logo

Office 365 File Sharing for Internal and External Users: OneDrive for Business, SharePoint and MS Teams

Office 365 is a powerful collaboration tool — especially now that so many people work virtually. In particular, individuals and teams can easily share documents in Office 365.

Office 365 file sharing involves three systems:

  • SharePoint Online, an advanced collaboration tool built for working on files with others and publishing files for everyone to see.
  • OneDrive, a cloud storage platform that is meant primarily for personal files. An individual’s OneDrive files are private unless they are explicitly shared with others. Underneath the covers, OneDrive is actually just a document library in a SharePoint site
  • Microsoft (MS) Teams, a hub that provides teams with features like one-to-one chats and video conferencing, but also shared resources, including a SharePoint Online site and document library.

However, sharing raises some important challenges for system admins who shepherd sensitive data. Here, we’ll cover the basics of how to share files and folders internally and externally, as well as methods admins can use to ensure sharing happens securely.

How to Share Files in Office 365

Office 365 allows sharing of both files and folders.

  • File sharing — When you share a file, you grant access to a single file only; users who have access to the file will not have access to other files, even those located in the same folder, unless you share those files too.
  • Folder sharing —When you share a folder, you grant access to the folder and every file and subfolder within it, including any new ones you later create in the shared

OneDrive, MS Teams and SharePoint secure file sharing can be internal or external.

Office 365 File Sharing with Internal Users

Office 365 users can share files with other users in the same Azure Active Directory (AD) domain with non-guest permissions. For example, in MS Teams, members of a team can share files in a private chat or in a channel, and a OneDrive user can share their files with a colleague in the company. Under the covers, all of these files are stored in SharePoint.

A couple of tips about internal sharing in Teams:

  • Teams has different roles for internal users: Owners and Members.
  • Both Owners and Members will see the Files tab within each team they belong to.
  • Any files stored or shared inside a team follow the sharing and permissions rules of SharePoint.
  • Both Owners and Members have the ability to share any files or pages — or even the entire site collection — to anyone in the organization.

Office 365 File Sharing with External Users

Office 365 applications also allow users to share documents and other files with external users — vendors, business partners, customers and others outside the organization.

Obviously, with external sharing, more care is needed to ensure that access is granted appropriately. By default, the guest access feature is enabled for a Microsoft 365 tenant, which means a Microsoft 365 group owner can invite anyone who has a business or consumer email account become guest members of the group. These guest users become actual users in your Azure AD, and admins can grant them access to Microsoft Teams conversations, SharePoint Online sites or data on OneDrive. In fact, guest users have the same access rights to files as team members unless specific parameters are set up on the front end.

As a Microsoft 365 administrator, you can set the level of external access for the tenant by going to the Microsoft 365 Groups page in the Microsoft 365 admin center. Under Services and Add-ins, you can control whether to turn off guest access entirely and whether group owners are allowed to invite guest users.

When it comes to external sharing, there are some differences worth noting between OneDrive and SharePoint on the one hand and Teams on the other.

External sharing in OneDrive and SharePoint

As noted earlier, OneDrive sites are actually in SharePoint. SharePoint Online and OneDrive secure file sharing with external users can be managed at two levels:

  • Across the entire Microsoft 365 tenant — through either the SharePoint admin center, the Microsoft 365 admin center or Azure AD
  • At the site level

There are a few ways you can share documents externally in OneDrive and SharePoint:

  • Create a link for secure sharing — If you want to limit who will be able to your content, choose Specific people under Link settings when generating the sharing link. The recipient will then go through an identity verification process before they can view the content. If a recipient doesn’t have a Microsoft account, they will be sent a passcode by email to verify their identity. Once the person’s identity has been authenticated, they will be able to see your shared file or folder. If the link is forwarded to someone outside of the list of people you specified , it won’t work.
  • Create a link that anyone can access — This will allow anyone with the link to have access to your file, without having to authenticate. Moreover, recipients can forward links to other people, who will be able to access the file. If you don’t want your content to be accessed by anonymous users, don’t use this method of external file sharing.

External Sharing in MS Teams

You can also use MS Teams to share files externally. There are two options:

  • External access (federation) — Federation enables Teams users in specified external domains to find, chat, call and send meeting invitations to people in your organization. Federated users from outside can’t access your internal Teams activities or resources.
  • Guest access — Use guest access to add specific people from outside your company to your channels and teams using their email addresses. They’ll be able to see your chat logs, files and meetings.

