Accept external SharePoint Online sharing invitations with an account matching the invited email address
Sunday, December 27, 2015 10:40 AM
By default on the SharePoint Online tenant the following property values are active:
With the property “RequireAcceptingAccountMatchInvitedAccount” you can control how external users accept invitations.
When enabled (not default!), this parameter requires external users to accept invitations with the email account with which they originally received the invitation.
If this parameter is $false / not set
When a user shares a document with an external user, they enter an e-mail address like email@example.com, and an email is sent to Stephen at firstname.lastname@example.org.
When he attempts to accept the invitation (by clicking the link in the email), he can log in with ANY account HE WANTS to use. For example, he could use email@example.com, firstname.lastname@example.org, or even email@example.com. The sharing email can be forwarded and accepted by anyone. This system ensures that external users who use email aliases or who do not have a Microsoft account or organization account are able to accept the invitation.
If this parameter is set to $true
The "RequireAcceptingAccountMatchInvitedAccount" parameter ensures that the user who receives the invitation is also the user who accepts it. If an invitation is sent to firstname.lastname@example.org, only a user who can log into email@example.com is able to accept the invitation.
Any other email account displays an error page that directs the user to use the appropriate account. Note that this does not apply to invitations that have previously been accepted in SharePoint Online; it only affects external sharing invitations that are generated after the parameter has been set. It will also not affect external users who have previously accepted an invitation.
They will be able to log-in and use the system as normal.
Here you can find the full syntax for the Set-SPOTenant cmdlet, which is used to change the “RequireAcceptingAccountMatchInvitedAccount” property value.
In this post I show you the behavior of sharing the document “TestShareDoc” from the “test share” folder in the Documents library.
The rest of this post is divided into the following parts:
Part 1: RequireAcceptingAccountMatchInvitedAccount = $false (Default)
Part 2: How to change this parameter with PowerShell
Part 3: RequireAcceptingAccountMatchInvitedAccount = $true
Invite one external person (firstname.lastname@example.org) and press <Share> to send the e-mail invitation
Log in to your gmx mailbox (as email@example.com), open the sharing invitation mail and click on the link to open the document
Select the “Microsoft account”
Use another account than the one of the invitation. I use the @gmail instead of the @gmx
You are able to access the (empty) Word document in Word Online
Connect to the Office 365 SharePoint tenant with PowerShell and change the property
Here you can find the code to import the right module, connect to the tenant and change the property-value:
# load the SharePoint Online Management Shell module
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
$o365cred = Get-Credential -Message "Enter your Credentials" -UserName firstname.lastname@example.org
# connect to the tenant admin site
Connect-SPOService -Url https://gibel-admin.sharepoint.com -Credential $o365cred
# to display all properties
Get-SPOTenant
(Get-SPOTenant).RequireAcceptingAccountMatchInvitedAccount # value before
# change value
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
(Get-SPOTenant).RequireAcceptingAccountMatchInvitedAccount # value after
Create the same invitation (as in part 1) again, open the gmx mailbox, open the sharing mail and click on the link in the e-mail
The invitation was intended for “email@example.com” and now I try to log in with the “firstname.lastname@example.org” Microsoft account (=> different e-mail address!)
You get the following “That didn’t work” warning that the accounts don’t match. That’s what we want! So changing the property value of “RequireAcceptingAccountMatchInvitedAccount” works!
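Because the setting only affects invitations generated after it was enabled, external users who accepted earlier with a different account keep their access. The following added example (not part of the original post) lists such users by comparing the InvitedAs and AcceptedAs properties returned by Get-SPOExternalUser. The function names and the sample records are hypothetical and constructed for illustration, and without -SiteUrl the cmdlet is assumed to return the tenant-level external users only.

```powershell
# Added example. Function names and sample records are hypothetical / constructed.

# Page through every external user of the connected tenant (requires Connect-SPOService).
function Get-AllExternalUser {
    param([int]$PageSize = 50)   # Get-SPOExternalUser accepts a page size of at most 50
    $position = 0
    do {
        $batch = @(Get-SPOExternalUser -Position $position -PageSize $PageSize)
        $batch                   # emit this page to the pipeline
        $position += $PageSize
    } while ($batch.Count -eq $PageSize)
}

# Emit one record per user whose accepting account differs from the invited address.
function Find-MismatchedExternalUser {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$ExternalUser
    )
    process {
        $invited  = "$($ExternalUser.InvitedAs)".Trim()
        $accepted = "$($ExternalUser.AcceptedAs)".Trim()
        # Nothing to compare if either address is missing from the record
        if (-not $invited -or -not $accepted) { return }
        # -ne compares strings case-insensitively, which suits e-mail addresses
        if ($invited -ne $accepted) {
            [pscustomobject]@{
                DisplayName = $ExternalUser.DisplayName
                InvitedAs   = $invited
                AcceptedAs  = $accepted
                WhenCreated = $ExternalUser.WhenCreated
            }
        }
    }
}

# Constructed sample records so the comparison can be tried without a tenant
$sample = @(
    [pscustomobject]@{ DisplayName = 'User A'; InvitedAs = 'a.user@partner.example'; AcceptedAs = 'A.User@partner.example'; WhenCreated = '2015-12-01' }
    [pscustomobject]@{ DisplayName = 'User B'; InvitedAs = 'b.user@partner.example'; AcceptedAs = 'someone@other.example'; WhenCreated = '2015-12-02' }
    [pscustomobject]@{ DisplayName = 'User C'; InvitedAs = 'c.user@partner.example'; AcceptedAs = ''; WhenCreated = '2015-12-03' }
)
$sample | Find-MismatchedExternalUser | Format-Table -AutoSize

# Against a live tenant, after Connect-SPOService:
# Get-AllExternalUser | Find-MismatchedExternalUser | Export-Csv .\mismatched-external-users.csv -NoTypeInformation
```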