Sunday, February 10, 2019

'Check Permissions' displays 'Deny' for Azure AD B2B guest of domains that are not whitelisted

Individual authorized guests of non-whitelisted domains rightfully denied access

SharePoint external sharing via Azure AD B2B adds an additional access-control layer. On top of the authorizations granted in the SharePoint site collection, you can explicitly control for guests whether their domain is allowed. Although I personally consider it a design flaw that business users can share their site with guests of non-whitelisted domains without any warning that those guests are not actually allowed access, what eventually matters is that these invited guests will be blocked from accessing the site as long as their domain is not allowed at the higher authorization-governance level of site collection sharing. Invited guests of non-whitelisted domains will get an Access Denied when trying to access the site for which they received a SharePoint invitation. And when you, as site owner, check the permissions of such a guest, you will see both an allowed part for the authorizations granted via the site permissions, and a long list of 'Deny' entries due to the lack of their guest domain in the list of whitelisted domains.
Domain of guest account not whitelisted in site collection sharing settings
Guest account can be invited to the site although its external domain is not whitelisted
"Check Permissions" displays 'Deny' permissions for guest accounts of a non-whitelisted domain
"Check Permissions" displays only the granted site permissions for guest accounts of a whitelisted domain
Noteworthy also is that the observed behavior differs depending on whether the guest invitation has been redeemed or not. The above applies to an invited Azure AD B2B guest account that has already been activated, where the invited guest tries to access the SharePoint site. For a non-redeemed guest account it is still possible to grant authorization on the SharePoint site despite the domain not being whitelisted. But for a non-redeemed account, 'Check Permissions' displays "None", regardless of whether the external domain is whitelisted.
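Checking each guest one by one through 'Check Permissions' does not scale, so here is an added PowerShell audit (example code, not part of the original post and not a Microsoft tool) that reads the tenant and site collection sharing-domain settings through the SharePoint Online Management Shell and flags every guest on a site whose mail domain falls outside them. It assumes an existing Connect-SPOService session with SharePoint admin rights, that both the tenant-level and the site-level domain restriction must pass for a guest to get past the domain layer, and that the guest's external address is returned in the Email property of Get-SPOExternalUser; the function names, `$SiteUrl` and the sample domains are assumptions.

```powershell
# Added example (not from the original post): audit which Azure AD B2B guests on a
# SharePoint Online site collection fall outside the sharing-domain allow/block lists.
# Requires the SharePoint Online Management Shell and an active Connect-SPOService session.

# Pure check: given sharing-domain settings, is a guest's mail domain allowed?
# $RestrictionMode is one of None | AllowList | BlockList; the domain lists are
# space-separated strings, which is how Get-SPOTenant / Get-SPOSite return them.
function Test-GuestDomainAllowed {
    param(
        [string] $Domain,
        [string] $RestrictionMode = 'None',
        [string] $AllowedDomainList = '',
        [string] $BlockedDomainList = ''
    )
    if ([string]::IsNullOrWhiteSpace($Domain)) { return $false }   # no domain: treat as denied
    $d = $Domain.Trim().ToLowerInvariant()
    $allowed = @($AllowedDomainList -split '\s+' | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    $blocked = @($BlockedDomainList -split '\s+' | Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() })
    switch ($RestrictionMode) {
        'AllowList' { return ($allowed -contains $d) }
        'BlockList' { return -not ($blocked -contains $d) }
        default     { return $true }   # 'None': no domain restriction at this level
    }
}

# Extracts the mail domain from a guest address, e.g. alice@partner.example -> partner.example
function Get-GuestMailDomain {
    param([string] $Email)
    if (-not $Email) { return $null }
    $at = $Email.LastIndexOf('@')
    if ($at -lt 0) { return $null }
    return $Email.Substring($at + 1)
}

# Lists every external user on the site with the domain verdict at tenant and site level.
# Assumption: a guest must pass BOTH levels; otherwise SharePoint returns Access Denied
# regardless of the site permissions the guest was granted.
function Get-GuestDomainAudit {
    param([Parameter(Mandatory)] [string] $SiteUrl)

    $tenant = Get-SPOTenant
    $site   = Get-SPOSite -Identity $SiteUrl

    # Get-SPOExternalUser pages at most 50 entries per call; walk all pages.
    $guests = @()
    $pos = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $SiteUrl -Position $pos -PageSize 50)
        $guests += $page
        $pos += 50
    } while ($page.Count -eq 50)

    foreach ($g in $guests) {
        $domain = Get-GuestMailDomain -Email $g.Email
        $tenantOk = Test-GuestDomainAllowed -Domain $domain `
            -RestrictionMode $tenant.SharingDomainRestrictionMode `
            -AllowedDomainList $tenant.SharingAllowedDomainList `
            -BlockedDomainList $tenant.SharingBlockedDomainList
        $siteOk = Test-GuestDomainAllowed -Domain $domain `
            -RestrictionMode $site.SharingDomainRestrictionMode `
            -AllowedDomainList $site.SharingAllowedDomainList `
            -BlockedDomainList $site.SharingBlockedDomainList

        [pscustomobject]@{
            Guest           = $g.Email
            AcceptedAs      = $g.AcceptedAs      # empty when the invitation is not redeemed yet
            Domain          = $domain
            TenantAllowed   = $tenantOk
            SiteAllowed     = $siteOk
            EffectiveAccess = $(if ($tenantOk -and $siteOk) { 'Site permissions apply' } else { 'Deny (domain not allowed)' })
        }
    }
}

# Usage (the site URL is a placeholder):
# Connect-SPOService -Url https://contoso-admin.sharepoint.com
# Get-GuestDomainAudit -SiteUrl 'https://contoso.sharepoint.com/sites/partnerproject' |
#     Where-Object { $_.EffectiveAccess -like 'Deny*' } | Format-Table -AutoSize
```

The 'Deny' rows are exactly the guests the post describes: invited and visible in the site permissions, but blocked at the domain layer. Whether a not-yet-redeemed guest shows up in this list depends on what Get-SPOExternalUser returns for pending invitations, so for the "None" case described above, verify the invitation status in the site's Access Requests and Invitations page rather than relying on this output alone.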
