Plan: Not Available: Intermediate; Available: Pro or Elite
Users: Not Available: All users; Available: FYI Admins or User Group permissions
Practice Management Source: Available: All sources
Microsoft 365 provides authentication and management of guests accessing your Client Collaborate and Client Secured Collaborate sites.
To ensure New Collaborate functions correctly, the Microsoft settings must be configured as per the article below.
You must be logged in as the Microsoft 365 Administrator User.
Microsoft Entra Admin Centre
- Go to the Microsoft Entra Admin Centre https://entra.microsoft.com and log in as the Microsoft 365 Administrator.
- From the menu on the left, click the External Identities dropdown and select External collaboration settings.
- In the Guest user access section, ensure that, as a minimum, the following option has been selected:
Guest user access is restricted to properties and memberships of their own directory objects (most restricted).
This configuration restricts guest users to viewing only their personal information, preventing them from accessing or browsing the full list of members in groups such as "All Users".
- In the Guest invite settings section, ensure that, as a minimum, the following option has been selected:
Member users and users assigned to specific admin roles can invite guest users including guests with member permissions. This is the default Microsoft setting.
To restrict the ability for users to share directly from the SharePoint Collaborate site, we recommend updating this directly within the site once you have completed the New Collaborate configuration wizard. If also creating a Client Secured Collaborate site, this should be completed for each additional site. Refer to How to restrict the ability for internal users to invite guests to SharePoint.
- Scroll down to the Collaboration restrictions section.
- Select "Allow invitations to be sent to any domain (most inclusive)". This is the default Microsoft setting.
One-Time Passcode enables guest users to use a one-time passcode to authenticate their accounts.
If this option is not enabled, users will be required to create a Microsoft Account to access the New Collaborate site.
If your practice has additional Multi-Factor Authentication (MFA) settings in place, the client will be asked to keep their account secure by setting up an Authenticator app. If the client already uses MFA on their email account, they may be prompted to authenticate twice. Refer to Step 5 - Review the Multi-Factor Authentication (MFA) Setup below.
- Open Microsoft Entra Admin Centre - https://entra.microsoft.com/ and log in as the Microsoft 365 Administrator.
- From the menu on the left-hand side, in the External Identities section, select All identity providers.
- Select Email one-time passcode and change the toggle for Email one-time passcode for guests to Yes. This is the default Microsoft setting.
If this setting is not configured, New Collaborate will not be able to delete the guest user from Entra automatically when removing users from the Sharing Settings in FYI, or unsharing a document.
As an alternative, users can be removed manually and periodically by the Microsoft 365 Administrator.
Important Note: To rename or remove Display Names in Sharing settings, users must have the User Administrator Role assigned. Without this role, any attempt to update a Display Name will result in an error message "Failed to update display name" in Sharing Settings.
To assign the User Administrator role:
- Open Microsoft Entra Admin Centre and log in as the Microsoft 365 Administrator.
- From the menu on the left-hand side, in the Users section, select All Users.
- Locate the Practice OneDrive Admin User Account and click the name to open the user properties.
- On the User menu on the left-hand side, in the Manage section, click Assigned roles.
- Click + Add Assignments.
- Tick the User Administrator role.
- Click Add.
- The next time you load the Assigned Roles page, the User Administrator role will be displayed for the user.
When clients are added to a New Collaborate site, they'll be prompted to accept the permissions requested by your practice.
If your practice has not added privacy information to Microsoft Entra, the permissions will display "(Practice) has not provided links to their terms for you to review."
To create a Privacy Policy, refer to the Microsoft article Add your organization's privacy information to Microsoft Entra.
Some practices may choose to enable Multi-Factor Authentication (MFA) for clients/guest users. Enabling MFA adds an extra layer of security, helping protect sensitive client data from unauthorised access, even if a password gets compromised. MFA is enabled by default if the practice is using MFA for internal users. Refer to the Microsoft Tutorial Enforce multifactor authentication for B2B guest users.
By default, guests logging in to New Collaborate with a Microsoft email (like Hotmail or Outlook) will be prompted to authenticate twice: once for their email and once to meet the practice’s MFA requirements. To avoid this, practices can configure a Conditional Access Policy on Microsoft Entra to share MFA resources from the guest user's tenant, meaning they won't be prompted to sign in using MFA twice. For details on this process, refer to the Microsoft article Authentication and Conditional Access for External ID.
Note: If the one-time code with MFA has been enabled, users will still be required to complete the authentication process.
To disable MFA for guest users, while retaining MFA security for the practice, refer to How can I Disable Guest User Multi-Factor Authentication (MFA)?
Microsoft 365 Admin Centre
- Open Microsoft 365 Admin Center and log in as the Microsoft 365 Administrator.
- From the menu on the left-hand side, locate the Admin Centers section and select SharePoint (you may need to first click Show All).
- From the menu on the left-hand side, select Policies, then select Sharing.
- In the External Sharing section, configure the settings as follows:
| | Field | Details |
| 1 | Content can be shared with | Set to "New and existing guests" (minimum required). |
| 2 | Limit external sharing by domain | Unticked |
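The Entra guest access, guest invite and email one-time passcode settings, and the SharePoint external sharing settings in the table above, can be checked from an export instead of by eye. The following is an added example, not FYI or Microsoft code: it assumes the values were read from the Microsoft Graph v1.0 resources `authorizationPolicy`, the email `authenticationMethodConfiguration` and `sharepointSettings`; the section keys and both sample snapshots are constructed for illustration.

```python
# Added example: compare an exported settings snapshot with this article's baseline.
# Property names/values are Microsoft Graph v1.0; section keys and samples are constructed.
RESTRICTED_GUEST = "2af84b1e-32c8-42b7-82bc-daa82404023b"  # "most restricted" guest role
LIMITED_GUEST = "10dae51f-b6af-4016-8d66-8c2a99b929b3"     # limited access (less strict)

# (snapshot section, property, accepted values, portal label used in the article)
BASELINE = [
    ("authorizationPolicy", "guestUserRoleId", {RESTRICTED_GUEST},
     "Guest user access: most restricted"),
    ("authorizationPolicy", "allowInvitesFrom",
     {"adminsGuestInvitersAndAllMembers", "everyone"},
     "Guest invite settings: member users and admin roles can invite (minimum)"),
    # "default" is the Microsoft-managed state, treated here as on (assumption).
    ("emailOtp", "allowExternalIdToUseEmailOtp", {"enabled", "default"},
     "Email one-time passcode for guests: Yes"),
    ("sharepointSettings", "sharingCapability",
     {"externalUserSharingOnly", "externalUserAndGuestSharing"},
     "Content can be shared with: New and existing guests (minimum)"),
    ("sharepointSettings", "sharingDomainRestrictionMode", {"none"},
     "Limit external sharing by domain: unticked"),
]

def check_baseline(snapshot):
    """Return (label, actual) for every setting that deviates or is missing."""
    findings = []
    for section, prop, accepted, label in BASELINE:
        actual = snapshot.get(section, {}).get(prop)  # None when not exported
        allowed = {value.lower() for value in accepted}
        if actual is None or str(actual).lower() not in allowed:
            findings.append((label, actual))
    return findings

COMPLIANT = {  # constructed sample: matches the article
    "authorizationPolicy": {"guestUserRoleId": RESTRICTED_GUEST,
                            "allowInvitesFrom": "adminsGuestInvitersAndAllMembers"},
    "emailOtp": {"allowExternalIdToUseEmailOtp": "enabled"},
    "sharepointSettings": {"sharingCapability": "externalUserSharingOnly",
                           "sharingDomainRestrictionMode": "none"},
}
DRIFTED = {  # constructed sample: every setting off, one property not exported
    "authorizationPolicy": {"guestUserRoleId": LIMITED_GUEST,
                            "allowInvitesFrom": "adminsAndGuestInviters"},
    "emailOtp": {"allowExternalIdToUseEmailOtp": "disabled"},
    "sharepointSettings": {"sharingCapability": "existingExternalUserSharingOnly"},
}

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        for label, actual in check_baseline(snap):
            print(f"[{name}] {label}: found {actual!r}")
```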
Microsoft 365 offers the ability to expire guest user access after a specific period of time. This means the client or contact will be removed from the site, and not able to log in or access their documents.
This option must be disabled for New Collaborate. Otherwise, practices would need to regularly re-add clients and other contacts to the Sharing Settings in FYI, or re-share documents.
Guest User Expiry can be disabled at an organisation level, in which case the change applies to all SharePoint sites for the practice, including any other sites not used for New Collaborate.
If the practice requires Guest User Expiry, the option can be disabled for the New Collaborate site only, and the instructions below can be skipped. Proceed to the Microsoft Purview Portal section below. Once the New Collaborate site has been created, you will be prompted to disable Guest User Expiry if it has not been disabled at an organisation level.
To disable Guest User Expiry for the organisation:
- Log in to the Microsoft 365 Admin Center as the OneDrive Admin.
- On the menu on the left, click Show All.
- From the menu on the left-hand side, locate the Admin Centers section and select SharePoint (you may need to first click Show All).
- From the menu on the left-hand side, select Policies, then select Sharing.
- Click More external sharing settings.
- Untick the option Guest access to a site or OneDrive will expire automatically after this many days.
- Click Save.
Microsoft Purview Portal
Enabling Audit Logging ensures practices can easily trace and understand important events, like guest user access, to support smooth collaboration.
By default, Microsoft Purview Audit (Standard) is enabled automatically for all Microsoft 365 Tenants created after January 2019. To ensure it has been enabled for your account:
- Log in to the Microsoft Purview Portal.
Note: You may encounter a message about the Compliance Portal being retired. Click "Continue" to be redirected to the new portal.
- Click the Audit card on the home page. If not displayed, click View all solutions and click the Audit card.
- If auditing has not been enabled, a banner will be displayed. Click Start recording user and admin activity. It may take up to 24 hours for audit logs to become available.
Refer to the Microsoft article Turn auditing on or off.
Note: During the setup of a New Collaborate site, either the Client Collaborate or Client Secured site, you will also be prompted to enable Audit Reporting directly on the site.
Next Steps: To continue setting up New Collaborate, refer to Setting up Collaborate Email Templates.