logo

Microsoft 365 Guest Users and External Access: The Complete Guide

With its flagship productivity suite Microsoft 365 (formerly known as Office 365), Microsoft aims to break down the traditional business silos that inhibit content sharing and collaboration. The interwoven capabilities of SharePoint Online and OneDrive for Business allow users to collaborate with a wide range of colleagues from both inside and outside their organization.

Despite its benefits, file sharing poses several risks. What if your files are inadvertently or deliberately shared with the wrong users? What if users mishandle sensitive information? How can you stay in control of your guest users?

To mitigate security concerns around sharing, it’s important to understand how to configure the two mechanisms of sharing in Microsoft 365:

  • Guest access: Sharing content with guest members in Microsoft 365 groups or Microsoft Teams
  • External sharing: Sharing links to specific SharePoint and OneDrive assets with external parties

This article explains how to manage guest users and external access in Microsoft 365 to ensure business continuity without compromising the security of your critical data:

Guest Access in Microsoft 365

On the back end, Microsoft 365 groups are objects in Azure Active Directory (Azure AD). Each group object in Azure AD contains unique identifying information such as:

  • Information about the group owner
  • URLs for associated resources
  • Group membership list, including any guest accounts

How to Enable or Restrict the Guest Access Feature

By default, the guest access feature is enabled for a Microsoft 365 tenant, which means a Microsoft 365 group owner can invite anyone who has a business or consumer email account become guest members of the group.

As a Microsoft 365 administrator, you can set the level of external access for the tenant by going to the Microsoft 365 Groups page in the Microsoft 365 admin center. Under Services and Add-ins, you can control whether to turn off guest access entirely and whether group owners are allowed to invite guest users.

You can also use PowerShell to limit the policy on guest access. For example, you can:

  • Prevent guest users from accessing a specific group.
  • Block external guests from a specific domain.

How to Add a Guest User to a Group

Any group member can nominate an Office 365 group external user for guest access, but only the group owner can grant guest access. The process of adding a guest user to a group proceeds as follows:

  1. The group owner or a group member uses the Groups > Add Members command to nominate the external user for membership by entering the user’s email address.
  2. The group owner reviews the access permissions the guest would receive by joining and approves the nomination.
  3. The guest receives a welcome email and can begin participating in group activities.

What Level of Access Does a Guest User Have?

Guest members of a Microsoft 365 group:

  • Don’t have direct access to any of the group’s sites, such as a team site in SharePoint
  • Can participate in group activities through conversations and group calendar invitations sent to their email inbox
  • Can access shared files included in email messages, such as attachments or links, provided the administrator has enabled the requisite file-sharing permissions

External Sharing in Microsoft 365: SharePoint Online

The external sharing capabilities of SharePoint Online can be managed at two levels:

  • Across the entire Microsoft 365 tenant, through either the SharePoint Admin Center, the Microsoft 365 admin center or Azure AD
  • At the site level

How to Manage Tenant-Wide Sharing

Using the SharePoint Admin Center

To configure external sharing settings for the entire tenant, go to the Sharing page of the SharePoint admin center. The External sharing section on this page contains options that let you control the tenant-wide sharing level in SharePoint:

  • Only people in your organization: Turn off external sharing and limit sharing to internal users only. This is the default setting for communication sites and classic sites in SharePoint. As a security best practice, it’s recommended that you turn off tenant-wide external sharing by selecting this option.
  • Existing guests: Permit sharing with external users who have already been added to your Azure AD Existing guests may have joined your Azure AD by accepting a share invitation in the past or by being added as guest users by an administrator in the Azure portal. This option requires guests to authenticate into Microsoft 365 with valid credentials before they can access shared assets.
  • New and existing guests: Grant site owners and users full control permission to share sites with external users. Site users can also share files and folders to collaborate with external users.
  • Anyone: Allow anyone with the resource link to access the resource and forward the link to others. This option is selected by default, but it’s recommended that you change the external sharing setting to Only people in your organization. Beware of leaving the Anyone option selected, as it opens the door to uncontrolled sharing with anonymous, unauthenticated users and may put sensitive data at risk.

