According to official documentation from Microsoft, external users in Office365 tenants are not supposed to be able to edit their own profiles (and pictures). With just a flip of a few administrative levers however, you can enable profiles for your external users.
Overview
In Office365/SharePoint Online, you can use the External Sharing feature to invite external users to access your SharePoint Online sites and collaborate. If you don’t know what an external user is, or what differences exist between external and normal fully licensed users, the official documentation can be found here on the Office365 site. From the documentation, the following paragraph describes what external users are not allowed to do:
What can’t an external user do?
- External users cannot create their own personal sites (what used to be referred to as My Sites). This means that they do not have their own SkyDrive Pro document library.
- External users cannot see the company-wide newsfeed. They also cannot edit their own profile, change their photo, or see aggregated tasks.
- External users do not add quota to the overall tenant storage pool (this is determined by licensed users only).
- External users cannot be an administrator for a site collection. However, you can designate an external user as a designer for your Public Website. This restriction also does not apply to scenarios where you have hired a partner to help you manage Office 365.
- By default, external users cannot access the Search Center and will not be able to execute searches against “everything.”
I’ve highlighted the line that talks about User Profile support, and the inability to edit profiles or change profile pictures. This post will explain a simple way to make that possible.
Whether this is supported by Microsoft or in violation of their licensing remains to be seen, so if you try this on your own tenant, you do so at your own risk.
The External User Series:
- Profile and Pictures for External Users (this post)
- Audiences for External Users
- Adding Social capabilities for external users
Benefits of Profiles for External Users
Why would you want to have User Profiles for external users anyway? Well, there are several places where having a fully filled-out profile would be beneficial. For example, if an external user is part of a Team Site, and that site uses the Site Feed (microblog), then posts from that user will not show up with a profile picture.
Notice that external users (top post) will not have profile pictures, while others will.
A similar experience with pictures exists for Discussion Boards on Community Sites, or in People Search results (external users do show up in People Search). No problem, because an admin can set a user’s profile picture, right? Sadly, no.
Without a fully filled-out User Profile, People Search results for external users are also pretty lame.
What is the Default Profile Experience for External Users?
When external users log in, they do not see the About Me option in the Welcome menu like a normal user, instead they see the My Settings menu item.
External users see My Settings instead of About Me.
When clicked, this takes the external user to a simplified profile, where they can view the profile details (and are also mistakenly mislead to believe they can edit them too).
The Simple Profile for external users.
So… what the heck is this other profile? It’s a legacy from SharePoint Foundation/Windows SharePoint Services. On those simplified, free SharePoint versions, there isn’t access to the User Profile Store, which is a database that stores rich information for users, often synced from Active Directory, and accessed across all site collections in a farm. That is only available in the SharePoint Server versions of the on-premises products. In order to still have a way to manage user details and pictures, SharePoint Foundation has a list at the root web of every Site Collection called the User Information List to store a limited set of information about users. This has been written about since early versions of SharePoint. When a user first visits a site collection, a record is automatically created for the user in the User Information List for that site collection. You can probably see that this might lead to inconsistent user information across different site collections. This also has some side effects of tanking performance when doing a large initial rollout, since all those first-time users need to be added to this list. Todd Carter has covered some strategies for dealing with this scenario.
In SharePoint Server versions (and in Office365 which is based on that), while this list is still used, access to this list and to these basic profiles is restricted, and instead users are typically redirected to the MySite Host to view and edit profiles from the User Profile Store. When you click on About Me from the Welcome menu, you don’t go to the simple profile, you go to the MySite Host and view the full profile. It’s also interesting to note that on SharePoint Server and Office365, a timer job exists that synchronizes some of the information from the User Profile Store down into the User Information List at each site collection.
When an external user first goes to your site after getting an invitation, a record in the User Information List is created for the user, and sparsely populated with a few fields of information that it gets from Windows Live (aka Microsoft Account) information, such as email address and Name. In the previous picture above, notice things like First name, Last name, Title, etc. are not filled out.
