Some users are confused about the difference between SharePoint’s external sharing and Azure AD B2B collaboration. When SharePoint Online external sharing was introduced, it brought additional features with it.
Which is better of the two? Which is easier to use?
To cut a long story short, it’s becoming apparent that SharePoint’s external sharing is the more confusing of the two for most users.
Let’s explore these two and see how they differ from each other.
What is external sharing in SharePoint?
Basically, external sharing makes your content available to others outside of your organization.
With it, you can share your files, folders, libraries, lists, and even entire sites in SharePoint Online.
External sharing has never been easier since the new SharePoint experience was applied. All the more reason to modernize your classic SharePoint sites.
How does it work?
First off, external sharing is controlled at two levels: the organization level and the site level. To be able to externally share a site, you must allow it at the organization level.
In case there’s a mismatch on the external sharing option between the organization level and site level, it’s always the most restrictive value that’s applied.
Take note that by default, external sharing is enabled on the entire SharePoint environment (including the sites). That’s why you might want to turn the option off globally until your teammates know how to use the feature.
You can change the sharing settings in the new SharePoint admin center.
On the other hand, not all types of sites allow external sharing by default. The default setting for communication sites and classic sites is more restrictive: “only people in your organization”. Team sites, by contrast, are the ones to watch out for.
That’s why if you have any confidential information that you don’t want others outside your organization to know, make sure to store the information on a site type where the external sharing is disabled by default.
If you need to share other information externally, don’t turn on external sharing for that site. Instead, create a new site for it.
What is the experience like for the invited user?
This is where it gets a little bit confusing. The experience varies depending on how well the invited user understands the different Microsoft account types (Microsoft account vs organization account).
In case you’re not familiar with the difference between the two types of accounts, here’s a clear answer from an MSDN article:
Organizational account [now work or school account] is an account created by an organization’s administrator to enable a member of the organization access to all Microsoft cloud services such as Microsoft Azure, Windows Intune, or Office 365…
Microsoft account, created by the user for personal use, is the new name for what used to be called ‘Windows Live ID’.
But the start is usually the same. When you share something with someone outside the organization, they will receive an email that has the link to the shared asset.
When you share a site with someone who’s not part of your organization, he or she will need to sign in with either a Microsoft account or an organization account. You can’t share a site with someone that doesn’t have a Microsoft account or organization account.
You can send the invitation to anyone. But without a Microsoft account or an organization account, they will see this message right after they click the link on the email:
When you share files and folders, the recipient only has to sign in with a Microsoft account. If they have an organization account or an email address that’s not a Microsoft account, they will need to provide a verification code that’s also sent to the email address you sent the invitation to.
The problem here is that if the computer you’re using is already signed in to another Microsoft or organization account, you could accept the external sharing link as that other account (not yours), and this could become quite problematic.
But there’s a solution to this. All you need to do is enable the setting (off by default) in the SharePoint admin center that requires the guest to sign in using the same account to which the invitation was sent.
On the other hand, you can also pass a link around to anybody, and they will not need to authenticate to access files and folders. But as you can imagine, this is a security risk.
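The two-level rule (the most restrictive value wins) and the account-match setting described above can be checked with a short audit. This is an added example, not part of the original article: the site URLs and setting values are constructed sample data, and the commented cmdlets assume the SharePoint Online Management Shell.

```powershell
# Constructed sample data. With the SharePoint Online Management Shell, use instead:
#   $tenant = Get-SPOTenant
#   $sites  = Get-SPOSite -Limit All
$tenant = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    RequireAcceptingAccountMatchInvitedAccount = $false
}
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/hr';       SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/partners'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/projectx'; SharingCapability = 'ExternalUserAndGuestSharing' }
)

# Sharing levels ordered from most restrictive (0) to least restrictive (3).
$rank = @{
    Disabled                        = 0  # only people in your organization
    ExistingExternalUserSharingOnly = 1  # guests already in the directory
    ExternalUserSharingOnly         = 2  # guests must sign in
    ExternalUserAndGuestSharing     = 3  # "Anyone" links, no sign-in
}

function Get-EffectiveSharing {
    param([string] $TenantCapability, [string] $SiteCapability)
    # When the two levels disagree, the most restrictive value applies.
    if ($rank[$SiteCapability] -lt $rank[$TenantCapability]) { $SiteCapability } else { $TenantCapability }
}

$report = foreach ($site in $sites) {
    $effective = Get-EffectiveSharing $tenant.SharingCapability $site.SharingCapability
    [pscustomobject]@{
        Url            = $site.Url
        SiteSetting    = $site.SharingCapability
        Effective      = $effective
        AnonymousLinks = ($effective -eq 'ExternalUserAndGuestSharing')
    }
}
$report | Format-Table -AutoSize

# Sites where links work without any sign-in deserve a review first.
$report | Where-Object AnonymousLinks | ForEach-Object {
    Write-Warning "Unauthenticated links possible on $($_.Url)"
}

# Off by default: guests can redeem with whichever account is signed in.
if (-not $tenant.RequireAcceptingAccountMatchInvitedAccount) {
    Write-Warning 'Guests are not required to redeem with the invited account.'
    # Fix: Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
}
```

A site flagged here can be tightened with `Set-SPOSite -Identity <site URL> -SharingCapability Disabled` without changing the organization-level setting.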
What is Azure AD B2B collaboration?
In simple words, Azure Active Directory B2B collaboration enables you to invite guests and share your company’s applications and services with them for collaboration.
The difference between Azure AD B2B collaboration and SharePoint’s external sharing is that the collaboration feature from Azure is easier to comprehend and use.
How does it work?
In comparison, anyone you invite for collaboration using Azure AD B2B can use their own identity. They can redeem your invitation using their own work, school, or even social identities (Facebook). This means an Azure AD account isn’t required.
Take note that you need to enable guest self-service sign-up via user flows first and add Facebook and Google as social identity providers.
What’s awesome here is that with Azure AD B2B, there’s no external admin overhead for your organization. There’s no need to manage external accounts or account lifecycles, or even to sync accounts.
What is the experience like for the invited user?
If you’re an administrator, you can easily invite others to your organization by creating a new guest user in Azure AD. Then, you simply assign them to apps or groups.
After that, similar to SharePoint external sharing, those you invited will receive an invitation email with a redemption link (or a direct link to an app you want to share).
The redemption stage is less of a hassle since they can practically use any of their email addresses to act upon your invitation.
In the rare case that the guest doesn’t have an account that he or she can use, that guest will be prompted to create a personal Microsoft account or an Azure AD self-service account.
What are the differences between SharePoint’s external sharing and Azure AD B2B collaboration?
Having gone over the two sharing options, here are three key differences between them:
1. The redemption experience
As you may have noticed, the redemption process of Azure AD B2B is painless. Those you invited can practically respond to your invitation by using any email address (or even Facebook).
On the other hand, before your guests can take advantage of these painless sign-up features, you need to set them up first. Unfortunately, it’s not as easy as clicking a few buttons, as you need to create an app in the Facebook developers console and configure it.
As for SharePoint external sharing, there are a few hoops that your guest has to go through before they can redeem your invitation. But if your guests already have Microsoft accounts, the process is smooth and simple.
But you should know that once your guest redeems the invitation, the user experience practically looks the same whether in SharePoint Online or in Azure AD B2B.
2. User directory
In SharePoint external sharing, you will not see any of the guests you invited on the user directory until they redeem the invitation. Once they accept the invitation, you will also see their names in Azure AD.
In cases where another site invites a user, another invitation is generated.
On the other hand, guests invited through Azure AD B2B collaboration will be shown in the directory right away even before they see the invitation.
In addition, when you invite a guest via Azure B2B, you can immediately invite their account to a SharePoint resource.
If you want an easier time sharing your documents, invite the guest through Azure AD B2B collaboration first. Then add the user in SharePoint, since the account will already be shown there in the people picker.
When doing this, you will be able to turn off the email invite when sharing with a certain guest. Sending an email via SharePoint for external invites is mandatory only the first time you share with an external user (since the user isn’t yet recognized as a guest in Azure AD).
By using this sequence, the user experience can be much better than with SharePoint external invites alone.
3. Licensing requirements
The licensing needs differ between the two platforms.
Essentially, for Azure AD, you are entitled to five guest users for every paid license. These users can access the paid Azure Active Directory features. If you want to read more about it, see the billing model for Azure AD External Identities.
As for SharePoint external sharing, guests are limited to basic collaboration tasks since they don’t have a license in your organization.
They can only do tasks on a site based on the level of permission that you give them. They may also see other types of content on your sites depending on their permission level.
If your SharePoint external sharing guests need more power, you must assign them the correct license. This will give them access to advanced collaboration features.
At this moment, Azure AD B2B collaboration wins
From the information above, you can see that there are more benefits to using Azure AD B2B collaboration than SharePoint’s external sharing feature.
For one, you can collaborate pretty much with anyone without the need for complicated setups. They can also redeem your invitations quite easily. In addition, the collaboration is easier since you can give them access to any data or application especially when you still have an available slot for your paid license.
There is also no administrative overhead, which practically saves your organization resources. There’s also no need for any external account management and syncing.
In addition, you can immediately add the external users you invited via Azure AD B2B collaboration to a SharePoint asset.
However, you can certainly see how much SharePoint’s external sharing feature has progressed since the new user interface was applied. In the future, there may be changes that will make SharePoint’s external sharing feature as simple as, or better than, Azure AD B2B collaboration.