Learn how to keep your Office 365 data secure with our webinar “Protecting Sensitive Data in Office 365 at the Team and Data Levels” today!
With so many companies migrating their legacy collaboration platforms to Office 365, preserving important characteristics such as metadata, version history, and permissions is a fundamental requirement for every project….Or is it? In this blog post we’ll dissect the nuances of external sharing, including how to navigate some of the trickier parts of the process during a typical migration project.
First, it’s important to define some of the base terminologies that we’ll use throughout this blog post. We’ll use Box as a source platform and Office 365 as a destination platform, although the external sharing use case applies to other source platforms as well. Permission describes who has access to what content and can take the form of corporate, guest, or anonymous users; access rights are used to describe the level of access a user has to a given piece of content (e.g. read, write, upload, and so on). Lastly, a #$)(#$ defines whether a guest user is a Microsoft account holder or not.
Next, let’s go over an abridged process for handling guest permissions during a migration process:
Configure the Guest Sharing Settings
The Guest sharing setting must be configured by the Office 365 tenant administrator if the corporate security policies allow for such collaboration. Many companies aren’t permitting external collaboration via Office 365, so be sure to check what your company’s policy is for guest sharing.
Identify & Add Guest Users to Azure AD
Guest users and their account information (minimum name, email) must be identified and added to Azure Active Directory (AD) prior to the start of any migration activities. We typically find thousands of guest users that have connections to documents or folders. Having an automated scripting mechanism to extract guest user credentials (from the source platform) and load them into Azure AD will be required here. The guest user will also be required to complete the prerequisite registration process handled via Microsoft, and in some instances corporate policies will require Multi-Factor Authentication (MFA) for access data outside of corporate networks.
Convert the Source Content into the Proper Format
The source content, along with permission and access level, must be converted into a format that is appropriate for OneDrive for Business or a suitable endpoint in Office 365.
It’s important to note that certain access rights such as “uploader” do not exist in OneDrive for Business and an alternate mapping must either be considered or, in certain use cases, guest users with certain access rights that don’t have parity in Office 365 must be excluded. Data from a pre-scan access level analysis will help you determine whether this is a factor or not.
Notify Guest Users
Guest users who have been granted access to source files in the source environment should be notified of the upcoming migration and—depending on guest user type—will be expected to link their information from either Microsoft or the party handling the migration. In certain cases, without such a link to the new document, a guest user will not be able to access the content.
3 Questions to Ask Before Enabling External Sharing
With those steps out of the way, here are key questions worth discussing with your project team before deciding on how to execute guest access permissions during a migration.
1. Date Criteria – Do you want to preserve a permission that was granted to an external guest user one year ago? How about 10 years ago? Do you have tools to help you determine the distribution of external guest share invitations to make an informed decision?
Remember, the external user must first be created in Azure and in certain cases notified of the new link. Preparing for and designing a clear communication strategy will be critical.
Often times, we find that establishing a cutoff line for guest user permissions of six to nine months is appropriate. If a decision is made to maintain guest sharing based on the date of the invitation request, does your migration process and tool support this functionality?
2. Invalid Guest Sharing Accounts – In certain instances, guest account holders who have document access may no longer be valid (due to termination, for instance). Do you have any of these?
Since there’s no way to validate the integrity of an email, expect certain permission failures to occur when user credentials are found to be inactive and cannot be processed during the Azure AD registration.
3. Microsoft has a location where account holders can see documents they have access to. In OneDrive for Business, this area is called “Shared with me.” External users today do not have this capability. So while we can preserve the permission, how will guest users be notified of the new location to access the file?
AvePoint recommends—for certain types of account holders—that an email should be generated with a new email link to the document.
Without context, some guest users may interpret this as junk mail or phishing mail and may delete this. Make sure that you have an automated or batch process that can generate link emails for guest users immediately following the migration.
Closing Thoughts
Though there’s plenty to consider when planning to enable external sharing in Office 365, it can be incredibly useful if done correctly. Hopefully these tips and considerations bring your team that much closer to a successful implementation. Have any questions we didn’t cover here? Go ahead and leave them in the comments!
