New Collaborate has been designed around the use of Microsoft best practice recommendations for collaboration with external users.
Client Security to restrict staff from viewing specific client folders is not currently available with New Collaborate. Refer to Comparison between Legacy Collaborate and New Collaborate.
Microsoft B2B Guest User Collaboration
New Collaborate requires Microsoft B2B Guest User Collaboration to be enabled, improving the way users access documents through the use of logins and identity authentication.
Previously, Legacy Collaborate used secure links and codes to access files. This same method was known to be used in phishing attacks. To protect users, ISPs and mail providers began inadvertently blocking legitimate links, making it harder for clients to be notified of documents shared with them.
Refer to Setting up Microsoft 365 for New Collaborate.
Creating New Users
When a client is invited to use Collaborate via Sharing Settings, or by sharing a document, FYI will create the client as a Guest User in Microsoft 365, providing greater control and visibility over your external guests.
Guest users are not granted access to any internal systems unless explicitly invited as per Microsoft's B2B Collaboration guidelines.
To remove a guest user's access, staff can delete the client from the Sharing Settings in FYI on the client's Collaborate tab. Alternatively, IT Admins can remove the guest user from the practice's Microsoft 365. Refer to Removing Access to the Shared Folders.
Login Experience
With Guest Users enabled, clients will be prompted to log in with an email and password of their choosing.
If the client has a Microsoft account (for example, an outlook.com email address, or an email account hosted on Microsoft servers) they can use the same details to log into the Collaborate site.
If the practice has enabled identity authentication using Google Federation or Facebook, the client will be able to log in using those account details.
Otherwise, clients will be prompted to create a password specific to that practice's Microsoft 365.
Using these login methods also allows practices to enforce Multi-Factor Authentication, and provides a greater level of visibility and control over the guest user account.
Refer to Login Experience for Clients using New Collaborate.
SharePoint Configuration
FYI Access
New Collaborate sites utilise Microsoft SharePoint to offer an interactive client portal and document-sharing site.
To create and manage a new SharePoint site and guest users, FYI requires full access permissions.
SharePoint Site
When configuring the Collaborate Settings, the FYI Admin will be prompted to create or select a SharePoint site, as per these instructions: Set up and Create a New Collaborate Site (New Sites only) or Set up and Create a New Collaborate Site (Upgrade from Legacy Collaborate).
For practices with an existing SharePoint site used for external purposes, we strongly recommend creating a new SharePoint site exclusively for New Collaborate. Using an existing site that was not created specifically for New Collaborate may prevent core New Collaborate functionality from working. Where an existing SharePoint site is selected, the configuration of the site and multiple document libraries may result in other folders being inadvertently exposed to guest users.
These settings are controlled by Microsoft and are outside FYI's control. Creating a new site ensures that the site is configured to match FYI's security requirements and that the correct documents are available.
When multiple Document Libraries are detected, a warning will be displayed to the user within the FYI New Collaborate settings.
Permissions
There are 2 key areas where we apply permissions on a SharePoint site.
SharePoint Home Page:
- All guest users are allocated to the Visitors SharePoint group, providing them with read-only access to the Home page.
- When configuring the Collaborate settings in FYI, the FYI Admin is prompted to select a Microsoft Security Group. This group is added as a Member with read permissions, allowing internal practice users who are members of that security group to view the home page but not make any changes.
- The user in FYI set as the OneDrive admin will retain full access to the SharePoint site to make changes, for example, to update the Home Page or change the layout.
SharePoint Document Library:
- When configuring the Collaborate settings in FYI, the FYI Admin is prompted to select a Microsoft Security Group. This group is set as a read-only group on the Document Library to allow internal staff to view all documents shared.
- Read permissions are applied to each client folder for individual users that are added for that client via Sharing Settings in FYI. This prevents other clients from being able to see documents that they shouldn't have access to.
- Edit permissions are applied to each client's Upload folder for the individual users added to that client via Sharing Settings in FYI. This allows those users to upload documents, which are automatically imported into FYI. Internal users in the Microsoft Group will only have read access to this folder.
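As an added example (not FYI's or Microsoft's code), the Document Library rules above can be checked against a permissions export. The record fields, the `Upload` folder name, the group name and the sample data are assumptions constructed for illustration, and only folder-level grants are modelled.

```python
from collections import namedtuple

# One permission entry from a (constructed) document-library export.
# path is relative to the library: "" = library root, "Acme", "Acme/Upload".
Grant = namedtuple("Grant", "principal kind path role")

def audit_library(grants, sharing_settings, upload_name="Upload"):
    """Compare grants with the documented model; return (principal, path, reason).

    sharing_settings: client folder name -> set of guest addresses added for
    that client in Sharing Settings. upload_name is an assumed folder name.
    """
    findings = []
    for g in grants:
        parts = [p for p in g.path.split("/") if p]
        if g.kind == "staff_group":
            # The internal security group is read-only everywhere in the library.
            if g.role != "read":
                findings.append((g.principal, g.path, "staff group is not read-only"))
            continue
        # Everything below concerns individual guest users.
        if not parts:
            findings.append((g.principal, g.path, "guest granted at library root"))
            continue
        client = parts[0]
        if g.principal not in sharing_settings.get(client, set()):
            findings.append((g.principal, g.path, "guest not in Sharing Settings for client"))
            continue
        in_upload = len(parts) >= 2 and parts[1] == upload_name
        if g.role == "edit" and not in_upload:
            findings.append((g.principal, g.path, "guest edit outside Upload folder"))
    return findings

# Constructed sample data (not real tenants or users).
SHARING = {"Acme": {"pat@acme.example"}, "Birch": {"sam@birch.example"}}
GRANTS = [
    Grant("FYI-Staff", "staff_group", "", "read"),
    Grant("pat@acme.example", "guest", "Acme", "read"),
    Grant("pat@acme.example", "guest", "Acme/Upload", "edit"),
    Grant("sam@birch.example", "guest", "Birch", "edit"),      # edit on client folder
    Grant("pat@acme.example", "guest", "Birch", "read"),       # cross-client access
    Grant("FYI-Staff", "staff_group", "Acme/Upload", "edit"),  # staff must be read-only
]

if __name__ == "__main__":
    for finding in audit_library(GRANTS, SHARING):
        print(finding)
```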
Administrator Access
The ability to make changes directly to the SharePoint site is restricted to SharePoint Administrators. This is different to the method used previously with OneDrive and secure links, where users were able to create folders, share documents, and edit permissions.
Refer to Comparison between Legacy Collaborate and New Collaborate.
Sharing Documents without Share Folder Access
When a document is shared from FYI with a user that is not the primary contact for the client, and they haven't been added into Sharing Settings (to access the entire Share Folder):
- The user will have read access to that document only.
- The user is not granted any access to the client folders. This means the user can only access the document either through the attachment link sent when the document was shared or by using the Recent Documents preview on the SharePoint home page.
Note: Users added in Sharing Settings in FYI can also access this document (in addition to all other files in the Share Folder).