process requests
- Developer - Fill gaps in process via custom web service
- External User - Accept Invite and access resources
Inviting External Users
In the default configuration of Office 365, inviting an external user is the same process as inviting an internal user. A group owner provides an email address and the service does the rest. However, our scenario, as described in part 2, requires approval of invitations for external users.
Approval of items in SharePoint is a well-understood task. SharePoint Online still has the built-in approval fields on lists as well as the legacy SharePoint 2010 approval workflow. But we are going to take a more modern approach using Flow. More about that later. First, we need a list to manage the process.
Managing Requests in SharePoint
Using a SharePoint list to manage and approve requests is not a new idea. There are as many different solutions as there are SharePoint power users! For our scenario, we are going to keep it simple. We will use a SharePoint list and the out-of-the-box forms. (For a customized form, Microsoft provides the PowerApps solution. Or, leverage the free Stratus Forms solution from my buddy Mark Rackley!)
A custom list in a site that is accessible to all group owners is required. If your organization follows Microsoft's thinking with regard to groups, the list of group owners will include all users in the organization.
This list requires two columns: the email address of the invited external user, and a status column that provides feedback on the request. It would seem that the requester should also provide the group the external user should be able to access. But the services do not work that way. Remember, we configured our SharePoint Online service (and thus the group files) to allow sharing only with users already in the organization's directory. Even if the same user (email address) is invited to multiple groups, it is still only one user, and one entry in the directory. The decision to add a member to a group remains the responsibility of the group owner. So our process will not modify group memberships.
Once the list is created, a Flow can be attached. (For information about Flow limits and pricing, refer to the official Microsoft documentation.) We are going to create a flow that emails the requester's manager to approve the external user. Upon approval, the external user will be invited to the organization as a guest. The invitation process will handle the policy page. As each step of the process happens, the request list will be updated with a status message.
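As an added example (not the author's script), the request list described above can be provisioned with PnP PowerShell instead of clicking through the UI. The site URL, list name, column names and status values are assumptions; only the two columns the post calls for are created.

```powershell
# Added example: provision the external-user request list with PnP PowerShell.
# Assumes the PnP.PowerShell module is installed and the caller can create lists
# in a site that all group owners can reach. URL and names are placeholders.
$SiteUrl  = "https://contoso.sharepoint.com/sites/GroupOwners"   # placeholder
$ListName = "External User Requests"

Connect-PnPOnline -Url $SiteUrl -Interactive

# Plain custom list so the out-of-the-box forms can be used as-is.
New-PnPList -Title $ListName -Template GenericList -OnQuickLaunch | Out-Null

# Column 1: the external user's email address. Required, because the flow
# has nothing to act on without it.
Add-PnPField -List $ListName -DisplayName "Invitee Email" -InternalName "InviteeEmail" `
    -Type Text -Required -AddToDefaultView | Out-Null

# Column validation: reject obviously malformed addresses at submission time,
# before a manager is ever asked to approve the request.
Set-PnPField -List $ListName -Identity "InviteeEmail" -Values @{
    ValidationFormula = '=ISNUMBER(FIND("@",[Invitee Email]))'
    ValidationMessage = "Enter the external user's email address."
}

# Column 2: status written back by the flow as each step completes.
# The choice values are assumed; they only need to match what the flow writes.
Add-PnPField -List $ListName -DisplayName "Status" -InternalName "RequestStatus" `
    -Type Choice -Choices "Pending","Awaiting Manager Approval","Approved","Rejected","Invited" `
    -AddToDefaultView | Out-Null

# Every new request starts out as Pending until the flow picks it up.
Set-PnPField -List $ListName -Identity "RequestStatus" -Values @{ DefaultValue = "Pending" }
```

The Status column is meant to be set by the flow's connection, not by the requester, so keep the list in a site where requesters have contribute rights but cannot edit other users' items.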
The approval flow is not very complicated. It has pieces from several Flow templates:
- SharePoint Item Approval with a more information option
- Flag all emails from your manager (Shows the Get manager action)
The flow is not 100% complete, but it contains all the steps that use out-of-the-box services, triggers and actions. The missing piece is the integration with Azure Active Directory B2B, which is covered in part 5. Figure 2 shows our approval flow.
We are halfway to our solution! Our organization is protected against unauthorized external access, and we have a SharePoint list for requesting and tracking authorized external users. So far, we have not been too technical, but that will change. We will dig further into the specifics of Flow in our discussion of the manager's approval of requests.