Open sohailmerchant opened 6 years ago
sohailmerchant
commented
6 years ago Some other observations: By doing this SharePoint won't allow external sharing, users will receive an error but since these are modern sites, owner could go to conversation and add a guest users to the site which ultimately give access to the external user for the whole site.
vman
commented
6 years ago @sohailmerchant have you seen this thread? https://techcommunity.microsoft.com/t5/Office-365-Groups/Disable-external-sharing-on-all-O365-Groups-with-one-single/td-p/107316
It seems you are trying to disable external sharing on specific groups which does not seem possible right now. It's a tenant level setting which needs to be set for all groups.
Presently, the setSiteExternalSharingCapability only seems to be valid for Communication sites for which it is working as expected. Perhaps this needs to clarified in the docs.
LauraKokkarinen
commented
6 years ago Hi guys!
I blogged about this topic a few months ago. For modern team sites, you need to disable external sharing for the group and its SharePoint site separately. You can read the instructions here: https://laurakokkarinen.com/how-to-completely-disable-external-sharing-for-a-single-office-365-group/
The thread @vman referenced talks about doing it the other way around: having the tenant setting as disabled by default and enabling external sharing for a single group/site.
The site script posted by @sohailmerchant looks valid to me. I haven't had any problems disabling external sharing for SharePoint sites using site designs. Perhaps there was a little delay and the setting hadn't updated yet when you checked it via PowerShell? Did you look at it again later?
Laura
vman
commented
6 years ago Hi @LauraKokkarinen, that's an excellent blog! I was able to disable adding guests on the group with AllowToAddGuests=false using the Graph API even if external sharing was enabled at the tenant level.
But it still doesn't work for me if I try to do the same using SiteDesigns on an Office 365 Group connected site (with the setSiteExternalSharingCapability action: https://github.com/vman/Site-Designs/blob/master/Office365.SiteDesigns.Deployment/SiteScripts/site-script-externalSharing.json)
I am still able to go to outlook (Group conversations) and add guests to the group. This doesn't happen when I disable guests from the Graph API.
The action works perfectly for a Communication site though.
LauraKokkarinen
commented
6 years ago Hi @vman!
setSiteExternalSharingCapability only disables external sharing for the SharePoint site. It doesn't disable external sharing for the Office 365 group. Those are two separate things and that is why you need to do both of those actions if you want to completely disable external sharing for a modern team site: set AllowToAddGuests to false for the underlying group via Microsoft Graph AND set the site SharingCapability to disabled for the SharePoint site using a site design. If you only disable external sharing for the group, users can still be given access to the SharePoint site (e.g. via the site permissions page) even though you can't add them to the group (e.g. via Outlook), and vica versa.
setSiteExternalSharingCapability alone is enough for a communication site because it doesn't have an Office 365 group attached to it.
Laura
vman
commented
6 years ago Yup that makes sense. So from a pure Site Designs point of view, the setSiteExternalSharingCapability action is not enough to completely disable external sharing for group (including the SP site behind it)
So we just need better documentation around this or the setSiteExternalSharingCapability action's implementation needs to be changed so that it disables external sharing on the group as well as on the site behind it.
It doesn't make much sense to have to extend the site design and call a Flow/Azure Function just to disable external sharing on the SP site.
Category
Expected or Desired Behavior
External Sharing for the newly provisioned group should get disabled
Observed Behavior
Not working as expected.
Steps to Reproduce
Applied this { "verb": "setSiteExternalSharingCapability", "capability": "Disabled"} as part of the site script but Get-SPOSITE command suggests that it didn't work (see screenshot)
.
Thanks for your contribution! Sharing is caring.