Understanding External Account Permissions for Microsoft
Learn how to retain external account permissions when migrating to Microsoft SharePoint Online.
Written by Andrea Harvey
Updated at May 13th, 2025
Table of Contents
Overview
The External Permissions feature allows users to retain (migrate) permissions for external accounts between a DryvIQ-supported source platform and Microsoft SharePoint Online (SPO). People who need to see or work with content but do not have user accounts for your Microsoft SharePoint Online or Microsoft Office 365 environment are invited as external accounts called “external users." Sites and documents can be shared with external users globally (for all sites in the tenant) or for each site collection individually. After sharing is enabled for the tenant and individual site collections, site collection admins can extend invitations to specific users.
Microsoft SharePoint Online associates external accounts with a personal or an organizational Microsoft account. This association is called a Guest Account. The association is made when an external account accepts a permission invitation for the first time. Once that association is made, external accounts are recognized as guest accounts, and all permissions are shown under “Shared With Me.” Refer to Microsoft’s documentation for more information about guest accounts.
How DryvIQ Handles Migration of External Permissions
If the association with a Guest Account is already in place when DryvIQ migrates external account permissions, DryvIQ will properly map the external account from the source to the Guest Account on the destination. The permission will show under “Shared With me.”
If the association has not yet been made, an invitation token will be generated. These invitations show up in the Access Requests and Invitations section of the Site Settings. The user can then resend an invitation to the external account to start the invite process. Once the invitation is accepted, it will all appear under “Shared With Me.”
DryvIQ only captures the external account and passes it through to the destination. The invitation is generated on SharePoint Online. The Microsoft SharePoint Online Administrator must review and resend invites. Once the invitation has been accepted by the external user, the guest is provisioned and access to shared content is available. Subsequent content shared with external users will automatically passthrough since the guest account is now recognized.
Account Map Configuration
External permissions are configured when creating the user/account map.
| Option | Description |
|---|---|
|
Retain external users Enabling this feature will attempt to retain guest account permissions and ownership.
and
Attempt to resolve first An attempt will be made to resolve external user accounts to a destination user. If no destination user is matched, the ownership and permissions will be retained utilizing an external user account. |
These settings retain guest account permissions and ownership but attempt to resolve the account against a destination account first before retaining the permissions and ownership utilizing an external user account. |
|
Retain external users Enabling this feature will attempt to retain guest account permissions and ownership.
and
Do not attempt to resolve first The ownership and permissions will be retained utilizing an external user account without any attempt to resolve that account to a destination account. |
These settings retain guest account permissions and ownership utilizing an external account without first attempting to resolve the account against a destination account.
The External email already associated as a guest account in Microsoft OneDrive for Business/Microsoft Office 365 will work regardless of whether this option is selected.
This is most commonly used for Network File Share (NFS). |
Feature Matrix
| Connector | External Permissions | ||||
|---|---|---|---|---|---|
| Supported with Batch Mode | Root Folder | Folder | Files | Must Accept invite before permission is visible to DryvIQ | |
| Microsoft OneDrive for Business | Supported | Supported | Supported | Supported | Yes |
| Microsoft Office 365 | Supported | Supported | Supported | Supported | Yes |
| Box | Supported | Supported | Supported | Unsupported | Yes |
| Dropbox for Business | Supported | Unsupported | Supported | Unsupported | No |
| Syncplicity | Supported | Supported | Unsupported | Unsupported | No |
| Google Workspace | Supported | Unsupported | Supported | Supported | No |
Refer to Microsoft’s documentation for information on how to set up and manage access requests.
Important Notes
- External permissions are not applied until the external user is a registered Guest Account in Microsoft SharePoint Online. All external permission requests will go to the Access Requests page in Microsoft SharePoint Online, and every guest account must be approved individually. Once the invitation has been accepted by the external user, the guest is provisioned, and access to shared content is available. Subsequent content shared with external users will automatically pass through since the guest account is now recognized.
- Invitations to external users will be sent as far back as the original shared date on the source platform. For example, if approved on the guest access page in Microsoft SharePoint Online, content shared five years ago with external users will be sent an invite.
- Accounts suspended on the source platform by the Administrator will be flagged and ignored by DryvIQ; they will not be transferred as external users. However, any content shared to an external account (such as a personal email) will be transferred with the external passthrough feature.