External Sharing in Sharepoint Online: How Does It Work

External Sharing in SharePoint Online: How Does It Work

2 Comments / SharePoint / By / / 10 minutes of reading

Last Updated on October 20, 2023

Are you thinking of sharing a SharePoint site externally?

Certainly, that’s possible. But you must know that it also poses some risks on your site, and you have to enable the feature on the admin center.

In this article, I’ll talk about how external sharing works, how to enable it, and how to actually invite a guest to your site.

Let’s get started.

How does external sharing work in SharePoint Online?

When you share a site externally, you basically share all the files, folders, documents, libraries, and lists within that site (as long as they’re publicly available on the site).

In SharePoint, you can control it at different levels:

  1. Tenant-wide
  2. Site-level

In the event that both levels have different sharing levels, the most restrive one will prevail — all of the site’s protection.

There are four sharing levels available (from the most permissive to the least permissive):

  1. Anyone: Users can share files and folders using links that don’t require sign-in.
  2. New and existing guests: Guests must sign in or provide a verification code.
  3. Existing guests: Only guests already in your organization’s directory.
  4. Only people in your organization: No external sharing allowed.

In addition, there are additional settings you can set up when you do it tenant-wide:

  • Limit external sharing by domain: You will be able to add domains in an allowed and blocked list for external sharing. On the other hand, this option will not function when users share files/folders with “Anyone” links.
  • Allow only users in specific security groups to share externally: No other users can share a site externally other than the ones you specified in this setting.
  • Guests might sign in using the same account to which sharing invitations are sent: If this option isn’t enabled, invited guests will be able to access the invitation to the site with any of their accounts. Whether or not this option is enabled, the invitation will always expire after someone redeems it once.
  • Allow guests to share items they don’t own: When enabled, guests will be able to share the contents in the site externally, which might pose a security threat.
  • Guest access to a site or OneDrive will expire automatically after a specified number of days: When enabled, the guest’s access to the site will be revoked after a number of days that you can specify.
  • People who use a verification code must reauthenticate after a specified number of days: When enabled, the user will need to reauthenticate and check whether the site is still shared externally.

Note: By the way, external sharing in SharePoint is often compared to Azure AD B2B Collaboration. Check out my article that talks more about it.

SharePoint Site External Sharing vs File/Folder External Sharing

If you share a site externally, then you give the guest access to all publicly available files and folders.

On the other hand, files/folders external sharing will only give the guests access to those specific files or folders on your site.

File/folder external sharing uses links to generate the content for an external guest. You can share the file/folder through:

  • Email: The guest has to validate his or her identity through an 8-digital passcode
  • Anonymously: The guest can directly click a link to access the shared file/folder without the need to verify his or her identity

When you share a site externally, it’s more secure since the guest has to prove their identity through a Microsoft ID or email address.

Guests who accepted the invitation to a site will end up with their names in the user directory, so the admin can clearly identify them as guests.

Site External Sharing vs Group External Sharing

Many of the sites in SharePoint, including some of your sites, are not only standalone sites. Many of them have accompanying groups.

The main difference between site external sharing and group external sharing is this:

When you share a site externally, you’re only giving access to the site itself. When you share a group, you also share various assets like sites, calendars, teams, etc.

In short, when you share a group externally, you’re inviting someone not only to your site — but to the Microsoft 365 assets connected to that group.

On the other hand, that guest will not have access to everything the group has since he will not be allowed to the Group Outlook calendar and Group Outlook Conversations.

Note: If you want to know more about the different types of sites you can create in SharePoint, check out this article where I discuss this topic in detail.

Sign up for exclusive updates, tips, and strategies

    How to enable external sharing in SharePoint

    As I have written earlier, there are two levels where you can enable external sharing, both of which have to be in the SharePoint admin center.

    Go to any of your sites in the tenant. Click on the app launcher icon on the upper left corner and then on the “Admin” button.

    Find the app launcher and click admin

    Then, expand the Admin centers option in the left panel and click on the “SharePoint” button.

