Accept external SharePont Online sharing invitations with an account matching the invited email address

Dec 27

Written by:
Sunday, December 27, 2015 10:40 AM  RssIcon

By default on the Sharepoint Online Tenant the following property values are active:

image

With the property   “RequireAcceptingAccountMatchInvitedAccount”  you can control, how external users accept invitations.
When enabled (not default!), this parameter requires external users to accept invitations with the email account with which they originally received the invitation.

 

If this parameter is $false / not set

When a user shares a document with an external user, they enter an e-mail like susi@gmx.com, and an email is sent to Stephen at susi@gmx.com.

When he attempts to accept the invitation (by clicking the link in the email), he can log in with ANY account HE WANTS to use. For example, he could use susi@gmail.com, stephen@live.com, or even susi_privat@outlook.com.  The sharing email can be forwarded and accepted by anyone.  This system ensures that external users who use email aliases or who do not have a Microsoft account or organization account are able to accept the invitation.

 

If this parameter is set to $true  

The "RequireAcceptingAccountMatchInvitedAccount" parameter ensures that the user who receives the invitation is also the user who accepts it. If an invitation is sent to susi@gmx.com, only a user who can log into susi@gmx.com is able to accept the invitation.

Any other email account displays an error page that directs to user to use the appropriate account. Notes that this does not apply to invitations that have previously been accepted in SharePoint Online and it only affects external sharing invitations that are generated after the parameter has been set. It will also not affect external users who have previously accepted an invitation.
They will be able to log-in and use the system as normal.

 

Here you can find the full syntax for the Set-SPOTenant cmdlet, which is used to change the “RequireAcceptingAccountMatchInvitedAccount” property value.

image

 

In this post I show you the behavior of sharing   the document “TestShareDoc” from the “test share” – folder in the Documents library.

image

 

The rest of this post is divided in the following parts:

Part 1:  RequireAcceptingAccountMatchInvitedAccount = $false (Default)

Part 2: How to change this parameter by Powershell

Part 3: RequireAcceptingAccountMatchInvitedAccount = $true

 

Part 1:

Invite one external person (gibel.andre@gmx.ch)  and by pressing <Share> send the email-invitation

image

Login to your gmx Mailbox (as gibel.andre@gmx.ch) open the Sharing-Invitation mail an klick on the link to open the document

image

Select the “Microsoft account”

image

 

Use an other account than the one of the invitation.  I use the @gmail instead of the @gmx

image

 

You are able to access the (empty) word document by word online

image

 

Part 2

Connect to the Office 365 Sharepoint Tenant by Powershell and change the property

image

Here you can find the code to import the right module, connect to the tenant and change the property-value:

 

Import-Module Microsoft.Online.SharePoint.PowerShell

$o365cred = Get-Credential -Message "Enter your Credentials" -UserName xxx@gibel.net 
Connect-SPOService -Url https://gibel-admin.sharepoint.com -credential $o365cred
# to display all properties
# Get-SPOTenant

(Get-SPOTenant).RequireAcceptingAccountmatchInvitedAccount # value before
# change value
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
(Get-SPOTenant).RequireAcceptingAccountmatchInvitedAccount # value after

 

Part 3

Create the same invitation (as in part 1) again open gmx-Mailbox and open Sharing-Mail and klick on the link in the e-mail

image

The invitation was intended for “gibel.andre@gmx.ch” and now I try to login with the  “giband@gmail.com” – Microsoft Account (=> different Mailaddress!)

image

You get the following “That didn’t work” warning that the accounts don’t match – that’s what we want! –> so changing the property-value of “RequireAcceptingAccountMatchInvitedAccount” works!

image