Convenient knowledge sharing is a vital component of productive collaboration. While we used to primarily depend on email to share content, SharePoint presented better means to collaborate both with internal and external users.
While SharePoint’s external sharing capabilities provide a better way to connect with people and groups outside your organization, they can also raise security concerns when not managed properly.
To fully utilize the benefits of this capability, read on as we go over what you need to know about external sharing in SharePoint Online.
Enable External Sharing in SharePoint Online
By default, external sharing is enabled throughout your SharePoint environment and the sites in it. The external sharing settings can then be modified at both the organization level and the site level.
Turning on external sharing at the organization level enables you to allow all sites to be shared externally. If you don’t want the other sites to be shared, you can then restrict access to those sites by configuring the external sharing settings at the site level.
Degrees of Restrictions
There are different levels of restrictions you can choose when sharing SharePoint items:
- Anyone links: Everyone who has the link can access the shared item without having to authenticate their identities.
- New and existing guests: Signing in with a Microsoft account or a school or work account will be required to access the shared item. An invitation to sign in will be required for new guests while existing guests who already signed in previously will have access to the shared item automatically.
- Existing guests: Users are only allowed to share content with guests who are already registered in your directory, either because they previously signed in or because they were added manually through Azure AD B2B.
- Only people in your organization: Content can only be shared internally.
How does external sharing in SharePoint work?
When an item—a file, a folder, or a site—is shared, a link is generated which is then sent to the guest’s email.
- To access a shared file or folder, the guest must sign in with a Microsoft account.
- To access a shared site, the guest will be prompted to sign in with a Microsoft account or a work or school account in Azure AD from another organization.
To configure the organization-level SharePoint external sharing settings:
- Go to the SharePoint admin center under the Microsoft 365 admin center.
- Choose Policies and select Sharing.
- Set the external sharing setting to Anyone or New and existing guests, according to your preferences or governance policies.
- Click Save.
To configure site-level SharePoint external sharing settings:
- Go to the SharePoint admin center, expand Sites, and choose Active sites.
- Select the site you want to share, click the ellipsis (…), then choose Sharing.
- Set the external sharing setting to Anyone or New and existing guests.
- Click Save.
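The same organization-level and site-level settings can be applied from the SharePoint Online Management Shell. This is an added example, not part of the original article; the tenant and site URLs are placeholders, and the site is set to a stricter level than the organization to show the restriction described earlier.

```powershell
# Requires the SharePoint Online Management Shell module and a SharePoint admin role.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Placeholder values (assumptions): replace with your own tenant and site.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$SiteUrl  = 'https://contoso.sharepoint.com/sites/finance'

Connect-SPOService -Url $AdminUrl

# Admin-center sharing levels and the SharingCapability value each one maps to.
$Levels = [ordered]@{
    'Anyone'                           = 'ExternalUserAndGuestSharing'
    'New and existing guests'          = 'ExternalUserSharingOnly'
    'Existing guests'                  = 'ExistingExternalUserSharingOnly'
    'Only people in your organization' = 'Disabled'
}

# Organization level: the most permissive setting any site may use.
Set-SPOTenant -SharingCapability $Levels['New and existing guests']

# Site level: can match the organization setting or be stricter, never looser.
Set-SPOSite -Identity $SiteUrl -SharingCapability $Levels['Only people in your organization']

# Read both settings back to confirm what is actually in effect.
Get-SPOTenant | Select-Object SharingCapability
Get-SPOSite -Identity $SiteUrl | Select-Object Url, SharingCapability
```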
Consider SharePoint’s Integrations
Sharing in SharePoint Online is more complex than merely sharing links though. Because Microsoft platforms are deeply integrated, other settings must be configured to ensure you’re only sharing the right data with the right people.
Microsoft 365 Group-Connected Sites
While sharing SharePoint files directly means you’re only giving access to that particular file, site sharing is a trickier affair.
When a SharePoint site is created, a corresponding Microsoft 365 Group is automatically created as well. This Microsoft group is integrated with a variety of Microsoft services aside from the SharePoint site—Planner, Outlook, shared calendar, and so on.
Once a guest is a member of a SharePoint site, the guest also becomes a member of the Microsoft 365 Group connected to it. That means when you give someone access to a site, you are also allowing them to have access to the services integrated with the Microsoft 365 Group.
If unsure whether it’s safe to share all the site data and the integrated access associated with the site, create a new site with only the appropriate content you are willing to share and invite the guest there.
With Azure AD B2B, guest authentication becomes more manageable. Instead of requiring guests to sign in with or create a Microsoft work or school account, Azure AD B2B provides a One-Time Passcode to verify guest identities.
Moreover, a guest directory can be created in Azure AD B2B. When you choose the Existing guests sharing restriction, guests won’t need to reauthenticate every time a SharePoint item is shared with them.
Unlike the Microsoft 365 integration, Azure AD B2B is optional, so if you want to utilize its features, make sure to turn the integration on in your SharePoint settings.
Establish Proper Governance
It’s no secret that there are various risks when enabling external sharing. Whether malicious or accidental, data leaks and uncontrolled sharing can leave your environment vulnerable.
Proper governance could help alleviate these risks. Whether you choose to utilize Microsoft’s native governance capabilities or leverage third-party governance solutions, a transparent view of how your data is being used and accessed will be crucial to establishing a secure guest-sharing environment.
Certainly, following SharePoint Online external sharing best practices (like setting an expiration on Anyone links) is helpful, but a more thorough plan is needed, especially for organizations with sensitive data or those that need to comply with data regulations.
For better control over your external sharing environment, consider going beyond the native Microsoft governance tools. There are third-party integrations like Policies and Insights for Microsoft 365 that can give you better audit reports and even alert you of risks and unwanted sharing for more proactive management of your guest sharing environment.
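For the native side of this, the sketch below lists every site whose sharing level is more permissive than a chosen baseline and sets an expiration on Anyone links. It is an added example, not from the original article; the tenant URL, the baseline, the 30-day expiry and the CSV file name are assumptions to adjust.

```powershell
# Requires the SharePoint Online Management Shell module and a SharePoint admin role.
Import-Module Microsoft.Online.SharePoint.PowerShell

# Placeholder values (assumptions): replace with your own tenant and policy.
$AdminUrl   = 'https://contoso-admin.sharepoint.com'
$Baseline   = 'ExternalUserSharingOnly'   # "New and existing guests"
$ExpiryDays = 30

# SharingCapability values ranked from least to most permissive.
$Rank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}

Connect-SPOService -Url $AdminUrl

# Sites configured above the baseline (with this baseline: sites allowing Anyone links).
$findings = Get-SPOSite -Limit All |
    Where-Object { $Rank[[string]$_.SharingCapability] -gt $Rank[$Baseline] } |
    Select-Object Url, Owner, SharingCapability |
    Sort-Object Url

$findings | Format-Table -AutoSize
$findings | Export-Csv -Path .\sites-above-baseline.csv -NoTypeInformation

# Apply the link-expiration practice to Anyone links across the tenant.
Set-SPOTenant -RequireAnonymousLinksExpireInDays $ExpiryDays

# Confirm the organization-level settings now in effect.
Get-SPOTenant | Select-Object SharingCapability, RequireAnonymousLinksExpireInDays
```

A site's effective sharing level is capped by the organization-level setting, so a site listed here is only exposed to the extent the tenant allows.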
Using Confide for external users & vendors without exposure or risks
When you need to quickly share or create a secure project with sensitive documents, you can leverage Confide to create project rooms with guest users without exposing those users to your Active Directory.
- Use Confide's technology to invite guest users without exposure to your Active Directory.
- Isolate and host secure documents or project rooms locally with secure and granular permission settings.
- Enable business teams to leverage tools and workflows within Confide that help them collaborate securely with their external collaborators or vendors.