New Collaborate Security Overview

New Collaborate has been designed around the use of Microsoft best practice recommendations for collaboration with external users.

Microsoft B2B Guest User Collaboration

New Collaborate requires Microsoft B2B Guest User Collaboration to be enabled, improving the way users access documents through the use of logins and identity authentication.

Previously, Legacy Collaborate used secure links and codes to access files. This same method was known to be used in phishing attacks. To protect users, ISPs and mail providers began inadvertently blocking legitimate links, making it harder for clients to be notified of documents shared with them.

Refer to Setting up and Enabling Azure AD B2B for New Collaborate.

Creating New Users

When a client is invited to use Collaborate via Sharing Settings, or by sharing a document, FYI will create the client as a Guest User in the practice's Microsoft tenant, providing greater control and visibility over your external guests.

Guest users are not granted access to any internal systems unless explicitly invited as per Microsoft's B2B Collaboration guidelines.

To remove a guest user's access, staff can delete the client from the Sharing Settings in FYI on the client's Collaborate tab. Alternatively, IT Admins can remove the guest user from the practice's Microsoft tenant. Refer to Removing Access to the Shared Folders.

Login Experience

With Guest Users enabled, clients will be prompted to log in with an email and password of their choosing.

If the client has a Microsoft account (for example, an outlook.com email address, or an email account hosted on Microsoft servers) they can use the same details to log into the Collaborate site. 

If the practice has enabled identity authentication using Google Federation or Facebook, the client will be able to log in using those account details. 

Otherwise, clients will be prompted to create a password specific to that practice's Microsoft tenant. 

Using these login methods also allows practices to enforce Multi-Factor Authentication, and provides a greater level of visibility and control over the guest user account.

Refer to Login Experience for Clients using New Collaborate.

SharePoint Configuration

FYI Access

New Collaborate sites utilise Microsoft SharePoint to offer an interactive client portal and document-sharing site.

To create and manage a new SharePoint site and guest users, FYI requires full access permissions. 

Permissions

There are 2 key areas where we apply permissions on a SharePoint site.

SharePoint Home Page:

  • All guest users are allocated to the Visitors SharePoint group, providing them with read-only access to the Home page.

  • When configuring the Collaborate settings in FYI, the FYI Admin was prompted to select a Microsoft Security Group. This group is added as a Member with read permissions, so internal practice users who are members of that security group can view the home page but cannot make any changes.

  • The user in FYI set as the OneDrive admin will retain full access to the SharePoint site to make changes, for example, update the Home Page or make changes to the layout.

SharePoint Document Library:

  • When configuring the Collaborate settings in FYI, the FYI Admin was prompted to select a Microsoft Security Group. This group is set as a read-only group on the Document Library to allow internal staff to view all documents shared.

  • Read permissions are applied to each client folder for individual users that are added for that client via Sharing Settings in FYI. This prevents other clients from being able to see documents that they shouldn't have access to.

  • Edit permissions are applied to each client's Upload folder for the individual users added to that client via Sharing Settings in FYI. This allows those users to upload documents, which are automatically imported into FYI. Internal users in the Microsoft Group will only have read access to this folder.

Administrator Access

The ability to make changes directly to the SharePoint site is restricted to SharePoint Administrators. This is different to the method used previously with OneDrive and secure links, where users were able to create folders, share documents, and edit permissions. 

Refer to Comparison between Legacy Collaborate and New Collaborate.

Sharing Documents without Share Folder Access

When a document is shared from FYI with a user who is not the primary contact for the client and has not been added in Sharing Settings (which gives access to the entire Share Folder):

  • The user will have read access to that document only.

  • The user is not granted any access to the client folders. This means the user can only access the document either through the attachment link sent when the document was shared or by using the Recent Documents preview on the SharePoint home page.

Note: Users added in Sharing Settings in FYI can also access this document (in addition to all other files in the Share Folder).
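
The permission model described under SharePoint Document Library and Sharing Documents without Share Folder Access can be checked against an exported list of grants. The following is an added example, not FYI's own code; the Grant record, the scope labels, the security group name and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    client: str     # client folder the item sits under
    scope: str      # "folder", "upload" or "document"
    principal: str  # guest e-mail address, or the staff security group
    role: str       # permission level, e.g. "Read" or "Edit"

STAFF_GROUP = "Practice Staff"  # hypothetical security group name
# Roles the described model allows a client user per scope.
ALLOWED = {"folder": {"Read"}, "upload": {"Read", "Edit"}, "document": {"Read"}}

def audit(grants, sharing_settings, staff_group=STAFF_GROUP):
    """Return (grant, reason) pairs for grants outside the described model."""
    findings = []
    for g in grants:
        if g.principal == staff_group:
            if g.role != "Read":
                findings.append((g, "staff group must be read-only"))
            continue
        listed = g.principal in sharing_settings.get(g.client, set())
        if g.scope != "document" and not listed:
            # Folder-level access is only for users in that client's Sharing Settings.
            findings.append((g, "folder access without Sharing Settings entry"))
        elif g.role not in ALLOWED.get(g.scope, set()):
            findings.append((g, f"{g.role} not allowed on {g.scope}"))
    return findings

# Constructed sample data (not from a real tenant).
SHARING_SETTINGS = {"Acme": {"ann@acme.example"}, "Birch": {"bob@birch.example"}}
SAMPLE_GRANTS = [
    Grant("Acme", "folder", STAFF_GROUP, "Read"),
    Grant("Acme", "folder", "ann@acme.example", "Read"),
    Grant("Acme", "upload", "ann@acme.example", "Edit"),
    Grant("Acme", "upload", STAFF_GROUP, "Edit"),              # staff can edit
    Grant("Birch", "folder", "ann@acme.example", "Read"),      # cross-client read
    Grant("Birch", "document", "carl@birch.example", "Read"),  # single shared file
    Grant("Birch", "folder", "bob@birch.example", "Edit"),     # edit outside Upload
]

if __name__ == "__main__":
    for grant, reason in audit(SAMPLE_GRANTS, SHARING_SETTINGS):
        print(f"{grant.client}/{grant.scope}: {grant.principal} ({grant.role}) -> {reason}")
```

Grants that match the model, including the single-document read for a user outside Sharing Settings, produce no finding.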
