Allowing access to your SharePoint – how should it be done?
There are a variety of reasons you might need to extend access to your SharePoint. What’s important is ensuring that you extend the right access, meaning your SharePoint guest access is configured so that external users can only view (and in some cases edit) certain data. You’ll need to consider things like lists, folder structure, permissions and the security of your data, including measures such as multifactor authentication and disabling accounts after a period of time.
You’ll require support from The HBP Group as your IT partner, unless you access and make changes to your own tenancy and SharePoint security settings yourself.
The steps for granting external access to your company’s SharePoint
First, you’ll submit a form request to The HBP Group, with details of the external user. We can then grant them access to your tenancy using any email address; it doesn’t need to be a Microsoft or business email. We can then action the invitation, which they will receive.
Accepting the invitation
The external user will receive their invitation and can begin the sign in process.
The external user shouldn’t be able to gain access to your SharePoint unless they a) meet specific requirements and b) agree to any of your system policies.
We advise that specific requirements for guest users, which should be set as a minimum, include:
- An anti-virus system must be in place on the external user’s device, which limits the likelihood of a malicious attack
- BitLocker, Microsoft’s encryption service to protect data, must be enabled on the external user’s device
- A firewall must be in place, which helps defend your SharePoint from cyber criminals
- The latest Windows updates must be applied on the external user’s device, so that any outstanding bug fixes or other security updates are in place
Multifactor authentication is just as important for your external users as it is for your internal users, and it works in exactly the same way. Your external user will be requested to sign in using multifactor authentication, which they can set up and use from their mobile devices.
Whilst there are dedicated rules for external users, their experience is the same as an internal user’s and they’ll receive the same prompts each time they sign in. Multifactor authentication greatly reduces the chances of an account being compromised. Since guests may be using personal email accounts that don’t adhere to any governance policies or best practices, it’s especially important to require multifactor authentication for guests. If a guest’s username and password are stolen, requiring a second factor of authentication greatly reduces the chances of unknown parties gaining access to your sites and files.
Once you’ve determined how to keep your SharePoint safe from an account perspective, with measures such as policies and multifactor authentication, the most important thing to think about next is your data. It’s unlikely you’re going to want to allow access to all of your business’ data, which is where SharePoint Lists and folder structure come in very handy. They allow you to create structures and document libraries that allow access to information, whilst ensuring the rest of your system and data stays locked down.
How do document libraries work?
Your document libraries work largely the same as most file or folder structures; you create a hierarchy of data that makes the most sense, for example splitting folders out by team, then having working documents (for WIP files) and resources (for final documents) within each. These folders can then have permissions applied for each user: write, read or no access.
To make things simple, our best practice advice is to apply the right security settings to one document library, which has all of the data and information that your guest user needs. The alternative would be to apply security settings to specific files, in specific folders – which can get messy when you consider that you’ll likely have folders for various teams, with further folders within.
By creating a specific document library (where relevant and applicable) that hosts the data which needs to be accessible, one for payroll, another for sales and so on, it is much simpler to manage and is a far more effective way to apply the correct security settings.
It’s unlikely that your guest user is going to need an unlimited timeframe to access the data they require on your SharePoint. To simplify the management of access, or revoking it when it is no longer needed, we recommend applying expiry notices to your SharePoint guest access settings. Our recommendation is to set an expiry notice on the access to the document library which was created, using a range of 90-120 days.
We also recommend setting up quarterly guest access reviews to periodically validate whether guests continue to need permissions to teams and sites.
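To show what a quarterly guest access review can check in practice, here is an added example (not code from The HBP Group or Microsoft) that applies the expiry window, multifactor authentication requirement and review interval described above to a list of guests. The CSV columns, the sample rows and the "inactive" rule are assumptions made for this illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; the column names are assumptions for this
# example, not a Microsoft or SharePoint report format.
SAMPLE = """email,library,granted,last_sign_in,mfa_registered
accountant@example.com,Payroll,2024-01-10,2024-05-02,yes
agency@example.org,Sales,2024-03-20,,no
auditor@example.net,Payroll,2024-04-15,2024-05-20,yes
"""


def review_guests(csv_text, today, expiry_days=90, review_days=90):
    """Return {guest email: [issues]} for guests that need attention.

    expiry_days: access lifetime (the article recommends 90-120 days).
    review_days: quarterly review interval; a guest with no sign-in
                 inside it probably no longer needs access (assumption).
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        granted = date.fromisoformat(row["granted"])
        if today - granted > timedelta(days=expiry_days):
            issues.append("expired")
        last = row["last_sign_in"].strip()
        if not last:
            issues.append("never-signed-in")  # no sign-in recorded at all
        elif today - date.fromisoformat(last) > timedelta(days=review_days):
            issues.append("inactive")
        if row["mfa_registered"].strip().lower() != "yes":
            issues.append("no-mfa")
        if issues:
            findings[row["email"]] = issues
    return findings


if __name__ == "__main__":
    for guest, issues in review_guests(SAMPLE, date(2024, 6, 1)).items():
        print(guest, ", ".join(issues))
```

Guests that appear in the result are the ones to revoke, renew or follow up on during the review; guests with no findings keep their access until the next quarter.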