    Find SharePoint under the admin centers group

    Tenant-wide

    Doing this will enable all the sites in your tenant to be shared with external guests.

    In the SharePoint admin center, expand the “Policies” option and click on the “Sharing” button.

    Expand the policies option first and click on the sharing button

    On the next page, turn both SharePoint and OneDrive slider up to either “Anyone” or “New and existing guests” options, the latter the more secure.

    Related: Guide: How to Share Files on OneDrive With External Users

    If you want, expand the “More external sharing settings” to see more settings.

    Set slider to the most permissive option

    Once you’re done, make sure to scroll down and click on the “Save” button.

    Site-wide

    If you want to enable the external sharing feature on one site only, then you must go to the “Active sites” page in the admin center.

    Click on the active sites link on the left-hand side menu

    Once here, select the target side and click “Sharing” on the command bar.

    Select the target site first and click on the sharing button

    A “Sharing” panel will slide in from the right. On the “External sharing” options, select either “Anyone” or “New and existing guests” and click on the “Save” button.

    Select the anyone option and click on the save button

    Once the site has been updated, you can then go ahead and actually share it with external guests.

    Using PowerShell

    It’s also possible to use PowerShell in enabling the external sharing feature — both at the tenant level and at the site level.

    However, make sure to run Windows PowerShell in admin mode:

    Open PowerShell as an administrator

    Then, all you need to do is copy and paste the codes (credits to the Office 365 Reports) to the PowerShell terminal.

    For enabling it at the tenant level, you need to use the following code (make sure to replace “tenant” with your own):

    Connect-SPOService -url https://tenant-admin.sharepoint.com/

    Here are permission level codes to use:

    • ExternalUserAndGuestSharing – Anyone
    • ExternalUserSharingOnly – New and Existing guests
    • ExistingExternalUserSharingOnly – Existing guests
    • Disabled – Only people in your organization

    Now, paste in the code below and enter a permission level.

    Set-SPOTenant -SharingCapability PermissionLevel

    For example, since we’re sharing the site externally, we can set it to “Anyone” through the following:

    Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing

    For the site level, you can use the same permission level codes included in the following snippet (replace “SiteLink” and “PermissionLevel”):

    Set-SPOSite -Identity <SiteLink> -SharingCapability PermissionLevel

    How to share a SharePoint site externally

    To share your SharePoint site with other people, go to the target site first.

    Then, click on the gear icon in the upper-right corner and then on the “Site permissions” option.

    Click the gear icon and select site permissions

    Now, there is a slight difference when sharing a site with an associated group (team sites) and standalone sites.

    Sharing a team site with a group externally

    If you share a team site with a group, then click on the “Add members” button first and select “Share site only”.

    Click on the add members button and select share site only

    Then, enter the email address of the guest to the form provided and click on the suggested email address.

    Enter the email address on the form and click on the suggested email address

    After that, make sure the guest only has a “Read” permission level to prevent any unauthorized edits. Once you’re done, click on the “Add” button.

    Make sure the guest only has a read permission level and click on the add button

    Sharing a standalone site externally

    Sharing a standalone site is a lot simpler — mainly because it has no other assets besides the site itself.

    On the “Permissions” panel, click on the “Share site” button.

    Click on the share site button to begin sharing the site externally

    Enter the guest’s email address on the form and click on the suggested email address.

    Enter the email address on the form and click on the suggested email address

    Similarly, make sure the guest has a read permission level only before you click on the “Add” button below.

    Make sure the guest only has a read permission level and click on the add button

    Now, if you want to check the status of your invitations, go to the “Site information” option on your site.

    Click on the gear icon and select site information

    Then, click on the “View all site settings” link at the bottom.

    On the site information panel, click on the view all site settings link

    On the “Site Settings” page, you will see a link that says “Access requests and invitations” under “Users and Permissions”.

    Click that link.

    Find and click the access requests and invitations link

    On the next page, you will see all the invitations you sent, when they were requested, and what’s the status of the invitation.

