According to official documentation from Microsoft, external users in Office365 tenants are not supposed to be able to edit their own profiles (and pictures). With just a flip of a few administrative levers, however, you can enable profiles for your external users.
In Office365/SharePoint Online, you can use the External Sharing feature to invite external users to access your SharePoint Online sites and collaborate. If you don’t know what an external user is, or what differences exist between external and normal fully licensed users, the official documentation can be found here on the Office365 site. From the documentation, the following paragraph describes what external users are not allowed to do:
What can’t an external user do?
- External users cannot create their own personal sites (what used to be referred to as My Sites). This means that they do not have their own SkyDrive Pro document library.
- External users cannot see the company-wide newsfeed. They also cannot edit their own profile, change their photo, or see aggregated tasks.
- External users do not add quota to the overall tenant storage pool (this is determined by licensed users only).
- External users cannot be an administrator for a site collection. However, you can designate an external user as a designer for your Public Website. This restriction also does not apply to scenarios where you have hired a partner to help you manage Office 365.
- By default, external users cannot access the Search Center and will not be able to execute searches against “everything.”
I’ve highlighted the line that talks about User Profile support, and the inability to edit profiles or change profile pictures. This post will explain a simple way to make that possible.
Whether this is supported by Microsoft or in violation of their licensing remains to be seen, so if you try this on your own tenant, you do so at your own risk.
The External User Series:
- Profile and Pictures for External Users (this post)
- Audiences for External Users
- Adding Social capabilities for external users
Benefits of Profiles for External Users
Why would you want to have User Profiles for external users anyway? Well, there are several places where having a fully filled-out profile would be beneficial. For example, if an external user is part of a Team Site, and that site uses the Site Feed (microblog), then posts from that user will not show up with a profile picture.
A similar experience with pictures exists for Discussion Boards on Community Sites, or in People Search results (external users do show up in People Search). No problem, because an admin can set a user’s profile picture, right? Sadly, no.
Without a fully filled-out User Profile, People Search results for external users are also pretty lame.
What is the Default Profile Experience for External Users?
When external users log in, they do not see the About Me option in the Welcome menu like a normal user. Instead, they see the My Settings menu item.
When clicked, this takes the external user to a simplified profile, where they can view the profile details (and are also misled into believing they can edit them too).
So… what the heck is this other profile? It’s a legacy from SharePoint Foundation/Windows SharePoint Services. On those simplified, free SharePoint versions, there isn’t access to the User Profile Store, which is a database that stores rich information for users, often synced from Active Directory, and accessed across all site collections in a farm. That is only available in the SharePoint Server versions of the on-premises products. In order to still have a way to manage user details and pictures, SharePoint Foundation has a list at the root web of every Site Collection called the User Information List to store a limited set of information about users. This has been written about since early versions of SharePoint. When a user first visits a site collection, a record is automatically created for the user in the User Information List for that site collection. You can probably see that this might lead to inconsistent user information across different site collections. This also has some side effects of tanking performance when doing a large initial rollout, since all those first-time users need to be added to this list. Todd Carter has covered some strategies for dealing with this scenario.
In SharePoint Server versions (and in Office365 which is based on that), while this list is still used, access to this list and to these basic profiles is restricted, and instead users are typically redirected to the MySite Host to view and edit profiles from the User Profile Store. When you click on About Me from the Welcome menu, you don’t go to the simple profile, you go to the MySite Host and view the full profile. It’s also interesting to note that on SharePoint Server and Office365, a timer job exists that synchronizes some of the information from the User Profile Store down into the User Information List at each site collection.
When an external user first goes to your site after getting an invitation, a record in the User Information List is created for the user, and sparsely populated with a few fields of information that it gets from Windows Live (aka Microsoft Account) information, such as email address and Name. In the previous picture above, notice things like First name, Last name, Title, etc. are not filled out.
Also notice the Edit Item link. Remember when I said that users are mistakenly informed that they can edit their details? Well that button is it. It says Edit, but when clicked on, users can’t edit anything at all. Pretty bad UX to show something to a user that they can’t actually use.
The reason that external users can’t edit their simple profile details is not really a function of them being some weird class of citizen, it is merely the fact that on SharePoint Server (which SharePoint Online is based on), the product prevents you from editing the data in the User Information List in the UI, since it wants (forces) you to work in the User Profile Store instead.
Setting Permissions to Edit Profiles
The behavior you see for external users is the same behavior you see in on-premises deployments of SharePoint Server, for users that are not granted rights in the User Profile Service Application to use profiles or social features. From Central Admin normally you see All Authenticated Users with the rights to Create Personal Sites and Edit Profiles.
In Office365 SharePoint Online, profile and social permissions are applied by default to the Everyone except for external users identity. Any tenant administrator, however, can change this to what you normally see in on-premises deployments. By adding back the All Authenticated Users identity (in the People Picker it’s called “Everyone”) and checking the middle box, you can grant the ability to view and edit User Profile information to everyone, including external users.
Once you enable this, you’ll see your external user’s Welcome menu change and show an About Me link instead (you might have to clear browser cache to see the changes).
If an external user clicks this link, he/she will be navigated to the MySite Host instead of the simple profile. Great huh?
Well, oops. The MySite Host Site Collection isn’t configured for External Sharing yet, so we need to enable that first in the Portal Admin.
Once you do that, external users can access their profiles!
Experiences and Side Effects
Ok, so we’ve enabled profiles, and now our external users can edit their details and upload pictures. Awesome! Now we should see updated profile information in Search (after the crawler has updated):
Site Feeds should show profile pictures:
And other users should be able to view the profiles for external users:
So, what things don’t work with profiles and external users? From what I’ve been able to gather, here is a list of things to watch out for (if you find more, please leave a comment):
- Using the Search box for Everything, People, or Conversation scopes – That is easily fixed by enabling external sharing on the Search site collection, and adding the external users or the All Authenticated Users identity to the Search site collection’s Viewers group.
- External users viewing other people’s profiles – If an external user tries to view another user’s profile in the MySite Host (for example by clicking on a user’s name in a Site Feed post), the external user will receive a 403 forbidden error.
- Mentioning an External User – If someone @mentions an external user in a Personal Newsfeed, the external user will receive an email about the mention, with a link to the conversation. If the external user clicks on the username of the mentioner, they will receive a 403 forbidden error (see the previous item). If they click on the link to view the conversation, they will receive an odd message that the conversation may have been deleted. Note that if you mention an external user from a Site Feed (not the personal Newsfeed), the link to the conversation will work just fine.
- Following an External User – If someone Follows an external user, the external user will receive an email about the follow. If the external user clicks the link to Follow that person back, he/she will receive a 403 forbidden error.
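The changes above open the MySite Host and, optionally, the Search site collection to external sharing. The following audit script is an added example, not part of the original post: it reports the sharing state of those two site collections and lists the external users who can now reach them. It assumes the SharePoint Online Management Shell is installed; the tenant name `contoso` and the two URLs built from it are placeholders.

```powershell
# Added example: audit the external-sharing state changed in this post.
# Assumption: 'contoso' is a placeholder tenant name; replace it with your own.
$tenant = 'contoso'
Connect-SPOService -Url "https://${tenant}-admin.sharepoint.com"

# Site collections this post opens to external users (URLs are assumptions
# based on the usual tenant naming; adjust to match your tenant).
$targets = @(
    "https://${tenant}-my.sharepoint.com",      # MySite Host
    "https://${tenant}.sharepoint.com/search"   # Search site collection
)

# Report whether external sharing is enabled on each target.
$report = foreach ($url in $targets) {
    $site = Get-SPOSite -Identity $url
    [pscustomobject]@{
        Url               = $site.Url
        SharingCapability = $site.SharingCapability
        ExternalSharingOn = ($site.SharingCapability -ne 'Disabled')
    }
}
$report | Format-Table -AutoSize

# Enumerate external users in the tenant. Get-SPOExternalUser returns at most
# 50 records per call, so page through the results with -Position.
$position = 0
$external = @()
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize 50)
    $external += $page
    $position += 50
} while ($page.Count -eq 50)

# Review who was invited, by whom, and when.
$external |
    Sort-Object WhenCreated |
    Select-Object DisplayName, Email, AcceptedAs, InvitedBy, WhenCreated |
    Format-Table -AutoSize
```

Running this before and after the change gives a record of which site collections were opened and which external accounts gained profile access as a result.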
With a few simple administrative changes, you can enable profiles and profile picture editing for external users in Office365/SharePoint Online. This can more closely integrate your external users with your sites. Whether this is supported by Microsoft, or in direct violation of any licensing, is completely unclear at this point, and it is something that I hope Microsoft can provide some clarification on (or decide to support and fix some of the UX side effects and quirks!).