Recently a request came in to create a new extranet site for an internal business unit so it could collaborate with external people. I figured this was a good opportunity to evaluate SharePoint Online on Office 365 instead of my usual task of adding a site to our existing on-premises SharePoint. Starting with a single site on SharePoint Online lets us troubleshoot and identify training needs at a small scale.
The main objective was to build a portal-like experience for guests (extranet users) similar to our on-premises SharePoint, where one site collection has a Search Core Results web part on the home page that rolls up the extranet site collections by content class (the query restriction `contentclass:STS_Site`). Keeping this single point of entry is important because some external users are members of several extranet sites. In addition, guests whose own organization is not on Office 365 cannot pin sites to their favorites, so without a portal they would have to remember the links to every site they belong to.
To keep our existing governance structure in place, an additional requirement was that internal staff, acting as site owners, could still manage permissions for internal and external users within their respective extranet sites. On-premises this is handled with Forms-Based Authentication (FBA). I also wanted only site owners to be able to share the site or any of its content, which meant anyone not in the Owners group had to be prevented from sharing (shown in the sharing settings image below).
Here were the steps taken that satisfied the above requirements:
Created a new private site collection in the SharePoint Admin Center on Office 365.
Set the site collection's sharing to “Allow external users who accept sharing invitations and sign in as authenticated users” and “Turn off sharing for non-owners on all sites in this site collection” (shown in the sharing settings image below). The first setting means every external user has to sign in, so no anonymous guest links can be created; the second makes the Owners group the only path by which anyone gets invited.
Shared the portal's top-level site with “Everyone”. Entering “Everyone” in the sharing box shares the site with all authenticated users, which in SharePoint Online includes external users who have already accepted an invitation to the tenant (unlike “Everyone except external users”). This meets the security requirement because the top-level site only serves as a way to reach subsites with unique permissions; nothing sensitive should be placed on it, since any guest of the tenant can read it.
Created the new extranet subsite with unique permissions (stop inheriting permissions from the parent) so that “Everyone” does not have access to it.
Because SharePoint Server Publishing Infrastructure was enabled, we could put the security-trimmed Table of Contents web part on the home page to roll up the sites to which extranet users have access. Another option is the Content Search web part; there are good tutorials online for using it to roll up subsites.
After sharing the subsite with external users, our internal site owners can give their collaborators the single portal link; when those collaborators log in they see the link to their extranet site on the home page and none of the sites they lack permission to.
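The four steps above, scripted so they can be repeated for the next extranet and verified afterwards. This is an added example, not the post's own script: it uses PnP PowerShell and assumes the caller is a SharePoint administrator; the tenant name, site URLs, owner address, subsite name and time zone are placeholders, and the `-DisableSharingForNonOwnersStatus` switch on `Get-PnPTenantSite` and passing the “Everyone” claim to `Set-PnPWebPermission` are assumed to work in the installed module version.

```powershell
# Added example (not the post's own script). Assumes PnP.PowerShell is installed,
# the caller is a SharePoint administrator, and every URL and name below is a placeholder.
$Tenant    = "contoso"
$AdminUrl  = "https://$Tenant-admin.sharepoint.com"
$PortalUrl = "https://$Tenant.sharepoint.com/sites/extranet-portal"
$Owner     = "portal.owner@contoso.com"
$SubWeb    = "businessunit-a"   # URL segment of the first extranet subsite

# 1. Private site collection. Only the landing page lives here.
Connect-PnPOnline -Url $AdminUrl -Interactive
New-PnPTenantSite -Title "Extranet Portal" -Url $PortalUrl -Owner $Owner `
    -TimeZone 13 -Template "STS#0" -StorageQuota 1024 -Wait

# 2. Sharing: externals must accept an invitation and sign in (no anonymous links),
#    and only the Owners group may share anything in the site collection.
Set-PnPTenantSite -Identity $PortalUrl -SharingCapability ExternalUserSharingOnly -DisableSharingForNonOwners

# Verify before handing over. The tenant-level setting caps every site collection:
# if it is Disabled, no guest can be invited here no matter what the site says.
Get-PnPTenant | Select-Object SharingCapability
# -DisableSharingForNonOwnersStatus is assumed to be available (see lead-in).
Get-PnPTenantSite -Identity $PortalUrl -DisableSharingForNonOwnersStatus |
    Select-Object Url, SharingCapability, DisableSharingForNonOwnersStatus

# 3. Root web readable by "Everyone" (all authenticated users, guests included).
#    "c:0(.s|true" is the claim behind the "Everyone" entry in the people picker (assumed accepted here).
Connect-PnPOnline -Url $PortalUrl -Interactive
Set-PnPWebPermission -User "c:0(.s|true" -AddRole "Read"

# 4. Extranet subsite with inheritance broken, so the "Everyone" grant stops at the root.
New-PnPWeb -Title "Business Unit A Extranet" -Url $SubWeb -Template "STS#0" -Locale 1033 -BreakInheritance

# Confirm the subsite really has unique permissions before site owners start inviting guests.
Get-PnPSubWeb -Includes HasUniqueRoleAssignments | Select-Object Url, HasUniqueRoleAssignments
```

The two verification calls are the part worth keeping: `HasUniqueRoleAssignments` must be `True` for the subsite, otherwise the Read grant to “Everyone” has flowed down and every guest in the tenant can see the extranet, and the site-level sharing values only take effect if the tenant-level `SharingCapability` is at least as permissive.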