Also notice the Edit Item link. Remember when I said that users are mistakenly informed that they can edit their details? Well that button is it. It says Edit, but when clicked on, users can’t edit anything at all. Pretty bad UX to show something to a user that they can’t actually use.
No controls to edit the simple profile.
The reason that external users can’t edit their simple profile details is not really a function of them being some weird class of citizen, it is merely the fact that on SharePoint Server (which SharePoint Online is based on), the product prevents you from editing the data in the User Information List in the UI, since it wants (forces) you to work in the User Profile Store instead.
Setting Permissions to Edit Profiles
The behavior you see for external users is the same behavior you see in on-premises deployments of SharePoint Server, for users that are not granted rights in the User Profile Service Application to use profiles or social features. From Central Admin normally you see All Authenticated Users with the rights to Create Personal Sites and Edit Profiles.
In Office365 SharePoint Online, the default uses the Everyone except for external users identity to apply profile and social permissions to. Any tenant administrator, however, can change it to what you normally see in on-premises deployments. By adding back the All Authenticated User identity (or in the People Picker it’s called “Everyone”), and checking the middle box, you can grant the ability to view and edit User Profile information for everyone, including external users.
Granting permissions to Edit Profiles.
Once you enable this, you’ll see your external user’s Welcome menu change and show an About Me link instead (you might have to clear browser cache to see the changes).
My Settings changed to About Me.
If an external user clicks this link, he/she will be navigated to the MySite Host instead of the simple profile. Great huh?
Still need to enable sharing on the MySite Host.
Well, oops. The MySite Host Site Collection isn’t configured for External Sharing yet, so we need to enable that first in the Portal Admin.
Enable Sharing on the MySite Host.
Once you do that, external users can access their profiles!
An external user viewing his user profile.
Editing the profile.
Experiences and Side Effects
Ok, so we’ve enabled profiles, and now our external users can edit their details and upload pictures. Awesome! Now we should see updated profile information in Search (after the crawler has updated):
Updated People Search
Site Feeds should show profile pictures:
Profile pictures in a Site Feed.
And other users should be able to view the profiles for external users:
Viewing an external user’s profile.
So, what things don’t work with profiles and external users? From what I’ve been able to gather, here is a list of things to watch out for (if you find more, please leave a comment):
- Using the Search box for Everything, People, or Conversation scopes – That is easily fixed by enabling external sharing on the Search site collection, and adding the external users or the All Authenticated Users identity to the Search site collection’s Viewers group.
- External users viewing other people’s profiles – If an external user tries to view another user’s profile in the MySite Host (for example by clicking on a user’s name in a Site Feed post), the external user will receive a 403 forbidden error.
- Mentioning an External User – If someone @mentions an external user in a Personal Newsfeed, the external user will receive an email about the mention, with a link to the conversation. If the external user clicks on the username of the mentioner, they will receive a 403 forbidden error (see #2 above). If they click on the link to view the conversation, they will receive an odd message that the conversation may have been deleted. Note that if you mention an external user from a Site Feed (not the personal Newsfeed), the link to the conversation will work just fine.
The mention email
- Error with conversation view.
- Following an External User – If someone Follows an external user, the external user will receive an email about the follow. If the external user clicks the link to Follow that person back, he/she will receive a 403 forbidden error.
The Follow Email.
Conclusion
With a few simple administrative changes, you can enable profiles and profile picture editing for external users in Office365/SharePoint Online. This can more closely integrate your external users with your sites. Whether this is supported by Microsoft, or in direct violation of any licensing is completely unclear at this point. And it is something that I hope Microsoft can provide some clarification on (or decide to support and fix some of the UX side effects and quirks!).
Hi, Adam. Thank you for posting this. I have followed all of the steps, made sure to clear my cache, and have tried various permission levels but am not having any luck getting my test external user account to have the “About Me” option become available. Do you have any troubleshooting suggestions? Could you provide the specific, minimum permissions required for this to work? Thank you.
