+ Title: "Control unmanaged device access to SharePoint and OneDrive"

+# Control unmanaged device access to SharePoint and OneDrive

+ **Auditing and reporting**. Microsoft 365 B2B extranet offers visibility into the access of your content by external partner users. One of the key IT benefits is to be able to audit usage, including being able to see who is inviting whom and when a guest logs in to access the content. See [Search the audit log in the Security & Compliance Center](/microsoft-365/compliance/search-the-audit-log-in-security-and-compliance) for more information.

+|Firewall access required for guests |No |Yes |

+[Microsoft 365 guest sharing settings reference](/Office365/Enterprise/microsoft-365-guest-settings)

+| **Open** | When a SharePoint site doesn't have segments, the site's IB mode is automatically set as *Open*. See [this section](#view-and-manage-segments-as-an-administrator) for details on managing segments with the *Open* mode configuration. | A Team site created for picnic event for your organization. |

+| **Owner Moderated (preview)** | When a SharePoint site is created for collaboration between incompatible segments moderated by the site owner, the site's IB mode should be set as *Owner Moderated*. This mode is currently supported only for sites that aren't connected to a Microsoft 365 group. See [this section](#owner-moderated-mode-scenario-preview) for details on managing *Owner Moderated* site. | A site is created for collaboration between VP of Sales and Research in the presence of VP of HR (site owner). |

+| **Implicit** | When a site is provisioned by Microsoft Teams, the site's IB mode is set as *Implicit* by default. A SharePoint admin or global admin can't manage segments with the *Implicit* mode configuration. | A Team is created for all Sales segment users to collaborate with each other. |

+>[!NOTE]

+>Owner Moderated mode is supported for non-group connected sites only.

+### Implicit

+When a site's information barriers mode is set to *Implicit*:

+- The option to share with *Anyone with the link* is disabled.

+- The option to share with *Company-wide link* is disabled.

+- The site and its content can be shared with existing members via a sharing link.

+- New users can't be added to the site directly. The Team owner should add users to the Team's group using Microsoft Teams.

+>[!NOTE]

+>If you've enabled information barriers for SharePoint in your organization before March 15, 2022, see the **Enable SharePoint and OneDrive information barriers** section in this article.

+### Explicit

+When a site is associated with segment(s) and site's information barriers mode is set to *Explicit*:

+- The site and its content can be shared only with users whose segment matches that of the site. For example, if a site is associated with the HR segment, the site can be shared with just HR users (even though HR is compatible with both Sales and Research segments).

+- New users can be added as site members only if their segment matches the segment of the site.

+### Implicit mode

+For a user to access SharePoint sites that have information barriers mode set to *Implicit*:

+- The user must be a member of the Microsoft 365 group connected to the site

+- User who isn't a member of the Microsoft 365 group connected to the site won't have access to the site

+- The information barriers compliance assistant ensures the group membership is IB compliant.

+>[!NOTE]

+>If you've enabled information barriers for SharePoint in your organization before March 15, 2022, see the **Enable SharePoint and OneDrive information barriers** section in this article.

+### Explicit mode

+For a user to access SharePoint sites that have segments and site's information barriers mode is *Explicit*:

+Non-segment users can't access a site associated with segments. They'll see an error message.

+>[!NOTE]

+>If you have enabled information barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode for Microsoft Teams-connected sites are based on the segments associated with the site.

+To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode Teams-connected sites in your tenant, run the following command:

+```powershell

+Set-SPOTenant - IBImplicitGroupBased $true

+```

+>[!NOTE]

+>If you have enabled information barriers for SharePoint in your organization before March 15, 2022, the default access and sharing control for Implicit mode for Microsoft Teams-connected sites are based on the segments associated with the site.

+To enable Microsoft 365 group-membership based access and sharing control for all Implicit mode sites in your organization, run the following command:

+```powershell

+Set-SPOTenant - IBImplicitGroupBased $true

+```

+Owner Moderated IB mode can't be set on a site with segments. Remove the segments first before setting IB mode as Owner Moderated. Access to an Owner Moderated site is allowed to users who have site access permissions. Sharing of an Owner Moderated site and its contents is only allowed by the site owner per their IB policy.