If you elect to allow sharing with Anyone, you can improve document management and security by configuring these recommended advanced settings:

  • Configure Anyone links to expire after a certain period of time.
  • Restrict guest links to allow only view access to files and folders.
  • Restrict default links to be accessible to Only people in your organization.
  • Enable the ATP safe attachments feature.
  • Restrict external sharing with users from blocked domains.

Using the Microsoft 365 Admin Center

You can also configure tenant-level sharing for SharePoint by going to the Microsoft 365 admin center and selecting Settings > Services & add-ins > Sites. This page lets you configure the same external sharing options as the SharePoint admin center.

Using Azure AD

For the highest level of control over external access to SharePoint, configure sharing settings in Azure AD. You can approach the Azure AD sharing configuration in either of two ways:

  • Have SharePoint use its own external sharing list, independent from Azure B2B, and configure organizational relationships settings in Azure AD. Log in to the Azure Portal and select Azure Active Directory > Overview > Organizational relationships. Go to the Settings page and define the SharePoint online external sharing settings you want to use for your organization.
  • Have SharePoint use the external sharing settings defined in Azure B2B and configure B2B collaboration in Azure AD.

Tip: The sharing settings configured in Azure AD override the sharing settings configured in the Microsoft 365 admin center or SharePoint admin center. For example, if you allow external sharing via the Microsoft 365 admin center but disable external sharing through Azure AD, the Azure AD setting takes precedence and external sharing will be turned off for your organization.

How to Manage Site-Level Access in SharePoint Online by External Users

In addition to configuring tenant-wide sharing policies, you can further restrict external sharing for a specific SharePoint site. To do this, you must have global admin or SharePoint admin privileges. Site owners cannot change the external sharing setting for sites.

How to Change the External Sharing Setting for a Site

  1. In the SharePoint admin center, go to Sites > Active Sites.
  2. Select the checkbox next to the site name.
  3. Click the “i” icon at the top right corner of the page.
  4. Select the desired sharing level from the list of sharing options. These are the same four sharing options that are available for tenant-wide configuration.

Tip: The external sharing setting for a specific site has to be the same or more restrictive than the tenant-level setting. For example, if tenant-wide sharing is limited to Existing guests, the sharing setting for a specific site can be changed to Only people in your organization, but it cannot be changed to a more permissive option such as Anyone.

In another typical use case, a global or SharePoint admin needs to restrict external users in a certain network domain from accessing a specific site. For example, users from the Client A domain should not be able to access a site specifically designed for collaborative sharing with Client B.

How to Restrict Access to a Site based on the User Domain

  1. In the SharePoint admin center, go to Sites > Active Sites.
  2. Select the checkbox next to the site name.
  3. Go to the Policies tab.
  4. Under External sharing, click Edit.
  5. Under Advanced settings for external sharing, select the checkbox next to Limit external sharing by domain.
  6. Click Add domains.
  7. Select Allow only specific domains.
  8. Enter the fully qualified domain name (FQDN) of each domain you want to add to the allow list. Only users from the listed domains will be eligible for invitations to the site.

External Sharing in OneDrive for Business

OneDrive for Business is a personal repository that people can use to store and sync files across multiple devices. In this sense, OneDrive functions like a home directory or personal mapped drive that lets users save files in cloud storage and retrieve them from any device.

Many customers also use OneDrive to share items with other users, although OneDrive wasn’t actually designed for this purpose. As an administrator, you can decide the level of access that external users have to OneDrive files in your organization.

How to Manage Tenant-Wide Sharing for OneDrive

Tenant-wide sharing settings apply to all the OneDrive instances for users in your Microsoft 365 account. There are two portals through which you can configure these sharing settings for OneDrive:

  • The Sharing page in the SharePoint admin center (Microsoft recommends using this page to configure your OneDrive sharing settings)
  • The Sharing page in the OneDrive admin center

How to Configure OneDrive Sharing through the SharePoint Admin Center

Follow the instructions and guidelines described earlier in “How to Manage Tenant-Wide Sharing Through SharePoint Admin Center.” OneDrive provides the same four sharing options as SharePoint.

