Office 365 recently introduced a feature that lets tenant administrators better control how external user invitations can be accepted for SharePoint Online.
When an external user invitation is sent, the invitation can be claimed by any account. This can include someone the original invitee forwards the e-mail to, or another party who somehow intercepts the e-mail.
Whoever accepts the invitation is then granted the permissions that were assigned with the original invitation. This can cause confusion for members of a SharePoint site, if someone other than the intended person accepts the invitation.
New “Account Match” Behavior
Microsoft introduced a setting which changes the behavior of external user invitations on a SharePoint Online tenant. More information can be found in the following Office 365 support article:
When enabled, the RequireAcceptingAccountMatchInvitedAccount parameter requires external users to accept invitations with the email account with which they originally received the invitation.
When the RequireAcceptingAccountMatchInvitedAccount setting on the tenant is set to “True”, the behavior changes. The new behavior requires that the account that accepts the invitation be the account that the invitation was originally sent to. If another account tries to claim the invitation, it receives an error from SharePoint Online.
This optional setting helps ensure the intended parties are accepting the invitations to the site, and reduces confusion if the original invitation is forwarded, and a secondary party unintentionally claims the invite.
Set The “Account Match” Behavior On Your Tenant
To change your SharePoint Online tenant to require that the accounts match for external users across your site collections, follow the steps below:
- Install a recent version of the SharePoint Online Management Shell.
- Once installed, either open the SharePoint Online Management Shell or, my personal preference, use Windows PowerShell ISE. The ISE editor should load the SharePoint Online modules transparently. (If not, try either logging out of your Windows session and logging back in, or restarting your computer.)
- Connect to your SharePoint Online tenant using the following PowerShell command. Replace the tenant and account placeholders with your tenant information.
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com -credential <admin account>
- When prompted, log in to your Office 365 account using your normal credentials.
- (Optional) Check the current value for the RequireAcceptingAccountMatchInvitedAccount setting by using the following command:
- Update the value for the RequireAcceptingAccountMatchInvitedAccount setting to True:
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
- (Optional) Check the updated value for the RequireAcceptingAccountMatchInvitedAccount setting by repeating the following command:
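
The steps above combined into one check, set and verify script. This is an added example, not code from the original post; it assumes the SharePoint Online Management Shell module is installed, uses a placeholder admin URL, and goes slightly beyond the steps by also reporting the tenant's SharingCapability value for context.

```powershell
# Added example (not from the original post).
# Assumption: the SharePoint Online Management Shell module is installed.
$AdminUrl = 'https://<tenant>-admin.sharepoint.com'   # placeholder: replace <tenant>

if ($AdminUrl -match '[<>]') {
    throw 'Replace the <tenant> placeholder in $AdminUrl before running.'
}

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url $AdminUrl    # interactive sign-in prompt

try {
    # Record the current state before changing anything.
    $before = Get-SPOTenant
    Write-Output ("Before: RequireAcceptingAccountMatchInvitedAccount = {0}" -f `
        $before.RequireAcceptingAccountMatchInvitedAccount)
    Write-Output ("        SharingCapability = {0}" -f $before.SharingCapability)

    # The setting only affects external invitations, so flag a tenant
    # where external sharing is switched off entirely.
    if ($before.SharingCapability -eq 'Disabled') {
        Write-Warning 'External sharing is disabled tenant-wide; no invitations can be claimed at all.'
    }

    # Only write when the value actually needs to change.
    if (-not $before.RequireAcceptingAccountMatchInvitedAccount) {
        Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
    }

    # Re-read the tenant and fail loudly if the change did not take effect.
    $after = Get-SPOTenant
    if (-not $after.RequireAcceptingAccountMatchInvitedAccount) {
        throw 'RequireAcceptingAccountMatchInvitedAccount is still False after Set-SPOTenant.'
    }
    Write-Output ("After:  RequireAcceptingAccountMatchInvitedAccount = {0}" -f `
        $after.RequireAcceptingAccountMatchInvitedAccount)
}
finally {
    Disconnect-SPOService
}
```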