One challenge to many organizations that are moving to the cloud -- how to put all the pieces together. Recently, I was asked how to automate a process to request and approve external users having access to content inside an Office 365 Group. At first glance, this is not a terribly complicated request. But for an organization that is all-in with the cloud it can be a bit intimidating.
I am documenting an approach to solving this scenario using Microsoft's Cloud services in a series of blog posts. Each post will address part of the scenario from a different perspective and will discuss different technologies. The series will contain the following posts:
- Overview of scenario and technologies (this post)
- Administrator - Configure tenant policies for groups and sharing
- End User - Make requests to add external users and monitor status
- Manager - Review and process requests
- Developer - Fill gaps in process via custom web service
Office 365 Groups and External Users
Adding an external user to a group is quite simple. In the web interface for Groups, when viewing the list of Group member, the context menu has an option to "Invite others." This option will initiate the Invitation flow for adding External Users to the directory and the group.
However, inviting external users to share content is not a simple process in some organizations. Since these users are not employees, their computers and email accounts are not under control of the organization. This means typical corporate solutions such as anti-virus and encryption may not be present. Any content in the group can be copied to a location beyond the control of records management and data loss protection. These issues are big stumbling blocks.
In some cases, these issues can be mitigated by applying policies and procedures to control the sharing process. Approving requests following some known criteria is common:
- Is the external account part of an organization with an existing business relationship?
- Is the account a corporate account, or a consumer email service?
- Can I get the external user to click on a policy acknowledgement page?
Working within these constraints is possible, and some Office 365 configuration will help enforce policy settings. Those configuration settings are discussed in Part 2 of this series.
Data capture and storage via SharePoint lists
Processes in companies across the globe always start with a form. SharePoint supports form capabilities of varying sophistication and provides storage via its lists/content type infrastructure. I will not be discussing custom form approaches as part of this series. Part 3 of the series reviews the list setup to capture the necessary information from the Group members who want to share information.
Process automation with Flow
Putting together a solution to automate this process within the Office 365 Suite means using Flow. Microsoft Flow is the successor to workflow in the SharePoint environment. (SharePoint Workflows are not going away, and they still run. But they are not getting any further investment by Microsoft. Combined with the fact that you cannot load custom actions (activities) in the cloud service, that means SharePoint workflows can only use built-in actions and are thus quite limited.) Flow leverages "connections" to systems to invoke actions provided via those connections. As you might expect, typical actions for Microsoft-provided services (Outlook, Wunderlist, Dynamics, etc.) are already connected. A full list of the services is on the Flow website. The specific actions that drive the external user scenario are discussed in Part 4 of this series.
Azure Active Directory and User accounts
All of the Microsoft services that we are discussing are secured by Azure Active Directory (Azure AD). This directory handles the authentication and authorization tasks involved. As you expect of a directory service, it also maintains the list of users, groups and applications available to the organization and the access control lists for those objects.
The Azure AD B2B offering provides the mechanism for adding external users to a directory. Once the directory has an object representing the external (guest) user, then it can be used for authentication and authorization restrictions on resources in the tenancy. This Invitation process is not provided via built-in connections in Flow. However, Flow allows for Custom APIs and that is covered in Part 5.
Accessing group resources as an External User
At the time of this post, external users cannot access all of the group resources. Undoubtedly, this will change over time. Since it can be difficult to understand what is different without seeing the external point-of-view, and since most Office 365 users have only a single tenant, Part 6 reviews the differences in the experience for external users.
Summary
I enjoyed building the solution described here. It required a lot of new tricks for this old dog. But many of the concepts that applied to SharePoint on-premise still apply. I hope you find the journey worth following.