Presented at O365 Saturday in Perth, Sydney and Brisbane.
An extranet without any overheads? How is that possible? Is it secure?
In this session we shall see how you can leverage SharePoint B2B collaboration to provide extranet capabilities for partners with minimum overheads. We shall look at the security controls available at the various levels, so that the business can do business with its partners effectively and securely. The demo will show a real-world, multi-domain scenario and how B2B capabilities can be leveraged to have an extranet for partners up and running with minimum overheads.
3. Extranet for Partners – Office 365 / SPO
Extranet for Partners – Azure B2B
Security Controls in Office 365 and SharePoint Online
Challenges with Extranet Implementation
Demos
4. Challenges with External Sharing – Implementation
Network
Operational Overheads
Identity Management
Security
Infrastructure
(Diagram: Extranet Farm in Azure (IaaS) – Internet, Partner User, CORP User, Firewall, Extranet Network; Virtual Network(s) containing the Extranet SharePoint 2013 Farm, Active Directory Domain Controller and DNS; Microsoft Azure Data Center (Australia).)
5. Authentication = Identity
Authorization = Access
Federation = Domains that have established a federation trust
Guest = External User Access
B2B = Business to Business
6. Azure B2B – Identity Types
Cloud Identity
Corporate Identity with Azure Active Directory ‘presence’
Corporate Identity with no Azure Active Directory ‘presence’
Microsoft Account
Google Account
10. Configuration / Result / Notes

Configuration: Don’t allow sharing outside your organization
Result: Users will not be able to share sites or content in this site collection with users who do not have licenses to your Office 365 subscription.
Notes: Default. External sharing not enabled.

Configuration: Allow sharing only with the external users that already exist in your organization’s directory
Result: Users will not be able to share sites or content in this site collection with external users who do not already exist in your organization's directory.
Notes: The external user must already be ‘part of the organisation’, i.e. must have accepted an invite and completed the sign-in.

Configuration: Allow external users who accept sharing invitations and sign in as authenticated users
Result: Site owners or others with full control permissions on a site can share documents with external users by requiring sign-in. All external users will be required to sign in before they can view content. Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
Notes: The user must accept the invite and sign in. Once the sign-in process is completed, the user is added to the organisation’s Azure AD.

Configuration: Allow sharing to authenticated external users and using anonymous access. Optionally, you can set links to expire in a specific number of days.
Result: Site owners or others with full control permissions can also share documents externally, opting either to require sign-in or to send an anonymous guest link for documents. When users share a document, they can grant external users either view or edit permissions to the document. External users who receive anonymous guest links can view or edit that content without signing in. Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.
Notes: Not recommended.
11. Configuration / Result / Notes

Configuration: Don’t allow sharing outside your organization
Result: Users will not be able to share sites or content in this site collection with users who do not have licenses to your Office 365 subscription.
Notes: Default. External sharing not enabled.

Configuration: Allow sharing only with the external users that already exist in your organization’s directory
Result: Users will not be able to share sites or content in this site collection with external users who do not already exist in your organization's directory.
Notes: The external user must already be ‘part of the organisation’, i.e. must have accepted an invite and completed the sign-in.

Configuration: Allow external users who accept sharing invitations and sign in as authenticated users
Result: Site owners or others with full control permissions on a site can share documents with external users by requiring sign-in. All external users will be required to sign in before they can view content. Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
Notes: The user must accept the invite and sign in. Once the sign-in process is completed, the user is added to the organisation’s Azure AD.

Configuration: Allow both external users who accept sharing invitations and guest links
Result: Site owners or others with full control permissions can share sites with external users. All external users will be required to sign in before they can view content on a site that has been shared. Site owners or others with full control permissions can also share documents externally, opting either to require sign-in or to send an anonymous guest link for documents. External users who receive anonymous guest links can view or edit that content without signing in. Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in. When users share a document, they can grant external users either view or edit permissions to the document.
Notes: Not recommended.
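The four sharing options in the tables above are exposed in the SharePoint Online Management Shell as the SharingCapability values on Set-SPOTenant (the tenant-wide ceiling) and Set-SPOSite (per site collection). The following script is an added example, not code from the deck; the tenant name "contoso" and the site collection URL "https://contoso.sharepoint.com/sites/partners" are hypothetical placeholders. It sets authenticated-only sharing, shows how an anonymous-link expiry would be enforced if that option were ever enabled, and then checks for site collections whose stored setting is more permissive than the tenant setting and lists the external users on the partner site.

```powershell
# Added example (not from the deck). Assumes a hypothetical tenant "contoso" and a
# partner site collection at https://contoso.sharepoint.com/sites/partners.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

$partnerSite = "https://contoso.sharepoint.com/sites/partners"

# SharingCapability values, in increasing order of exposure, and the admin-center
# options they correspond to:
#   Disabled                        -> Don't allow sharing outside your organization
#   ExistingExternalUserSharingOnly -> Allow sharing only with external users already in the directory
#   ExternalUserSharingOnly         -> Allow external users who accept invitations and sign in
#   ExternalUserAndGuestSharing     -> Authenticated external users plus anonymous access links
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

# Tenant-wide ceiling: invited, signed-in guests only; no anonymous links anywhere.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# If the business insists on anonymous links, at least make them expire (days).
# Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing -RequireAnonymousLinksExpireInDays 7

# The partner extranet site collection gets authenticated external sharing.
# A site collection cannot be set more permissive than the tenant; Set-SPOSite refuses that.
Set-SPOSite -Identity $partnerSite -SharingCapability ExternalUserSharingOnly

# Check 1: site collections whose stored level exceeds the tenant level. This can happen when
# the tenant setting was lowered after the site was configured; the site is clamped to the
# tenant level in practice, but the stored value still deserves a review.
$tenantLevel = [string](Get-SPOTenant).SharingCapability
Get-SPOSite -Limit All |
    Where-Object { $rank[[string]$_.SharingCapability] -gt $rank[$tenantLevel] } |
    Select-Object Url, SharingCapability

# Check 2: who the external users on the partner site actually are, and who invited them.
# AcceptedAs differing from InvitedAs means the invite was redeemed with another account.
Get-SPOExternalUser -SiteUrl $partnerSite -PageSize 50 |
    Select-Object DisplayName, InvitedAs, AcceptedAs, InvitedBy, WhenCreated
```

Run this with SharePoint Online administrator rights. Stale or unexpected entries from the last query can be removed with Remove-SPOExternalUser, which takes the UniqueId of the external user objects returned by Get-SPOExternalUser.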
13. External users can use Office Web Apps to view and edit
External users can use Office Web Apps to edit if they have permissions
External users can use the Office client to edit – login required to edit
External users inherit the use rights of the user who invites them.
An external user can perform tasks on a site consistent with the permission level that they are assigned.
External users will be able to see other types of content on sites.
14. External users cannot create their own personal sites (My Sites). This means that they do not have their own OneDrive for Business.
External users cannot use Delve. They also cannot edit their own profile, change their photo, or see aggregated tasks.
External users do not add quota to the overall tenant storage pool (this is determined by licensed users only).
External users cannot be an administrator for a site collection.
By default, external users cannot access the Search Center and will not be able to execute searches against “everything” (cross-site-collection search).
As external users cannot be licensed as enterprise users, they will not have access to any of the licensed components such as Exchange Online, Skype for Business, etc.
Azure AD B2B allows partner-managed identities to access your corporate applications, such as SharePoint Online, without your organisation having to manage the identity itself.
Azure AD provides a single point for federation, where each user has a single Azure AD account.
Azure AD also allows non-federated business partners to sign up for Azure AD accounts.
Add an AAD user, an MSA user and a Gmail user as a B2B guest
End user experience redeeming the invitation
Viral Tenancy
Add a non-consumer domain user, not yet in AAD, as a B2B guest
End user experience redeeming the invitation and creating a viral tenancy
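The demo steps above (inviting an AAD user, a Microsoft account, a Gmail user and a user from a work domain with no Azure AD presence, then watching them redeem the invitation) can be scripted with the Microsoft Graph PowerShell module. The script below is an added example, not code from the deck or from Microsoft; every address, display name and the redirect URL are hypothetical placeholders, and the last query is the check an administrator would run afterwards to see which guests have actually redeemed and which invitations are still pending.

```powershell
# Added example (not from the deck). All addresses, names and the redirect URL are
# hypothetical. Requires the Microsoft.Graph PowerShell module.
Connect-MgGraph -Scopes "User.Invite.All", "User.Read.All"

# Where the guest lands after redemption: the partner site collection.
$redirect = "https://contoso.sharepoint.com/sites/partners"

# One guest per identity type from the deck's demo list.
$guests = @(
    @{ Mail = "alice@partner.example"; Name = "Alice (partner Azure AD user)" },
    @{ Mail = "bob@outlook.com";       Name = "Bob (Microsoft account)" },
    @{ Mail = "carol@gmail.com";       Name = "Carol (Google account)" },
    @{ Mail = "dave@noaad.example";    Name = "Dave (work domain with no Azure AD presence)" }
)

foreach ($g in $guests) {
    $inv = New-MgInvitation -InvitedUserEmailAddress $g.Mail `
                            -InvitedUserDisplayName  $g.Name `
                            -InviteRedirectUrl       $redirect `
                            -SendInvitationMessage
    # The guest object (UserType = Guest) exists in the directory immediately;
    # Status stays PendingAcceptance until the invitee redeems the link and signs in.
    "{0,-26} {1,-18} {2}" -f $g.Mail, $inv.Status, $inv.InvitedUser.Id
}

# Afterwards: redemption state of every guest. ExternalUserState is not returned
# unless explicitly selected, hence -Property.
$allGuests = Get-MgUser -Filter "userType eq 'Guest'" -All `
                        -Property DisplayName, Mail, UserPrincipalName, CreatedDateTime,
                                  ExternalUserState, ExternalUserStateChangeDateTime

$allGuests | Select-Object DisplayName, Mail, ExternalUserState, ExternalUserStateChangeDateTime

# Hygiene check: invitations that were never redeemed within 30 days. Unredeemed invites
# are standing access grants waiting for whoever ends up holding the link, so review them
# and remove the guest object (Remove-MgUser -UserId <id>) when the partner no longer needs it.
$allGuests |
    Where-Object { $_.ExternalUserState -eq 'PendingAcceptance' -and
                   $_.CreatedDateTime -lt (Get-Date).AddDays(-30) } |
    Select-Object DisplayName, Mail, CreatedDateTime
```

The fourth guest is the viral-tenancy case from the demo: an address in a work domain that has no Azure AD tenant yet. Redeeming that invitation is what creates the unmanaged tenant for that domain, which is why such guests should be inventoried and reviewed like any other external identity rather than treated as part of the partner's managed directory.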