SharePoint External Sharing: Balancing Collaboration and Security
External sharing is one of the most powerful and most dangerous features in SharePoint Online. When configured correctly, it enables seamless collaboration with clients, vendors, and partners. When misconfigured, it exposes sensitive data to unauthorized third parties. Every SharePoint administrator must understand the sharing model in depth.
This guide covers the complete external sharing framework, from tenant-level policies to individual link settings, with governance recommendations for enterprise environments.
---
Understanding the Sharing Model
Sharing Levels
SharePoint Online provides four sharing levels, ordered from most permissive to most restrictive.
Anyone (anonymous): Creates shareable links that work without sign-in. Anyone with the link can access the content. No identity verification. Most permissive and most risky.
New and existing external users: Allows sharing with external users who authenticate with a work or school account, a Microsoft account, or a one-time email verification code. External users are added to Azure AD as guest accounts.
Existing external users only: Allows sharing only with external users who already exist in your Azure AD directory. New external users cannot be invited.
Only people in your organization: Disables all external sharing. Content is accessible only to users in your Azure AD tenant.
Sharing Hierarchy
The sharing hierarchy runs from the tenant down to individual items. The tenant-level setting is the ceiling: a site's effective sharing level is the more restrictive of the tenant value and the site value, so a site can be the same as or more restrictive than the tenant but never effectively more permissive. A more permissive value saved on a site simply has no effect until the tenant setting is raised. Individual files and folders within a site follow the site's sharing level; a sharing link on a file cannot grant more than the site allows.
Example: If the tenant is set to New and existing external users, a site can be set to Existing external users only or Only people in your organization, but Anyone links cannot be created on it, even if the site itself is configured for Anyone.
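The ceiling rule above can be checked across a tenant. The script below is an added example, not code from the original article: it ranks the four sharing levels, computes each site's effective level as the more restrictive of tenant and site, and flags sites whose stored value is above the tenant ceiling. It assumes the SharePoint Online Management Shell module and an existing Connect-SPOService session as a SharePoint administrator.

```powershell
# Rank the sharing levels from most restrictive (0) to most permissive (3).
# These are the SharingCapability values used by Set-SPOTenant / Set-SPOSite.
$rank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing external users only
    'ExternalUserSharingOnly'         = 2   # New and existing external users
    'ExternalUserAndGuestSharing'     = 3   # Anyone (anonymous links)
}

# The tenant value is the ceiling for every site
$tenantLevel = (Get-SPOTenant).SharingCapability.ToString()

Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $_.SharingCapability.ToString()

    # Effective level: the lower rank (more restrictive) of tenant and site wins
    $effective = if ($rank[$siteLevel] -le $rank[$tenantLevel]) { $siteLevel } else { $tenantLevel }

    [PSCustomObject]@{
        Site           = $_.Url
        TenantLevel    = $tenantLevel
        SiteLevel      = $siteLevel
        EffectiveLevel = $effective
        # A site value above the ceiling is stored but inert until the tenant is raised;
        # these are worth knowing about before anyone loosens the tenant setting
        AboveCeiling   = ($rank[$siteLevel] -gt $rank[$tenantLevel])
    }
} | Sort-Object AboveCeiling -Descending | Format-Table -AutoSize
```

Sites reported with AboveCeiling set to True are the ones that would silently become more permissive the moment an administrator raises the tenant setting, so they are the first place to look before any tenant-level change.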
---
Configuring Tenant-Level Sharing
Recommended Configuration for Enterprise
```powershell
# Set tenant sharing to authenticated external users
Set-SPOTenant -SharingCapability ExternalUserSharingOnly
# Set default link type to Specific People (most restrictive)
Set-SPOTenant -DefaultSharingLinkType Direct
# Set default link permission to View
Set-SPOTenant -DefaultLinkPermission View
# Require external users to accept sharing invitations with the same account
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
# Set expiration for guest access
Set-SPOTenant -ExternalUserExpirationRequired $true
Set-SPOTenant -ExternalUserExpireInDays 90
# Set expiration for Anyone links (if enabled)
Set-SPOTenant -RequireAnonymousLinksExpireInDays 7
```
Site-Level Sharing Configuration
Override tenant settings for individual sites based on content sensitivity.
```powershell
# Disable external sharing on sensitive sites
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/Finance -SharingCapability Disabled
# Allow authenticated external users on collaboration sites
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/ClientProject -SharingCapability ExternalUserSharingOnly
# Allow Anyone links on marketing sites (use with caution). This only takes effect if the
# tenant itself is set to ExternalUserAndGuestSharing; otherwise the tenant ceiling applies
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/Marketing -SharingCapability ExternalUserAndGuestSharing
```
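Settings drift: someone raises a value in the admin center, a migration tool resets a site, a new admin follows an older runbook. The script below is an added example, not code from the original article. It reads the tenant and the sites from the configuration above back and reports any value that differs from the baseline. It assumes an existing Connect-SPOService session; the baseline values are the ones recommended in this article and the site URLs are the placeholders used above.

```powershell
# Expected tenant values, keyed by the Get-SPOTenant property name
$tenantBaseline = @{
    SharingCapability                          = 'ExternalUserSharingOnly'
    DefaultSharingLinkType                     = 'Direct'
    DefaultLinkPermission                      = 'View'
    RequireAcceptingAccountMatchInvitedAccount = $true
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = 90
    RequireAnonymousLinksExpireInDays          = 7
}

# Expected per-site sharing levels for sites with a deliberate override
$siteBaseline = @{
    'https://contoso.sharepoint.com/sites/Finance'       = 'Disabled'
    'https://contoso.sharepoint.com/sites/ClientProject' = 'ExternalUserSharingOnly'
}

$tenant = Get-SPOTenant
$drift = @()

# Compare as strings so enum values and booleans line up with the baseline literals
foreach ($name in $tenantBaseline.Keys) {
    $actual = $tenant.$name
    if ("$actual" -ne "$($tenantBaseline[$name])") {
        $drift += [PSCustomObject]@{ Scope = 'Tenant'; Setting = $name; Expected = $tenantBaseline[$name]; Actual = $actual }
    }
}

foreach ($url in $siteBaseline.Keys) {
    $actual = (Get-SPOSite -Identity $url).SharingCapability.ToString()
    if ($actual -ne $siteBaseline[$url]) {
        $drift += [PSCustomObject]@{ Scope = $url; Setting = 'SharingCapability'; Expected = $siteBaseline[$url]; Actual = $actual }
    }
}

if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) sharing setting(s) differ from the baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host 'Tenant and site sharing settings match the baseline.'
}
```

Run it on a schedule and alert on a non-empty result; a SharingPolicyChanged event in the audit log tells you that something changed, while this tells you what is currently wrong.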
---
Guest Access Management
How Guest Accounts Work
When you share content with an external user, Azure AD creates a guest account in your directory. The guest account represents the external user's identity and controls their access to shared resources. Guest accounts are subject to conditional access policies, MFA requirements, access reviews, and audit logging.
Guest Account Lifecycle
Guest accounts should have a defined lifecycle. Creation happens when a sharing invitation is accepted. Review should occur regularly, for example quarterly, through Azure AD access reviews. Expiration of site access should be configured through the ExternalUserExpireInDays tenant setting; note that this removes the guest's access to a site, not the guest account itself. Removal of the account should happen when the business relationship ends or the guest has not signed in for an extended period.
```powershell
# Requires the Microsoft.Graph module (the AzureAD module is retired and its Get-AzureADUser
# never returned SignInActivity). Reading SignInActivity needs the AuditLog.Read.All scope
# and a Microsoft Entra ID P1 or P2 license in the tenant.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'AuditLog.Read.All'
# Find all guest accounts and their last sign-in date; -All avoids the default page limit
Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id, DisplayName, Mail, AccountEnabled, SignInActivity |
    Select-Object Id, DisplayName, Mail, AccountEnabled, @{N='LastSignIn'; E={ $_.SignInActivity.LastSignInDateTime }}
# Remove specific guest accounts (deleting the object removes all of the guest's access)
Remove-MgUser -UserId "guest-user-object-id"
```
Guest Access Reviews
Azure AD access reviews automate the process of reviewing and removing stale guest access. Configure quarterly access reviews that ask site or group owners to confirm whether each guest still needs access. Guests who are denied, or not reviewed when the review is configured to treat unreviewed users as denied, lose access when the review completes, but only if the review is set to apply results automatically; otherwise an administrator must apply the results.
---
Sharing Link Types
Specific People Links
The most secure sharing link type. Only the specified recipients can access the content. Recipients must sign in to verify their identity. Use this as the default for all enterprise sharing.
People in Your Organization Links
Creates a link that works for anyone in your Azure AD tenant. The link does not work for external users. Useful for broad internal sharing where you want to make content easily accessible to all employees.
Anyone Links (Anonymous)
Creates a link that works without authentication. Anyone who obtains the link can access the content. Extremely risky for sensitive data. If you must enable Anyone links, configure short expiration periods (7 days maximum), set permissions to View only (never Edit), and require a password on the link.
Link Expiration
Configure expiration for sharing links to prevent indefinite access. Set organizational defaults through the tenant settings and allow site owners to set shorter expirations for sensitive content.
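The default-plus-override pattern described above, as an added example that is not code from the original article: the tenant sets the expiration defaults and a sensitive site overrides both with shorter windows. The site URL is a placeholder and an existing Connect-SPOService session is assumed; the specific day counts are choices for this example, and the read-back at the end confirms what the service actually accepted.

```powershell
# Tenant defaults: Anyone links expire after 7 days, guest site access after 90 days
Set-SPOTenant -RequireAnonymousLinksExpireInDays 7
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90

# A sensitive collaboration site overrides both defaults with shorter windows.
# The Override* switches must be $true or the site keeps following the tenant value.
$site = 'https://contoso.sharepoint.com/sites/ClientProject'
Set-SPOSite -Identity $site -OverrideTenantAnonymousLinkExpirationPolicy $true -AnonymousLinkExpirationInDays 3
Set-SPOSite -Identity $site -OverrideTenantExternalUserExpirationPolicy $true -ExternalUserExpirationInDays 30

# Read back the site values to confirm the override took effect
Get-SPOSite -Identity $site | Select-Object Url,
    OverrideTenantAnonymousLinkExpirationPolicy, AnonymousLinkExpirationInDays,
    OverrideTenantExternalUserExpirationPolicy, ExternalUserExpirationInDays
```

Expiration on existing Anyone links is applied when the tenant or site value is set, so links created before the change do not keep their original lifetime; check the read-back rather than assuming the values, because the service enforces minimums on both counters.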
---
Data Loss Prevention for External Sharing
DLP Policies
Create Data Loss Prevention policies that detect when sensitive content is about to be shared externally and either block the sharing or notify compliance administrators.
Example DLP policy for external sharing:
Detect documents containing Social Security Numbers, credit card numbers, or HIPAA identifiers. When these documents are shared externally, block the sharing, notify the user that the content contains sensitive information, and notify the compliance team for review.
Configure DLP policies in the Microsoft Purview compliance center under Data loss prevention.
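The policy described above can also be created from Security & Compliance PowerShell, which is easier to review and version than the portal. The block below is an added example, not code from the original article. It assumes the ExchangeOnlineManagement module and a compliance-administrator account; the policy and rule names, the policy-tip text and the compliance mailbox are placeholders. The sensitive information type names are the built-in Purview names; confirm them in your tenant with Get-DlpSensitiveInformationType before relying on them, and add the HIPAA types your tenant uses under the same names.

```powershell
Connect-IPPSSession

$policy = @{
    Name               = 'Block external sharing of PII'
    Comment            = 'Blocks SSN and credit card content from being shared outside the organization'
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    # Start in test mode with policy tips; switch to Enable after reviewing incident reports
    Mode               = 'TestWithNotifications'
}
New-DlpCompliancePolicy @policy

$rule = @{
    Name   = 'PII shared outside the organization'
    Policy = 'Block external sharing of PII'
    # Match on either built-in sensitive information type
    ContentContainsSensitiveInformation = @(
        @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' },
        @{ Name = 'Credit Card Number';                minCount = '1' }
    )
    # Fire only when the item is shared with people outside the organization
    AccessScope               = 'NotInOrganization'
    # Revoke the external recipients' access but leave the owner's own access alone
    BlockAccess               = $true
    BlockAccessScope          = 'PerUser'
    # Tell the person who shared it, via policy tip and email
    NotifyUser                = 'LastModifier', 'Owner'
    NotifyPolicyTipCustomText = 'This document contains sensitive personal data and cannot be shared outside the organization.'
    # Send an incident report to the compliance team for review
    GenerateIncidentReport    = 'compliance@contoso.com'
    IncidentReportContent     = 'Title', 'DocumentAuthor', 'DocumentLastModifier', 'Detections', 'Severity', 'Service'
    ReportSeverityLevel       = 'High'
}
New-DlpComplianceRule @rule

# Review what was created before switching the policy to Enable
Get-DlpComplianceRule -Policy 'Block external sharing of PII' |
    Format-List Name, AccessScope, BlockAccess, BlockAccessScope, NotifyUser, GenerateIncidentReport
```

Leave the policy in TestWithNotifications for a week or two and read the incident reports: false positives on test data, invoice numbers or sample files are common, and a blocking rule that fires on them trains users to route around SharePoint.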
Sensitivity Labels and Sharing
Microsoft Purview sensitivity labels can enforce sharing restrictions in two ways. A label applied to a site or Microsoft 365 group (a container label) sets the site's external sharing level: a Confidential label can set the site to Only people in your organization, and an Internal label can limit it to authenticated external users. A label applied to a file can apply encryption, so that even if the file is shared externally only the identities the label permits can open it, and DLP policies can use the file's label as a condition to block external sharing. Labels provide a user-friendly way to enforce sharing policies without requiring users to understand the technical configuration.
---
Monitoring and Auditing External Sharing
Sharing Reports
Monitor external sharing activity through the SharePoint Admin Center sharing reports, Microsoft 365 audit log, and PowerShell reports.
```powershell
# Inventory sites that have external users. Get-SPOExternalUser writes the user objects
# directly (there is no .ExternalUsers wrapper), returns at most 50 per call, and only
# lists authenticated guests: Anyone links create no user and do not appear here.
Get-SPOSite -Limit All | ForEach-Object {
    $site = $_
    $guests = @()
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $position -PageSize 50 -ErrorAction SilentlyContinue)
        $guests += $page
        $position += 50
    } while ($page.Count -eq 50)
    if ($guests.Count -gt 0) {
        [PSCustomObject]@{
            Site              = $site.Url
            ExternalUsers     = $guests.Count
            SharingCapability = $site.SharingCapability
        }
    }
}
```
Audit Log Queries
Search the Microsoft 365 audit log for sharing events. Key operations to monitor include SharingSet (sharing permission granted or link created), SharingInvitationCreated (sharing invitation sent), AnonymousLinkCreated (Anyone link created), AnonymousLinkUsed (Anyone link redeemed), SharingRevoked (sharing removed) and SharingPolicyChanged (sharing settings modified).
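A query that pulls those operations and turns them into a weekly review, as an added example that is not code from the original article. It assumes the ExchangeOnlineManagement module and an existing Connect-ExchangeOnline session for an account that holds the View-Only Audit Logs or Audit Logs role; the seven-day window and the CSV path are choices for this example.

```powershell
$ops = 'SharingSet', 'SharingInvitationCreated', 'AnonymousLinkCreated',
       'AnonymousLinkUsed', 'SharingRevoked', 'SharingPolicyChanged'
$start = (Get-Date).AddDays(-7)
$end   = Get-Date

# Page through the results. A SessionId with ReturnLargeSet is how the cmdlet hands back
# more than one 5,000-record page; it returns nothing once the session is exhausted.
$sessionId = "sharing-audit-$(Get-Date -Format yyyyMMddHHmmss)"
$records = @()
do {
    $page = @(Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000)
    $records += $page
} while ($page.Count -gt 0)

# AuditData is a JSON document; flatten the fields that matter for a sharing review.
# Large-set paging can repeat records, so de-duplicate on the record Identity first.
$events = $records | Sort-Object Identity -Unique | ForEach-Object {
    $d = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Time       = $_.CreationDate
        Operation  = $_.Operations
        Actor      = $_.UserIds
        Target     = $d.TargetUserOrGroupName   # who the item was shared with, when present
        TargetType = $d.TargetUserOrGroupType   # for example Guest versus Member
        Item       = $d.ObjectId
        Site       = $d.SiteUrl
        ClientIP   = $d.ClientIP
    }
}

# High-signal views: Anyone links created or redeemed, and changes to sharing policy
$events | Where-Object Operation -in 'AnonymousLinkCreated', 'AnonymousLinkUsed' |
    Format-Table Time, Operation, Actor, Item, ClientIP -AutoSize
$events | Where-Object Operation -eq 'SharingPolicyChanged' |
    Format-Table Time, Actor, Site -AutoSize

# Volume per operation for the weekly report, plus the raw events for the record
$events | Group-Object Operation | Select-Object Name, Count | Sort-Object Count -Descending
$events | Export-Csv -Path ".\sharing-events-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

SharingPolicyChanged should be rare and every occurrence should map to a change ticket; AnonymousLinkUsed from an IP range you do not recognise is the quickest indicator that an Anyone link has travelled further than intended.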
---
Enterprise Sharing Governance
Sharing Policy Documentation
Create a documented sharing policy that covers who can share externally (all users or specific groups), what content can be shared externally (all content or specific sensitivity levels), how sharing is approved (self-service or requires approval), when sharing links expire (default and maximum), and how sharing is monitored and audited.
Sharing Training
Train users on the organization's sharing policy. Cover the difference between sharing link types and their risks, how to choose the appropriate link type for each scenario, what to do if they accidentally share sensitive content, and how to manage and revoke sharing links.
Incident Response
Define an incident response process for sharing policy violations. When sensitive content is shared externally inappropriately, the response should include immediately revoking the sharing link, notifying the compliance team, conducting an impact assessment, documenting the incident, and implementing preventive measures.
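The containment steps in that process, scripted as an added example that is not code from the original article. The site URL is a placeholder and an existing Connect-SPOService session as a SharePoint administrator is assumed. Removing an individual sharing link from a file is done from the file's Manage access pane and is not scripted here; this block captures state, stops further external sharing on the site, records the external identities present and removes them from the site.

```powershell
$site        = 'https://contoso.sharepoint.com/sites/Finance'
$incidentTag = "incident-$(Get-Date -Format yyyyMMdd-HHmm)"

# 1. Record the site's sharing state before changing anything
Get-SPOSite -Identity $site |
    Select-Object Url, SharingCapability, DefaultSharingLinkType, DefaultLinkPermission |
    Export-Csv -Path ".\$incidentTag-site-before.csv" -NoTypeInformation

# 2. Stop all external sharing on the site. While the site is Disabled, its existing
#    Anyone links stop working and no new external invitations can be sent.
Set-SPOSite -Identity $site -SharingCapability Disabled

# 3. Enumerate external identities on the site. Azure AD guests carry '#ext#' in the
#    login name; email-verified guests may appear with the 'urn:spo:guest#' prefix.
$external = Get-SPOUser -Site $site -Limit All |
    Where-Object { $_.LoginName -like '*#ext#*' -or $_.LoginName -like 'urn:spo:guest#*' }
$external | Select-Object DisplayName, LoginName, IsSiteAdmin, Groups |
    Export-Csv -Path ".\$incidentTag-external-users.csv" -NoTypeInformation

# 4. Remove each external user from the site, revoking the access they were granted there.
#    The Azure AD guest object is untouched; delete it separately if the relationship is over.
foreach ($u in $external) {
    Remove-SPOUser -Site $site -LoginName $u.LoginName
    Write-Host "Removed $($u.LoginName) from $site"
}
```

The two CSV files are the evidence for the impact assessment: who had access and what the site allowed at the time. Restore the site's sharing level only after the offending links have been removed from the items themselves and the audit log has been reviewed for AnonymousLinkUsed and FileAccessed events on them.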
---
Frequently Asked Questions
Can I see who accessed a shared link?
For Specific People links, yes. The audit log records the signed-in identity that opened the content (FileAccessed events) together with the SharingSet and AddedToSecureLink events that granted it. For Anyone links, no. The audit log records an AnonymousLinkUsed event with the client IP address, but there is no identity, because no sign-in occurs.
Can external users share content with others?
By default, guests can re-share content they have been given access to, within whatever the site's sharing settings allow. You can prevent this tenant-wide with the PreventExternalUsersFromResharing tenant setting, by restricting sharing on a site so that only owners can share, or by using sensitivity labels with encryption so that a forwarded link does not grant the ability to open the content.
What happens when an external user's guest account expires?
Expiration configured through ExternalUserExpireInDays is per site. When it is reached, the guest's permissions on that site are removed; site owners are notified beforehand and can extend access if it is still needed. The guest account itself is not disabled and remains in Azure AD, so it must be removed separately by an access review, a lifecycle script, or an administrator. If the guest needs the site again, a site owner must share with them again.
---
For help configuring secure external sharing in your SharePoint environment, [contact our security team](/contact) for a sharing assessment. We implement external sharing frameworks for organizations in [regulated industries](/services) where data protection and compliance requirements govern every sharing decision.
External Sharing Scenarios
Client Collaboration Portals
Create dedicated client collaboration sites with controlled external sharing. Each client gets a communication site with a branded interface, shared document libraries for deliverables and correspondence, a news section for project updates, and a calendar for deadlines and milestones. Configure external sharing to allow only the specific client contacts to access the site. Use sensitivity labels to prevent client users from re-sharing content.
Vendor Document Exchange
For recurring document exchange with vendors (invoices, contracts, specifications), create an Exchange library pattern. The vendor uploads documents to a designated library. A Power Automate flow processes the upload, validates metadata, routes the document for internal review, and notifies the vendor of acceptance or rejection. External sharing is scoped to the Exchange library only; vendors cannot access other site content.
Board of Directors Portal
Board members are often external to the organization but need access to highly sensitive documents. Create a dedicated board portal with the most restrictive sharing settings. Require MFA for all access. Apply the highest sensitivity label. Disable download on unmanaged devices. Configure session timeouts to 30 minutes. Audit all access and generate access reports for the corporate secretary.
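The board portal controls above, scripted as an added example that is not code from the original article. The site URL is a placeholder and an existing Connect-SPOService session as a SharePoint administrator is assumed. MFA for guests is a Conditional Access policy in Azure AD and the sensitivity label is applied in Purview; neither is set here. The unmanaged-device restriction only takes effect alongside a Conditional Access policy that uses app enforced restrictions, and the idle sign-out is a tenant-wide setting, not a per-site one.

```powershell
$site = 'https://contoso.sharepoint.com/sites/BoardPortal'

# Sharing: only guests who already exist in the directory, Specific people + View by default,
# and only site owners may share at all
Set-SPOSite -Identity $site -SharingCapability ExistingExternalUserSharingOnly `
    -DefaultSharingLinkType Direct -DefaultLinkPermission View
Set-SPOSite -Identity $site -DisableSharingForNonOwners

# Guest access to this site expires after 30 days regardless of the tenant default
Set-SPOSite -Identity $site -OverrideTenantExternalUserExpirationPolicy $true -ExternalUserExpirationInDays 30

# Unmanaged devices get browser-only access with no download, print or sync, and no editing.
# Requires a Conditional Access policy with "Use app enforced restrictions" for SharePoint.
Set-SPOSite -Identity $site -ConditionalAccessPolicy AllowLimitedAccess -AllowEditing $false

# Idle session sign-out (tenant-wide): warn after 25 minutes, sign out after 30
Set-SPOBrowserIdleSignOut -Enabled $true -WarnAfter (New-TimeSpan -Minutes 25) -SignOutAfter (New-TimeSpan -Minutes 30)

# Verify the site's effective settings
Get-SPOSite -Identity $site | Select-Object Url, SharingCapability, DefaultSharingLinkType,
    DefaultLinkPermission, ConditionalAccessPolicy, ExternalUserExpirationInDays, DisableSharingForNonOwnersStatus
```

The access report for the corporate secretary comes from the audit log query in the monitoring section, filtered to this site's URL; pair it with the quarterly access review so that every board member's guest account is confirmed by a named owner.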
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.