Account and Group Maps: External Account Permissions
- Lindsey Byers (Deactivated)
- Andrea Harvey
On This Page
Overview
The External Permissions feature allows the user to retain (migrate) permissions for external accounts between a DryvIQ-supported source platform and SharePoint Online (SPO). People who need to see or work with content but do not have user accounts for your SharePoint Online or Office 365 environment are invited external accounts called “external users". Sites and documents can be shared with external users either globally, that is, for all sites in the tenant, or for each site collection individually.
After sharing is enabled for the tenant and individual site collections, site collection admins can extend invitations to specific users.
SharePoint Online associates external accounts to either a personal or an organizational Microsoft account. This association is called a Guest Account. The association is made when an external account accepts a permission invitation for the first time. Once that association is made, external accounts are recognized as a Guest Account and all permissions are shown under “Shared With Me.” Refer to Microsoft’s documentation for more information about guest accounts.
How DryvIQ Handles Migration of External Permissions
When DryvIQ migrates external account permissions, if the association with a Guest Account is already in place, it will properly map the external account from source to the Guest Account on the destination. The permission will show under “Shared With me”.
If the association is not yet made, an invitation token will be generated. These invitations show up under “Site Settings → Access Requests and Invitations”. The user can then resend one to the external account to start the invite process. Once the invitation is accepted, they will all appear under “Shared With Me.”
DryvIQ only captures the external account and passes it through to the destination. The invitation is generated on SharePoint Online. The SPO Administrator must review and resend invites. Once the invitation has been accepted by the external user, the guest is provisioned and access to shared content is available. Subsequent content shared with external users will automatically passthrough since the guest account is now recognized.
Account Map Configuration
External permissions are configured when creating the user/account map.
User Interface Options | Description | REST API Option | Values | Required |
|---|---|---|---|---|
Retain external users and Attempt to resolve first | These settings retain guest account permissions and ownership but attempt to resolve the account against a destination account first before retaining the permissions and ownership utilizing an external user account. | external_passthrough | true/false | Optional |
Retain external users and Do not attempt to resolve first | These settings retain guest account permissions and ownership utilizing an external account without first attempting to resolve the account against a destination account. The External email already associated as a guest account in OneDrive for Business/Office 365 will work regardless of whether external_passthrough is set. This is most commonly used for Network File Share (NFS). | passthrough | true/false | Optional |
Feature Matrix
Connector | External Permissions | ||||
|---|---|---|---|---|---|
Supported with Batch Mode | Root Folder | Folder | Files | Must accept invite before permission is visible to DryvIQ | |
OneDrive for Business | Supported | Supported | Supported | Supported | Yes |
Office365 | Supported | Supported | Supported | Supported | Yes |
Box | Supported | Supported | Supported | Not Supported | Yes |
Dropbox for Business | Supported | Not Supported | Supported | Not Supported | No |
Syncplicity | Supported | Supported | Not Supported | Not Supported | No |
Google Workspace | Supported | Not Supported | Supported | Supported | No |
Refer to Microsoft’s documentation for information on how to set up and manage access requests.
Example Job JSON
Required Configuration
"permissions": {
"policy": "add",
"failures": "{{value}}"
},and
},
"account_map": {
"map_by": {
"external_passthrough": true
},
Example Job with External Permissions
{
"name":"External Passthrough Sample Job",
"kind": "transfer",
"transfer": {
"transfer_type": "copy",
"batch_mode": "always",
"timestamps": "true",
"permissions": {
"policy": "add",
"failures": "none"
},
"empty_containers": "create",
"versioning": {
"preserve": "native",
"select": "all"
},
"account_map": {
"map_by": {
"external_passthrough": true
},
"exceptions": [{
"source": {
"email": "joe@smith.com",
"type": "account"
},
"destination": {
"email": "jane@smith.com",
"type": "account"
}
}]
},
"source": {
"connection": { "id": "{{cloud_connection_source}}" },
"target": {
"path": "/SourcePath"
}
},
"destination": {
"connection": { "id": "{{cloud_connection_destination}}" },
"target": {
"path": "/DestinationPath"
}
}
},
"schedule": {
"mode": "manual"
},
"stop_policy": {
"on_success": 3
},
"category": {
"name": "External Passthrough"
}
}
Important Notes
External Passthrough functionality will not be applied until the external user is a registered Guest Account in SharePoint Online. All external permission requests will go to the Access Requests page in SharePoint Online, and every guest account must be approved individually. Once the invitation has been accepted by the external user, the guest is provisioned and access to shared content is available. Subsequent content shared with external users will automatically pass through since the guest account is now recognized.
External Passthrough will invite external users as far back as the date it was originally shared on the source platform. For example, content shared 5 years ago with external users will be sent an invite if approved on the guest access page in SharePoint Online.
Accounts suspended on the source platform by the Administrator will be flagged and ignored by DryvIQ; they will not be transferred as external users. However, any content shared to an external account such as a personal email will be transferred with the external passthrough feature.