External collaboration is essential for modern businesses, but it comes with security and compliance challenges. Microsoft 365 provides robust controls for managing external sharing in SharePoint and OneDrive, allowing organizations to balance productivity with data protection. This guide explains how external sharing works, the available options, and best practices for configuring these settings.
What Is External Sharing?
External sharing enables users to share files, folders, and sites with people outside your organization. This is critical for working with partners, vendors, and clients. However, improper configuration can lead to data leaks or unauthorized access, making it vital to set policies that align with your security requirements.
External Sharing Models
Microsoft offers two primary models for external sharing:
1. SharePoint External Authentication (without Microsoft Entra B2B integration)
- No guest account is created for shared content.
- Microsoft Entra settings do not apply.
2. Microsoft Entra B2B Integration Enabled
- Guest accounts are always created.
- Microsoft Entra collaboration settings apply, including guest invite restrictions.
Enabling Microsoft Entra B2B provides stronger identity management and compliance controls.
Organization-Level Sharing Settings
Admins can configure external sharing at the organization level in the SharePoint admin center under Sharing. These settings apply to all SharePoint sites and OneDrive accounts, though site-level settings can be more restrictive.
Options include:
- Anyone: Allows sharing via links without authentication. Best for friction-free collaboration but should be limited for sensitive data.
- New and Existing Guests: Requires sign-in with a Microsoft account or verification code.
- Existing Guests Only: Restricts sharing to guests already in your directory.
- Only People in Your Organization: Disables external sharing entirely.
Tip: OneDrive settings can be more restrictive than SharePoint but never more permissive.
Advanced External Sharing Controls
Microsoft 365 offers additional settings to fine-tune external sharing:
- Domain Restrictions: Limit sharing to specific domains or block certain organizations.
- Security Group Restrictions: Allow only designated groups to share externally.
- Guest Access Expiration: Automatically revoke guest access after a set number of days.
- Verification Code Reauthentication: Require periodic reauthentication for added security.
- Link Settings: Configure default link types (Anyone, Specific People, Organization Only) and enforce link expiration or view-only permissions.
Best Practices for Secure Collaboration
- Enable Microsoft Entra B2B Integration for identity and compliance management.
- Use Domain Restrictions to prevent accidental sharing with unauthorized organizations.
- Set Expiration Policies for guest access and sharing links.
- Audit Sharing Activity regularly using Microsoft 365 compliance tools.
- Educate Users on secure sharing practices and the risks of “Anyone” links.
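As an added example (not part of the original guide and not Microsoft's own tooling), the PowerShell function below checks the organization-level settings returned by Get-SPOTenant against the practices listed above. The function name Test-SharingBaseline, the thresholds, and the sample object are assumptions made for illustration.

```powershell
# Added example; the baseline thresholds are assumptions, not Microsoft defaults.
# SharingCapability values ranked from most to least restrictive.
$Rank = @{
    Disabled                        = 0  # Only people in your organization
    ExistingExternalUserSharingOnly = 1  # Existing guests only
    ExternalUserSharingOnly         = 2  # New and existing guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}

function Test-SharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,                     # output of Get-SPOTenant
        [string] $MaxSharing   = 'ExternalUserSharingOnly', # assumed baseline
        [int]    $MaxGuestDays = 90,                        # assumed baseline
        [int]    $MaxLinkDays  = 30                         # assumed baseline
    )
    $f = [System.Collections.Generic.List[string]]::new()
    foreach ($p in 'SharingCapability', 'OneDriveSharingCapability') {
        if ($Rank["$($Tenant.$p)"] -gt $Rank[$MaxSharing]) {
            $f.Add("$p is $($Tenant.$p); baseline allows at most $MaxSharing")
        }
    }
    if (-not $Tenant.EnableAzureADB2BIntegration) {
        $f.Add('Microsoft Entra B2B integration is off; Entra guest settings do not apply')
    }
    if ("$($Tenant.SharingDomainRestrictionMode)" -eq 'None') {
        $f.Add('No domain allow list or block list is configured')
    }
    if (-not $Tenant.ExternalUserExpirationRequired -or
        $Tenant.ExternalUserExpireInDays -gt $MaxGuestDays) {
        $f.Add("Guest access does not expire within $MaxGuestDays days")
    }
    if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
        $f.Add('Default sharing link type is Anyone')
    }
    $days = $Tenant.RequireAnonymousLinksExpireInDays
    if ($Rank["$($Tenant.SharingCapability)"] -eq 3 -and
        ($days -le 0 -or $days -gt $MaxLinkDays)) {
        $f.Add("Anyone links do not expire within $MaxLinkDays days")
    }
    return $f
}

# Constructed sample settings; in a live session pass (Get-SPOTenant) instead.
$sample = [pscustomobject]@{
    SharingCapability = 'ExternalUserAndGuestSharing'; OneDriveSharingCapability = 'ExternalUserSharingOnly'
    EnableAzureADB2BIntegration = $false; SharingDomainRestrictionMode = 'None'
    ExternalUserExpirationRequired = $false; ExternalUserExpireInDays = 0
    DefaultSharingLinkType = 'Direct'; RequireAnonymousLinksExpireInDays = 0
}
Test-SharingBaseline -Tenant $sample
```

Against a real tenant, connect with Connect-SPOService from the SharePoint Online Management Shell first, then run `Test-SharingBaseline -Tenant (Get-SPOTenant)`.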
The Bottom Line
External sharing in SharePoint and OneDrive is powerful but must be managed carefully. By leveraging Microsoft 365’s granular controls and following best practices, organizations can enable secure, efficient collaboration without compromising data security.