Tip: The sharing level for OneDrive must be the same as or more restrictive than the sharing level for SharePoint. For example, if tenant-wide sharing in SharePoint is set to Existing guests, you can only configure OneDrive to use the same setting or the more restrictive Only people in your organization setting.

How to Configure OneDrive Sharing through the OneDrive Admin Center

  1. Log in to the OneDrive admin center.
  2. Navigate to the Sharing

Here, you can set the level of external sharing for OneDrive and configure more fine-grained sharing controls such as:

  • The type of link generated by default when a user shares a file
  • The expiration period for links
  • Whether to allow editing and uploading privileges for links that share OneDrive files or folders externally
  • Specific domains to allow or block users from receiving sharing invitations
  • Whether external users must use the same account to receive and accept sharing invitations
  • Whether external users can share content they don’t own
  • Whether content owners can audit the list of users who have viewed their content

How to Manage External Sharing for an Individual OneDrive

To customize the sharing level for a specific user’s OneDrive, use the Microsoft 365 admin center:

  1. Log in to the Microsoft 365 admin center with global admin or SharePoint admin privileges.
  2. Go to Users > Active users.
  3. Select the OneDrive user for which you want to change the sharing level.
  4. Go to the OneDrive tab.
  5. Select Manage sharing under the Sharing section.
  6. Configure the external sharing level and save your changes.

Tip: The external sharing level for an individual OneDrive must be the same as or more restrictive than the sharing level configured for OneDrive tenant-wide.

How to Mitigate the Risk of Unauthorized External Sharing of Critical Data

Classifying your data will help you understand where your critical data resides, including whether a particular SharePoint Online site or site collection or a OneDrive for Business folder shared with external users contains sensitive data. This insight will enable you to set up external sharing according to the sensitivity and value of data stored there.

To ensure comprehensive and accurate data discovery and classification, choose an advanced solution like Netwrix Data Classification. Its automated and highly accurate data tagging enables you to choose appropriate sharing settings and also enables users to easily find the data they need. The tagging will also improve the effectiveness of the data loss prevention (DLP), information rights management, records management and other data governance solutions your organization already using or planning to implement. You can also set up workflows that will automatically move overexposed data from SharePoint Online and OneDrive for Business repositories to a designated quarantine area.

FAQ

Who are guest users in Microsoft 365?

A guest is any external user who has been granted permission by the owner of a Microsoft 365 group to participate in group conversations, calendar invitations, file sharing and notebook activities. Microsoft 365 guest users are the same as Office 365 guest users.

What is external sharing in Microsoft 365?

External sharing refers to the ability of SharePoint Online and OneDrive users to share access links to files and folders with external users. SharePoint site owners can also share site access with external users.

How do I get a list of guest users in my Microsoft 365 tenant?

You can either:

  • Visit the Guests page in the Microsoft 365 admin center.
  • Use PowerShell for Azure AD and run a script that systematically uses the Get-AzureADuser cmdlet and outputs the list of guest users to a CSV file.

How do I find out which external users have access to SharePoint Online?

Download the SharePoint Search Query Tool and follow the process described in this Microsoft support article to get a list of all the resources external users have access to.

Can I limit external sharing of files in Microsoft 365?

Yes, you can turn off external sharing completely for your organization. There are also ways to limit external sharing. For example, you can:

  • Only share to Azure AD guests who provide valid authentication credentials
  • Configure file-sharing links with view-only permissions
  • Block users in specific network domains from receiving sharing invitations

How do I manage external sharing in Microsoft 365?

As a global admin or SharePoint admin, you can manage external sharing using PowerShell or any of the following portals:

  • SharePoint admin center
  • Microsoft 365 admin center
  • OneDrive admin center
  • Azure Portal
Jeff is a Director of Global Solutions Engineering at Netwrix. He is a long-time Netwrix blogger, speaker, and presenter. In the Netwrix blog, Jeff shares lifehacks, tips and tricks that can dramatically improve your system administration experience.