Update 9-secure-access-teams-sharepoint.md

v-edmckillop · web-flow · commit deb9e6ed5ae9 · 2023-02-02T14:02:58.000-08:00
diff --git a/articles/active-directory/fundamentals/9-secure-access-teams-sharepoint.md b/articles/active-directory/fundamentals/9-secure-access-teams-sharepoint.md
@@ -8,7 +8,7 @@ ms.service: active-directory
 ms.workload: identity
 ms.subservice: fundamentals
 ms.topic: conceptual
-ms.date: 08/20/2022
+ms.date: 02/02/2023
 ms.author: jricketts
 ms.reviewer: ajburnle
 ms.custom: "it-pro, seodec18"
@@ -17,96 +17,104 @@ ms.collection: M365-identity-device-management
 
 # Secure external access to Microsoft Teams, SharePoint, and OneDrive with Azure Active Directory 
 
-Microsoft Teams, SharePoint, and OneDrive for Business are three of the most used ways to collaborate and share content with external users. If the “approved” methods are too restrictive, users will go outside of approved methods by emailing content or setting up insecure external processes and applications, such as a personal DropBox or OneDrive. Your goal is to balance your security needs with ease of collaboration.
+Use this article to determine and configure your organization's external collaboration using Microsoft Teams, OneDrive for Business, and SharePoint. A common challenge is balancing security and ease of collaboration for end users and external users. If an approved collaboration method is perceieved as restrictive and onerous, end user evade the approved method. End users might email unsecured content, or set up external processes and applications, such as a personal DropBox or OneDrive. 
 
-This article guides you to determine and configure external collaboration to meet your business goals using Microsoft Teams and SharePoint.
+## External Identities settings and Azure Active Directory
 
-## Governance begins in Azure Active Directory
+Sharing in Microsoft 365 is partially governed by the **Exernal Identities, External collaboration** settings in Azure Active Directory (Azure AD). If external sharing is disabled or restricted in Azure AD, it overrides sharing settings configured in Microsoft 365. An exception is if Azure AD B2B integration isn't enabled. You can configure SharePoint and OneDrive to support ad-hoc sharing via one-time password (OTP). The following screenshot shows the External Identities, External collaboration settings dialog. 
 
-Sharing in Microsoft 365 is in part governed by the [External Identities | External collaboration settings](https://aad.portal.azure.com/) in Azure Active Directory (Azure AD). If external sharing is disabled or restricted in Azure AD, it overrides any sharing settings configured in Microsoft 365. An exception to this is that if Azure AD B2B integration isn't enabled, SharePoint and OneDrive can be configured to support ad-hoc sharing via one-time passcodes (OTP).
+   ![Screenshot of options and entries under External Identities, External collaboration settings.](media/secure-external-access/9-external-collaboration-settings.png)
 
-![Screenshot of External collaboration settings](media/secure-external-access/9-external-collaboration-settings.png)
+Learn more:
 
-### Guest user access
-
-There are three choices for guest user access, which controls what guest users can see after being invited. 
-
-To prevent guest users from seeing details of other guest users, and being able to enumerate group membership, choose Guest users have limited access to properties and memberships of directory objects.
-
-### Guest invite settings
-
-These settings determine who can invite guests and how those guests can be invited. These settings are only enabled if the integration with B2B is enabled.
-
-We recommend enabling administrators and users in the guest inviter role can invite. This setting allows controlled collaboration processes to be set up, as in the following example.
-
-* Team owner submits a ticket to be assigned the Guest inviter role, and
+* [Azure Active Directory admin center](https://aad.portal.azure.com/)
+* [External Identities in Azure AD](../external-identities/external-identities-overview.md)
 
-   * Becomes responsible for all guest invitations.
+### Guest user access
 
-   * Agrees not to directly add users to the underlying SharePoint
+Guest users are invited to have access to resources. 
 
-   * Is accountable to perform regular access reviews, and revoke access as appropriate.
+1. Go to the Azure Active Directory admin center.
+2. Select **All Services**.
+3. Under **Categories**, select **Identity**.
+4. From the list, select **External Identities**.
+5. Select **External collaboration settings**.
+6. Find the **Guest user access** option. 
 
-* Central IT does the following
+To prevent guest-user access to other guest-user details, and to prevent enumeration of group membership, select **Guest users have limited access to properties and memberships of directory objects**.
 
-   * Enables external sharing by granting the requested role upon training completion.
+### Guest invite settings
 
-   * Assigns Azure AD P2 license to the Microsoft 365 group owner to enable access reviews.
-   * Creates a Microsoft 365 group access review.
+Guest invite settings determine who invites guests and how guests are invited. The settings are enabled if the B2B integration is enabled. It's recommended that administrators and users, in the Guest Inviter role, can invite. This setting allows setup of controlled collaboration processes. For example:
 
-   * Confirms that access reviews are occurring.
+* Team owner submits a ticket requesting assignment to the Guest Inviter role:
+  * Responsible for guest invitations
+  * Agrees to not add users to SharePoint
+  * Performs regular access reviews
+  * Revokes access as needed
 
-   * Removes users directly added to the underlying SharePoint.
+* The IT team:
+  * After training is complete, grants the Guest Inviter role
+  * To enable access reviews, assigns Azure AD P2 license to the Microsoft 365 group owner
+  * Creates a Microsoft 365 group access review
+  * Confirms access reviews occur
+  * Removes users added to SharePoint
 
- Set **Enable Email One-time Passcodes for guests (Preview) and Enable up guest self-service sign via user flows** to **yes**. This setting takes advantage of the integration with Azure AD External collaboration settings.
+1. Select **Email one-time passcodes for guests**. 
+2. For **Enable guest self-service sign up via user flows**, select **Yes**. 
 
 ### Collaboration restrictions
 
-There are three choices under collaboration restrictions. Your business requirements dictate which you will choose.
+For Collaboration restrictions, business requirements dictate the choice of invitation in relation to domains.
 
-* **Allow invitations to be sent to any domain** means any user can be invited to collaborate.
+* **Allow invitations to be sent to any domain** - any user can be invited
+* **Deny invitations to the specified domains** - any user outside those domains can be invited
+* **Allow invitations only to the specified domains** - any user outside those domains cannot be invited 
 
-* **Deny invitations to the specified domains** means any user outside of those can be invited to collaborate.
+## External users and guest users in Teams
 
-* **Allow invitations only to the specified domains** means that any user outside of those specified domains cannot be invited. 
+Teams differentiates between external users (outside your organization) and guest users (guest accounts). You can manage collaboration setting in the [Teams Admin portal](https://admin.teams.microsoft.com/company-wide-settings/external-communications) under Org-wide settings. Authorized account credentials are required to sign in to the Teams Admin portal.
 
-## Govern access in Teams
+* **External Access** - Teams allows external access by default: the organization can communicate with all external domains 
+  * Use External Access setting to restrict or allow domains
+* **Guest Access** - manage guest acess in Teams
 
-[Teams differentiates between external users (anyone outside your organization) and guest users (those with guest accounts)](/microsoftteams/communicate-with-users-from-other-organizations?WT.mc_id=TeamsAdminCenterCSH%e2%80%8b)). You manage collaboration setting in the [Teams Admin portal](https://admin.teams.microsoft.com/company-wide-settings/external-communications) under Org-wide settings. 
+Learn more: [Use guest access and external access to collaborate with people outside your organization](/microsoftteams/communicate-with-users-from-other-organizations). 
 
 > [!NOTE]
-> External identities collaboration settings in Azure Active Directory control the effective permissions. You can increase restrictions in Teams, but not decrease them from what is set in Azure AD.
-
-* **External Access settings**. By default, Teams allows external access, which means that organization can communicate with all external domains. If you want to restrict or allow specific domains just for Teams, you can do so here.
-
-* **Guest Access**. Guest access controls what guest users can do in teams.
+> The External Identities collaboration feaure in Azure AD controls permissions. You can increase restrictions in Teams, but restrictions can't be lower than Azure AD settings.
 
