This article is intended for Microsoft 365 and SharePoint administrators on the client side. It explains how to grant a guest user access to SharePoint content (pages, news, documents) displayed in Jint Mobile.
📋 Prerequisite: the guest must already exist in Entra ID. If not, start with the article Create and Activate a Guest User in Entra ID.
In this article
- SharePoint Guest Access: Basic Principles
- Granularity Levels, from Broadest to Most Specific
- Level 1: Enable External Sharing for the Organization
- Level 2: Configure External Sharing for the Site
- Level 3: Assign Rights to the Guest
- Best Practices for a Jint Mobile Intranet
- Verification and Auditing
SharePoint Guest Access: Basic Principles
Creating a guest in Entra ID gives them an identity, not permissions. That’s why a properly created guest might encounter a blank page or an “access denied” message: their identity exists, but no resource has yet been shared with them.
For a guest to view SharePoint content, they must pass through two gates:
- Enable external sharing: this setting is applied at two levels, the organization (tenant) and then the site. It acts as the main switch.
- Assign permissions: then you grant the guest actual access, either at the site level or for a specific resource (library, folder, file).
Gate 1 alone is never enough: enabling external sharing opens nothing; it only makes permission assignment possible.
📖 Microsoft Learn: Overview of External Sharing
⚠️ Note (in progress in 2026). Microsoft is moving SharePoint external sharing to Entra B2B: guests are now created and managed as true guest accounts in the directory, and the old SharePoint code-based authentication (SPO OTP) is being retired (deployment starting May 2026, ending August 31, 2026). Practical consequence: ensure your guests have an Entra B2B guest account (see article #1); otherwise, they may face “access denied” on legacy shares. Microsoft FAQ · SharePoint / Entra B2B Integration
Granularity Levels, from Broadest to Most Specific
| Level | Where It’s Set | What It Controls |
|---|---|---|
| 1. Organization (tenant) | SharePoint Admin Center > Sharing | Is external sharing allowed, and to what extent? |
| 2. Site | Active Sites > the site > Sharing | External sharing for this site (never more permissive than the tenant) |
| 3a. Site (permissions) | The site > Permissions / Share site | Which guest can access the site and at what level (Read, Edit, Full Control) |
| 3b. Resource (permissions) | Library, folder, or file | Access to a specific item via a sharing link |
Golden rule: between two levels, the more restrictive one always prevails. A site can never be more open than the tenant. And if the Entra external collaboration settings are more restrictive, those take precedence.
Level 1: Enable External Sharing for the Organization
This is the main switch. As long as it is off, no site can share externally.
- Go to the SharePoint admin center > Sharing.
- Under External sharing, select the sharing level for SharePoint:
  - Anyone: anonymous links, no sign-in required. Avoid this for an intranet: no identity, no audit possible.
  - New and existing guests (recommended as baseline): the guest must authenticate; if they don’t exist yet, they are automatically created as a guest.
  - Existing guests: only guests already in Entra ID can be granted access (each new partner must first be created by an admin).
  - People in your organization only: external sharing disabled.
- Save.
💡 The OneDrive setting can be more restrictive than SharePoint’s, never more permissive.
📖 Manage sharing settings (organization level)
To limit which internal users can share externally, you can restrict by security group or domain: by security group · by domain
Level 2: Configure External Sharing for the Site
Once the tenant is open, each site has its own setting, which can only be more restrictive than the organization’s. Sharing must be enabled on the specific site hosting your intranet content.
- SharePoint admin center > Active sites > select the site.
- Settings tab > More sharing settings.
- Choose the external sharing level for the site (available options depend on the organization’s setting).
- (optional) configure guest access expiration specific to this site, or restrict by domain.
- Save.
🔒 Best practice: store confidential content on a site with external sharing disabled, and reserve dedicated sites for what guests should see.
📖 Change site sharing settings
Level 3: Assign Rights to the Guest
Levels 1 and 2 have made sharing possible. Now you must grant actual access. There are two approaches, depending on the desired granularity.
3a. At the Site Level (recommended for an intranet)
For an intranet consumed in Jint Mobile, this is the preferred approach: the guest accesses the entire site at once, cleanly. Permissions are managed through the site’s permission groups:
| SharePoint Group | Permission Level | Typical Use |
|---|---|---|
| Visitors | Read | Standard case for field workers: view news, pages, documents |
| Members | Edit | The guest needs to contribute as well (rare for a guest) |
| Owners | Full Control | Should not be given to a guest |
In the vast majority of cases, a field collaborator only needs to read the intranet: add them to the Visitors group.
⚠️ Granting access to a site, group, or team gives access to all site content. For more targeted access, use the resource level (below).
3b. At the Specific Resource Level (library, folder, file)
To open only one item, share it directly via a sharing link. Three types of links exist:
- Specific people (recommended): works only for guests you explicitly designate. This is the safest and only finely auditable option.
- People in your organization: does not work for guests.
- Anyone: anonymous link, no sign-in required. Not recommended for an intranet (no identity, no audit).
Sharing a library or folder breaks the site’s permission inheritance and creates unique permissions for that item, which complicates tracking. Reserve this for cases where it’s truly necessary.
📖 Sharing and permissions in the modern experience (groups, link types, item-level)
Best Practices for a Jint Mobile Intranet
- Site → Visitors → Read is the default pattern for field workers. Simple, clean, sufficient.
- Avoid “Anyone” links: without identity or audit, they are incompatible with an intranet and with audience-targeted content in Jint Mobile.
- Prefer site-level over file-by-file: clearer and necessary for consistent access within the app.
- Set guest access expiration to avoid dormant access.
- Test on a single guest before mass deployment.
Verification and Auditing
- On an item or site, the Manage Access pane lists who has access and at what level.
- At the site level, the external sharing report lists guests and helps identify those who do not yet have an Entra B2B account.
- To remove access: delete the guest’s permissions on the resource or delete the guest from Entra ID. Access removal takes effect in about an hour.
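The golden rule and the group recommendations above can be checked together in a small audit function. This is an added example, not Jint or Microsoft code. The function name `Get-GuestAccessFinding`, the site URLs and the guest accounts are assumptions constructed for illustration; the `SharingCapability` value names are the ones SharePoint Online PowerShell reports.

```powershell
# Added example, not Jint or Microsoft code. Sample data below is constructed.
# SharingCapability values as reported by Get-SPOTenant / Get-SPOSite,
# ranked from most to least restrictive.
$Rank = @{
    Disabled                        = 0   # People in your organization only
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

function Get-GuestAccessFinding {   # hypothetical helper name
    param([Parameter(Mandatory)] [string]   $TenantCapability,
          [Parameter(Mandatory)] [object[]] $Site)
    foreach ($s in $Site) {
        # Golden rule: the more restrictive of tenant and site prevails.
        $effective = if ($Rank[$s.SharingCapability] -lt $Rank[$TenantCapability]) {
            $s.SharingCapability } else { $TenantCapability }
        $issues = @()
        if ($effective -eq 'ExternalUserAndGuestSharing') {
            $issues += 'Anyone links allowed: no identity, no audit'
        }
        foreach ($g in $s.Guests) {
            if ($effective -eq 'Disabled') {
                $issues += "$($g.LoginName): listed on the site but external sharing is off"
            }
            elseif ($g.Groups -match 'Owners$') {
                $issues += "$($g.LoginName): guest in Owners (Full Control)"
            }
            elseif ($g.Groups -match 'Members$') {
                $issues += "$($g.LoginName): guest in Members (Edit), confirm it is needed"
            }
        }
        [pscustomobject]@{ Url = $s.Url; Effective = $effective; Issues = $issues }
    }
}

# Constructed inventory; in a live tenant the same fields come from
# Get-SPOTenant, Get-SPOSite and Get-SPOUser.
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/intranet'
        SharingCapability = 'ExternalUserAndGuestSharing'
        Guests = @([pscustomobject]@{ LoginName = 'ana_partner.example#ext#@contoso.onmicrosoft.com'; Groups = @('Intranet Visitors') }) },
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'
        SharingCapability = 'Disabled'
        Guests = @([pscustomobject]@{ LoginName = 'bob_partner.example#ext#@contoso.onmicrosoft.com'; Groups = @('HR Owners') }) }
)
Get-GuestAccessFinding -TenantCapability 'ExternalUserSharingOnly' -Site $sites |
    Format-List
```

With the tenant set to New and existing guests, the first site's Anyone setting is capped at the tenant level, and the second site reports a guest who holds permissions on a site where external sharing is disabled.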