Thursday, March 15, 2018

SharePoint Online: unable to share a site with external users

Problem

You are a farm administrator.  A site administrator reports that a new administrator to the site is unable to share the site with external users.  She indicates that she granted the new administrator full control to the site, but that the new administrator is still unable to share the site.  You begin troubleshooting.

Troubleshooting

  1. Request site collection administrator permission to the site.
    1. Administrator reports that "site collection administrator" could not be found but granted your account Full Control to site.
    2. Navigated to Settings > Site Settings.
    3. You note that Site collection administrator link is not shown, nor is Site Collection Administration link group presented.
    4. Navigate to Settings > Site Settings > Users and Permissions > Site permissions.
    5. You find three site groups and a number of user accounts granted permissions directly.
    6. You can view the members of the site's Owner group, but not the members of the site's Visitors or Members groups.
    7. When you click the Access Request Settings button, the Access Request Settings dialog appears and an error message is displayed: Members cannot share this site because this site is missing a default members group.
      .
    8. This findings suggests cause of issue is due to a default group not being set that external users are automatically added to,
  2. Search on error message.
    1. You find this reference, regarding setting default groups.
  3. Check site's default groups.
    1. Using "<siteURL>/_layouts/permsetup.aspx", you discover that none of the site's default groups have been set, even though the site does have the usual three user groups.
  4. Request the site collection administrator set the site's default groups.
    1. The site collection administrator sets the default groups.
    2. The site collection administrator reports that though the new site administrator cannot share the site with external users, the original site administrator still can add external users and has been doing so for years.  This finding suggests a different cause, possibly a permissions issue.
  5. Request detailed description plus screenshots.
    1. User provides additional description and also provides screen shot of the "Share [site name]" dialog.  On this dialog, the user entered the email address of an external user, a welcome text, and selected the site's Members group to add the external user's account to, below which is displayed the error message: You do not have permission to add users to the selected SharePoint group.
    2. Navigate to Settings > Site Settings > Users and Permissions > Site permissions and then click on the Members group, but are denied.  You click on the Visitors group and are denied.  You click on the Owners group and are able to view the members and you note your own account listed.
    3. Navigate to Settings > Site Settings > Users and Permissions > People and groups > [in Current navigation, click on More...].  You then try to click on the Edit icon for each of the site's groups, Visitors, Members and Owners, but are denied.
    4. This finding suggests the cause of the issue may be site user group configuration.
    5. You then contact the site collection administrator to request site collection administrator permission level.
  6. Request site collection administrator permission.
    1. The site collection administrator adds your account to the Site Collection Administrators group.
    2. Navigate to Settings > Site Settings > Users and Permissions > People and groups > [in Current navigation, click on More...].  You then try to click on the Edit icon for each of the site's groups, Visitors, Members and Owners and are now successful.
  7. Check configuration of each site group.
    1. The site collection administrator is the owner of all site groups.
    2. All groups are configured to allow only group members to be able to view the group's membership.
    3. The Owners group is configured to only allow the group's owner to be able to edit group membership.
    4. The Visitors and Members groups are configured to allow members of the group to edit group membership.
    5. These findings further indicate that the cause of the issue involves site group configuration.
  8. Check site administrator permissions and group memberships.
    1. Navigate to Settings > Site Settings > Users and Permissions > Site permissions.
    2. Using the Check Permission capability (button in the ribbon), you check the permissions for both the current and new site administrators.  While doing so, while you enter their names, you discover that the new site administrator has multiple different user accounts, including personal, customer and employer accounts.  You also find that the current site administrator also has multiple different user accounts, including customer and employer user accounts.
    3. You review the site collection's User Information List to positively identify all accounts for each user.  You then check the permissions for each of these accounts.  Reviewing the results, you find that the current site administrator's customer account has been added to the site's Members group, but that the new site administrator's customer account has not.  Both site administrators have been granted full control permission level directly.
    4. You add the new site administrator's customer account to the site's Members group and then request that the new site administrator try to share the site again.
  9. Request new site sharing attempt.
    1. You request the new site administrator to attempt to share the site with an external user.  The user then reports that this attempt was successful.

Solution

  • As site collection administrator, ensure that your site administrators are members of those site groups that they are authorized to add new users to when sharing the site with new users.
  • Use your site collection's User Information List and the Check Permissions capability to explore and troubleshoot user permissions and group memberships.

References

No comments: