Guest Access & External User Support
When Sprocket 365 is deployed into the App Catalog of a tenant it will house the required javascript files in the App Catalog site collection. By default the permission for users to access these js files is "Everyone except external". The impact is that when you want to allow externals to SharePoint we need to change these permissions to "Everyone" so that everyone, including external users can access the js files.
To begin, the first step is to include the Everyone group in your App Catalog site. It is advisable to assign them reading permissions by adding them to the Visitor group.
By default, the Everyone group is deactivated, so you need to activate this group at the tenant level by running the below command. Note that you might need to wait for a few minutes after executing this command:
Connect-PnPOnline -URL https://[tenanturl]-admin.sharepoint.com
Set-PnPTenant -ShowEveryoneClaim $true
After you wait a few minutes and go to your Site Permissions of App Catalog, select the Visitors Group and add the Everyone group.
Now users will have access to the central javascript files within the App Catalog. The final step it to add the external group to the visitors group of your specific SharePoint sites too. This is required as Sprocket stores some configuration data within hidden lists within your SharePoint sites.
Below is a list of hidden lists that guest users will require permission to:
| Name | Path | Comment |
|---|---|---|
| Sprocket Settings | ../[site]/lists/sproket%20settings | Stores cache data and complex web part settings |
| Sprocket Knowledge Hub Settings | ../[site]/lists/sproket%20knowledge%20hub%20settings | Stores header & knowledge hub settings |
Making Changes to Everyone Except External Group Usage
Some clients may wish to create their own 'Everyone' group rather than use the default Everyone except external.
Basic process to follow can be as per below however if removing the default group make sure you are checking/updating the 'hidden' Sproket lists with new group and correct permissions.
Create a new 'Security Group' in the admin centre for All Staff
Populate this group with all relevant employees
Navigate to each 'Communication' site and replace the 'Everyone except external users' group with the new 'All Staff' group
Ensure all 'hidden' Sproket lists are also manually updated as we set this group to have access specifically
Ensure onboarding process is updated when the external IT company set up a new user account that they are added into this group
Also check if need to add the new permission group to clientsideassets library in appcatalogue
Azure External Identities changes
The Guest settings in Azure can cause issues for access to MS Graph. To resolve this issue, change the Azure External Identities setting to Guest users have the same access as members.
After making the change, allow some time (1-2 hours) for this to take place.
FAQs
Are guest users required to have a Sprocket license
No, guest users are not required to be licensed. More information is avaiable on our Licensing page.