Getting SharePoint List Permissions For Users Outside Your Tenant

Granting SharePoint List Access to External Users

SharePoint lists and libraries have permissions settings that restrict access by default only to authenticated users within your tenant. Unauthenticated external users outside your tenant don’t have permissions to access content in SharePoint, even if that content is anonymously shared with anyone that has the link.

This presents a problem for organizations that want to securely share documents, data, and other SharePoint-hosted content with partners, vendors, clients, or stakeholders that exist outside of their Office 365 or SharePoint Online tenant. While anonymous guest access can provide a way for these external entities to access shared content without needing to authenticate, by default they are still blocked due to lack of permissions at the list or library level.

Fortunately, SharePoint provides mechanisms for granting external guest users appropriate permissions to lists and libraries in order to facilitate secure collaboration across tenant boundaries. This allows organizations to share content as needed with users outside their tenant while still maintaining control over what those external entities can access.

Checking Current Permissions

Before modifying list permissions to allow external access, it can be useful to first check what the current permissions settings are. This allows you to understand who currently has access, what permission levels exist, and validate that external users cannot yet access content.

Permissions for SharePoint lists and libraries can be checked using either the SharePoint user interface or via PowerShell. For example, to check the permissions on a list named “Documents” using PnP PowerShell, here for the principal “ExtranetVisibleContent” (taken to be a SharePoint group, since the cmdlet reports one principal at a time):

Get-PnPListPermissions -Identity "Documents" -PrincipalId (Get-PnPGroup -Identity "ExtranetVisibleContent").Id

Running this PowerShell command would display the permission levels that principal holds on the “Documents” list. Repeating the check for the individual users and groups that have access would confirm that by default, only internal users and groups have access while external guest users do not.

Allowing Anonymous Access

Before granting customized list permissions to specific external users, an organization may first want to enable anonymous guest access to that content. This allows anyone with a link to the document or folder to access it without needing to authenticate.

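Anonymous access can be enabled using either the user interface or with PowerShell. In SharePoint Online, the sharing setting that permits anonymous links is applied to the site that contains the list or library, not to the list itself. For example, to enable anonymous link sharing on the site that holds a list named “Documents” via PnP PowerShell (the site URL is a placeholder, and the command requires SharePoint administrator rights):

Set-PnPTenantSite -Identity "https://<tenant>.sharepoint.com/sites/<site>" -SharingCapability ExternalUserAndGuestSharing

After running this command, anyone with an anonymous link URL created for the “Documents” library would be able to access it without needing to log in. This allows external users to access the content, but they may still face restrictions if they lack permissions to take actions like editing documents without authentication.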

Setting External User Permissions

To allow external guest users to collaborate on SharePoint content across tenants, permissions need to be explicitly granted to those users at the list or library level.

SharePoint has the concept of permission levels that define what actions a user can take. Common permission levels include Read, Edit, and Custom. The Read permission level allows a user to view and download content. The Edit permission allows a user to view, download, edit, add, and delete items in a SharePoint list or library. The Custom permission level allows administrators to specify unique access levels to precisely control what external users can and cannot do.

These permission levels can be assigned to guest users from outside the tenant using PowerShell. For example, to grant an external user with email [email protected] the Read permission level on a list named “Documents”:

Set-PnPListPermission -Identity "Documents" -User "[email protected]" -AddRole "Read"

This PowerShell command would grant the external user Read-only access to the contents of the “Documents” library. Other permission levels like Edit and Custom could also be specified to provide additional access if needed.
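A least-privilege version of the grant described above, as an added example that is not from the original page: it gives the list its own permissions before adding the guest, so the grant stays scoped to this one list, and then reads the result back. It assumes the PnP.PowerShell module and an existing Connect-PnPOnline session to the site; `guest@partner.example` is a constructed placeholder.

```powershell
# Added example. Assumes PnP.PowerShell and a connected session (Connect-PnPOnline).
$listName   = "Documents"
$guestEmail = "guest@partner.example"   # constructed placeholder for the invited guest
$role       = "Read"

$list = Get-PnPList -Identity $listName -Includes HasUniqueRoleAssignments
if (-not $list) { throw "List '$listName' was not found in the connected site." }

# Role assignments can only be added to a list that has unique permissions.
# Breaking inheritance here, with the current assignments copied, keeps the
# guest's access limited to this list instead of the whole site.
if (-not $list.HasUniqueRoleAssignments) {
    Set-PnPList -Identity $listName -BreakRoleInheritance -CopyRoleAssignments | Out-Null
}

Set-PnPListPermission -Identity $listName -User $guestEmail -AddRole $role

# Read the grant back and flag anything beyond the intended role.
$guest = Get-PnPUser | Where-Object { $_.Email -eq $guestEmail }
if (-not $guest) { throw "Guest '$guestEmail' is not a user of this site." }

$granted = Get-PnPListPermissions -Identity $listName -PrincipalId $guest.Id
$extra   = $granted | Where-Object { $_.Name -notin @($role, 'Limited Access') }

if ($extra) {
    Write-Warning ("{0} holds more than '{1}' on '{2}': {3}" -f `
        $guestEmail, $role, $listName, (($extra | ForEach-Object { $_.Name }) -join ', '))
} else {
    "{0} holds only '{1}' on '{2}'." -f $guestEmail, $role, $listName
}
```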

Verifying External Access Works

After enabling anonymous guest access and assigning customized list permissions to individual external users, verification testing should be performed to validate that the proper access levels have been granted.

Using the anonymous link URL, confirm that external guest users can now access the SharePoint list or library without needing to authenticate. Then validate that the specific external user accounts have the right permissions configured by checking their access using PowerShell:

Get-PnPListPermissions -Identity "Documents" -PrincipalId (Get-PnPUser | Where-Object Email -eq "[email protected]").Id

This command will display what permission levels the external guest user has. Administrators should verify that it matches the access configuration originally provisioned.

Testing and validation ensures that external sharing and guest user list permissions are working as expected. This allows organizations to securely collaborate with external partners through SharePoint while still maintaining control over access.
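For both the initial check under "Checking Current Permissions" and the verification step above, a report of every principal on the list is more useful than a per-user lookup. The script below is an added example, not from the original page; it assumes the PnP.PowerShell module and an existing Connect-PnPOnline session to the site, and it treats "#ext#" in a login name as a heuristic marker for guest accounts.

```powershell
# Added example. Assumes PnP.PowerShell and a connected session (Connect-PnPOnline).
$listName = "Documents"

$list = Get-PnPList -Identity $listName -Includes RoleAssignments, HasUniqueRoleAssignments
if (-not $list) { throw "List '$listName' was not found in the connected site." }

$report = foreach ($assignment in $list.RoleAssignments) {
    # Member and RoleDefinitionBindings are not loaded together with the list.
    Get-PnPProperty -ClientObject $assignment -Property Member, RoleDefinitionBindings | Out-Null

    # "Limited Access" is assigned by SharePoint itself and is left out of the report.
    $roles = ($assignment.RoleDefinitionBindings |
        Where-Object { $_.Name -ne 'Limited Access' } |
        ForEach-Object { $_.Name }) -join ', '
    if (-not $roles) { continue }

    $member = $assignment.Member
    # Expand SharePoint groups so that guests added through a group are listed too.
    if ($member.PrincipalType -eq 'SharePointGroup') {
        $principals = Get-PnPGroupMember -Group $member.Title
        $via        = $member.Title
    } else {
        $principals = @($member)
        $via        = '(direct)'
    }

    foreach ($p in $principals) {
        [pscustomobject]@{
            LoginName  = $p.LoginName
            Via        = $via
            Roles      = $roles
            # Heuristic: guests invited from another tenant carry "#ext#" in the login name.
            IsExternal = $p.LoginName -like '*#ext#*'
        }
    }
}

"Unique permissions on '$listName': $($list.HasUniqueRoleAssignments)"
$report | Sort-Object IsExternal -Descending | Format-Table -AutoSize

$external = @($report | Where-Object { $_.IsExternal })
"External principals with access: $($external.Count)"
```

Run it before any change to record the baseline, then again after granting access; the only new rows should be the guests that were provisioned, with the roles that were intended.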
