I have to say that Partner Access is probably one of the best kept secrets for SharePoint Online in Office 365. Additionally for customers who have SharePoint and want to extend it to people outside of their organization, SharePoint Online provides a unique solution for partner access which is different that on-premise. I can honestly see scenarios, with financial justification, where organizations may keep portions of SharePoint implementation on-premise while moving completely over to SharePoint Online just to support extranets. I still believe that a majority of SharePoint workloads can be moved to the cloud (as I captured in this blog) but partner access is something that many organizations what to do.
Some of the most common reasons why I have seen requests for Extranets/Partner Portals with SharePoint are:
- Support Business-to-Business and/or Business-to-Customer initiatives
- Personnel who travel or are in the field
- Geographically dispersed teams
- Employees/Partners Teleworking both connected and disconnected
- Support real time unified communications
- Secure and centralized communications with external entities
- Extranet Site for Partner Organization - Dedicate site with features driven specifically to facilitate better coordination with partners.
- Tactical Partner Site - There is an immediate need for collaboration area to support a business activity with external people to the organization.
- Community of Interest - There is a need to provide focused support, collaboration and knowledge sharing for a target group of organizations and individuals.
- Partner/Customer Support - Need the ability to interact with partners, customers or constituents in a secure environment.
First I want to say that deployment of SharePoint Extranets solutions can be implemented very efficiently and securely, however there are a lot of hurdles that organizations must overcome. In many cases, they are not even technical. Here are some of the most common:
- Infrastructure and Deployment - Managing an extranet environment requires a lot of security and configuration management best practices. This is mostly because you are now deploying SharePoint into the DMZ so it can be accessible from the outside. I have seen organizations punch holes through the firewalls which again require new security configurations and controls.
- Ease of Management - Organizations are challenged to have an environment that they can quickly use with a partner in time of need.
- Agility, Scalability and Service Level Agreements - The deploying organization is responsible for building an environment that scales to changing business requirements. Provisioning and maintaining an environment that is highly available can be expensive. Additionally providing an environment that needs to potentially be globally available.
- Access and Security Management - Managing access control of individuals to only have access to the extranet is important. In some cases, organizations use Active Directory to give external users access which can create a lot of new security controls to be put in place. None of these controls have anything to do with SharePoint. For instance, new security policies need to be put in place to ensure that external partners have their accounts removed when they no longer need access.
There are some very common solution architectures for implementing SharePoint Extranets on-premise. Here is a great reference that you should read – http://technet.microsoft.com/en-us/library/hh204611.aspx. I highly recommend reading the topologies diagram. I am not going to go into the pros/cons of each ones of these architectures as they have been pretty well documented.
Below is what is referred to as an Edge Firewall where direct access is provided from the Internet.
This is what is called a Back to Back Perimeter which basically standing up the entire SharePoint Farm in the DMZ.
Finally another popular called a Split Back to Back where some servers are deployed in the DMZ while other server roles remain inside the internal network. This is commonplace when SQL is not deployed in the DMZ.
Benefits of the SharePoint Online Partner Sites
This approach literally changes the way we implement a solution to work with Partner Sites. The benefits of using SharePoint Online for Partner Sites are immense.
- Highly available, scalable and accessible architecture – No more having to build and manage highly available SharePoint environments as you can rely on the cloud to provide it to you and your partners.
- No more AD Accounts for Partner Users – I know perfectly well that SharePoint support Forms Based Authentication (FBA), LDAP directories, etc. but all too often I have seen organizations just use their AD which get the security team nervous when there is no plan in place to manage these accounts. With SharePoint Online we have the ability to use Partner Accounts (to be explained in next section).
- Immediately provision new secure sites – It is really quick and easy to set up a partner site as I am about to show you. Instead of spending weeks standing up a new SharePoint Extranet farm, an Office 365 tenant can be purchased and Partner Sites can be stood up in minutes.
- No software and hardware in the DMZ – This is a huge plus for the security team as you just made their lives easier. Plus external users never come into the organization, they always go to Office 365.
You may be wondering what are SharePoint Online Partner Accounts. A SharePoint Online Partner Account is a solution for Office 365 whereby a user can use Windows Live ID to authenticate themself to your SharePoint Online tenant. For example, if they person email address is firstname.lastname@example.org, all they need to do is register that email with Windows Live and they will create a password that they know. Then all you need to do is invite email@example.com to a SharePoint site and they will use their own email address and password to authenticate to SharePoint Online.
No more managing external accounts in any type of directory services solution (AD, FBA, etc.). All you do is control what the user is authorized to do with SharePoint permissions.
Steps for Creating a Partner Site in Three Steps
The steps for creating a partner site are extremely simple.
Step 1 - Allow external users
First we need to go into the SharePoint Online administration center and allow SharePoint Online to have external users. You do this by going to the ribbon and selecting Manage External Users.
Then in the prompt, change the selection value to Allow.
Step 2 – Create a New Site Collection
Next we need to create a site collection for our partners.
Then once the new site collection has been created, I select it and in the Ribbon I select “Add Support Partners”.
Then in the prompt I selected the company site administrator.
Step 3 – Activate External User Invitation Feature
This is one step which could use some automation as this is a common step that people miss. If you think you are ready to start adding partner accounts, hold up. To add an external user you will use the Share Site button in the Site Actions Menu.
However when you go here, and try to add an external user by typing in an email address that is not in your domain, you will receive an error.
To resolve this, you must go to Site Collection Administration, go to Site Collection Features and activate the External User Initiations feature.
Now when you go Site Actions >> Share Site you will notice that this screen has changed. You will now be able to type in email address from another domain and invite that user to the SharePoint Site.
Steps for Inviting a User
The steps for inviting a user are extremely simple.
Step 1 – The Invitation
First, in the Share Site prompt, type in an email address of someone you like to invite.
You will receive a confirmation that it has been sent.
Step 2 – Confirm the Invitation
Note – if you are doing this for internal testing, close all browsers before continuing and you may need to delete your internet cache because you will be logging in with a different account.
The invitee will receive an email like the following. In this case it went to my Yahoo email address. The invitee will need just press the accept button.
The invitee will be taken to this screen where they will need to log in. The invitee will need to click on the Windows Live Hotmail link on the left. This will take them to a page to sign in with their Windows Live ID, which is tied to the email address I invited.
Note – if the user accidently clicked on the Microsoft Online Services ID link, they will be redirected to the correct Windows Live ID login screen they can click on a link that will take them to the appropriate sign in page.
On this screen the invitee must enter their email address. This should be the email address that was invited.
Now the user will be brought into SharePoint Partner site using their Windows Live ID.
Step 3 – Administration (Optional)
To administer this external user, you just go to the SharePoint group that was assigned to the user when they were invited.
Note - that the user will not appear in the group until they accept the invitation.
Here is the profile of the invitee. As you can see it is tied to the Yahoo email address that was used.
If you are an experience SharePoint professional you will know this is a game changer; and if you are not, you should see how easy this is to implement.