Introduction
Microsoft SharePoint enables users to share files with coworkers in just a few clicks. However, external sharing is just as easy, which puts the security of your sensitive data at risk.
To help you control external sharing of files and folders without interfering with legitimate collaboration, this article details the external sharing settings available in the Microsoft administrative interfaces and offers best practices for configuring them. We will cover settings in the Microsoft 365 Admin Center, the SharePoint and OneDrive for Business admin centers, the classic SharePoint Online Admin Center, and the modern SharePoint Online Admin Center.
Microsoft 365 Admin Center: Tenant-level Settings for External Sharing
When configuring external sharing in Microsoft SharePoint, it is best for your admin teams to start at the tenant (organization) level. Open the Microsoft 365 Admin Center (formerly Office 365) and go to Settings –> Services & add-ins –> Sites.
You can then specify options to control tenant-level external sharing:
In most cases, the second option, “New and existing external users (sign-in required)” is recommended because it provides a balance of flexibility and control. Here is more detailed advice on selecting the best options for your organization:
| Choose this option | If your objective is to… |
| --- | --- |
| Let users share SharePoint Online and OneDrive content with people outside the organization | Enable external sharing at the tenant level, subject to the constraints you specify below. |
| Only existing external users (sign-in required) | Require external users (guests) to sign in with a Microsoft account before accessing content, and limit sharing to external users who already exist in your directory because they either have already been shared with or were manually imported. |
| New and existing external users (sign-in required) | Allow both existing and new external users to access shared content once they have signed in with a Microsoft account. |
| Anyone, including anonymous users | Allow use of anonymous links, which do not require sign-in to access. |
| Set anonymous links to expire in these many days | If you allow anonymous access links, specify automatic expiration dates for them. |
Site Collection & OneDrive for Business Settings for External Sharing
After you have configured your tenant-wide sharing settings, it’s time to start configuring top-level external sharing settings for SharePoint Online and OneDrive for Business in their respective admin centers.
As you can see, the options available for controlling sharing links in SharePoint Online are similar to the ones discussed above:
| Choose this option | If your objective is to… |
| --- | --- |
| Anyone | Allow users to share files and other site content with anyone. |
| New and existing external users (Recommended) | Allow users to share content with external users, but require them to sign in with a Microsoft account to access it. This option is usually best for site collections with external collaborators, especially if you’re in the process of migrating to a newer version of SharePoint. |
| Existing external users | Allow external sharing only with users who already exist in your directory. |
| Only people in your organization | Do not allow any external sharing. |
And the external sharing options for OneDrive are very similar as well, though the text is slightly different:
Again, allowing users to share content with anyone who has the link puts your files at significant risk. Requiring external users to sign in provides more control. It is often wise to establish more restrictive settings for OneDrive than SharePoint, since users tend to save more sensitive information in OneDrive.
The classic SharePoint Online Admin Center enables you to create external sharing settings for each SharePoint site. Go to the “Site Collections” section and click Sharing:
The screenshot below shows the options available:
By default, external sharing is disallowed, but you can enable it for specific sites and select the type of sharing that is permitted. For example, you can apply stricter controls to sites that contain sensitive data and more permissive controls to sites that are more collaboration oriented. You can also choose who is allowed to invite new users to a site; however, it is usually best to leave this decision up to the site owners.
In the modern SharePoint Admin Center, the settings have been changed to reflect the same options discussed earlier:
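The tenant-level and per-site settings described above can also be audited from the SharePoint Online Management Shell. The script below is an added example, not the article's own code; it assumes the module is installed, that you hold SharePoint Administrator rights, and that the admin URL and CSV path are replaced with your own.

```powershell
# Added example: audit tenant-wide and per-site external sharing settings.
# Assumes the SharePoint Online Management Shell module and SharePoint Admin rights.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant URL

# Tenant-wide setting, i.e. the radio buttons in the admin center.
# SharingCapability values, from most to least permissive:
#   ExternalUserAndGuestSharing     = Anyone, including anonymous users
#   ExternalUserSharingOnly         = New and existing external users (sign-in required)
#   ExistingExternalUserSharingOnly = Only existing external users (sign-in required)
#   Disabled                        = Only people in your organization
$tenant = Get-SPOTenant
[PSCustomObject]@{
    TenantSharing      = $tenant.SharingCapability
    AnonLinkExpiryDays = $tenant.RequireAnonymousLinksExpireInDays   # 0 means links never expire
} | Format-List

# Per-site picture: how many sites sit at each sharing level.
$sites = Get-SPOSite -Limit All
$sites | Group-Object SharingCapability |
    Select-Object Name, Count |
    Format-Table -AutoSize

# Sites that allow anonymous ("Anyone") links are the ones to review first,
# since anyone holding the link can read the content without signing in.
$anonSites = $sites |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' } |
    Select-Object Url, Owner, LastContentModifiedDate

if ($anonSites) {
    Write-Warning "$($anonSites.Count) site(s) allow anonymous sharing links:"
    $anonSites | Format-Table -AutoSize
    # Keep a record for the site owners to attest to; adjust the path as needed.
    $anonSites | Export-Csv -Path ".\SPO-AnonymousSharing-Sites.csv" -NoTypeInformation
} else {
    Write-Host "No sites allow anonymous sharing links."
}

# If anonymous links must stay enabled, at least enforce expiration, which is the
# "Set anonymous links to expire in these many days" option in the admin center.
if ($tenant.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
    $tenant.RequireAnonymousLinksExpireInDays -le 0) {
    Write-Warning "Anonymous links never expire. To enforce a 30-day limit, run:"
    Write-Warning "  Set-SPOTenant -RequireAnonymousLinksExpireInDays 30"
}
```

Note that a site cannot be more permissive than the tenant, so tightening the tenant setting takes effect everywhere at once, while per-site settings let you keep collaboration sites open and lock down the sensitive ones.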
You can attain even greater access control using the following options:
- Unmanaged devices — You can restrict access from devices that aren’t compliant or joined to the domain. Options range from allowing full access, to allowing web-only access (not desktop or mobile), to blocking access entirely.
- Idle session sign-out — You can automatically sign out users from inactive browser sessions.
- Network location — You can allow access from specific IP addresses only.
- Apps that don’t use modern authentication — You can deny access to applications that rely on legacy authentication protocols.
Additional Security Controls
Other security controls can affect external sharing in SharePoint and OneDrive for Business. In particular, the following controls can prevent users from sharing certain documents and other content externally:
- Data Loss Prevention (DLP) policies
- Record retention policies
- eDiscovery requirements
- Microsoft Purview Information Protection (formerly Microsoft Information Protection) security controls
In addition, the following auditing and alerting capabilities can help administrators stay on top of the sharing of documents externally:
- All user activity related to shared files is viewable in the audit logs.
- Administrators can choose to be notified when users perform specific actions in SharePoint or OneDrive for Business.
Using PowerShell to Gain Visibility into External Sharing
PowerShell scripts can help you gain visibility into external sharing. For instance, the script below will return all your tenant’s external users (requires SharePoint Admin rights):
The output will look like the following:
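As an added example (not the article's script), the following PowerShell pages through every external user in the tenant and flags entries worth a closer look. It assumes the SharePoint Online Management Shell, SharePoint Administrator rights, and that the admin URL, the consumer-domain list and the CSV path are replaced with your own.

```powershell
# Added example: enumerate all external (guest) users known to the tenant.
# Assumes the SharePoint Online Management Shell module and SharePoint Admin rights.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"   # placeholder tenant URL

function Get-AllSPOExternalUsers {
    # Get-SPOExternalUser returns at most 50 entries per call, so walk the pages
    # using the zero-based -Position index until a short page comes back.
    param([int]$PageSize = 50)
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -Position $position -PageSize $PageSize)
        $page
        $position += $PageSize
    } while ($page.Count -eq $PageSize)
}

$external = Get-AllSPOExternalUsers |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy

Write-Host "$($external.Count) external user(s) found"
$external | Sort-Object WhenCreated -Descending | Format-Table -AutoSize

# Review queue: guests on consumer mail domains and guests added in the last
# 30 days. The domain list is a constructed example; adjust it to your policy.
$consumerDomains = 'gmail.com', 'outlook.com', 'yahoo.com'
$review = $external | Where-Object {
    (($_.Email -split '@')[-1] -in $consumerDomains) -or
    ($_.WhenCreated -gt (Get-Date).AddDays(-30))
}
$review | Export-Csv -Path ".\SPO-ExternalUsers-Review.csv" -NoTypeInformation
Write-Host "$($review.Count) external user(s) written to the review list"
```

Pair the exported list with the audit log entries for sharing actions so that each guest account can be traced back to who invited them and what they were given access to.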
How Netwrix Can Help
Carefully configuring the settings detailed above will give your organization significant control over how content can be externally shared. However, third-party tools can deliver even better visibility and control, which is critical to ensuring data security.
Data access governance software from Netwrix enables you to reduce the risk of a data breach by reducing the exposure of your sensitive data. It can also help you comply with regulations like the GDPR, which requires organizations to implement data protection by design and default.
In particular, Netwrix solutions enable you to:
- Identify your most critical data.
- Reduce access to sensitive data to the required minimum to reduce the risk of insider threats and minimize the damage from ransomware and other attacks.
- Streamline regular privilege attestations by data owners.
- Protect sensitive data wherever it goes with accurate and consistent tagging of content.
- Audit activity across your IT ecosystem and quickly spot and block threats.