SharePoint External Sharing & Guest Access: Complete Security Guide

Securely configure SharePoint external sharing and guest access for enterprise collaboration. Learn sharing policies, guest user management, conditional access, auditing external activity, and compliance controls.

Errin O'Connor | February 23, 2026 | 15 min read

External collaboration is a double-edged sword. Done right, SharePoint external sharing enables seamless collaboration with clients, partners, and vendors. Done wrong, it becomes a data exfiltration nightmare that keeps your CISO up at night.

[Figure: SharePoint governance model showing policies, roles, and compliance controls]

This guide covers everything you need to know about configuring, managing, and auditing external sharing in Microsoft 365 SharePoint—with enterprise security and compliance requirements in mind.

---

Understanding the External Sharing Model

SharePoint's external sharing model has three distinct sharing mechanisms:

1. Guest User Accounts (B2B Collaboration)

Guest users are added to your Microsoft Entra ID tenant with limited permissions:

  • Receive invitation via email
  • Authenticate with their own Microsoft account, organizational account, or one-time passcode
  • Get explicit access to specific SharePoint sites or documents
  • Appear in your tenant's user directory (auditable)

Best for: Ongoing collaboration with named external partners and clients.

2. "Specific People" Links

Shareable links tied to a specific email address:

  • Recipient must authenticate before accessing
  • Can be time-limited
  • Can be revoked by the sender
  • Audit trail maintained

Best for: Sharing specific documents with known external recipients.

3. "Anyone" Links (Anonymous Links)

Links that don't require authentication:

  • Anyone with the link can access the content
  • ⚠️ Cannot audit who accessed the content
  • Can be restricted to view-only
  • Can be time-limited

Appropriate use: Public-facing documents, press releases, non-sensitive marketing materials.

Inappropriate use: Contracts, financial data, personal information, proprietary information.

---

Tenant-Level Sharing Configuration

Setting the Tenant Sharing Level

Navigate to: SharePoint Admin Center → Policies → Sharing

The tenant setting is the maximum sharing level—individual sites can be more restrictive but not more permissive.

Enterprise recommended settings:

```
Tenant level: New and existing guests
✅ Guests must sign in using the same account to which sharing invitations are sent
✅ Allow guests to share items they don't own: OFF
✅ Guest access expires after: 90 days (then requires re-invite)
✅ People with existing access links: ON (internal bookmark links only)
```

Default link settings:

```
Default link type: Specific people (not "anyone")
Default link permission: View (not Edit)
✅ These links must expire within this many days: 30
✅ These links can only give these permissions: View
```
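The baseline above as an apply-and-verify script, added here as an example (not code from the original article). It assumes the SharePoint Online Management Shell and a prior `Connect-SPOService -Url https://yourtenant-admin.sharepoint.com` (yourtenant is a placeholder); it covers the settings that map to Set-SPOTenant parameters and leaves the "people with existing access" link setting to the admin center.

```powershell
# Added example: apply the recommended tenant baseline with Set-SPOTenant, then
# re-read the tenant to confirm nothing was silently rejected. Assumes a prior
# Connect-SPOService -Url https://yourtenant-admin.sharepoint.com (placeholder).

# Desired state, keyed by the Get-SPOTenant property / Set-SPOTenant parameter name.
$Baseline = @{
    SharingCapability                          = 'ExternalUserSharingOnly' # New and existing guests
    RequireAcceptingAccountMatchInvitedAccount = $true                     # Same account as invited
    PreventExternalUsersFromResharing          = $true                     # Guests cannot reshare
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = 90                        # Guest access expiry
    DefaultSharingLinkType                     = 'Direct'                  # "Specific people" links
    DefaultLinkPermission                      = 'View'
    RequireAnonymousLinksExpireInDays          = 30                        # Anyone-link expiry
    FileAnonymousLinkType                      = 'View'                    # Anyone links: view only
    FolderAnonymousLinkType                    = 'View'
}

function Set-SharingBaseline {
    param([hashtable]$Desired = $Baseline)
    # Splatting turns each hashtable key into a Set-SPOTenant parameter.
    Set-SPOTenant @Desired
}

function Test-SharingBaseline {
    param([hashtable]$Desired = $Baseline)
    $tenant = Get-SPOTenant
    # Compare as strings so enum values (e.g. SharingCapability) match their names.
    $drift = foreach ($key in $Desired.Keys) {
        $actual = $tenant.$key
        if ("$actual" -ne "$($Desired[$key])") {
            [pscustomobject]@{ Setting = $key; Expected = $Desired[$key]; Actual = $actual }
        }
    }
    if ($drift) { $drift | Format-Table -AutoSize } else { 'Tenant matches the sharing baseline.' }
}

Set-SharingBaseline
Test-SharingBaseline
```

Run Test-SharingBaseline on its own from a scheduled job to catch drift after someone relaxes a setting in the admin center.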

Domain Allowlist/Denylist

Restrict external sharing to approved partner domains:

Allowlist (whitelist) approach:

```
Allow sharing only with these domains:
  • partnercompany.com
  • clientdomain.org
  • vendorname.net
```

Denylist (blacklist) approach:

```
Block sharing with these domains:
  • competitorname.com
  • knownthreat.com
```

PowerShell configuration:

```powershell
# Requires the SharePoint Online Management Shell; connect first with
# Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
# Domains are passed as one space-separated string.

# Allow sharing only with specific domains
Set-SPOTenant -SharingAllowedDomainList "partnercompany.com clientdomain.org" `
    -SharingDomainRestrictionMode AllowList

# Or block specific domains
Set-SPOTenant -SharingBlockedDomainList "competitorname.com" `
    -SharingDomainRestrictionMode BlockList
```

---

Site-Level Sharing Configuration

Individual site sharing can be configured more restrictively than the tenant level.

Setting Site Sharing Level

SharePoint Admin Center → Active Sites → [Select site] → Sharing tab

Options (from most to least permissive):

  • Anyone (if tenant allows it)
  • New and existing guests
  • Existing guests only
  • Only people in your organization

When to Use Each Level

| Site Type | Recommended Sharing Level |
|-----------|--------------------------|
| Public intranet | Only people in your organization |
| Department collaboration | Only people in your organization |
| Project with external partners | New and existing guests |
| Extranet/partner portal | Existing guests only (after initial setup) |
| Client document delivery | New and existing guests (with link expiry) |
| Executive/HR/Legal sites | Only people in your organization |
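A site-level audit against the table above, added here as an example (not code from the original article). It assumes a prior Connect-SPOService and that sensitive sites can be recognised by keywords in their URL; that keyword list is an assumption to adjust to your naming convention.

```powershell
# Added example: audit every site against the recommended levels. It flags "Anyone"
# sharing wherever it is enabled and any site whose URL suggests executive, HR,
# legal or finance content that allows external sharing at all. The keyword
# list is an assumption about naming; adjust it. Assumes a prior Connect-SPOService.

# SharingCapability values reported by Get-SPOSite, ranked most to least permissive.
$Rank = @{
    ExternalUserAndGuestSharing     = 3   # Anyone
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExistingExternalUserSharingOnly = 1   # Existing guests only
    Disabled                        = 0   # Only people in your organization
}
$SensitiveKeywords = @('exec', 'hr', 'legal', 'finance')   # assumed site-name convention

function Get-SiteSharingFindings {
    param([Parameter(ValueFromPipeline)] $Site)
    process {
        $level = "$($Site.SharingCapability)"
        # \b keeps "hr" from matching inside unrelated names; -match is case-insensitive.
        $sensitive = $SensitiveKeywords | Where-Object { $Site.Url -match "/sites/[^/]*\b$_\b" }
        $findings = @()
        if ($Rank[$level] -eq 3) { $findings += 'Anyone links enabled' }
        if ($sensitive -and $Rank[$level] -gt 0) { $findings += 'Sensitive site allows external sharing' }
        foreach ($f in $findings) {
            [pscustomobject]@{ Url = $Site.Url; SharingLevel = $level; Finding = $f }
        }
    }
}

# -Limit All avoids the default cap of 200 sites.
Get-SPOSite -Limit All | Get-SiteSharingFindings | Format-Table -AutoSize
```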

---

Guest User Lifecycle Management

Inviting Guest Users

From SharePoint site:

  • Site settings → Site permissions → Invite people
  • Enter external email address
  • Select permission level (Visitor/Member/Owner)
  • Optionally include a message

From Microsoft Entra ID (recommended for formal onboarding):

  • Entra ID → Users → Invite external user
  • Set guest policy group membership
  • Assign Conditional Access policies before first login

Guest User Access Reviews

Configure periodic reviews via Microsoft Entra ID Governance:

  • Entra ID → Identity Governance → Access reviews → New access review
  • Scope: Guest users across Microsoft 365 groups
  • Frequency: Monthly or quarterly
  • Reviewers: Site owners, group owners, or managers
  • Actions on inactivity: Remove access or mark as approved

Automated cleanup:

  • Configure automatic guest account expiration (90-180 days of inactivity)
  • Use Azure Logic Apps to notify site owners before guest access expires

Revoking Guest Access

When a guest engagement ends:

```powershell
# Requires Connect-SPOService (SharePoint Online Management Shell) and, for the
# last step, Connect-MgGraph -Scopes "User.ReadWrite.All" (Microsoft Graph PowerShell).
$guest = "guestuser_externalcompany.com#EXT#@yourtenant.onmicrosoft.com"

# Remove guest from specific site
Remove-SPOUser -Site "https://yourtenant.sharepoint.com/sites/clientproject" -LoginName $guest

# Remove from all SharePoint sites (use with caution)
# -Limit All is required: Get-SPOSite returns only the first 200 sites by default.
Get-SPOSite -Limit All | ForEach-Object {
    Remove-SPOUser -Site $_.Url -LoginName $guest -ErrorAction SilentlyContinue
}

# Delete guest account from Entra ID (same UPN as above)
Remove-MgUser -UserId $guest
```

---

Conditional Access for External Users

Apply stronger authentication requirements for guests:

Recommended Guest Conditional Access Policies

Policy 1: Require MFA for all guests

```
Name: Require MFA for External Users
Users: Guest users
Cloud apps: SharePoint Online, Teams
Conditions: Any location, any device
Grant: Require MFA (authentication strength: Multifactor authentication)
```

Policy 2: Block guests from unmanaged devices

```
Name: Block Guest Access from Unmanaged Devices
Users: Guest users
Cloud apps: SharePoint Online
Conditions: Device compliance = Unknown/Non-compliant
Grant: Block access
```

Policy 3: Limit guest sessions

```
Name: Limit Guest Session Length
Users: Guest users
Cloud apps: SharePoint Online
Session: Sign-in frequency = 8 hours
```

SharePoint Unmanaged Device Policy for Guests

SharePoint Admin Center → Policies → Access control → Unmanaged devices:

  • Set to "Allow limited, web-only access" for guests from unmanaged devices
  • This allows read-only access through the browser while blocking download, sync, and mobile app access

---

Auditing External Sharing Activity

Microsoft Purview Audit Log

All external sharing events are captured in the Microsoft 365 audit log:

Key events to monitor:

  • `SharingSet` — External sharing link created
  • `SharingInvitationCreated` — Guest user invited
  • `SharingInvitationAccepted` — Guest accepted invitation
  • `AnonymousLinkCreated` — Anyone link created
  • `AnonymousLinkUsed` — Anonymous link accessed
  • `SiteCollectionAdminAdded` — External user added as site admin

PowerShell audit query:

```powershell
# Requires the Exchange Online PowerShell module: Connect-ExchangeOnline
# Search for external sharing events in the past 30 days
# -Operations takes an array; a single call returns at most 5000 records
# (use -SessionCommand ReturnLargeSet and page through for larger windows).
Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-30) `
    -EndDate (Get-Date) `
    -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated `
    -ResultSize 1000 |
    Select-Object CreationDate, UserIds, Operations, AuditData
```
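A triage pass over the events listed above, added here as an example (not code from the original article). It consumes records in the shape Search-UnifiedAuditLog returns, where AuditData is a JSON string; the domain allowlist and the three sample records are constructed for illustration.

```powershell
# Added example: triage function for the events listed above. It takes records in
# the shape Search-UnifiedAuditLog returns (AuditData is a JSON string) and flags
# guests from domains outside the allowlist, every Anyone link, and any external
# user made site collection admin. Allowlist and sample records are constructed.

$AllowedDomains = @('partnercompany.com', 'clientdomain.org')

function Get-ExternalSharingFindings {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $d = $Record.AuditData | ConvertFrom-Json
        $target = "$($d.TargetUserOrGroupName)"
        # Guest UPNs look like user_homedomain.com#EXT#@tenant; recover the home domain.
        $domain = if ($target -match '^[^#]*_([^#]+)#EXT#') { $Matches[1] } else { $null }
        $finding = switch ($d.Operation) {
            'AnonymousLinkCreated'     { 'Anyone link created (no audit trail for readers)' }
            'SiteCollectionAdminAdded' { if ($target -match '#EXT#') { 'External user made site admin' } }
            { $_ -in 'SharingSet', 'SharingInvitationCreated' } {
                if ($d.TargetUserOrGroupType -eq 'Guest' -and $domain -notin $AllowedDomains) {
                    "Guest from non-allowlisted domain: $domain"
                }
            }
        }
        if ($finding) {
            [pscustomobject]@{ Time = $d.CreationTime; Actor = $d.UserId; Site = $d.SiteUrl; Finding = $finding }
        }
    }
}

# Constructed sample records in the same shape as Search-UnifiedAuditLog output.
$Sample = @(
    @{ CreationTime = '2026-02-20T09:12:00'; Operation = 'SharingInvitationCreated'; UserId = 'alice@yourtenant.com'
       SiteUrl = 'https://yourtenant.sharepoint.com/sites/clientproject/'; TargetUserOrGroupType = 'Guest'
       TargetUserOrGroupName = 'bob_partnercompany.com#EXT#@yourtenant.onmicrosoft.com' }
    @{ CreationTime = '2026-02-20T10:03:00'; Operation = 'SharingSet'; UserId = 'alice@yourtenant.com'
       SiteUrl = 'https://yourtenant.sharepoint.com/sites/clientproject/'; TargetUserOrGroupType = 'Guest'
       TargetUserOrGroupName = 'eve_unknownmail.example#EXT#@yourtenant.onmicrosoft.com' }
    @{ CreationTime = '2026-02-21T14:40:00'; Operation = 'AnonymousLinkCreated'; UserId = 'carol@yourtenant.com'
       SiteUrl = 'https://yourtenant.sharepoint.com/sites/hr/'; TargetUserOrGroupType = ''; TargetUserOrGroupName = '' }
) | ForEach-Object { [pscustomobject]@{ AuditData = ($_ | ConvertTo-Json -Compress) } }

$Sample | Get-ExternalSharingFindings | Format-Table -AutoSize
```

Pipe the output of the Search-UnifiedAuditLog query above into Get-ExternalSharingFindings to run the same triage on live records.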

External Sharing Reports

SharePoint Admin Center → Reports → Sharing:

  • Sites with most external sharing activity
  • Guest users with broadest access
  • Anonymous link usage trends

Power BI reporting: Connect Microsoft 365 audit logs to Power BI for executive dashboards showing external sharing trends over time.

---

Data Loss Prevention for External Sharing

Microsoft Purview DLP Policies

Create DLP policies that restrict external sharing of sensitive content:

```
Policy: Block external sharing of PII
  • Condition: Content contains Social Security Number OR Credit Card Number
  • Action: Block sharing with external users
  • Notification: Alert user + notify compliance team
```

```
Policy: Warn on external sharing of confidential documents
  • Condition: Sensitivity label = Confidential
  • Action: Show warning before sharing externally
  • Option: Allow with business justification
```

Sensitivity Label Integration

Configure sensitivity labels to restrict external sharing:

  • Purview portal → Information Protection → Labels → [Label name] → Edit
  • Access control settings → Configure encryption
  • Select: "Grant permissions now"
  • Add your internal users/groups but NOT "All authenticated users"
  • Label-encrypted documents cannot be accessed by guests by default

---

External Sharing Governance Framework

Policy Documentation

Document your external sharing policy covering:

  • Who can share externally (all users, specific roles, IT-approved only)
  • What can be shared externally (classification level thresholds)
  • How long external access lasts (link expiry, guest account expiry)
  • How external sharing is monitored and audited
  • Incident response for unauthorized external sharing

Approval Workflows

For high-sensitivity environments, implement approval workflows:

Power Automate flow triggered on external sharing event:

  • Sharing event detected via Microsoft Graph subscription
  • Flow checks document sensitivity label
  • If Confidential or above: notify data owner and require approval
  • If not approved within 24 hours: auto-revoke the sharing link

Employee Training

External sharing policy must be accompanied by training:

  • When NOT to share externally (PII, confidential financials)
  • How to share securely (specific people links, not anyone links)
  • How to revoke access when external engagement ends
  • How to report suspected unauthorized external access

---

External Sharing in Regulated Industries

Healthcare (HIPAA)

PHI cannot be shared via "Anyone" links (no audit trail). Requirements:

  • Guest users for covered entity partners only
  • BAA in place before sharing PHI
  • Sensitivity labels on PHI documents blocking external sharing
  • Monthly external access review for PHI sites

Financial Services (SOC 2, SEC)

Requirements:

  • No anonymous links for any financial data
  • Guest access limited to approved vendor domains
  • Quarterly access review for all external users
  • Audit log retention minimum 12 months
  • External sharing events included in SOC 2 evidence

Government (FedRAMP)

GCC High tenants:

  • External sharing with non-federal entities requires authorization
  • Guest access restricted to other GCC High tenants by default
  • No commercial tenant users can access GCC High content

---

Conclusion

External sharing is a critical business function—but it demands governance to prevent data leakage. By configuring tenant-level policies, implementing Conditional Access for guests, establishing an access review cadence, and deploying DLP controls, you can enable external collaboration while maintaining security and compliance.

EPC Group has helped organizations in healthcare, financial services, legal, and government implement secure external sharing frameworks that satisfy auditors while preserving business agility. Contact us for a SharePoint security assessment focused on your external collaboration risk.

Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
