pnp / sp-dev-site-scripts

Repository for sample SharePoint site designs and site scripts
https://docs.microsoft.com/en-us/sharepoint/dev/declarative-customization/site-design-overview
MIT License

setSiteExternalSharingCapability doesn't work #12

Open sohailmerchant opened 6 years ago

sohailmerchant commented 6 years ago

Category

Expected or Desired Behavior

External Sharing for the newly provisioned group should get disabled

Observed Behavior

Not working as expected.

Steps to Reproduce

Applied this { "verb": "setSiteExternalSharingCapability", "capability": "Disabled" } as part of the site script, but the Get-SPOSite command suggests that it didn't work (see screenshot).

Thanks for your contribution! Sharing is caring.

sohailmerchant commented 6 years ago

Some other observations: By doing this, SharePoint won't allow external sharing and users will receive an error, but since these are modern sites, an owner could go to conversations and add guest users to the site, which ultimately gives the external user access to the whole site.

vman commented 6 years ago

@sohailmerchant have you seen this thread? https://techcommunity.microsoft.com/t5/Office-365-Groups/Disable-external-sharing-on-all-O365-Groups-with-one-single/td-p/107316

It seems you are trying to disable external sharing on specific groups which does not seem possible right now. It's a tenant level setting which needs to be set for all groups.

Presently, the setSiteExternalSharingCapability action only seems to be valid for Communication sites, for which it is working as expected. Perhaps this needs to be clarified in the docs.

LauraKokkarinen commented 6 years ago

Hi guys!

I blogged about this topic a few months ago. For modern team sites, you need to disable external sharing for the group and its SharePoint site separately. You can read the instructions here: https://laurakokkarinen.com/how-to-completely-disable-external-sharing-for-a-single-office-365-group/

The thread @vman referenced talks about doing it the other way around: having the tenant setting as disabled by default and enabling external sharing for a single group/site.

The site script posted by @sohailmerchant looks valid to me. I haven't had any problems disabling external sharing for SharePoint sites using site designs. Perhaps there was a little delay and the setting hadn't updated yet when you checked it via PowerShell? Did you look at it again later?

Laura

vman commented 6 years ago

Hi @LauraKokkarinen, that's an excellent blog! I was able to disable adding guests on the group with AllowToAddGuests=false using the Graph API even if external sharing was enabled at the tenant level.

But it still doesn't work for me if I try to do the same using SiteDesigns on an Office 365 Group connected site (with the setSiteExternalSharingCapability action: https://github.com/vman/Site-Designs/blob/master/Office365.SiteDesigns.Deployment/SiteScripts/site-script-externalSharing.json). I am still able to go to Outlook (Group conversations) and add guests to the group. This doesn't happen when I disable guests from the Graph API.

The action works perfectly for a Communication site though.

LauraKokkarinen commented 6 years ago

Hi @vman!

setSiteExternalSharingCapability only disables external sharing for the SharePoint site. It doesn't disable external sharing for the Office 365 group. Those are two separate things, and that is why you need to do both of those actions if you want to completely disable external sharing for a modern team site: set AllowToAddGuests to false for the underlying group via Microsoft Graph AND set the site SharingCapability to disabled for the SharePoint site using a site design. If you only disable external sharing for the group, users can still be given access to the SharePoint site (e.g. via the site permissions page) even though you can't add them to the group (e.g. via Outlook), and vice versa.

setSiteExternalSharingCapability alone is enough for a communication site because it doesn't have an Office 365 group attached to it.

Laura

vman commented 6 years ago

Yup, that makes sense. So from a pure Site Designs point of view, the setSiteExternalSharingCapability action is not enough to completely disable external sharing for a group (including the SP site behind it).

So we just need better documentation around this or the setSiteExternalSharingCapability action's implementation needs to be changed so that it disables external sharing on the group as well as on the site behind it.

It doesn't make much sense to have to extend the site design and call a Flow/Azure Function just to disable external sharing on the SP site.
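
The distinction worked out in this thread (setSiteExternalSharingCapability covers only the SharePoint site, AllowToAddGuests covers only the Office 365 group) written as a small audit check. This is an added example, not code from the repository or from any commenter; the function names, the sample JSON and the rule that the last sharing action in a script wins are assumptions made for illustration, and the check reads the intended configuration rather than querying a live tenant.

```python
import json

# Constructed inputs. SITE_SCRIPT wraps the action quoted in the issue;
# the group settings mimic a Graph "GET /groups/{id}/settings" response.
SITE_SCRIPT = json.loads("""
{"$schema": "schema.json", "version": 1, "actions": [
  {"verb": "setSiteExternalSharingCapability", "capability": "Disabled"}]}
""")
GROUP_BLOCKED = {"value": [{"displayName": "Group.Unified.Guest", "values": [
    {"name": "AllowToAddGuests", "value": "false"}]}]}
GROUP_NO_OVERRIDE = {"value": []}  # no group-level setting at all


def site_sharing_disabled(script):
    """True if the script's sharing action sets 'Disabled'.
    Assumption: if the verb appears more than once, the last one wins."""
    caps = [a.get("capability") for a in script.get("actions", [])
            if a.get("verb") == "setSiteExternalSharingCapability"]
    return bool(caps) and caps[-1] == "Disabled"


def group_guests_blocked(settings):
    """True if the group carries AllowToAddGuests = false."""
    for setting in (settings or {}).get("value", []):
        for item in setting.get("values", []):
            if item.get("name") == "AllowToAddGuests":
                return str(item.get("value")).lower() == "false"
    return False  # no group-level block; the tenant-wide setting applies


def audit(script, group_settings, group_connected):
    """Return the external-sharing paths still open ([] means none)."""
    gaps = []
    if not site_sharing_disabled(script):
        gaps.append("site")    # sharing via the site permissions page
    if group_connected and not group_guests_blocked(group_settings):
        gaps.append("group")   # guests added via Outlook conversations
    return gaps


if __name__ == "__main__":
    print(audit(SITE_SCRIPT, None, group_connected=False))              # communication site
    print(audit(SITE_SCRIPT, GROUP_NO_OVERRIDE, group_connected=True))  # the issue's case
    print(audit(SITE_SCRIPT, GROUP_BLOCKED, group_connected=True))      # both settings applied
```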