One of the benefits of Office 365 and SharePoint Online is the ability to share documents, calendars, lists, and tasks with external users and to collaborate with partners and vendors in a single environment. This feature is offered to anyone with an Office 365 subscription, and setting it up is simple. Before setting up external sharing, it is important to be aware of the available settings, which can be adjusted to the needs of your organization.

In this post, I will explain everything you need to know about external sharing in SharePoint Online and how to configure it. The goal is to help you strike the right balance between encouraging collaboration with external partners, vendors and customers and securing your data.

Types of External Users

Before we begin setting up external sharing, we first have to understand what an external user is. An external user is a user account that does not belong to your Office 365 subscription but has access to content in your subscription. There are two types of external users: an anonymous user and an authenticated external user.

An Authenticated External User is an external user who must sign in using their Azure AD account or a Microsoft Account.

An Anonymous User is an external user who does not have to sign in and can access content using anonymous guest links.

 

Configure External Sharing

Tenant Level

Sign in to Office 365, navigate to the Admin Center by clicking the Office 365 Ribbon, and select the SharePoint Admin Center.

You can also get to the SharePoint Admin Center by replacing the tenant-name below with your tenant name.

https://<tenant-name>.admin.sharepoint.com/

Select the Sharing tab in the left navigation bar. Here you will see a list of settings that allow you to control how users share content with people outside your organization.

 

Don’t allow sharing outside your organization.

Select this option if you want to prevent users from sharing content with external users.

Allow sharing only with the external users that already exist in your organization’s directory

Select this option if your directory already contains external users that have been imported using Azure B2B Collaboration and you would like to share externally with only those users. This can be used to share content between two organizations more securely.

Allow users to invite and share with authenticated external users

Select this option if you would like external users who receive an invitation to sign in and access content using a Microsoft Account. This is a good option to force external users to sign in before they can access content. The link in an invitation can be redeemed only once, and only by the email address it was sent to.

Allow sharing to authenticated external users and using anonymous access links

Select this option if you would like to share content both with external users who sign in as authenticated users and with anonymous users. Anonymous users can access content using guest links, which do not require users to sign in.

 

Restrict External Sharing for Anonymous users and Authenticated External Users

Here are some ways you can enforce more security with anonymous access links in SharePoint Online. In the same Sharing tab, you will see more settings related to anonymous links.

 

Set an Expiration Date on the Tenant Level

Users within your organization can share anonymous links with external users and set an expiration date. If you would like to enforce a mandatory expiration date setting, you can set an expiration date for your anonymous links on the tenant level.

Allow external users to view or edit documents

On the tenant level, you can also set whether anonymous access links allow recipients to View only or to View and Edit.

 

Here are some ways you can enforce more security with authenticated external users. In the same Sharing tab, you will see more settings that control who can share with external users.

 

If you would like to limit who in your organization can share content with external users, you can restrict this functionality to specific security groups. Only users in those security groups will be allowed to share with external users.

You can also set the security groups that are allowed to share with both authenticated external users and anonymous users.

 

Domain Level external sharing

You can restrict external sharing to or from certain domains. This applies only to future invitations and not to external users from other domains who already have access. You can also require external users to accept sharing invitations using the same account that the invitations were sent to.
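The tenant-level options above can also be checked from the SharePoint Online Management Shell. The following is an added example, not part of the original post: it compares the current tenant settings with a baseline and applies the differences only when asked. The tenant name contoso, the 14-day expiration and the two domains are placeholder assumptions.

```powershell
# Added example. Requires the SharePoint Online Management Shell module.
# "contoso" is a placeholder tenant name.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Baseline keyed by Set-SPOTenant parameter name (values are constructed samples).
$baseline = [ordered]@{
    # Authenticated external users and anonymous access links
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    # Mandatory expiration for anonymous links, in days
    RequireAnonymousLinksExpireInDays          = 14
    # Anonymous links grant View only, for files and folders
    FileAnonymousLinkType                      = 'View'
    FolderAnonymousLinkType                    = 'View'
    # Invitations must be accepted with the account they were sent to
    RequireAcceptingAccountMatchInvitedAccount = $true
    # Only allow future invitations to these domains (space separated)
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner.example vendor.example'
}

# Compare as strings so enum, integer and boolean values are handled alike.
$tenant = Get-SPOTenant
$drift = foreach ($name in $baseline.Keys) {
    $current = "$($tenant.$name)"
    $wanted  = "$($baseline[$name])"
    if ($current -ne $wanted) {
        [pscustomobject]@{ Setting = $name; Current = $current; Wanted = $wanted }
    }
}
$drift | Format-Table -AutoSize

# Review the table first, then set $apply to $true to change only what differs.
$apply = $false
if ($apply -and $drift) {
    $params = @{}
    foreach ($d in $drift) { $params[$d.Setting] = $baseline[$d.Setting] }
    Set-SPOTenant @params
}
```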

 

Site Collection Level

Now that we have covered the settings on the tenant level, let's look at the site collection level, where you can also set the sharing setting. To set up sharing on a site collection, sign in to Office 365 and navigate to the Admin Center. Click the Office 365 Ribbon and select the SharePoint Admin Center. Click Site Collections.

Select the site collection you would like to share and select Sharing. You can override the settings from the tenant level for that specific site collection. The sharing options are the same as the ones on the tenant level.

 

Don’t allow sharing outside your organization.

Allow sharing only with the external users that already exist in your organization’s directory

Allow users to invite and share with authenticated external users

Allow sharing to authenticated external users and using anonymous access links

 

A Best Practice and Recommended Approach

It is important to note that the site collection level setting cannot be less restrictive than the tenant level setting. It can be more restrictive. Because of this, it is better to be less restrictive on the tenant level and apply a more restrictive setting on the site collection level.

This gives you the most flexibility: some site collections can have the less restrictive external sharing they need, while others can have external sharing disabled.
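One way to apply this approach across many site collections, as an added example that is not part of the original post: list every site collection with its own setting, the effective setting after the tenant cap, and the setting it should have. It assumes Connect-SPOService has already been run; the approved site URL is a placeholder.

```powershell
# Added example. Sharing levels ordered from most to least restrictive.
# The order is stated explicitly instead of relying on the enum's numeric values.
$levels = @(
    'Disabled',                         # Don't allow sharing outside your organization
    'ExistingExternalUserSharingOnly',  # Only external users already in the directory
    'ExternalUserSharingOnly',          # Invite and share with authenticated external users
    'ExternalUserAndGuestSharing'       # Authenticated external users and anonymous links
)

# Placeholder: sites approved for external sharing and the level each may use.
# Every site not listed here should have external sharing disabled.
$approved = @{
    'https://contoso.sharepoint.com/sites/partner-portal' = 'ExternalUserSharingOnly'
}

$tenantCap = "$((Get-SPOTenant).SharingCapability)"
$report = foreach ($site in Get-SPOSite -Limit All) {
    $siteCap = "$($site.SharingCapability)"
    # The tenant setting caps the site setting, so the effective level
    # is the more restrictive of the two.
    $idx = [Math]::Min([array]::IndexOf($levels, $siteCap),
                       [array]::IndexOf($levels, $tenantCap))
    $wanted = if ($approved.ContainsKey($site.Url)) { $approved[$site.Url] } else { 'Disabled' }
    [pscustomobject]@{
        Url       = $site.Url
        Site      = $siteCap
        Effective = $levels[$idx]
        Wanted    = $wanted
        Action    = if ($siteCap -eq $wanted) { 'ok' } else { 'change' }
    }
}
$report | Sort-Object Action, Url | Format-Table -AutoSize

# After reviewing the report, apply the changes:
# $report | Where-Object Action -eq 'change' |
#     ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability $_.Wanted }
```

A site whose Site and Effective columns differ is configured more permissively than the tenant allows, so loosening the tenant setting later would silently widen its sharing.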

 

 

User’s Experience Sharing in SharePoint Online

All the settings covered so far are configured by the Administrator on the tenant or site collection level. Now we will go over the user's experience when sharing with external users in SharePoint Online.

Shared Link Settings

A document or file stored in SharePoint Online can be accessed by anyone who has access to the file. A user can also share a document or other content in SharePoint Online with someone who does not have access, by selecting the file and then selecting Share. They will have the option to choose from the following settings.

Anyone gives any person including people outside your organization access to the link.

People in your Organization gives everyone in your organization access to the link.

People with Existing Access will not give any additional access beyond what is already present.

Specific People will give access to only the people you specify.

 

Default Link Settings

When a user in SharePoint gets a link, the link can be an anonymous link, an internal link or a direct link. An anonymous link can be accessed by anyone and is controlled by your tenant and site collection settings. An internal link can only be accessed by users within your organization. A direct link is a unique link that can be opened only by the individual you specify.

An Administrator can set the default link behavior for when a user clicks Get a link in SharePoint Online. You can also enable the option to use shorter links when sharing.

In this post, I covered all the external sharing options available on the tenant level and on the site collection level. Microsoft has given us a lot of options that can be configured according to the needs of any organization. We have to make sure we strike the right balance between securing our data and at the same time also not limiting the productivity of users within our organization.