How to secure external file sharing in SharePoint Online and Office 365

Wondering how to revoke access to content shared externally in Office 365? We explain how to stop sharing SharePoint sites, files, and folders, with step-by-step instructions to "unshare" content in a pinch.

Sharing content externally is easier than ever in Office 365. And with Microsoft Teams quickly becoming a hub for productivity—allowing users to collaborate on SharePoint files as well as chat—users can collaborate with the right people wherever they might be.

External sharing and the ability to collaborate with outside users is part of what makes Microsoft's modern workplace so great! And ideally, you want to keep it turned on. But at the end of the day, even with all the opportunities it brings, external sharing is still a risk. According to McAfee’s 2019 Cloud Adoption and Risk Report, nearly a quarter of all data in the cloud is sensitive. And sharing of that sensitive data has increased 53% year-over-year.

So what can you do if you want to "unshare" a site, file, or folder for security reasons? In this article, we'll focus on techniques around external sharing specifically. For details on managing guest access, check out our ultimate guide to Office 365 external sharing.


Turn external sharing on or off

One surefire way to revoke access? Shut external sharing down. Guests will typically lose access to any previously shared content within one hour.

Both SharePoint and OneDrive let you control external sharing settings at the:

If a site's external sharing option and the organization-level sharing option don't match, the most restrictive value will always be applied.

How to turn external sharing on or off for SharePoint Online

By default, the sharing level for SharePoint and OneDrive is set to "Anyone." If you want to restrict or disable external sharing at the organization level, you'll need to:

  1. Sign in to the admin center as a global or SharePoint admin.
  2. In the left pane, select SharePoint (or OneDrive) under Admin centers. (If you don't see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.
  3. In the left pane under Policies, select Sharing.
  4. Under External sharing, select Only people in your organization to turn off external sharing.

This setting is applied across your entire organization, including SharePoint sites connected to an Office 365 Group.

How to turn external sharing on or off for a site

You can configure individual sharing settings for each site or OneDrive, but these can't be more permissive than what you've set at the organization-wide level. They can either be the same or more restrictive.

Again, you need to be a global or SharePoint admin to change the external sharing setting for a site—not just the site's owner.

To turn off external sharing at the site-level:

  1. Sign in to the admin center as a global or SharePoint admin.
  2. In the left pane, select SharePoint (or OneDrive) under Admin centers. (If you don't see it, select Show all for the full list of admin centers). If the classic SharePoint admin center appears, select Open it now at the top of the page to get to the new SharePoint admin center.
  3. In the left pane, under Sites, select Active sites.
  4. Select the site you'd like to configure external sharing settings for, then click Sharing in the toolbar at the top.
  5. Select Only people in your organization to turn off external sharing.

If you want to change the external sharing setting for a user's OneDrive, check out the official Microsoft documentation.

Although disabling external sharing is a great way to lock down sensitive data fast, it's not ideal as a permanent solution. If you ever decide to turn external sharing back on, guests who previously had access will regain it.

Stop sharing OneDrive or SharePoint files or folders

What if there's a specific piece of content you'd like to revoke access to? Microsoft lets you to stop sharing OneDrive or SharePoint files or folders—but only if you're an admin or that item's owner.

If you are, you also have the ability to change sharing permissions between "View" and "Edit" for external user who have been given direct access, or access through a specific people sharing link.

To stop or change sharing:

  1. Select the file or folder you want to stop sharing (you can only select one file or folder at a time).
  2. In the right hand corner of the screen, just below your profile picture, select InformationInformation icon to open up the Details pane.
  3. Under the "Has access" header, you'll see the People icon, the Links icon, and/or the Email icon (depending on how you have the file or folder shared). Click on any of these, or select Manage access underneath the icons.

From here you can choose to either:

  • Stop sharing the file/folder completely by clicking on Stop sharing.
  • Delete a sharing link by clicking on the ellipses (...) next to the link, then clicking the X next to the link to remove it.
  • Revoke access to a sharing link from a specific person by finding their name under the header "This link works for", then clicking the X next to their name to remove them.

This method is effective, but only if you already know which piece of content you want to stop sharing.

Stop sharing a SharePoint site with individual users

As outlined above, you can revoke someone's access to a sharing link for a specific file or folder. But global admins and site owners can share an entire SharePoint site with people outside your organization, as long as the right permissions are set.

If your chief concern is who you're revoking access from, you're probably better off removing individual external users.

The steps to stop sharing depend on whether the site is a:

How to stop sharing a modern SharePoint site

When you share a SharePoint site with an external user, they become a Site member. So if you want to revoke their access, you need to remove them from the site's Members group.

If the site in question is a group-connected team site, see below. For communication sites, you can jump right into the following steps:

  1. Navigate to the site you want to stop sharing, click on the Gear icon in the upper right corner, then select Site permissions.
  2. Under Site members, click on the drop-down arrow beneath the user you want to remove, then select Remove.

How to stop sharing a classic SharePoint site

The steps are slightly different if your site was created using the classic SharePoint interface:

  1. Navigate to the site you want to stop sharing, click on the Gear icon in the upper right corner, then select Site settings.
  2. Under Users and permissions, select Site permissions.
  3. Click on the site's Members group, then click the check box next to the user you want to remove.
  4. Click on Remove User Permissions.
  5. When the confirmation pop-up appears, click OK.

How to stop sharing an Office 365 Group-connected team site

If someone has access to a group-connected team site, you'll have to go about things a little bit differently.

That's because all of an Office 365 Group's assets—like its SharePoint site, Microsoft Team, and Planner—inherit membership from the Office 365 Group. When you add owners or members to the Office 365 group, they're given access to the SharePoint site along with the other group-connected services. And heads up: by default, every SharePoint team site is part of an Office 365 Group.

But SharePoint Online actually gives you two options if you want to grant someone access to your site:

  • Add Members to your Group: Microsoft's preferred method, this option adds a user to the associated Office 365 Group. They will be automatically added to the SharePoint site members permission group, allowing them to edit the site, and they'll also get full access to the group's other resources.
  • Share Site Only: You also have the option to manage site permissions separately from the Office 365 group by using SharePoint groups, although Microsoft recommends against it. Users are not added to the Office 365 Group, and only have access to the shared site—not the other Office 365 Group resources.

Revoking access to a group-connected team site depends on how access was originally granted. If the external user was added to the Office 365 Group, then the group owner needs to remove that guest from the Office 365 Group (this can be done either in the admin center or using Outlook).

To remove site permissions for an external user who isn't a member of the associated Office 365 Group—i.e. someone granted access through Share Site Only—you can follow the same steps outlined above for how to stop sharing a modern SharePoint site.

This option, much like the second one, requires that you already have a specific person or piece of content in mind. But how can you keep track of all the potential threats when content is constantly being shared, and users are joining or leaving the company all the time?

Stay on top of sharing as you scale

The options outlined above will do the trick if you already know what you want to stop sharing or who you want to stop sharing with (or if you need to shut external sharing down until you figure it out). But as your organization scales, staying on top of external sharing gets more and more difficult for IT.

A third-party tool like ShareGate Apricot makes it easy to ensure external users have access to the right things, showing you links to all files shared by each team in your tenant in one convenient place. See who’s shared what externally—and if needed, revoke access. And easily schedule periodic reviews so team owners can validate guest membership and external sharing. That way, you're sure your data stays secure. 


Securing SharePoint content is a whole lot easier when you can see everything that's been shared externally. ShareGate Apricot is easy to setup and even easier to manage—no clunky interface, no coding, and no Azure AD premium subscription required.

Ensure external users have access to the right things in Teams.

You might also like