Manage External Sharing at the Tenant Level – Office 365 (SharePoint Online)

Office 365 with SharePoint Online allows you to have granular level control of your data and how it’s shared internally and externally. In the post below, I will highlight a few of the common settings and highlight the default settings. Please keep in mind that you will need to do your own internal security assessment and fit these settings to your organization.

For more detailed information about all the external sharing scenarios in SharePoint Online, please use the Microsoft KB below.

Login to the Office Admin Center

On the left navigation menu, click Admin Centers

Click SharePoint

  • You need the correct permissions to access SharePoint Admin center and make the changes

Click Sharing

Sharing Outside your organization – Select the option that meets your security requirements.

  • Don’t allow sharing outside your organization – Prevents all users for all sites from sharing with external users. This option is typically set when organizations cannot share any content externally.
  • Allow sharing only with the external users that already exist in your organization’s directory – Allow sharing only for external users that are in the organizations directory. External users who do not already exist in your organization’s directory are prevented from accessing data. This is the most secure method to share data externally since the external users accessing the data must reside in the organizations directory. This gives the ability for checks and balances to be put in place because a typical user is not allowed to add external users to the organizations directory. Typically this goes through an approval work flow and is strictly governed.
  • Allow users to invite and share with authenticated external users – External users who have received sharing invitations are required to sign-in with a Microsoft account to access the content. This method is a little less secure than the one above, but it’s more secure than the one below. This gives the ability for external sharing governed by the user sending the links.
  • DEFAULT – Allow sharing to authenticated external users and using anonymous access – Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to share documents through the use of anonymous guest links, which do not require invited recipients to sign in. You can also specify, in number of days, when the links will expire. This is the least secure and default option in SharePoint Online.

Default Link Type

  • Direct – Accessible only to users who already have permission to access the document
  • Internal – Accessible only to users within your organization
  • DEFAULT – Anonymous access links – Accessible by anyone

Additional Settings

  • Limit external sharing using domains – This option gives you granular level control to the domains you want or don’t want to allow sharing with.
  • Prevent external users from sharing files, folders, and sites they don’t own – I would highly recommend that you check this box. This prevents external users from sharing data they don’t own or that they should not be sharing.
  • External users must accept sharing invitations using the same account that the invitations were sent to – I would highly recommend that you check this box. This locks access down to the account where the invite was sent.

This screen shot is the default sharing settings for SharePoint Online

This screen shot is how I setup my own SharePoint Online external sharing.

Leave a Reply