Hi Amin,
What type of subscription do you have? O365 E1?
If you go to the User Profile Application in Tenant Administration, and search profiles for “live.com”, does your external user have a User Profile?
What level of permissions does your external user have to the site collection you are trying this from? read only?
Hi Adam,
Q1: What type of subscription do you have? O365 E1?
A1: O365E1 and O365E3. What version were you using for the steps above?
Q2: If you go to the User Profile Application in Tenant Administration, and search profiles for “live.com”, does your external user have a User Profile?
A2: Yes.
Q3: What level of permissions does your external user have to the site collection you are trying this from? read only?
A3: I tried various permission levels. Currently the test user account has contributor, limited access as the primary permission for the sub-site and then I am using page/app restrictions to further limit unwanted activity.
Hi Amin, have you tried checking the permission for Tags and Notes in the User Profile Application? I’ve found that sometimes that is required to get the About Me link to show up.
Hi Adam,
Has Microsoft provided any info about this with regards to support/licensing for these kinds of changes?
Thanks!
Hi Jim,
No. Obviously Microsoft has holes they haven’t filled yet with SharePoint Online, but for them to leave those gaping holes and then tell us we are unsupported when making simple changes in Tenant Administration would be rather ridiculous.
If you leave it open and accessible, then you should support it IMO.
The ability to activate the publishing features (via the OM) on the public facing SPO site is one example of the chaos that ensues when Microsoft doesn’t fill these holes. Remember that whole discussion that needed clarification?
http://community.office365.com/en-us/forums/154/t/8015.aspx
I’m hoping by putting these approaches out there that we will all get some clarification regarding external users and how far you can take them.
Adam, good stuff. Thx. Is there a way to see last time external user accessed the environment? I see these external profiles laying around and hard to manage over time. When you delete the external users, do the profiles eventually go away in a clean up process?
Also, what code did you use to overlay the “EXT” on the user profile pic? that is slick too!
I know this is an old thread but I’m hoping you can still help? The steps above aren’t working for me and I think it might have something to do with the fact that no user profiles are being created not even for internal members? If i try to add an internal users it gives me an error saying it already exists but when I try to add an external one it says the name can’t be found.
I’m using an E1 subscription. The site collection itself as everyone at Contribution but the Page itself is Read Only.
Terrific! Keep it up. 😀
Hello! I just would like to give a huge thumbs up for the nice information you
‘ Sun shades are an complete must on the seashore because they assist to shield the eye from physical hazards like sand grains, dirt, or bugs.
Acquiring a design and style thats right for you is dependent
on what action you will be performing when putting on the sunglasses.
com promo codes to take pleasure in further bargains on prime of the
terrific costs Sunglass Hut currently has online. Name-manufacturer sun shades
are more possible to be at ease as very well.
The identical classy men and women also has to be capable of seeing.
Review my site women sunglasses; briefingwire.com,
My spouse and I absolutely love your blog aand
find the majority of your post’s to be exactly I’m looking for.
Does one offver guest writers to write content in your
case? I wouldn’t mind ceating a post or elaborating on a number of the subjects you write with regards to here.
Again, awesome site!
Thanks for the good writeup. It if truth be told was once a leisure account it.
Look advanced to more added agreeable from you! However, how can we
keep up a correspondence?
Hi there! I’m at work surfing round your blog from my new
iphone 3gs! Just wanted to say I love reading your
blog and look forward to all your posts! Carry on the outstanding work!
my bkog – melhores perfumes femininos [Malissa]
Here is a list of dog friendly restauhrants in sunny
San Diego and iits surrounding areas, keep in mind that dogs should always be
leashed, well mannered, andd under the control of their owner at all times.
Moreover, good boarding kennels in Manitoba are run by people
who are passionate about animals and treat thbem
with kindness, compassion and love. ve got for a loing walk in a country par on a sunny summer afternoon, get
back to the car and can.
Thanks for sharing your thoughts oon SharePoint.
Regards