    Status of external user invitations

    Best Practices to Follow When Sharing Externally

    Like I wrote earlier, sharing your SharePoint site externally poses some threat to your site’s security and confidentiality.

    However, there are some ways to mitigate that:

    1. Only enable external sharing when you have to

    This goes without saying but, you must keep the external sharing disabled until the time you need to use it to invite someone outside your organization.

    With this, you will limit the risks to your site especially when you select the option to share it with anyone (the most permissive option).

    In addition, once you’re done sharing your site externally, turn it off again. You can always enable it anytime you need to so there’s no use keeping it open.

    2. Enable “Guests might sign in using the same account to which sharing invitations are sent”

    When you invite a guest to the site, that person will be able to sign in using any credentials as long as that person redeems the invitation.

    However, if you enable this option, the guest must sign in with the account to where you sent the invitation.

    This will restrict the guest to using only the account with the email address where you sent the invitation, although the invitation will expire after it has been redeemed once.

    But this method is more secure and will make sure only that person can redeem the invitation you sent.

    Related: How to Secure OneDrive: Personal Vault Walkthrough Tutorial

    3. Teach your users about governance policies

    No matter how vigilant you are over your site’s security, it will matter less if your users don’t value security as much as you do.

    On the other hand, there is a way to restrict who will be able to share the site externally (and you can be picky about it).

    However, this is often overlooked, which is why you must take the time to teach your users about governance policies, especially when sharing externally.

    Note: If you’re concerned about SharePoint security, I wrote an updated guide about it along with the best practices to follow in 2022.

    External Sharing Experience for the Guest

    So what happens after you send the invitation to the guest?

    First, that guest will receive the following email at the email address you entered on the form.

    The guest will receive an email that invites him or her to the site

    When the guest clicks on the link to the site, that person will see the following page:

    The guest will see a page welcoming him to SharePoint

    If the user has a Microsoft account, he or she can use that to sign in to the site.

    However, this will not apply if you enabled the “Guests might sign in using the same account to which sharing invitations are sent” option.

    In the event that the user has no Microsoft account and you didn’t enable the option mentioned earlier, that person can readily create an account.

    Now, once the guest successfully logs in to the site, the status of the invitation, as seen on the “Site Setting” page, will now show “Accepted by”.

    Securely Share Your Site Externally

    It’s not unusual for an organization to invite an external user to the site. More often, you need to invite contractors and specialists to the team.

    The steps I outlined in this article will allow you to enable the external sharing tenant-wide or at the site level and actually share a site with external guests.

    But make sure to follow the best practices I advised when doing so:

    1. Only enable external sharing when you have to
    2. Enable “Guests might sign in using the same account to which sharing invitations are sent”
    3. Teach your users about governance policies

    Now, do you have some questions regarding external sharing in SharePoint Online? If you do, kindly leave them in the comment section below.

    For inquiries and concerns, please use the site contact form and I’ll reach back to you as soon as possible.

    About Ryan Clark

    As the Modern Workplace Architect at Mr. SharePoint, I help companies of all sizes better leverage Modern Workplace and Digital Process Automation investments. I am also a Microsoft Most Valuable Professional (MVP) for SharePoint and Microsoft 365.

    View all posts by Ryan Clark | Website

    Subscribe
    Notify of
    guest
    2 Comments
    Oldest
    Newest Most Voted
    Inline Feedbacks
    View all comments

    Saysha Robinson
    Saysha Robinson
    1 year ago

    Can you describe how to extend access for external users whose access is expiring soon but still need access?

    0
    Reply
    Karen
    Karen
    1 year ago

    on “sign in using the same account to which the invite was sent,” it’s not clear whether, in the answer, they can use any *Microsoft* account/ID, or any account (can’t imagine it’s the latter, but would be good to spell out; thanks).

    0
    Reply
    2
    0
    Would love your thoughts, please comment.x
    ()
    x
    Scroll to Top