Summary
The External Permissions feature allows the user to retain (migrate) permissions for external accounts between a SkySync-supported source platform and SharePoint Online (SPO).
Background
People who need to see or work with content but do not have user accounts for your SharePoint Online or Office 365 environment are invited external accounts called “external users". Sites and documents can be shared with external users either globally, that is, for all sites in the tenant, or for each site collection individually.
After sharing is enabled for the tenant and individual site collections, site collection admins can extend invitations to specific users.
SharePoint Online associates external accounts to either a personal or an organizational Microsoft account. This association is called a Guest Account. The association is made when an external account accepts a permission invitation for the first time. Once that association is made, external accounts are recognized as a Guest Account and all permissions are shown under “Shared With Me”.
How SkySync Handles Migration of External Permissions
When SkySync migrates external account permissions, if the association with a Guest Account is already in place, it will properly map the external account from source to the Guest Account on the destination. The permission will show under “Shared With me”.
If the association is not yet made, an invitation token will be generated. These invitations show up under “Site Settings → Access Requests and Invitations”. The user can then resend one to the external account to start the invite process. Once the invitation is accepted, they will all appear under “Shared With Me”.
User - Interface | Account Map Configuration
To enable external permissions in the UI, the configuration needs to be during user / account map creation.
| Option | Values | Required? | User-Interface Options | Descriptions |
|---|---|---|---|---|
| external_passthrough | true/false | Optional | Retain external users Enabling this feature will attempt to retain guest account permissions and ownership. Attempt to resolve first An attempt will be made to resolve external user accounts to a destination user. If no destination user is matched, the ownership and permissions will be retained utilizing an external user account. | Retain guest account permissions and ownership, but attempting to resolve the account against a destination account first before retaining the permissions and ownership utilizing an external user account. |
| passthrough | true/false | Optional | Retain external users Enabling this feature will attempt to retain guest account permissions and ownership. Do not attempt to resolve first The ownership and permissions will be retained utilizing an external user account without any attempt to resolve that account to a destination account. | Retain guest account permissions and ownership utilizing an external account without first attempting to resolve the account against a destination account. Note: External email already associated as a guest account in OfB/O365 will work regardless of whether external_passthrough is on Most commonly used for Network File Share (NFS) |
Feature Matrix
| Connector | External Permissions | ||||
|---|---|---|---|---|---|
| Supported with Batch Mode | Root Folder | Folder | Files | Must accept invite before permission is visible to SkySync | |
| OneDrive for Business | Supported | Supported | Supported | Supported | Yes |
| Office365 | Supported | Supported | Supported | Supported | Yes |
| Box | Supported | Supported | Supported | Not Supported | Yes |
| DropBox for Business | Supported | Not Supported | Supported | Not Supported | No |
| Syncplicity | Supported | Supported | Not Supported | Not Supported | No |
| GSuite | Supported | Not Supported | Supported | Supported | No |
Office 365 Configuration (Team)
- Gear Icon (top left) → Site Settings
- Users & Permissions → Site Permissions
- Access Request Settings
- Allow Access Requests
OneDrive for Business Configuration (Personal)
- Top Left → Stacked squares Icon → Admin
- Left Navigation Admin icon → SharePoint
- Check the Team Site you wish to configure → Select Sharing
- Default Settings → "Don't allow sharing outside your organization"
- Change Settings to → "Allow external users who accept sharing invitations and sign in as authenticated users"
Example Job JSON
"permissions": {
"policy": "add",
"failures": "{{value}}"
},
and
},
"account_map": {
"map_by": {
"external_passthrough": true
},
{
"name":"External Passthrough Sample Job",
"kind": "transfer",
"transfer": {
"transfer_type": "copy",
"batch_mode": "always",
"timestamps": "true",
"permissions": {
"policy": "add",
"failures": "none"
},
"empty_containers": "create",
"versioning": {
"preserve": "native",
"select": "all"
},
"account_map": {
"map_by": {
"external_passthrough": true
},
"exceptions": [{
"source": {
"email": "joe@smith.com",
"type": "account"
},
"destination": {
"email": "jane@smith.com",
"type": "account"
}
}]
},
"source": {
"connection": { "id": "{{cloud_connection_source}}" },
"target": {
"path": "/SourcePath"
}
},
"destination": {
"connection": { "id": "{{cloud_connection_destination}}" },
"target": {
"path": "/DestinationPath"
}
}
},
"schedule": {
"mode": "manual"
},
"stop_policy": {
"on_success": 3
},
"category": {
"name": "External Passthrough"
}
}
Important Notes
External Passthrough functionality will not be applied immediately until the external user is a registered Guest Account in SharePoint Online.
- All external permission requests will go to the Access Requests page in SPO
- Every guest account must be approved individually
- Once the invitation has been accepted by the external user, the guest is provisioned and access to shared content is available
- Subsequent content shared with external users will automatically passthrough since the guest account is now recognized
External Passthrough will invite external users as far back as the date it was originally shared on the source platform
- For example, content shared 5 years ago with external users will be sent an invite if approved on the guest access page in SharePoint Online.
Accounts suspended on the source platform by the Administrator will be flagged and ignored by SkySync; they will not be transferred as external users. However, any content shared to an external account such as a personal email will be transferred with the external passthrough feature.