If you want to limit external access, you can choose to only allow specific domains or block specific domains, which will allow you to communicate with all external domains except for the ones on the block list.

To get more information about managing external access, read the blog post, Microsoft Teams external users and guest access.

Best Practices for File and Folder Sharing

The following best practices will help you reduce the risks that come with sharing files and folders:

  • Disable third-party storage services. You can prevent files from being shared via Dropbox or other services outside of your purview. Log on to the Office 365 admin center and go to the Settings Then select “Office on the web” from the Services tab, deselect “third-party storage” and save your changes.
  • Require multifactor authentication (MFA). You have protocols for your own team members to ensure their accounts aren’t compromised, but guest users may not live up to your standards. Requiring MFA for guest accounts improves security.
  • Classify your data. Classifying data enables you to set up security controls and policies based on how sensitive your data is. The Microsoft Compliance Center also offers a variety of options for customizing controls for guest access based on data labels. In particular, set up policies to control which types of content can be shared with external users.
  • Create separate SharePoint site for files intended to be shared externally. You can create a site for each customer or partner, for example. This way, customers and partners have access to only the SharePoint shared documents specifically meant for them.
  • Protect against uploading of malicious files. When a guest user is given access to your Office 365 shared folder, they are allowed to upload files as well. In the Microsoft 365 Security admin center, you can set up Advanced Threat Protection (ATP) for SharePoint, OneDrive and Microsoft Teams; ATP scans uploaded documents for malicious content.
  • Set expiration dates on links. Sharing of files should be limited to the period of collaboration. This option is available in the Advanced Settings when you set up file sharing.
  • Follow the principle of least privilege. Granting each user only the bare minimum permissions they need to complete their work goes a long way towards mitigating the risks of OneDrive and SharePoint file sharing.

Best Practices for Monitoring

No matter how carefully you design your environment, procedures and policies, in order to protect your sensitive and regulated data properly, you also need insight into what is happening. In particular, be sure to audit the following:

  • Data access attempts — This is especially critical when users are allowed to share files and folders with external guest
  • Group membership changes — To adhere to the least-privilege principle, you need to know when users are added to groups, especially any group that allows them access to more data or confers admin-level privileges.
  • Activity around Office 365 applications — You also need insight into application activity. Microsoft offers several native monitoring options, but they have important limitations. In particular, reports must be run individually and have only a handful of predefined option

Getting Help

Netwrix solutions deliver the deep visibility you need into your SharePoint, OneDrive for Business and MS Teams environments. Netwrix Auditor provides insight into permissions, changes and access activity so you know who has access to your organization’s files and what they’re doing with their access. It also sends alerts when potential threats arise so you can take action before it’s too late.

Meanwhile, Netwrix Data Classification automatically classifies and tags data across your various repositories, making it easier to implement appropriate controls and policies, and improving the effectiveness of both native tools like Microsoft Information Protection (MIP) and third-party security solutions.

Frequently Asked Questions

How can I share files and folders in OneDrive for Business?

You can share files by copying and pasting the content into a message or attaching the file to an email. Alternatively, you can send a link to a OneDrive for Business shared folder or file.

How can I share files and folders in SharePoint Online?

SharePoint makes it easy to share files and folders. Just select the file or folder and click “share.” You’ll be able to specify many options for which users to share with and how much access to grant.

Can you share a OneDrive for Business folder with external users? 

Yes, you can share OneDrive folders with external users, provided your administrator has set up the appropriate permissions in OneDrive.

Can you share SharePoint files with external users? 

Yes, provided an administrator has set up the appropriate permissions in SharePoint.

How can I ensure secure file sharing in Office 365? 

The following best practices will help you make the most of the collaborative features of Office 365 without compromising the integrity of your company’s data:

  • Limit user permissions to the bare minimum, granting them access to only the files they need to complete their work.
  • Classify your data and use the labels to develop policies for what data can be share with external users.
  • Disable external sharing for folders or files that are strictly in-house.
  • Keep a discrete SharePoint folder for each client.
  • For the most thorough and airtight monitoring and threat detection, invest in solutions like Netwrix Auditor and Netwrix Data Classification.
Jeff is a former Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.