Create an extranet site for users in your on-premises directory

There are three major scenarios in which you might want to set up an extranet site in SharePoint in Microsoft 365:

In this article, we look at how to create an extranet site in SharePoint for users who are already in your on-premises directory. The recommended approach is to put your partner users in a subdomain of your regular domain. (For example, if your regular domain is contoso.com, put your partner users in partners.contoso.com.) This allows you to manage these users in Microsoft 365 separately from your regular users.

Here are the basic steps we'll follow in this article:

  1. Register your subdomain in Microsoft 365.

  2. Set your partner users to use a UPN suffix that matches the subdomain that you're using.

  3. Place your partner users in a security group.

  4. Sync the users and security group to Microsoft 365.

  5. Configure your partner users as guests in Azure Active Directory.

  6. Create an extranet site in SharePoint.

  7. Share the extranet site with the security group containing your partner users.

Before beginning, make sure you've set up account synchronization between your on-premises directory service and Office 365.

Prepare your partner users and subdomain

The first step is to register your subdomain in Microsoft 365.

To register a subdomain in Office 365

  1. In the Microsoft 365 admin center, choose Settings, and then choose Domains.

  2. In the domains section, click Add domain to start the wizard.

  3. Type the name of the subdomain that you want to use, and then follow the steps in the wizard.

For more detailed information about adding a domain to Microsoft 365, see Adding additional domains to Office 365.

The next step is to create a UPN suffix that matches the subdomain that you registered. You need to be a domain administrator in Active Directory Domain Services to do this.

To create a UPN suffix

  1. On the Active Directory Domain Services server, open Active Directory Domains and Trusts.

  2. In the left pane, right-click the top-level node, and then click Properties.

  3. In the UPN suffixes dialog box, enter the domain suffix that you want for your partner users in the Alternative UPN suffixes box.

  4. Click Add, and then click OK.

The next step is to assign this UPN to each of your partner users. Use the following procedure for each user account that you want to use with your extranet.

To manually assign a UPN domain suffix to a user

  1. In Active Directory Users and Computers, in the left pane, click the Users node.

  2. In the Name column, right-click the user account that you want to federate, and then click Properties.

  3. In the Properties dialog box, click the Account tab.

  4. Select the UPN domain suffix that you added in the previous procedure from the drop-down list.

  5. Click OK.

Once you've updated all of your partner users, we highly recommend placing them all in a security group to simplify administration.
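The manual per-user procedure above does not scale well once the security group exists. The following script is an added example (not part of the original article) that assigns the partner UPN suffix to every user in that group with the ActiveDirectory module; the group name "Extranet Partners" and the suffix partners.contoso.com are placeholders, and the script only reports changes unless run with -Apply.

```powershell
# Added example: assign the partner UPN suffix to all members of the partner security group.
# Assumes the RSAT ActiveDirectory module and an account with rights to modify the users.
param(
    [string]$GroupName = 'Extranet Partners',     # placeholder group name
    [string]$PartnerSuffix = 'partners.contoso.com', # placeholder suffix from the article
    [switch]$Apply                                   # without -Apply, only report
)

Import-Module ActiveDirectory

# Resolve group members recursively and keep only user objects (nested groups are expanded)
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $members) {
    $user   = Get-ADUser -Identity $member.DistinguishedName -Properties UserPrincipalName
    $newUpn = '{0}@{1}' -f $user.SamAccountName, $PartnerSuffix

    if ($user.UserPrincipalName -eq $newUpn) {
        "OK       {0}" -f $user.UserPrincipalName
        continue
    }

    if ($Apply) {
        # The suffix must already be registered in Active Directory Domains and Trusts,
        # otherwise Set-ADUser rejects the new UPN.
        Set-ADUser -Identity $user -UserPrincipalName $newUpn
        "CHANGED  {0} -> {1}" -f $user.UserPrincipalName, $newUpn
    } else {
        "PENDING  {0} -> {1} (run with -Apply)" -f $user.UserPrincipalName, $newUpn
    }
}
```

Run it again after the change to confirm that every member reports OK before the next Azure Active Directory Connect sync.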

At this point, your partner users are ready to be synchronized to Microsoft 365. Include them along with the security group that you created in your next user sync with Azure Active Directory Connect.

Once you see your partners in the users list in Microsoft 365, the next step is to flag them as guests in Azure Active Directory. This prevents them from having access to sites and documents that have not been explicitly shared with them (such as sites shared with Everyone).

To set users as guests

  1. Run the Windows Azure Active Directory Module for Windows PowerShell as Administrator. Set the userType attribute to "Guest" by following one of the examples below.

    • Example 1: This example demonstrates how to set the userType attribute to "Guest" for joe@partners.contoso.com.

      # Look up the user by UPN, then update the user object by its Azure AD object ID
      $user = Get-MsolUser -UserPrincipalName joe@partners.contoso.com

      Set-MsolUser -ObjectId $user.ObjectId -UserType Guest

    • Example 2: This example demonstrates how to set the userType attribute to "Guest" for all users with the UPN suffix "partners.contoso.com".

      # -All returns every user (the default is only the first 500); the pattern is anchored on the UPN suffix
      $users = Get-MsolUser -All | Where-Object { $_.UserPrincipalName -match '@partners\.contoso\.com$' }

      foreach ($user in $users)
      { Set-MsolUser -ObjectId $user.ObjectId -UserType Guest }
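Because newly synced partner users arrive as regular members until someone converts them, a recurring check is worth having. The script below is an added example (not part of the original article) that audits every synced user under the partner suffix and converts only those still marked as Member; it assumes the MSOnline module is loaded and Connect-MsolService has already been run, and partners.contoso.com is the article's placeholder suffix.

```powershell
# Added example: audit partner users in Azure AD and convert any non-guests to Guest.
# Assumes Connect-MsolService has been run with an account that can modify users.
param(
    [string]$PartnerSuffix = 'partners.contoso.com', # placeholder suffix from the article
    [switch]$Fix                                     # without -Fix, only report
)

# Get-MsolUser returns at most 500 users by default; -All pages through the whole tenant
$partners = @(Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$PartnerSuffix" })

if ($partners.Count -eq 0) {
    Write-Warning "No users with the UPN suffix $PartnerSuffix were found. Check the UPN assignment and the last Azure AD Connect sync."
    return
}

# Anything not explicitly Guest still gets access to content shared with Everyone
$stillMembers = @($partners | Where-Object { $_.UserType -ne 'Guest' })

"{0} partner users found, {1} not yet marked as Guest" -f $partners.Count, $stillMembers.Count

foreach ($user in $stillMembers) {
    if ($Fix) {
        Set-MsolUser -ObjectId $user.ObjectId -UserType Guest
        "CONVERTED {0}" -f $user.UserPrincipalName
    } else {
        "PENDING   {0} (run with -Fix)" -f $user.UserPrincipalName
    }
}
```

Scheduling this after each sync window gives you a record of which accounts were converted and when.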

At this point, your partner users are all set, and you can share sites and documents with them. Next, we'll set up an extranet site for them.

Prepare your partner extranet site

A SharePoint extranet site is just a site collection that you've configured for external sharing. In this case, we'll set up a site collection for the partner users that you've added to Microsoft 365 in the subdomain.

The first step is to create a site collection.

Create a site collection for your extranet

  1. In the SharePoint admin center, on the site collections page, click New, and then click Private site collection.

  2. In the Title box, type a title for the site collection.

  3. In the Web Site Address box, type a site collection URL name.

  4. Choose the template that you want to use.

  5. In the Administrator box, type the administrator for this site collection.

  6. Click OK.

It will take a few moments for the site collection to be created. Once it's available in the site collections list, the next step is to configure external sharing. Be sure external sharing is turned on at the tenant level or the sharing options will be grayed out.

To configure external sharing for your extranet site collection

  1. In the SharePoint admin center, on the site collections page, select the check box for the site collection that you created for your extranet.

  2. Click Sharing.

  3. Choose the Allow sharing only with the external users that already exist in your organization's directory option.

  4. Click Save.

Your extranet site is now set up to allow for sharing with the partner users that you synchronized from Active Directory Domain Services.

Share your partner extranet site

Use the following procedure to share your extranet site with your partner users.

To share your extranet site with extranet users

  1. On the extranet site that you created, click Share.

  2. Enter the security group that you created and synchronized to Microsoft 365, and then click Share.

  3. Send your partner users a link to the site.

You can administer the users in this site through Active Directory Domain Services on-premises by maintaining the users themselves and the associated security group. Updates are synchronized to Microsoft 365 using Azure Active Directory Connect.

Be sure your administrative procedures include updating the UPN for any new partner users and converting them to guests once they're synced to Office 365.

See Also

Restricted Domains Sharing in SharePoint in Microsoft 365 and OneDrive for work or school
