Wondering how to revoke access to content shared externally in Microsoft 365? We explain how to stop sharing SharePoint sites, files, and folders, with step-by-step instructions to “unshare” content in a pinch.
Managing guest access? check out our ultimate guide to Microsoft 365 external sharing
Sharing content externally is easier than ever in Microsoft 365. And with Microsoft Teams quickly becoming a hub for productivity—allowing users to collaborate on SharePoint files as well as chat—users can collaborate with the right people wherever they might be.
External sharing and the ability to collaborate with outside users is part of what makes Microsoft’s modern workplace so great! And ideally, you want to keep it turned on. But at the end of the day, even with all the opportunities it brings, external sharing is still a risk. According to McAfee’s 2019 Cloud Adoption and Risk Report, nearly a quarter of all data in the cloud is sensitive. And sharing of that sensitive data has increased 53% year-over-year.
So what can you do if you want to “unshare” a site, file, or folder for security reasons? In this article, we’ll focus on techniques around external sharing specifically.
To stop sharing content externally, you can:
Turn external sharing on or off
One surefire way to revoke access? Shut external sharing down. Guests will typically lose access to any previously shared content within one hour.
Both SharePoint and OneDrive let you control external sharing settings at the:
- Organization level: For any external sharing to be allowed, it has to be enabled at the organization level. You can change the organization-level external sharing setting from the SharePoint or OneDrive admin center.
- Individual site or OneDrive level: Once enabled across the organization, external sharing can be restricted on a site-by-site (or individual OneDrive) basis. Global or SharePoint admins in Microsoft 365 can change the external sharing setting for a site—but site owners can’t.
If a site’s external sharing option and the organization-level sharing option don’t match, the most restrictive value will always be applied.
How to turn external sharing on or off for SharePoint Online
By default, the sharing level for SharePoint and OneDrive is set to “Anyone.” If you want to restrict or disable external sharing at the organization level, you’ll need to:
- Sign in to the admin center as a global or SharePoint admin.
- In the left pane, select SharePoint (or OneDrive) under Admin centers. (If you don’t see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.
- In the left pane under Policies, select Sharing.
- Under External sharing, select Only people in your organization to turn off external sharing.
This setting is applied across your entire organization, including SharePoint sites connected to a Microsoft 365 Group.
How to turn external sharing on or off for a site
You can configure individual sharing settings for each site or OneDrive, but these can’t be more permissive than what you’ve set at the organization-wide level. They can either be the same or more restrictive.
Again, you need to be a global or SharePoint admin to change the external sharing setting for a site—not just the site’s owner.
To turn off external sharing at the site-level:
- Sign in to the admin center as a global or SharePoint admin.
- In the left pane, select SharePoint (or OneDrive) under Admin centers. (If you don’t see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.
- In the left pane, under Sites, select Active sites.
- Select the site you’d like to configure external sharing settings for, then click Sharing in the toolbar at the top.
- Select Only people in your organization to turn off external sharing.
If you want to change the external sharing setting for a user’s OneDrive, check out the official Microsoft documentation.
Although disabling external sharing is a great way to lock down sensitive data fast, it’s not ideal as a permanent solution. If you ever decide to turn external sharing back on, guests who previously had access will regain it.
Check out our easy-to-use tool for securing Microsoft Teams, ShareGate
Stop sharing OneDrive or SharePoint files or folders
What if there’s a specific piece of content you’d like to revoke access to? Microsoft lets you to stop sharing OneDrive or SharePoint files or folders—but only if you’re an admin or that item’s owner.
If you are, you also have the ability to change sharing permissions between “View” and “Edit” for external user who have been given direct access, or access through a specific people sharing link.
To stop or change sharing:
- Select the file or folder you want to stop sharing (you can only select one file or folder at a time).
- In the right hand corner of the screen, just below your profile picture, select Information to open up the Details pane.
