
SharePoint External Sharing Security Guide

Secure your SharePoint external sharing with this comprehensive guide to guest access policies, conditional access, sensitivity labels, link expiration, and DLP integration in 2026.

SharePoint Support Team | April 2, 2026 | 14 min read

How Do You Secure External Sharing in SharePoint Online?

Securing SharePoint external sharing requires a layered approach combining tenant-level sharing policies, site-level restrictions, conditional access rules, sensitivity labels, and Data Loss Prevention (DLP) policies. In our 25+ years managing enterprise SharePoint environments, we have found that the biggest security risk is not external sharing itself — it is uncontrolled external sharing where organizations lack visibility into what is shared, with whom, and for how long.

[Image: Step-by-step SharePoint migration workflow]

External sharing is a business requirement that cannot be eliminated. Partners, clients, vendors, and contractors all need access to specific documents. The goal is to enable collaboration while maintaining control, visibility, and the ability to revoke access instantly when needed.

Understanding SharePoint Sharing Levels

SharePoint Online offers four sharing levels, from most permissive to most restrictive:

1. Anyone (anonymous links): Creates a link that works for anyone, with no sign-in required. The most dangerous option — the link can be forwarded, shared publicly, or intercepted. We recommend disabling this at the tenant level for all enterprise environments.

2. New and existing guests: Requires external users to authenticate with a Microsoft account, work account, or one-time passcode. Creates a guest user record in Azure AD. This is the recommended level for most external collaboration.

3. Existing guests only: Only allows sharing with external users who already exist in your Azure AD directory. Useful for organizations that want to pre-approve all external users.

4. Only people in your organization: Disables all external sharing. Appropriate for highly sensitive sites but too restrictive for general use.

Configuring Tenant-Level Defaults

Navigate to the SharePoint admin center > Policies > Sharing. Set the tenant-level default to "New and existing guests" as a reasonable baseline. Disable "Anyone" links unless you have a specific, governed use case.

Configure these critical settings at the tenant level:

  • Link expiration: Set default link expiration to 30 days. External users can request re-sharing when links expire, giving you natural access review points.
  • Link permissions: Default to "View only" rather than "Edit." Users can upgrade to edit on specific shares when needed.
  • Require guests to sign in: Always enabled. Anonymous access creates unauditable sharing.
  • Allow only users in specific security groups to share externally: Limit who can initiate external sharing to trained users who understand the policies.
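The tenant baseline above can be applied and then verified from the SharePoint Online Management Shell. The script below is an added example, not code from the article or from SharePoint Support: it expresses the baseline as one table, splats it into Set-SPOTenant, and reads it back with Get-SPOTenant to report drift. It assumes the Microsoft.Online.SharePoint.PowerShell module, that the Get-SPOTenant property names match the Set-SPOTenant parameter names, and a placeholder admin URL. The "specific security groups may share externally" setting is left to the admin center here.

```powershell
# Added example (not from the original article): apply the tenant-level
# sharing baseline and report any drift from it.
# Assumes the SharePoint Online Management Shell module is installed.
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'   # placeholder admin URL

# Desired baseline, keyed by the Set-SPOTenant parameter name so that the
# same table drives both the change and the verification.
$Baseline = @{
    SharingCapability                 = 'ExternalUserSharingOnly'  # "New and existing guests": Anyone links off, sign-in required
    DefaultSharingLinkType            = 'Internal'                 # default link type: people in the organization
    DefaultLinkPermission             = 'View'                     # view-only unless the sharer upgrades a specific link
    ExternalUserExpirationRequired    = $true                      # guest access to sites/OneDrive expires ...
    ExternalUserExpireInDays          = 30                         # ... after 30 days unless renewed
    RequireAnonymousLinksExpireInDays = 30                         # applies only if Anyone links are ever re-enabled
}

function Set-SharingBaseline {
    param([hashtable]$Settings)
    # Every key is a Set-SPOTenant parameter, so the table can be splatted straight in.
    Set-SPOTenant @Settings
}

function Test-SharingBaseline {
    param([hashtable]$Settings)
    # Assumption: Get-SPOTenant exposes each setting under the same name.
    $tenant = Get-SPOTenant
    $drift = foreach ($name in $Settings.Keys) {
        $actual = $tenant.$name
        if ("$actual" -ne "$($Settings[$name])") {
            [pscustomobject]@{ Setting = $name; Expected = $Settings[$name]; Actual = $actual }
        }
    }
    return $drift
}

Set-SharingBaseline -Settings $Baseline
$drift = Test-SharingBaseline -Settings $Baseline
if ($drift) { $drift | Format-Table -AutoSize } else { 'Tenant sharing settings match the baseline.' }
```

Run Test-SharingBaseline on its own from a scheduled job: anyone with the SharePoint admin role can loosen these settings from the admin center, and a weekly drift report is the cheapest way to notice.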

Site-Level Sharing Restrictions

Not every SharePoint site should have the same sharing level. Override the tenant default at the site level for sensitive content.

Classification-Based Sharing

Use sensitivity labels to automatically enforce sharing restrictions based on content classification:

  • Public: Allow new and existing guests, 90-day link expiration
  • Internal: Allow existing guests only, 30-day link expiration
  • Confidential: Only people in your organization, no external sharing
  • Highly Confidential: Only people in your organization, no download, watermarking enabled

When a user creates a new site or Team and applies a sensitivity label, the corresponding sharing restriction is automatically enforced. This eliminates the need to manually configure sharing settings on every site.
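The classification table above can be written into the sensitivity labels themselves with Security & Compliance PowerShell, so that applying a label to a site or Team sets its external sharing ceiling. This is an added example, not code from the article or from SharePoint Support; it assumes Connect-IPPSSession has been run, that labels with the four display names from the table already exist, and that those display names resolve as label identities.

```powershell
# Added example (not from the original article): map the classification
# table to sensitivity-label site settings. Assumes the labels already exist.
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)

# Label name -> site sharing level (same vocabulary as Set-SPOTenant /
# Set-SPOSite) and whether guests may be added to the site membership at all.
$LabelSharing = @(
    @{ Label = 'Public';              Sharing = 'ExternalUserSharingOnly';         Guests = $true  }
    @{ Label = 'Internal';            Sharing = 'ExistingExternalUserSharingOnly'; Guests = $true  }
    @{ Label = 'Confidential';        Sharing = 'Disabled';                        Guests = $false }
    @{ Label = 'Highly Confidential'; Sharing = 'Disabled';                        Guests = $false }
)

function Set-LabelSharingRestrictions {
    param([object[]]$Map)
    foreach ($row in $Map) {
        $settings = @{
            Identity                                      = $row.Label
            SiteAndGroupProtectionEnabled                 = $true        # turn on the "Groups & sites" scope of the label
            SiteExternalSharingControlType                = $row.Sharing # external sharing ceiling applied to labelled sites
            SiteAndGroupProtectionAllowAccessToGuestUsers = $row.Guests  # may guests be members of labelled sites/Teams
        }
        Set-Label @settings
        Write-Verbose "Applied $($row.Sharing) to label '$($row.Label)'"
    }
}

Set-LabelSharingRestrictions -Map $LabelSharing -Verbose
```

The link-expiration days in the table are not a label property; they remain a per-site setting, so a labelled site still needs its expiration configured separately (or inherits the tenant default). The "no download" and watermarking behaviour for Highly Confidential is likewise configured on the label's file-encryption and conditional-access side, not by these four parameters.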

Per-Site Overrides

For sites that need exceptions to the default policy, use the SharePoint admin center or PowerShell to set site-specific sharing levels. Document every exception with the business justification and the approving authority. Review exceptions quarterly and remove those that are no longer needed.
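The quarterly exception review is easier when the register is machine-checked against the tenant. The script below is an added example, not code from the article or from SharePoint Support: it tightens one site, then lists every site whose sharing level is looser than an assumed per-site baseline and reports whether that site has a current entry in the exceptions register. It assumes an existing Connect-SPOService session; the URLs and register rows are constructed placeholders.

```powershell
# Added example (not from the original article): per-site override plus an
# audit of all sites against a baseline and an exceptions register.

# Sharing levels ranked from most restrictive (0) to most permissive (3).
$Rank = @{
    Disabled                        = 0   # Only people in your organization
    ExistingExternalUserSharingOnly = 1   # Existing guests only
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone (anonymous links)
}

# Assumed per-site baseline: sites start at "existing guests only" even though
# the tenant ceiling allows new guests; anything looser needs a documented exception.
$SiteBaseline = 'ExistingExternalUserSharingOnly'

# Tighten one sensitive site to no external sharing (placeholder URL).
Set-SPOSite -Identity 'https://TENANT.sharepoint.com/sites/Finance' -SharingCapability Disabled

# Exceptions register as governance keeps it: one row per approved deviation.
# Constructed sample rows; in practice load this from a tracked CSV or list.
$Register = @'
SiteUrl,Level,Justification,ApprovedBy,ReviewBy
https://TENANT.sharepoint.com/sites/PartnerPortal,ExternalUserSharingOnly,Partner co-authoring,CISO,2026-09-30
'@ | ConvertFrom-Csv

function Get-SharingExceptions {
    param([string]$Baseline, [object[]]$Register)
    foreach ($site in Get-SPOSite -Limit All) {
        $level = $site.SharingCapability.ToString()
        if ($Rank[$level] -le $Rank[$Baseline]) { continue }   # within baseline: nothing to justify
        $entry   = $Register | Where-Object { $_.SiteUrl -eq $site.Url }
        $lapsed  = $false
        if ($entry) { $lapsed = [datetime]$entry.ReviewBy -lt (Get-Date) }
        [pscustomobject]@{
            Url          = $site.Url
            Level        = $level
            Documented   = [bool]$entry
            ReviewLapsed = $lapsed
        }
    }
}

# Sites looser than the baseline that are undocumented or past their review
# date are the ones to act on.
Get-SharingExceptions -Baseline $SiteBaseline -Register $Register |
    Where-Object { -not $_.Documented -or $_.ReviewLapsed } |
    Format-Table -AutoSize
```

Because the tenant setting is a ceiling, a site can never be effectively looser than the tenant; the baseline in this check is therefore the stricter level your governance expects on an ordinary site, not the tenant value.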

Conditional Access for External Users

Azure AD Conditional Access policies add authentication-layer security that SharePoint sharing settings alone cannot provide. Create dedicated policies for guest users that enforce stronger controls.

Recommended Conditional Access Policies for Guests

Policy 1: MFA Required for All Guest Access

Target all guest users accessing SharePoint Online and require multi-factor authentication on every session. This single policy eliminates the risk of compromised guest credentials.

Policy 2: Block Unmanaged Devices

Require guests to access SharePoint only from compliant devices or through the web browser with session restrictions. For web-only access, configure session controls to prevent downloads and block copy/paste in the browser.

Policy 3: Location-Based Restrictions

If your external collaborators are in known locations, restrict guest access to specific countries or IP ranges. Block access from high-risk countries that are not relevant to your business.

Policy 4: Session Timeout

Configure short session timeouts (1 hour) for guest access to sensitive sites. Internal users may have 8-hour sessions, but guests should re-authenticate more frequently.
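Policies 1, 2 and 4 above can be created from Microsoft Graph PowerShell. The script below is an added example, not code from the article or from SharePoint Support: it builds one report-only Conditional Access policy scoped to guests and SharePoint Online that requires MFA and a one-hour sign-in frequency, and then sets the SharePoint side of the unmanaged-device restriction. It assumes the Microsoft.Graph and SharePoint Online modules are installed; the policy name and admin URL are placeholders.

```powershell
# Added example (not from the original article): guest MFA + 1h sign-in
# frequency for SharePoint Online in report-only mode, plus SharePoint's
# limited-access mode for unmanaged devices.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Well-known application ID of Office 365 SharePoint Online in Entra ID.
$SharePointAppId = '00000003-0000-0ff1-ce00-000000000000'

$GuestPolicy = @{
    displayName = 'Guests - MFA and 1h sign-in frequency for SharePoint'   # assumed name
    # Report-only first: review the impact in the sign-in log, then set state to 'enabled'.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users          = @{ includeUsers = @('GuestsOrExternalUsers') }      # all guest / external users
        applications   = @{ includeApplications = @($SharePointAppId) }
        clientAppTypes = @('all')
    }
    grantControls   = @{ operator = 'OR'; builtInControls = @('mfa') }       # Policy 1
    sessionControls = @{
        # Policy 4: guests re-authenticate every hour; internal users keep their default.
        signInFrequency = @{ isEnabled = $true; type = 'hours'; value = 1 }
        # Policy 2: defer to SharePoint's own browser restrictions for unmanaged devices.
        applicationEnforcedRestrictions = @{ isEnabled = $true }
    }
}

function New-GuestSharePointPolicy {
    param([hashtable]$Body)
    # Idempotent: return the existing policy instead of creating a duplicate.
    $existing = Get-MgIdentityConditionalAccessPolicy -Filter "displayName eq '$($Body.displayName)'"
    if ($existing) { return $existing }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $Body
}

New-GuestSharePointPolicy -Body $GuestPolicy | Select-Object Id, DisplayName, State

# SharePoint side of Policy 2: unmanaged devices get web-only access with
# download, print and sync blocked; compliant devices keep full access.
Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'   # placeholder admin URL
Set-SPOTenant -ConditionalAccessPolicy AllowLimitedAccess
```

Leave the policy in report-only mode for at least one business cycle and check the "Report-only" tab of the sign-in log before enforcing it; partner users whose home tenant cannot satisfy the MFA claim will show up there first. Setting the SharePoint limited-access mode also creates its own Conditional Access policies in Entra ID, so review the policy list afterwards rather than assuming only the one above exists.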

App Protection Policies

For guests accessing SharePoint from mobile devices, configure Microsoft Intune App Protection Policies that prevent data leakage. These policies can block screenshots, prevent copy/paste to external apps, require a PIN for app access, and encrypt data at rest on the device — all without requiring device enrollment.

Data Loss Prevention Integration

DLP policies add content-aware protection to external sharing. Even if sharing settings allow external access, DLP policies can block sharing of specific content types.

Configuring DLP for External Sharing

Create DLP policies in Microsoft Purview that detect sensitive information types in SharePoint content:

  • Financial data: Credit card numbers, bank account numbers, tax IDs
  • Healthcare data: Medical record numbers, diagnosis codes, patient identifiers
  • Personal data: Social Security numbers, passport numbers, driver license numbers
  • Custom data: Your organization's project codes, internal account numbers, proprietary terms

Configure policy actions to block external sharing when sensitive content is detected, notify the content owner, and generate an incident report for the compliance team. DLP policies can override sharing permissions — even if a site allows external sharing, DLP can block the specific share if the document contains sensitive data.

Policy Tips

Enable policy tips to educate users in real-time. When a user attempts to share a document containing sensitive data externally, a policy tip appears explaining why the share is blocked and providing guidance on how to proceed (remove sensitive data, use a different sharing method, or request an exception).
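The DLP policy, its blocking rule and the policy tip described in the two sections above can be created together from Security & Compliance PowerShell. The script below is an added example, not code from the article or from SharePoint Support; it assumes the ExchangeOnlineManagement module and uses placeholder names and a placeholder compliance mailbox.

```powershell
# Added example (not from the original article): Purview DLP policy that
# blocks only the external access to SharePoint/OneDrive content holding
# financial or personal identifiers, notifies the owner, files an incident
# report and shows a policy tip.
Connect-IPPSSession   # Security & Compliance PowerShell

$PolicyName      = 'Block external sharing of sensitive data'   # assumed name
$IncidentMailbox = 'compliance@TENANT.example'                  # placeholder

# Start in test mode with notifications so the compliance team can tune
# false positives against real traffic; change Mode to 'Enable' afterwards.
$policy = @{
    Name               = $PolicyName
    SharePointLocation = 'All'
    OneDriveLocation   = 'All'
    Mode               = 'TestWithNotifications'
    Comment            = 'Blocks external sharing of PCI and PII content'
}
New-DlpCompliancePolicy @policy

# Built-in sensitive information types, referenced by their Purview display names.
$SensitiveTypes = @(
    @{ Name = 'Credit Card Number';                minCount = '1' }
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
    @{ Name = 'U.S. / U.K. Passport Number';       minCount = '1' }
)

$rule = @{
    Name                                = "$PolicyName - block and notify"
    Policy                              = $PolicyName
    ContentContainsSensitiveInformation = $SensitiveTypes
    AccessScope                         = 'NotInOrganization'   # fire only when a share reaches outside the tenant
    BlockAccess                         = $true
    BlockAccessScope                    = 'PerUser'             # revoke external recipients only; the owner keeps access
    NotifyUser                          = @('Owner', 'LastModifier')
    NotifyPolicyTipCustomText           = 'This file contains sensitive data and cannot be shared outside the organization. Remove the data, share internally, or request an exception.'
    GenerateIncidentReport              = $IncidentMailbox
    IncidentReportContent               = 'All'
    ReportSeverityLevel                 = 'High'
}
New-DlpComplianceRule @rule

# Verify the rule is attached with the intended scope and action.
Get-DlpComplianceRule -Policy $PolicyName | Select-Object Name, AccessScope, BlockAccess, BlockAccessScope, Disabled
```

The AccessScope of NotInOrganization is what lets a site stay externally shareable while individual documents are blocked: internal collaboration on the same file is unaffected, and only the share that reaches a guest or anonymous link triggers the rule.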

Guest Access Lifecycle Management

The security of external sharing is only as strong as your guest lifecycle management. Without proactive management, your Azure AD accumulates stale guest accounts with persistent access to sensitive content.

Automated Access Reviews

Configure Azure AD Access Reviews to periodically review guest access. Monthly reviews for sensitive sites and quarterly reviews for standard sites ensure that guests who no longer need access are promptly removed.

Access reviews can be delegated to site owners, who understand the business context better than IT administrators. When a reviewer marks a guest as "no longer needed," access is automatically revoked.

Guest Expiration Policies

Azure AD allows you to set automatic expiration for guest accounts. Configure guests to expire after 90-180 days unless their access is explicitly renewed. This creates a natural cleanup mechanism that prevents indefinite guest access.

Monitoring Guest Activity

Use the Azure AD sign-in logs and SharePoint audit logs to monitor guest activity. Look for:

  • Guests who have not signed in for 30+ days (candidates for removal)
  • Guests accessing content outside normal business hours
  • Guests downloading large volumes of content
  • Guests accessing sites beyond their expected scope

Create automated alerts for anomalous guest behavior using Microsoft Sentinel or Power Automate connected to the audit log.
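Two of the signals listed above can be checked directly. The script below is an added example, not code from the article or from SharePoint Support: Find-StaleGuests asks Entra ID through Microsoft Graph for guests with no sign-in in the last N days, and Find-GuestActivityAnomalies is a pure function over unified-audit-log records (here a constructed sample) that flags bulk downloads and off-hours access. It assumes the Microsoft.Graph module and an Entra ID P1/P2 licence for sign-in activity; the thresholds and business hours are assumptions.

```powershell
# Added example (not from the original article): stale-guest and
# anomalous-activity checks for guest monitoring.

function Find-StaleGuests {
    param([int]$Days = 30)
    # SignInActivity requires the AuditLog.Read.All scope and an Entra ID P1/P2 licence.
    Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-MgUser -Filter "userType eq 'Guest'" -All `
        -Property Id, UserPrincipalName, CreatedDateTime, SignInActivity |
        Where-Object {
            $last = $_.SignInActivity.LastSignInDateTime
            # A guest who never signed in counts as stale once the invitation is older than the cutoff.
            (-not $last -and $_.CreatedDateTime -lt $cutoff) -or ($last -and $last -lt $cutoff)
        } |
        Select-Object UserPrincipalName, CreatedDateTime,
            @{ n = 'LastSignIn'; e = { $_.SignInActivity.LastSignInDateTime } }
}

function Find-GuestActivityAnomalies {
    param(
        [object[]]$Records,            # expanded AuditData objects: UserId, Operation, CreationTime (UTC), SiteUrl
        [int]$MaxDownloads = 50,       # per guest within the record window (assumed threshold)
        [int]$BusinessStartHour = 7,   # business hours expressed in UTC (assumed)
        [int]$BusinessEndHour = 19
    )
    # Guest UPNs carry "#EXT#", which is the cheapest way to separate them from members.
    $guests = $Records | Where-Object { $_.UserId -like '*#EXT#*' }
    foreach ($group in $guests | Group-Object UserId) {
        $downloads = @($group.Group | Where-Object Operation -eq 'FileDownloaded')
        $offHours  = @($group.Group | Where-Object {
            $h = ([datetime]$_.CreationTime).Hour   # audit CreationTime is UTC
            $h -lt $BusinessStartHour -or $h -ge $BusinessEndHour
        })
        $reasons = @()
        if ($downloads.Count -gt $MaxDownloads) { $reasons += "bulk download ($($downloads.Count) files)" }
        if ($offHours.Count -gt 0)              { $reasons += "off-hours access ($($offHours.Count) events)" }
        if ($reasons) {
            [pscustomobject]@{
                Guest   = $group.Name
                Sites   = ($group.Group.SiteUrl | Sort-Object -Unique) -join ', '
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample in the shape of expanded AuditData from Search-UnifiedAuditLog:
# one guest pulling 60 files at 02:xx UTC, one guest reading a file during the day.
$sample = 1..60 | ForEach-Object {
    [pscustomobject]@{
        UserId       = 'bob_partner.example#EXT#@TENANT.onmicrosoft.com'
        Operation    = 'FileDownloaded'
        CreationTime = '2026-03-30T02:{0:d2}:00' -f ($_ % 60)
        SiteUrl      = 'https://TENANT.sharepoint.com/sites/PartnerPortal/'
    }
}
$sample += [pscustomobject]@{
    UserId       = 'alice_client.example#EXT#@TENANT.onmicrosoft.com'
    Operation    = 'FileAccessed'
    CreationTime = '2026-03-30T10:15:00'
    SiteUrl      = 'https://TENANT.sharepoint.com/sites/Marketing/'
}

Find-GuestActivityAnomalies -Records $sample | Format-Table -AutoSize   # flags only the first guest
```

In production, feed Find-GuestActivityAnomalies the FileAccessed/FileDownloaded records from Search-UnifiedAuditLog (AuditData expanded with ConvertFrom-Json) and route its output to the same alerting path as the Sentinel or Power Automate rules above; the pure function is also straightforward to unit-test with constructed records like the ones here.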

Advanced Sharing Controls

Information Barriers

Information barriers prevent specific groups from communicating or sharing content with each other. In financial services, this prevents investment banking and trading teams from sharing information. In multi-tenant environments, this prevents different client teams from accessing each other's content.

Sensitivity Labels with Encryption

For the most sensitive content, apply sensitivity labels that encrypt the content and restrict actions even after it is shared. A document encrypted with a "Confidential — External" label can be shared with approved guests who can view it but cannot print, forward, or copy the content. The encryption follows the document — even if downloaded, the restrictions remain enforced.

Verified Domains

Restrict external sharing to specific email domains. If you only collaborate with partners at three companies, limit external sharing to those three email domains. This prevents accidental sharing with personal email addresses and unauthorized organizations.

Audit and Reporting

SharePoint Sharing Reports

The SharePoint admin center provides sharing reports that show external sharing volume, most-shared sites, and top external collaborators. Review these reports weekly to spot unusual sharing patterns.

Unified Audit Log

Search the Microsoft 365 unified audit log for sharing events (SharingSet, SharingInvitationCreated, AnonymousLinkCreated). Create saved searches for your most common audit queries and export results for compliance reporting.
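The three sharing operations named above can be pulled and summarised in one pass, which also gives the "Verified Domains" section its check: every recipient domain that appears in the audit log is compared against the partner allow list. The script below is an added example, not code from the article or from SharePoint Support: Get-SharingAuditRecords pages the events out of the unified audit log, and Get-ExternalShareSummary is a pure function over the expanded AuditData. It assumes the ExchangeOnlineManagement module and that sharing records expose the TargetUserOrGroupName, SiteUrl and UserId fields; the allowed domains and sample events are constructed.

```powershell
# Added example (not from the original article): sharing-event audit search
# with paging, recipient-domain extraction and an allow-list check.

function Get-SharingAuditRecords {
    param([int]$Days = 7)
    Connect-ExchangeOnline
    $sessionId = "sharing-audit-$(Get-Date -Format yyyyMMddHHmmss)"
    $records = @()
    do {
        # ReturnLargeSet hands back up to 5000 records per call; repeating the
        # call with the same SessionId returns the next page.
        $page = @(Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                    -Operations SharingSet, SharingInvitationCreated, AnonymousLinkCreated `
                    -ResultSize 5000 -SessionId $sessionId -SessionCommand ReturnLargeSet)
        $records += $page
    } while ($page.Count -eq 5000)
    # AuditData is a JSON string; expand it so the summary can use its fields.
    $records | ForEach-Object { $_.AuditData | ConvertFrom-Json }
}

function Get-RecipientDomain {
    param($Event)
    if ($Event.Operation -eq 'AnonymousLinkCreated') { return '<anonymous link>' }
    $target = "$($Event.TargetUserOrGroupName)"
    # Guest UPNs look like user_partner.example#EXT#@tenant.onmicrosoft.com;
    # the partner's domain sits between the last underscore and #EXT#.
    if ($target -match '_([^_#]+)#ext#@') { return $matches[1].ToLower() }
    if ($target -match '@([^@]+)$')       { return $matches[1].ToLower() }   # plain e-mail address
    return $null                                                            # internal user or SharePoint group
}

function Get-ExternalShareSummary {
    param([object[]]$Events, [string[]]$AllowedDomains)
    $Events | ForEach-Object {
        $domain = Get-RecipientDomain -Event $_
        if ($domain) {
            [pscustomobject]@{ SiteUrl = $_.SiteUrl; Domain = $domain; SharedBy = $_.UserId }
        }
    } | Group-Object SiteUrl, Domain | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            SiteUrl     = $first.SiteUrl
            Domain      = $first.Domain
            Shares      = $_.Count
            Anonymous   = $first.Domain -eq '<anonymous link>'
            OnAllowList = $first.Domain -in $AllowedDomains
            SharedBy    = ($_.Group.SharedBy | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample events in the shape of expanded AuditData.
$sample = @(
    [pscustomobject]@{ Operation = 'SharingSet'; UserId = 'dana@TENANT.example'
                       SiteUrl = 'https://TENANT.sharepoint.com/sites/PartnerPortal/'
                       TargetUserOrGroupName = 'bob_partner.example#EXT#@TENANT.onmicrosoft.com' }
    [pscustomobject]@{ Operation = 'SharingInvitationCreated'; UserId = 'dana@TENANT.example'
                       SiteUrl = 'https://TENANT.sharepoint.com/sites/Finance/'
                       TargetUserOrGroupName = 'someone@gmail.com' }
    [pscustomobject]@{ Operation = 'AnonymousLinkCreated'; UserId = 'eve@TENANT.example'
                       SiteUrl = 'https://TENANT.sharepoint.com/sites/Finance/'
                       TargetUserOrGroupName = '' }
    [pscustomobject]@{ Operation = 'SharingSet'; UserId = 'dana@TENANT.example'
                       SiteUrl = 'https://TENANT.sharepoint.com/sites/Marketing/'
                       TargetUserOrGroupName = 'Marketing Members' }
)

# Replace $sample with (Get-SharingAuditRecords -Days 7) to run against the tenant.
Get-ExternalShareSummary -Events $sample -AllowedDomains 'partner.example' |
    Where-Object { $_.Anonymous -or -not $_.OnAllowList } |
    Format-Table -AutoSize
```

On the sample this reports the Finance share to a consumer mailbox and the anonymous link on Finance, and drops the PartnerPortal share because partner.example is on the allow list. Any domain that shows up here and is not a known partner is either a candidate for the allow list or a share to revoke.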

Power BI Dashboards

For enterprise-grade visibility, build Power BI dashboards that visualize sharing patterns across your tenant. Connect to the Microsoft Graph API and audit log to create real-time dashboards showing active guests, sharing volume trends, and policy compliance rates.

External Sharing Governance Framework

Implementing these technical controls requires a governance framework that defines who can share, what can be shared, how sharing is approved, and how it is monitored.

Our [SharePoint consulting services](/services/sharepoint-consulting) include external sharing governance design tailored to your regulatory requirements. We work with your legal, compliance, and IT teams to create policies that enable collaboration without exposing your organization to unnecessary risk.

For ongoing monitoring and incident response, our [SharePoint support plans](/services/sharepoint-support) include weekly sharing audits, guest lifecycle management, and DLP policy tuning. Organizations planning a [migration to SharePoint Online](/services/sharepoint-migration) should design their sharing governance framework before migration to avoid inheriting overly permissive settings. [Contact us](/contact) for an external sharing security assessment.

Frequently Asked Questions

Should I disable external sharing entirely?

No. Disabling external sharing pushes collaboration to unmanaged channels (personal email, Dropbox, USB drives) where you have zero visibility and control. It is always more secure to enable controlled sharing in SharePoint than to force users into shadow IT solutions.

How do I revoke all access for an external user immediately?

Delete the guest account from Azure AD. This immediately revokes access to all SharePoint content, Teams, and other M365 resources. For faster revocation of a specific shared link, use the SharePoint admin center or PowerShell to remove the sharing link directly.
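The revocation can be scripted so that the steps happen in a deliberate order. The function below is an added example, not code from the article or from SharePoint Support: it first revokes the guest's issued sessions (an access token already in the guest's hands otherwise remains valid until it expires), then removes the SharePoint external-user record, then deletes the Entra ID account. It assumes the Microsoft.Graph and SharePoint Online modules; the e-mail address and admin URL are placeholders.

```powershell
# Added example (not from the original article): revoke a guest's access
# end to end, tokens first.
function Revoke-GuestAccess {
    param([Parameter(Mandatory)][string]$Email)

    Connect-MgGraph -Scopes 'User.ReadWrite.All'
    Connect-SPOService -Url 'https://TENANT-admin.sharepoint.com'   # placeholder admin URL

    # 1. Locate the guest account by the invited e-mail address.
    $guest = Get-MgUser -Filter "userType eq 'Guest' and mail eq '$Email'" -Property Id, UserPrincipalName, Mail
    if (-not $guest) { throw "No guest account found for $Email" }

    # 2. Invalidate refresh tokens and sessions so cached tokens stop working now,
    #    instead of lingering until their normal expiry.
    Revoke-MgUserSignInSession -UserId $guest.Id | Out-Null

    # 3. Remove the SharePoint-side external user record; its sharing grants go with it.
    $spoUser = Get-SPOExternalUser -Filter $Email
    if ($spoUser) { Remove-SPOExternalUser -UniqueIDs @($spoUser.UniqueId) -Confirm:$false }

    # 4. Delete the account. It sits in the Entra ID recycle bin for 30 days,
    #    so an accidental removal can still be restored.
    Remove-MgUser -UserId $guest.Id

    [pscustomobject]@{ Email = $Email; Upn = $guest.UserPrincipalName; RevokedUtc = (Get-Date).ToUniversalTime() }
}

Revoke-GuestAccess -Email 'bob@partner.example'   # placeholder address
```

Keep the returned object: it is the evidence the incident record needs (who, which account, when), and the UPN lets you search the audit log for anything the guest did in the window before revocation.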

Can external users access SharePoint search?

Guest users can search within sites they have access to, but they cannot search across your entire tenant. Search results are security-trimmed to only show content the guest is authorized to access. However, search result metadata (titles, snippets) of accessible documents is visible, so ensure document titles do not contain sensitive information.

What is the difference between guest access and anonymous access?

Guest access requires the external user to sign in with a Microsoft account, work account, or one-time passcode. Their identity is known and their activity is auditable. Anonymous access uses links that work without sign-in — anyone with the link can access the content, and you cannot identify who accessed it or revoke access for a specific person.

How do sensitivity labels affect external sharing?

Sensitivity labels can enforce sharing restrictions automatically. A label configured to block external sharing overrides site-level sharing settings. Labels with encryption restrict what guests can do with content even after access is granted (no print, no download, no forward). This provides content-level protection that persists regardless of where the content is shared.

Can I allow external sharing for some users but not others?

Yes. Create a security group for users authorized to share externally and configure the SharePoint tenant sharing settings to allow external sharing only from members of that group. All other users will be unable to share externally regardless of site-level settings.

How do I track what external users are doing in SharePoint?

Use the Microsoft 365 unified audit log to search for guest user activities. Filter by user type (Guest) and activity type (FileAccessed, FileDownloaded, FileModified). For continuous monitoring, stream audit logs to Microsoft Sentinel and create detection rules for suspicious guest behavior patterns.


Written by Errin O'Connor

Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem

Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.