+In addition, the site owners have the capability to add more segments to a SharePoint site that already has segments with site's mode set as *Explicit*. Site owners can't remove added segments from sites. SharePoint admins will have to remove added segments in your organization if needed.

+When a non-segmented user creates a SharePoint site, the site isn't associated with any segment and site's information barriers mode is automatically set to *Open*.

+Teams-connected sites with the information barrier mode as Implicit have site access based on Microsoft 365 group membership.

+For example, users have access to the Teams-connected site if they're members of the Microsoft 365 group connected to the site. The Microsoft 365 group connected to the Team is IB compliant.

+If you have enabled information barriers for SharePoint in your organization before March 15, 2022, the Teams-connected site's access and sharing is based on the segments of the site. For example:

+- The site and its content can be shared with user whose segment matches that of the site.

+- The site and its content can be accessed by a user if they have same segment as that of the site and have site access permissions.

+To enable Microsoft 365 group membership-based access and sharing control for all Implicit mode sites in your organization, run the following command as a SharePoint Administrator:

+```powershell

+Set-SPOTenant - IBImplicitGroupBased $true

+```

+>[!NOTE]

+>When you create a new team or private channel in Microsoft Teams, a team site in SharePoint is automatically created. To edit the site description or classification for this team site, go to the channel settings in Microsoft Teams..

+If a SharePoint site owner or site member's segment changes, they'll continue to have access to the site or content per the site's IB mode:

+- **Owner Moderated**: User can access the site if they have existing site access permissions.

+- **Implicit Mode**: If the user is a member of the Microsoft 365 group, they'll continue to have access to the site.

+- **Explicit Mode**: If the user's new segment matches the site's segment and user has site access permissions, they'll continue to have access to the site.

+- In *Implicit* mode, a SharePoint admin can't manage segments directly. We recommend the Teams admin to manage the Team's membership to bring the Teams membership roster and segments in to IB compliance.

+## How to suspend SharePoint and OneDrive information barriers in your organization

+ Title: "Set up a site template for your hub site"

+# Set up a site template for your hub site

+A site template is one or more site scripts that Microsoft SharePoint runs when a site is associated with a hub site. Actions describe changes to apply to the new site, such as creating a new list or adding nodes to the site navigation. Site templates provide reusable lists and custom actions so your users can quickly get started with the features they need.

+> For organizations using Multi-Geo Capabilities in Microsoft 365, hub site templates work only when sites are in the same geo location as the hub site.

+## 1. Create a JSON script, add it, and create the site template

+Follow the steps in [Get started creating site templates and site scripts](/sharepoint/dev/declarative-customization/get-started-create-site-design/). For the full list of supported actions, see [Site template JSON schema](/sharepoint/dev/declarative-customization/site-design-json-schema/). Note that when you create the site template, the site template you provide ("64" for team site or "68" for communication site) doesn't matter.

+## 2. Scope access to the hub site template

+When a site template is first created, it is available to everyone. You can grant View rights to the site template. After rights are granted, only the users or groups (principals) specified have access. We recommend granting access to the same principal used to scope the hub site.

+## 3. Set your site template for the hub site

+You can set the hub site template in two ways. You can do it using the following PowerShell command:

+You can also let hub site owners set the hub site template by using a new option available in the UI. For info about the hub site settings available to site owners, see [Set up your SharePoint hub site](https://support.office.com/article/e2daed64-658c-4462-aeaf-7d1a92eba098).

+ > When the integration is enabled, people outside the organization will be invited via the Azure B2B platform when sharing from SharePoint. When the Azure B2B One Time Passcode option is enabled, recipients that don't have password-backed accounts will get a sign-in experience through Azure AD that uses One Time Passcodes. Otherwise, they will authenticate via their own Azure AD account or via an MSA account.