New Collaborate Security Overview

Plan: Not Available: Intermediate; Available: Pro or Elite

Users: Not Available: All users; Available: FYI Admins or User Group permissions

Practice Management Source: Available: All sources

New Collaborate has been designed around the use of Microsoft's best practice recommendations for collaboration with external users.

Microsoft B2B Guest User Collaboration

New Collaborate requires Microsoft B2B Guest User Collaboration to be enabled, improving the way users access documents through the use of logins and identity authentication.

Previously, Legacy Collaborate used secure links and codes to access files. This same method was known to be used in phishing attacks. To protect users, ISPs and mail providers began inadvertently blocking legitimate links, making it harder for clients to be notified of documents shared with them.

Refer to Setting up Microsoft 365 for New Collaborate.

Creating New Users

Guest User

When a client is invited to use Collaborate via Sharing Settings, or by sharing a document, FYI will create the client as a Guest User in Microsoft 365, providing greater control and visibility over your external guests.

Guest users are not granted access to any internal systems unless explicitly invited as per Microsoft's B2B Collaboration guidelines.

To remove a guest user's access, staff can delete the client from the Sharing Settings in FYI on the client's Collaborate tab. Alternatively, IT Admins can remove the guest user from the practice's Microsoft 365. Refer to Removing Access to the Shared Folders.

Internal Users

For practices using the default Client Collaborate site, FYI will determine whether a user is an internal user by performing the following checks:

  • Whether the user's email address matches the domain for the OneDrive Admin account. For example, if the OneDrive Admin email address is "admin@mypractice.com", any user with the email domain "mypractice.com" added to New Collaborate would be considered an internal user.

  • The user's Type on Microsoft Entra. Users with the Type of "Member" within the practice's Microsoft tenant will be considered internal users.

Internal User access to New Collaborate is controlled through the selected Microsoft Group in the New Collaborate App settings in FYI, and not through the Sharing Settings on the client.
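
The two checks above, sketched as a review script over a directory export. This is an added example, not FYI's code. The field names follow the Microsoft Graph user properties mail and userType; the sample records, the case-insensitive exact domain match and treating either check as sufficient are assumptions.

```python
# Added example: models the two "internal user" checks described above.
# Assumptions: either check alone marks a user as internal, and the domain
# comparison is an exact, case-insensitive match.

def email_domain(address):
    """Return the lower-cased domain of an email address, or None."""
    if not address or address.count("@") != 1:
        return None
    local, domain = address.strip().split("@")
    return domain.lower() if local and domain else None

def classify(user, onedrive_admin_email):
    """Classify one directory record as 'internal' or 'guest', with reasons."""
    practice_domain = email_domain(onedrive_admin_email)
    reasons = []
    # Check 1: email domain matches the OneDrive Admin account's domain.
    if practice_domain and email_domain(user.get("mail")) == practice_domain:
        reasons.append("domain")
    # Check 2: the Type recorded in Microsoft Entra is "Member".
    if (user.get("userType") or "").lower() == "member":
        reasons.append("member")
    return ("internal" if reasons else "guest"), reasons

def review_list(users, onedrive_admin_email):
    """Return internal users for whom only one of the two checks matched."""
    flagged = []
    for u in users:
        verdict, reasons = classify(u, onedrive_admin_email)
        if verdict == "internal" and len(reasons) == 1:
            flagged.append((u.get("mail"), reasons[0]))
    return flagged

# Constructed sample directory export (not real accounts).
SAMPLE = [
    {"mail": "sam@mypractice.com", "userType": "Member"},
    {"mail": "Contractor@MyPractice.com", "userType": "Guest"},
    {"mail": "pat@client.example", "userType": "Guest"},
    {"mail": "it@practice-it.example", "userType": "Member"},
    {"mail": "eve@mypractice.com.example", "userType": "Guest"},
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(u["mail"], classify(u, "admin@mypractice.com"))
    print(review_list(SAMPLE, "admin@mypractice.com"))
```

Records returned by review_list are the ones to look at by hand: an account with the practice's email domain but the Type "Guest" has its access governed by the selected Microsoft Group rather than by Sharing Settings.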

When creating a Client Secured Collaborate site, the option "Users with secure client permission" is selected by default as the Microsoft Group. This is not a Microsoft Group, but rather enables the Client Security function in FYI to manage which internal users are added and removed as a site member. Only users added to the Security tab in the Client workspace will have access to the Client Secured Collaborate site.

If a different Microsoft Group is selected, the practice will need to manage which members are added and removed from the group in SharePoint. Client Security cannot be used to manage users for groups other than "Users with secure client permission".

Login Experience

With Guest Users enabled, clients will be prompted to log in with an email and password of their choosing.

If the client has a Microsoft account (for example, an outlook.com email address, or an email account hosted on Microsoft servers), they can use the same details to log into the Collaborate site. 

If the practice has enabled identity authentication using Google Federation or Facebook, the client will be able to log in using those account details. 

Otherwise, clients will be prompted to create a password specific to that practice's Microsoft 365. 

Using these login methods also allows practices to enforce Multi-Factor Authentication, and provides a greater level of visibility and control over the guest user account.

Refer to Login Experience for Clients using New Collaborate.

SharePoint Configuration

FYI Access

New Collaborate sites utilise Microsoft SharePoint to offer an interactive client portal and document-sharing site.

To create and manage a new SharePoint site and guest users, FYI requires full access permissions. Refer to New Collaborate Technical Integration Overview.

SharePoint Site

When configuring the Collaborate Settings, the FYI Admin will be prompted to create or select a SharePoint site. Refer to the articles in the section Setting up New Collaborate.

For practices with an existing SharePoint site used for external purposes, we strongly recommend creating a new SharePoint site exclusively for New Collaborate. Using an existing site may prevent core New Collaborate functionality from working. Where an existing SharePoint site is selected, the configuration of the site and multiple document libraries may result in other folders being inadvertently exposed to guest users.

These settings are controlled by Microsoft and are outside FYI's control. Creating a new site ensures the site is configured to match FYI's security requirements and that the correct documents are available.

When multiple Document Libraries are detected, a warning will be displayed to the user within the FYI New Collaborate settings.

Permissions

There are 2 key areas where we apply permissions on a SharePoint site.

SharePoint Home Page:

  • All guest users are allocated to the Visitors SharePoint group, providing them with read-only access to the Home page.

  • When configuring the Collaborate settings in FYI, the FYI Admin is prompted to select a Microsoft Security Group. This group is added as a Member with read permissions, allowing internal practice users who are members of that security group to view the home page but not to make any changes.

  • The user in FYI set as the OneDrive admin will retain full access to the SharePoint site to make changes, for example, update the Home Page or make changes to the layout.

SharePoint Document Library:

  • When configuring the Collaborate settings in FYI for a Client Collaborate site, the FYI Admin is prompted to select a Microsoft Security Group. This group is set as a read-only group on the Document Library to allow internal staff to view all documents shared.

  • Read permissions are applied to each client folder for individual users who are added for that client via Sharing Settings in FYI. This prevents other clients from being able to see documents that they shouldn't have access to.

  • Edit permissions are applied to each client's Upload folder for the individual users added to that client via Sharing Settings in FYI. This allows those users to upload documents, which are automatically imported into FYI. Internal users in the Microsoft Group will only have read access to this folder.

The New Collaborate Status Check will review the permissions on the Document Library. If the Document Library is inheriting permissions from a parent, New Collaborate will update the Document Library to maintain unique permissions.
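
The permission model above can be written down as a table and compared with what is actually set on a site. The following is an added example, not FYI's Status Check or any FYI code. The row layout, the scope, kind and role labels, and the sample principals are constructed for illustration, and the read entry for the security group on client folders is inferred from its read access to the Document Library.

```python
# Added example, not FYI code. Row layout, scope/kind/role labels and the
# sample principals are constructed for illustration.

# Highest role each kind of principal should hold at each scope (from the page).
EXPECTED = {
    ("home_page", "guest"): "read",               # via the Visitors group
    ("home_page", "security_group"): "read",
    ("home_page", "onedrive_admin"): "full",
    ("library", "security_group"): "read",
    ("client_folder", "security_group"): "read",  # inferred from library read
    ("client_folder", "guest"): "read",
    ("upload_folder", "guest"): "edit",
    ("upload_folder", "security_group"): "read",
}
RANK = {"read": 1, "edit": 2, "full": 3}

def audit(rows, sharing, library_inherits):
    """Return findings; an empty list means the export matches the model."""
    findings = []
    if library_inherits:
        findings.append("library inherits permissions from its parent")
    for scope, client, principal, kind, role in rows:
        allowed = EXPECTED.get((scope, kind))
        if allowed is None:
            findings.append(f"{principal}: unexpected {role} on {scope}")
        elif RANK.get(role, 99) > RANK[allowed]:  # unknown roles rank highest
            findings.append(f"{principal}: {role} on {scope}, expected {allowed}")
        # A guest belongs only on folders of the client they were added to.
        if kind == "guest" and client and sharing.get(principal) != client:
            findings.append(f"{principal}: access to {client} {scope}")
    return findings

# Constructed Sharing Settings (guest -> client) and permission export.
SHARING = {"pat@client-a.example": "Client A", "lee@client-b.example": "Client B"}
ROWS = [
    ("home_page", None, "Visitors", "guest", "read"),
    ("library", None, "Collaborate Staff", "security_group", "read"),
    ("client_folder", "Client A", "pat@client-a.example", "guest", "read"),
    ("upload_folder", "Client A", "pat@client-a.example", "guest", "edit"),
    ("upload_folder", "Client A", "Collaborate Staff", "security_group", "edit"),
    ("client_folder", "Client A", "lee@client-b.example", "guest", "read"),
    ("client_folder", "Client B", "lee@client-b.example", "guest", "edit"),
]

if __name__ == "__main__":
    for finding in audit(ROWS, SHARING, library_inherits=False):
        print(finding)
```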

Administrator Access

The ability to make changes directly to the SharePoint site is restricted to SharePoint Administrators. This is different to the method used previously with OneDrive and secure links, where users were able to create folders, share documents, and edit permissions. 

Refer to Comparison between Legacy Collaborate and New Collaborate.

Sharing Documents without Client Folder Access

When a document is shared from FYI with a user who is not the primary contact for the client, and they haven't been added to Sharing Settings (to access the entire Client Folder on the Collaborate site):

  • The user will have read access to that document only.

  • The user is not granted any access to the client folders. This means the user can only access the document either through the attachment link sent when the document was shared or by using the Recent Documents preview on the SharePoint home page.

Note: Users added in Sharing Settings in FYI can also access this document (in addition to all other files in the Share Folder).
