Need to collaborate with Office 365 guest users? Follow these best practices for SharePoint external sharing and OneDrive external sharing.
Updated on August 9, 2019.
Sharing content externally is easier than ever thanks to the cloud. And the shift from a technology- to intent-driven approach in Microsoft's modern workplace means users can collaborate with the right people, regardless of location.
Even still, external sharing remains a business risk. How can you allow your users the freedom to share and be sure sensitive information is kept secure?
To answer that question, we wrote this complete and definitive guide—so you can stay in control of the who, what, where, and when of external sharing.
What is external sharing?
External sharing in Office 365 is the act of making content available to someone outside of your organization.
Within the family of services provided in Office 365, SharePoint is the tool for document management. And that probably won't change anytime soon.
"I think the future of SharePoint is doing the things it does really well as part of the family of applications that, together, deliver the modern workplace to organizations," Microsoft MVP Susan Hanley recently told ShareGate.
So it should come as no surprise that many of the configurations and permissions for external sharing happen through the SharePoint admin center. But Microsoft's move towards cross-product collaboration in Office 365 means there's more than one way to work with outside collaborators.
External sharing and access can be enabled in:
- SharePoint Online
- OneDrive for Business
- Microsoft Teams
- Office 365 Groups
Sharing vs access
There are a few different ways to grant outside users access to resources within your organization.
External sharing allows you to share documents, files, folders, lists, libraries, and complete sites in your SharePoint Online. You can also externally share photos, Microsoft Office documents, files, and entire folders from your OneDrive.
But what happens if you want to collaborate with people outside your organization across multiple products—communicating through chat or coordinating meetings with a shared calendar?
If that's the case, you can also grant access to some content by adding people to an Office 365 Group or Microsoft Team.
External access vs guest access in Microsoft Teams
It's worth pointing out that external access and guest access mean two very different things in Teams.
Read how to authorize guest access in Microsoft Teams in the official Microsoft documentation.
External access gives access permission to an entire domain—allowing Teams users from other domains to find, contact, and set up meetings with you. External users can call you through Teams and send instant messages. But if you want them to be able to access teams and channels, guest access might be the better option.
Guest access gives access permission to an individual. Once a team owner has granted someone guest access, they can access that team's resources, share files, and join a group chat with other team members.
Guest access in Office 365 Groups
Another way to collaborate and share with external users is to add them as guest users to an Office 365 Group.
Any group owner of an Office 365 Group can grant access to their group’s conversations, files, calendar invitations, and the group notebook—although as an admin, you can also control that setting.
All of a guest’s interactions with the rest of the group take place through their email, since guests don’t have access to the group site. But they can still receive calendar invitations to their inbox, and—if the admin has turned on the setting—links to shared files and attachments.
Read step-by-step directions for how to add guests in the official Microsoft support documentation.
Guest users can also access an Office 365 Group's team site in SharePoint.
SharePoint Online external sharing
When it comes to external sharing, SharePoint Online lets you control settings at the:
- Organization level: For any external sharing to be allowed, it has to be enabled at the organization level. You can change the organization-level external sharing setting from the SharePoint admin center.
- Site level: Once enabled across the organization, external sharing can be restricted on a site-by-site basis. Global or SharePoint admins in Office 365 can change the external sharing setting for a site—but site owners can't.
If a site's external sharing option and the organization-level sharing option don't match, the most restrictive value will always be applied.
At the site level, you have four basic options when it comes to external sharing:
No external sharing
Choose this option to prevent all site users from sharing any site content externally.
Go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the Only people in your organization option, and select Save.
This is the default setting for communication sites and classic sites, but otherwise external sharing is turned on by default for your entire SharePoint Online environment if it's been enabled at the organization level.
Authenticated: existing guests
This option only allows external sharing with people already in your Azure Active Directory.
Go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the Existing guests option, and select Save.
Users might already exist in your directory from previously accepting sharing invitations, or because they were manually added as guest users in the Azure portal.
Authenticated: new and existing guests
External sharing is allowed with anyone outside your organization—but to access the shared content you have to add them to your Azure AD.
Go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the New and existing guests option, and select Save.
Site owners (and anyone else with full control permission) can share the site with external users, and site users can share files and folders.
The external collaborator will receive an email invitation containing a link to the shared item.
To view a shared site, they need to sign in with:
- A Microsoft account
- A work or school account in Azure AD from another organization
To view shared files or folders, they either need to:
- Sign in if they have a Microsoft account
- Enter a verification code if they're using a work or school account in Azure AD from another organization or a non-Microsoft personal email
After signing in, they'll be added to your directory as guests and have the same permissions as an internal user. Users without a work or school account will need to enter a verification code every time, and won't be added to your directory.
This is the default setting for Office 365 Group-connected team sites if external sharing has been enabled at the organization level.
Anyone
Share documents, files, and folders with any user via an anonymous link.
Go to your SharePoint admin center, and in the left pane under Sites select Active sites. Select the proper site, and then click Sharing. Select the Anyone option, and select Save.
Anyone with access to the shared link can view and edit the relevant files, and can forward the link freely as well. Be wary of this option—you won't be able to tell if sensitive information is being shared with unsuitable users outside your organization.
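The "most restrictive value wins" rule, applied to the four site-level options above. This is an added example, not part of the original article: the level names are the SharingCapability values used by Get-SPOTenant and Get-SPOSite, and the site URLs and settings are constructed sample data.

```powershell
# SharingCapability values, ranked from most (0) to least (3) restrictive.
$Rank = @{
    Disabled                        = 0   # Only people in your organization
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$OrgLevel,
        [Parameter(Mandatory)][string]$SiteLevel
    )
    foreach ($level in $OrgLevel, $SiteLevel) {
        if (-not $Rank.ContainsKey($level)) { throw "Unknown sharing level: $level" }
    }
    # The more restrictive of the two settings is the one that applies.
    if ($Rank[$SiteLevel] -lt $Rank[$OrgLevel]) { $SiteLevel } else { $OrgLevel }
}

# Constructed sample data shaped like Get-SPOSite output. In a connected
# SharePoint Online Management Shell session, use instead:
#   $tenantLevel = "$((Get-SPOTenant).SharingCapability)"
#   $sites       = Get-SPOSite -Limit All
$tenantLevel = 'ExternalUserSharingOnly'
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';        SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners';  SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/marketing'; SharingCapability = 'ExternalUserAndGuestSharing' }
)

$report = foreach ($site in $sites) {
    $siteLevel = "$($site.SharingCapability)"
    $effective = Get-EffectiveSharing -OrgLevel $tenantLevel -SiteLevel $siteLevel
    [pscustomobject]@{
        Url         = $site.Url
        SiteSetting = $siteLevel
        Effective   = $effective
        # True when the organization-level setting overrides a looser site setting.
        Capped      = ($effective -ne $siteLevel)
    }
}
$report | Format-Table -AutoSize
```

In the sample, the marketing site is set to "Anyone" but is capped at "New and existing guests" by the organization-level setting, so a site setting alone does not tell you what users can actually do.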
Authenticated or anonymous?
If you decide to enable external sharing in SharePoint—and we recommend that you do!—sharing with authenticated external users is the safest way to go.
There are pros and cons to each approach, so you'll need to decide which may be more relevant to the particular needs of your organization.
External sharing in SharePoint Online
| | Authenticated users | Anonymous users |
|---|---|---|
| How it's accessed | Must sign in or enter a verification code to view content | Content is accessible via a shareable link |
| What can be shared | A complete site; lists and libraries; documents and list items | Only documents or folders |
| Who can share | Site owners or users with full control permissions can share a site; site users can share lists, libraries, and documents | Site users can share documents and generate a shareable view/edit link |
OneDrive for Business external sharing
Like SharePoint, you can configure external sharing in OneDrive at the organization and individual level. Because each OneDrive is a site within SharePoint, your organization's SharePoint settings and OneDrive settings are related.
Be careful: some sharing settings exist in multiple admin centers.
- In the Microsoft 365 admin center, under Settings > Services & add-ins > Sites, the External sharing setting is the same as the SharePoint external sharing setting in the OneDrive admin center.
- The Sharing page in the OneDrive admin center and in the classic SharePoint admin center control the same settings.
At the individual OneDrive level, the same four options exist for external sharing as what you saw in SharePoint. Navigate to your OneDrive admin center and follow the same steps as SharePoint to configure settings.
Note that there is a slight difference in the UI: the options are presented in a drop-down menu rather than radio buttons.
How can users share externally, and what happens when they do?
Depending on how external sharing has been configured, users have a few different options when they decide to share with people outside of the organization.
As mentioned above, they can choose to share content either with authenticated or anonymous external users.
Sharing a SharePoint document or folder
The screenshots below show the modern SharePoint Online experience, but the steps are the same in classic SharePoint.
1. Go to the SharePoint document library where the document or folder you want to share is located. Select it by checking the circle to the left of the title.
2. Click Share, and select from the four options in Link settings.
Select one of the following:
- Anyone with the link: for external anonymous sharing
- People in [your organization] with the link: to share within your organization
- People with existing access: to share with users who already have access
- Specific people: to share with authenticated external users
3. Check Allow editing to enable the recipient to make edits. If you selected Anyone with the link, you'll also have the option of setting an expiration date for the link.
4. Once you've clicked Apply, you can choose to copy the link to your clipboard or send it via email.
5. The external user will receive an invitation to join the document or folder. Once they accept it, they can log in using a trusted email address or verification code—after which they'll be added to your organization's Azure AD.
If you selected Anyone with the link, they'll be able to view the shared content right away.
Sharing a SharePoint site
Global admins and site owners can share a SharePoint site with people outside your organization—as long as the right permissions are set.
The steps for sharing depend on whether the site is a:
- Communication site
- Classic site
- Office 365 Group-connected team site
Communication site
1. Navigate to the communication site you want to share and select Share site in the top right corner.
2. Enter the names of the users, groups, or security groups you want to share the site with.
3. Change the permission level (Read, Edit, or Full control) as needed, then click Share.
Classic site
1. Navigate to the classic SharePoint site you want to share and select Share site in the top right corner.
2. Enter the names of the people or groups you want to share the site with.
3. Select SHOW OPTIONS to select a permission level or choose not to send an email invitation, then click Share.
Office 365 Group-connected team site
This is essentially the same thing as adding an authenticated external user. They'll receive an invite via email prompting them to sign in—after which they'll be added as a new guest user to your Azure Active Directory.
The main difference here is that once the invitation is accepted, they'll receive group emails, calendar invites, and Yammer discussions as well. They'll also gain access to the group's associated SharePoint team site and content.
By default, anyone in your organization can add guest users to an Office 365 Group. But permissions and access differ between group owners, group members, and group guests.
How to manage external sharing at the organization level
If you're going to let external users have access to your environment, it's important to stay aware and in control.
Global and SharePoint admins in Office 365 can control access at the organization level, affecting all SharePoint sites and each user's OneDrive.
To enable advanced external sharing settings, navigate to your SharePoint or OneDrive admin center. In the left pane under Policies, select Sharing.
Specify the sharing level at the organization level in your SharePoint or OneDrive admin center. By default, the level is set at "Anyone".
These settings apply to all site types, including Office 365 Group-connected team sites. You'll see the same four options that you're given for configuring external sharing at the site level.
- Limit external sharing by domain. Don't want any invitations sent to Gmail accounts? Turn on this setting if you want to limit sharing with people at certain organizations or domains. Learn more about limiting external sharing by domain in the official Microsoft documentation.
- Guests must sign in using the same account to which sharing invitations are sent. Guests can, by default, receive an invitation email at one account and sign in with another. Enable this setting to limit external users to using one account.
- Allow guests to share items they don't own. By default, guests can only share items externally that they have full control permissions for. Check this box to make sure external users can't share documents they didn't create.
File and folder links
This setting specifies the default option that shows when a user gets a link. This sets the default for your organization, but it's worth noting that individual site owners can change the default settings for their site.
- Specific people: With this option, users can enter external email addresses. Recipients will need to verify their identity to access the file.
- Only people in your organization: Links can be forwarded between, and accessed by, any user within your organization.
- Anyone with the link: You can only select this option if your organization-level external sharing is set to "Anyone". Users can forward links to anyone—internally and externally—and there's no way to track who's had access.
Advanced settings for "Anyone" links
If you do allow links to be shared externally with anyone, it's a good idea to put some limitations in place.
- Link expiration: Set links to expire after a certain number of days.
- Link permissions: Restrict permissions so recipients can only view files or folders.
- Display to owners the names of people who viewed their files: Control whether the owner of shared files and folders can see who has viewed them—even if they don't have the proper permission to make edits. In OneDrive, a card with file access statistics will appear when a user hovers over a file name or thumbnail. Statistics include: number of views on file, number of people who viewed it, and a list of everyone who's viewed it.
- Available on the classic sharing page: Limit external sharing to specific security groups in your organization; you can also choose whether you want the default link permission to be view or edit.
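The organization-level settings described in this section, read back as a pass/fail checklist. This is an added example, not part of the original article: the property names are those returned by Get-SPOTenant, the tenant object is constructed sample data, and the pass conditions are an assumed baseline drawn from this guide's recommendations.

```powershell
# Constructed sample shaped like Get-SPOTenant output. In a connected
# SharePoint Online Management Shell session, use:  $tenant = Get-SPOTenant
$tenant = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'  # "Anyone"
    SharingDomainRestrictionMode               = 'None'
    RequireAcceptingAccountMatchInvitedAccount = $false
    PreventExternalUsersFromResharing          = $true
    DefaultSharingLinkType                     = 'AnonymousAccess'
    RequireAnonymousLinksExpireInDays          = -1
    FileAnonymousLinkType                      = 'Edit'
    FolderAnonymousLinkType                    = 'View'
}

function Test-SharingBaseline {
    param([Parameter(Mandatory)]$Tenant)

    $checks = [ordered]@{
        'External sharing is limited by domain'        = "$($Tenant.SharingDomainRestrictionMode)" -ne 'None'
        'Guests must sign in with the invited account' = [bool]$Tenant.RequireAcceptingAccountMatchInvitedAccount
        'Guests cannot reshare items they do not own'  = [bool]$Tenant.PreventExternalUsersFromResharing
        'Default link type is not "Anyone"'            = "$($Tenant.DefaultSharingLinkType)" -ne 'AnonymousAccess'
    }

    # The "Anyone" link checks only matter when anonymous links are allowed at all.
    if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
        $checks['"Anyone" links expire']               = $Tenant.RequireAnonymousLinksExpireInDays -gt 0
        $checks['"Anyone" file links are view-only']   = "$($Tenant.FileAnonymousLinkType)" -eq 'View'
        $checks['"Anyone" folder links are view-only'] = "$($Tenant.FolderAnonymousLinkType)" -eq 'View'
    }

    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Pass = $checks[$name] }
    }
}

$results = Test-SharingBaseline -Tenant $tenant
$results | Format-Table -AutoSize

# Non-zero when any check fails, so the script can drive a scheduled review.
$failed = @($results | Where-Object { -not $_.Pass }).Count
"Failed checks: $failed"
```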
External sharing best practices
- Don’t turn off external sharing! Rather, configure external sharing to your specific business needs, while keeping in mind that your users will need to collaborate with external guests.
- Implement proper governance policies to ensure everyone is on the same page when it comes to reacting to and correcting an external sharing blunder.
- Educate your users on proper external sharing (i.e. how to share a document, vs. sharing a site) to avoid them inadvertently giving access to sensitive data.
- Turn off anonymous sharing. In most cases, it’s probably best to only allow authenticated external users, or to set an expiration date at the very least. You’ll be able to control and follow up with who has access to what.
- Double check the permission levels of your site collections to ensure external users don’t inherit permissions that allow them to wreak havoc in your environment.
- Manage security by checking reports every day.
External sharing can be a very important part of proper collaboration in your organization, so don’t be afraid of it! Once you’ve understood the way it works, you’ll never want to work any other way.