- Under the “Has access” header, you’ll see the People icon, the Links icon, and/or the Email icon (depending on how you have the file or folder shared). Click on any of these, or select Manage access underneath the icons.
From here you can choose to either:
- Stop sharing the file/folder completely by clicking on Stop sharing.
- Delete a sharing link by clicking on the ellipses (…) next to the link, then clicking the X next to the link to remove it.
- Revoke access to a sharing link from a specific person by finding their name under the header “This link works for”, then clicking the X next to their name to remove them.
This method is effective, but only if you already know which piece of content you want to stop sharing.
Stop sharing a SharePoint site with individual users
As outlined above, you can revoke someone’s access to a sharing link for a specific file or folder. But global admins and site owners can share an entire SharePoint site with people outside your organization, as long as the right permissions are set.
If your chief concern is who you’re revoking access from, you’re probably better off removing individual external users.
The steps to stop sharing depend on whether the site is a:
How to stop sharing a modern SharePoint site
When you share a SharePoint site with an external user, they become a Site member. So if you want to revoke their access, you need to remove them from the site’s Members group.
If the site in question is a group-connected team site, see below. For communication sites, you can jump right into the following steps:
- Navigate to the site you want to stop sharing, click on the Gear icon in the upper right corner, then select Site permissions.
- Under Site members, click on the drop-down arrow beneath the user you want to remove, then select Remove.
How to stop sharing a classic SharePoint site
The steps are slightly different if your site was created using the classic SharePoint interface:
- Navigate to the site you want to stop sharing, click on the Gear icon in the upper right corner, then select Site settings.
- Under Users and permissions, select Site permissions.
- Click on the site’s Members group, then click the check box next to the user you want to remove.
- Click on Remove User Permissions.
- When the confirmation pop-up appears, click OK.
How to stop sharing an Office 365/Microsoft 365 Group-connected team site
If someone has access to a group-connected team site, you’ll have to go about things a little bit differently.
That’s because all of a Microsoft 365 Group’s assets—like its SharePoint site, Microsoft Team, and Planner—inherit membership from the Microsoft 365 Group. When you add owners or members to the Microsoft 365 group, they’re given access to the SharePoint site along with the other group-connected services. And heads up: by default, every SharePoint team site is part of a Microsoft 365 Group.
But SharePoint Online actually gives you two options if you want to grant someone access to your site:
- Add Members to your Group: Microsoft’s preferred method, this option adds a user to the associated Microsoft 365 Group. They will be automatically added to the SharePoint site members permission group, allowing them to edit the site, and they’ll also get full access to the group’s other resources.
- Share Site Only: You also have the option to manage site permissions separately from the Microsoft 365 group by using SharePoint groups, although Microsoft recommends against it. Users are not added to the Microsoft 365 Group, and only have access to the shared site—not the other Microsoft 365 Group resources.
Revoking access to a group-connected team site depends on how access was originally granted. If the external user was added to the Microsoft 365 Group, then the group owner needs to remove that guest from the Microsoft 365 Group (this can be done either in the admin center or using Outlook).
To remove site permissions for an external user who isn’t a member of the associated Microsoft 365 Group—i.e. someone granted access through Share Site Only—you can follow the same steps outlined above for how to stop sharing a modern SharePoint site.
This option, much like the second one, requires that you already have a specific person or piece of content in mind. But how can you keep track of all the potential threats when content is constantly being shared, and users are joining or leaving the company all the time?
Stay on top of sharing as you scale
The options outlined above will do the trick if you already know what you want to stop sharing or who you want to stop sharing with (or if you need to shut external sharing down until you figure it out). But as your organization scales, staying on top of external sharing gets more and more difficult for IT.
A third-party tool like ShareGate makes it easy to ensure external users have access to the right things, showing you links to all files shared by each team in your tenant in one convenient place. See who’s shared what externally—and if needed, revoke access. And easily schedule periodic reviews so team owners can validate guest membership and external sharing. That way, you’re sure your data stays secure.