-To learn more about managing external access in Teams, see the following resources.
+Learn more:
 
-* [Manage external access in Microsoft Teams](/microsoftteams/manage-external-access)
-
-* [Microsoft 365 identity models and Azure Active Directory](/microsoft-365/enterprise/about-microsoft-365-identity)
-
-* [Identity models and authentication for Microsoft Teams](/MicrosoftTeams/identify-models-authentication)
-
-* [Sensitivity labels for Microsoft Teams](/MicrosoftTeams/sensitivity-labels)
+* [Manage external meetings and chat in Microsoft Teams](/microsoftteams/manage-external-access)
+* [Microsoft 365 identity models and Azure AD](/microsoft-365/enterprise/about-microsoft-365-identity)
+* [Identity models and authentication for Microsoft Teams](/microsoftteams/identify-models-authentication)
+* [Sensitivity labels for Microsoft Teams](/microsoftteams/sensitivity-labels)
 
 ## Govern access in SharePoint and OneDrive
 
-SharePoint administrators have many settings available for collaboration. Organization-wide settings are managed from the SharePoint admin center. Settings can be adjusted for each SharePoint site. We recommend that your organization-wide settings be at your minimum necessary security levels, and that you increase security on specific sites as needed. For example, for a high-risk project, you may want to restrict users to certain domains, and disable the ability of members to invite guests.
+SharePoint administrators can find organization-wide settings in the SharePoint admin center. It's recommended that your organization-wide settings are the minimum security levels. Increase security on some sites, as needed. For example, for a high-risk project, restrict users to certain domains, and disable members from inviting guests.
+
+Learn more: 
+* [SharePoint admin center](https://microsoft-admin.sharepoint.com) - Access permissions are required
+* [Get started with the SharePoint admin center](/sharepoint/get-started-new-admin-center)
+* [External sharing overview](/sharepoint/external-sharing-overview)
 
-### Integrating SharePoint and One-drive with Azure AD B2B
+### Integrating SharePoint and OneDrive with Azure AD B2B
 
-As a part of your overall strategy for governing external collaboration, we recommend that you [enable the Preview of SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration-preview) .
+As a part of your strategy to govern external collaboration, it's recommended you enable SharePoint and OneDrive integration with Azure AD B2B. Azure AD B2B has guest-user authentication and management. With SharePoint and OneDrive integration, use one-time passcodes for external sharing of files, folders, list items, document libraries, and sites. 
 
-Azure AD B2B provides authentication and management of guest users. With SharePoint and OneDrive integration, [Azure AD B2B one-time passcodes](../external-identities/one-time-passcode.md) are used for external sharing of files, folders, list items, document libraries, and sites. This feature provides an upgraded experience from the existing [secure external sharing recipient experience](/sharepoint/what-s-new-in-sharing-in-targeted-release).
+Learn more: 
+* [Email one-time passcode authentication](../external-identities/one-time-passcode.md)
+* [SharePoint and OneDrive integration with Azure AD B2B](/sharepoint/sharepoint-azureb2b-integration)
+* [B2B collaboration overview](../external-identities/what-is-b2b.md)
 
 > [!NOTE]
-> If you enable the preview for Azure AD B2B integration, then SharePoint and OneDrive sharing is subject to the Azure AD organizational relationships settings, such as **Members can invite** and **Guests can invite**.
+> If you enable Azure AD B2B integration, then SharePoint and OneDrive sharing is subject to the Azure AD organizational relationships settings, such as **Members can invite** and **Guests can invite**.
 
-### Sharing policies
+### Sharing policies in SharePoint and OneDrive
 
-*External Sharing* can be set for both SharePoint and OneDrive. OneDrive restrictions can't be more permissive than the SharePoint settings.
+External Sharing can be set for both SharePoint and OneDrive. OneDrive restrictions can't be more permissive than the SharePoint settings.
 
  ![Screenshot of external sharing settings in SharePoint and OneDrive](media/secure-external-access/9-sharepoint-settings.png)
 
