To give external (guest) users access to Atlas workspaces, you first need to complete the following configuration steps, which allow external users added to workspaces to interact with Atlas and its features.
Completing these steps does not give automatic access to any workspaces for external users, so after completing the steps in this article you will need to give an external user access to the specific Atlas workspaces you want them to access. This can be done in the same way you would add internal users.
In this article:
- Create an "All External Users" group in Entra ID
- Give permissions to the App Catalog site
- Give permissions to the Atlas Configuration site
Create an "All External Users" group in Entra ID
In order to complete this step you will need an account with access to Entra ID and the ability to create groups. If you have the right permissions you can access this portal by going to https://portal.azure.com and signing in with your Microsoft 365 account.
Go to the Entra ID portal and open the Groups section. Create a new group with the following settings:
- Group Type: Security
- Group Name (suggested): All External Users
- Group Description is not required
- Azure AD roles can be assigned to the group: No
- Membership Type: Dynamic User
After selecting the correct Membership Type, the Add members link will change to Add dynamic query:
Click the link and configure the dynamic rule with the following:
- Property: userType
- Operator: Equals
- Value: Guest
To finish creating the group, click Save to save the dynamic query, then finally Create the group. The membership will be updated on a regular basis, but you may need to wait 30 minutes or so for a brand new external user to get synchronised into the group.
If you need to troubleshoot access for new external users you can see the time the dynamic group was last updated by looking at the Group information in Entra ID.
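The same group can be created and checked from PowerShell. This is an added example, not part of the original article or the vendor's own tooling; it assumes the Microsoft Graph PowerShell SDK is installed, and the mail nickname `AllExternalUsers` is a constructed value. It also lists guests that have not yet been synchronised into the group, which helps when troubleshooting access for a new external user.

```powershell
# Added example: scripted equivalent of the portal steps above.
# Assumes the Microsoft.Graph PowerShell SDK is installed and the signed-in
# account may create groups. The mail nickname is a constructed value.
Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All'

$name  = 'All External Users'
$rule  = '(user.userType -eq "Guest")'   # Property: userType, Operator: Equals, Value: Guest
$props = 'id,displayName,membershipRule,membershipRuleProcessingState'

# Reuse the group if it already exists so the script is safe to re-run.
$group = Get-MgGroup -Filter "displayName eq '$name'" -Property $props |
    Select-Object -First 1
if (-not $group) {
    $group = New-MgGroup -DisplayName $name `
        -SecurityEnabled `
        -MailEnabled:$false `
        -MailNickname 'AllExternalUsers' `
        -GroupTypes @('DynamicMembership') `
        -MembershipRule $rule `
        -MembershipRuleProcessingState 'On'
}

# Stop if a group with this name has a different rule or paused processing,
# since it would then grant site access to a different set of accounts.
if ($group.MembershipRule -ne $rule -or $group.MembershipRuleProcessingState -ne 'On') {
    throw "Group '$name' has rule '$($group.MembershipRule)' (state: $($group.MembershipRuleProcessingState))."
}

# Compare tenant guests with current members to see who has not synchronised yet.
$guests  = @(Get-MgUser -Filter "userType eq 'Guest'" -All -Property 'id,userPrincipalName')
$members = @(Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object Id)
$pending = @($guests | Where-Object { $_.Id -notin $members })

'{0} guests in tenant, {1} in group, {2} not yet synchronised' -f `
    $guests.Count, $members.Count, $pending.Count
$pending | Select-Object UserPrincipalName
```

A freshly created group will normally report every guest as pending until the first membership evaluation has run.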
Give permissions to the App Catalog site
In order to complete this step you will need an account with access to manage permissions on the App Catalog site, or an account with the SharePoint Administrator role in Microsoft 365.
Now that you have created the required Entra ID group, you can give the group permissions on the App Catalog site which is required for Atlas to function correctly. This is a site which exists by default in every tenant and can be found at https://TENANTNAME.sharepoint.com/sites/AppCatalog where TENANTNAME is replaced with your actual tenant name.
Go to Site settings then Site permissions and click Grant Permissions in the ribbon, then apply Read permissions as per the following screenshot:
- Choose the All External Users group you created
- Uncheck Send an email invitation
- Select the Read permission level - do not select the App Catalog Visitors group
- Click Share
It is important to add the group at this level rather than within the App Catalog Visitors group so that there is a distinction between the internal users in the Visitors group and the external users.
Issues sharing the App Catalog
If you are not able to share with your external users it is probably due to the Security policy applied to the App Catalog site. To fix this, go to the SharePoint Admin Centre and click Active sites on the left, find the App Catalog site, click on it and then choose Settings in the panel.
You can now modify the External file sharing setting. Choosing anything other than "Only people in your organisation" will suffice - usually we recommend "Existing guests" as it ensures you have chosen to add these external users to your Active Directory before they get access:
Give permissions to the Atlas Configuration site
In order to complete this step you will need an account with access to manage permissions on the Atlas Configuration site, or an account with the SharePoint Administrator role in Microsoft 365.
Finally you need to give the new group permissions to the Atlas Configuration site. In almost all cases this can be found at https://TENANTNAME.sharepoint.com/sites/AtlasConfiguration where TENANTNAME is replaced with your actual tenant name.
Go to Site settings then Site permissions and click Grant Permissions in the ribbon, then apply Read permissions as per the following screenshot:
- Choose the All External Users group you created
- Uncheck Send an email invitation
- Select the Read permission level - do not select the Atlas Configuration Visitors group
- Click Share
It is important to add the group at this level rather than within the Atlas Configuration Visitors group so that there is a distinction between the internal users in the Visitors group and the external users.