Building a SharePoint Extranet is a common requirement for organizations that need to collaborate with external partners, vendors, or customers. However, the architectural decisions you make at the beginning of the project will determine whether your environment is a secure, scalable success or a data-leak nightmare.

When designing an extranet, the primary concern is almost always isolation. You must ensure that Customer A cannot see the data, the site structure, or even the existence of Customer B. In this guide, we will explore the best practices for architecting a secure SharePoint Extranet, focusing on the debate between site collections and sub-sites, and how to handle content rollups without compromising security.

The Architecture Debate: Site Collections vs. Sub-sites

One of the most frequent questions developers face is whether to host multiple customers within a single site collection using sub-sites or to give each customer their own dedicated site collection. While using sub-sites might seem easier for navigation and content roll-up, it carries significant risks.

The Case for Site Collection Isolation

Community experts and seasoned SharePoint architects overwhelmingly recommend using separate site collections for each customer. Here is why:

  1. Security Boundaries: A site collection is the primary security boundary in SharePoint. By isolating customers into their own site collections, you significantly reduce the risk of "permission bleeding." If a user is accidentally granted too much access, that access is still contained within that specific customer's site collection.
  2. Performance and Governance: Large extranets can grow quickly. Placing customers in separate site collections allows you to manage quotas, backup schedules, and even content databases independently.
  3. Search Scoping: It is much easier to define search scopes and results when the data is naturally partitioned by site collections.
  4. Feature Activation: You can enable specific features or branding for one customer without affecting others.

The Risks of the Sub-site Approach

Using a single site collection with sub-sites for each customer creates a "house of cards" scenario. Even with unique permissions on every sub-site, several issues persist:

  • Security Reviews: Auditing security inheritance becomes exponentially more difficult as the number of sub-sites grows. It is easy to lose track of where inheritance is broken and where it is still active.
  • Information Leakage: Certain SharePoint components, such as the People Picker or shared galleries, may inadvertently expose names or data from other customers if they reside in the same site collection.

Solving the Content Roll-up Challenge

A common argument for using sub-sites is the ease of using the Content Query Web Part (CQWP) to roll up shared content (like news or announcements) across all customers. However, you do not need to sacrifice security for this functionality.

Use Search-Driven Content

Instead of relying on the CQWP, you should use Search-based solutions. In classic SharePoint environments, this means using the Content Search Web Part (CSWP). In modern SharePoint, this is handled via the Highlighted Content web part or custom SPFx components using the Search API.

By using Search, you can aggregate content from across different site collections while maintaining strict security trimming. Users will only see the aggregated items they have explicit permission to view. This allows you to have a "Shared Resources" site collection that feeds content into individual customer portals seamlessly.

Enhancing Privacy with People Picker Configuration

In an extranet environment, privacy is as important as security. You do not want Customer A to type a common name into a People Picker and see a list of users from Customer B.

To prevent this in on-premises environments, you should use the PeoplePicker-OnlySearchWithinSiteCollection property. This ensures that the user selection tool only returns users who already have access to that specific site collection.

stsadm -o setproperty -pn peoplepicker-onlysearchwithinsitecollection -pv yes -url http://your-extranet-site

Note: In modern Microsoft 365 environments, this is managed through Azure AD B2B settings and SharePoint sharing policies, which provide even more granular control over guest visibility.
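
The stsadm property above maps to the web application's People Picker settings, so it can be checked and set from the SharePoint Management Shell. The following is an added example, not part of the original article: it reports the current state and, only when asked, enables the search restriction together with its companion setting for names resolved through "Check Names". The function name is hypothetical and the URL is the article's placeholder.

```powershell
# Added example, not from the original article. Run in the SharePoint Management
# Shell on a farm server. Function name and URL are illustrative assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-PeoplePickerIsolation {
    param(
        [Parameter(Mandatory=$true)][string]$WebApplicationUrl,
        [switch]$Enforce   # without -Enforce the function only reports
    )

    $wa = Get-SPWebApplication -Identity $WebApplicationUrl
    $pp = $wa.PeoplePickerSettings
    $isolated = $pp.OnlySearchWithinSiteCollection -and
                $pp.PeopleEditorOnlyResolveWithinSiteCollection
    $changed = $false

    if ($Enforce -and -not $isolated) {
        # Same setting as the stsadm peoplepicker-onlysearchwithinsitecollection property
        $pp.OnlySearchWithinSiteCollection = $true
        # Companion setting: typed names resolve only against site collection members
        $pp.PeopleEditorOnlyResolveWithinSiteCollection = $true
        $wa.Update()
        $changed = $true
    }

    New-Object PSObject -Property @{
        WebApplication              = $wa.Url
        SearchWithinSiteCollection  = $pp.OnlySearchWithinSiteCollection
        ResolveWithinSiteCollection = $pp.PeopleEditorOnlyResolveWithinSiteCollection
        ChangedThisRun              = $changed
    }
}

# Report only; add -Enforce to apply both restrictions.
Get-PeoplePickerIsolation -WebApplicationUrl 'http://your-extranet-site' |
    Format-List WebApplication, SearchWithinSiteCollection, ResolveWithinSiteCollection, ChangedThisRun
```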

Advanced Isolation: Database and Tenant Level

For organizations with extreme security requirements (such as government or financial sectors), you may need to go beyond site collection isolation.

Content Database Isolation

One advanced strategy is to place each customer's site collection in its own dedicated Content Database. This provides a layer of physical isolation for the data. If one database becomes corrupted or needs to be restored to a previous point in time, it does not affect the other customers.

Multi-tenancy Features

In older versions of SharePoint (like 2010 and 2013), Microsoft introduced "Partition Services" or Multi-tenancy features. This allowed a single SharePoint farm to act as if it were multiple separate instances. While powerful, this adds significant complexity to the infrastructure and is generally only recommended for service providers hosting thousands of customers.

Best Practices for Modern Extranets

If you are building an extranet today in Microsoft 365, the landscape has shifted toward a "Flat Architecture." Sub-sites are now discouraged in favor of individual sites connected via Hub Sites.

  • Azure AD B2B: Use Azure Active Directory Business-to-Business (B2B) for identity management. This allows external users to use their own corporate credentials, reducing your management overhead.
  • Sensitivity Labels: Apply sensitivity labels to sites to automatically enforce encryption and sharing restrictions.
  • Guest Access Reviews: Regularly schedule access reviews to ensure that external users who no longer need access are removed from the system.

Common Mistakes to Avoid

  • Relying on "Hidden" Links: Never assume that because a link isn't in the navigation, the data is secure. If the URL is guessable and permissions aren't set, the data is exposed.
  • Manual Permission Management: Avoid assigning permissions to individual users. Always use SharePoint Groups or, ideally, Azure AD Groups to manage access.
  • Ignoring the "All Users" Group: Be extremely careful with the "Everyone" or "All Authenticated Users" groups. In an extranet, these groups may include every guest user from every customer.
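
Two of the checks discussed in this guide, where permission inheritance is broken and where "Everyone"-style principals have been granted access, can be scripted for an on-premises farm. This is an added example, not code from the original article; the function name is hypothetical, the URL is the article's placeholder, and the list of broad login names is an assumption to extend for your own authentication setup.

```powershell
# Added example, not from the original article. Run in the SharePoint Management
# Shell on a farm server, once per customer site collection.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Login names that cover every authenticated account (assumed list, extend as needed).
$BroadLogins = @(
    'c:0(.s|true',                       # Everyone (claims)
    'c:0!.s|windows',                    # All Windows users (claims)
    'NT AUTHORITY\authenticated users'   # classic-mode equivalent
)

function Get-ExtranetPermissionReport {
    param([Parameter(Mandatory=$true)][string]$SiteUrl)

    $site = Get-SPSite -Identity $SiteUrl
    try {
        foreach ($web in $site.AllWebs) {
            try {
                # Expand SharePoint groups so a broad principal inside a group is found.
                $broad = foreach ($ra in $web.RoleAssignments) {
                    $users = if ($ra.Member -is [Microsoft.SharePoint.SPGroup]) {
                        $ra.Member.Users
                    } else { $ra.Member }
                    foreach ($u in $users) {
                        if ($BroadLogins -contains $u.LoginName) {
                            '{0} via {1}' -f $u.LoginName, $ra.Member.Name
                        }
                    }
                }
                New-Object PSObject -Property @{
                    Url                  = $web.Url
                    UniquePermissions    = $web.HasUniqueRoleAssignments
                    ListsWithUniquePerms = @($web.Lists |
                        Where-Object { $_.HasUniqueRoleAssignments }).Count
                    BroadPrincipals      = ($broad | Sort-Object -Unique) -join '; '
                }
            } finally { $web.Dispose() }
        }
    } finally { $site.Dispose() }
}

Get-ExtranetPermissionReport -SiteUrl 'http://your-extranet-site' | Sort-Object Url |
    Format-Table Url, UniquePermissions, ListsWithUniquePerms, BroadPrincipals -AutoSize
```

Any row with a non-empty BroadPrincipals column is a site where every authenticated guest, regardless of customer, has some level of access.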

Frequently Asked Questions

Can I use a single site collection if I have very few customers?

While it is possible, it is not recommended. Even with two customers, the risk of accidental disclosure is high. Starting with separate site collections builds a scalable foundation that won't require a painful migration later.

How do I handle branding across multiple site collections?

In modern SharePoint, you can use Site Designs and Site Scripts to apply consistent branding and configuration across many sites. For classic environments, you would typically use a custom Feature or Solution package to deploy your master pages and CSS.

Does search-based rollup work for external users?

Yes. SharePoint Search is "security-trimmed." This means the search index respects the permissions of the user performing the query. If a guest user doesn't have access to a document, it will never appear in their search results or roll-up web parts.

Wrapping Up

Building a SharePoint Extranet requires a "Security First" mindset. By choosing a site collection-per-customer architecture, you provide the highest level of isolation and mitigate the most common risks associated with external collaboration. Use search-driven web parts to bridge the gap for shared content, and leverage modern tools like Azure AD B2B to manage identities securely.

By following these best practices, you can create a professional, secure portal that fosters collaboration without compromising your organization's (or your customers') data integrity.