Guests Can Read, Not Take: Browser-Only Access for External Users in Microsoft 365
TL;DR
- Default Microsoft 365 sharing creates Anyone links, meaning anyone in the world can open a shared corporate document without proving their identity.
- Switching SharePoint's default sharing to new and existing guests forces external users to register as guests before opening anything shared with them.
- SharePoint's unmanaged device control creates two Conditional Access policies in Entra that restrict guests to browser-only access with downloads blocked.
- If guest users are not excluded from managed-device Conditional Access policies, they will most likely be blocked from collaborating entirely.
- These settings are highly restrictive and affect more than guests, so end-user communication has to go out before they are enabled.
Security architectures have a strange habit of evaporating the moment external collaboration enters the picture. The same tenant that requires compliant devices and MFA for employees will happily let a guest:
- Download files locally
- Open sensitive documents on devices nobody vets
- Skip proving their identity at all (by default, depending on settings)
The fix is not banning guests. It is one policy combination that confines them to authenticated, browser-based access where documents can be viewed but not downloaded. Here is how to set it up and what it will break if you skip the communication step.
Check how your managed-device policies treat guests first

In a previous post on requiring managed devices in Microsoft 365, we covered the recommended policies for restricting access to managed devices only. The key interaction: if you do not exclude guest users from those policies, they will most likely be blocked.
The outcome depends on a few factors, including the types of links being shared (Anyone versus New and Existing Guest) and how guests reach your tenant: through a VPN, through a Cloud PC or AVD, or from their own device. The overwhelmingly common case is a guest on their own corporate or personal machine, and for them a managed-device requirement blocks document collaboration, shared Teams, document repositories, all of it.
So guests get excluded from the managed-device policy. But excluded should not mean wide open, which is what the rest of this post fixes.
Kill the Anyone link and make guests prove who they are
When users share documents from SharePoint or OneDrive, the default Microsoft 365 settings create what is called an Anyone link: a URL that anyone in the world can open without verifying their identity. A sensitive corporate document becomes reachable as easily as a Google search result.
In the SharePoint admin center, go to Sharing and review your default policies. Change the default to new or existing guests. With that in place, external users must register as a guest in your organization before they can access anything shared with them. While the setting sits at Anyone, the managed-device policies above never even apply to these users, which is one more reason the default has to go.

A word of caution before flipping it. In most organizations this is a significant change for end users, so send out communications first. Two behaviors change immediately:
- Senders must specify the email addresses of the people they are sharing with.
- External users must accept an invitation that arrives by email.
Block downloads with app-enforced restrictions
The second layer stops guests from pulling files onto their device at all. That covers both data exfiltration and the nastier scenario of corporate documents landing on a machine already compromised by malware or ransomware.
The setting in the SharePoint admin center

Microsoft's steps: SharePoint and OneDrive unmanaged device access controls (opens in new tab).
What it creates in Entra
Behind the scenes, the setting generates two Conditional Access policies:
- One restricts mobile app and desktop client access to devices marked compliant or hybrid joined in Entra.
- One restricts browser access for SharePoint Online to use app-enforced restrictions, which is the mechanism in the support article above that limits what unmanaged devices can do.

What guests actually see
Guests can no longer open shared documents in desktop applications, and in the browser a banner explains that downloading is blocked.


They keep full browser-based collaboration: viewing, co-editing, commenting. They lose the ability to walk away with a local copy.
Roll it out like the breaking change it is
Be very careful turning this on, and understand the impact across the organization before you do. The unmanaged-device setting is highly restrictive, and not just for guests; anyone on a non-compliant device feels it. Communicate the change to the organization and its end users before go-live, and the policy becomes a quiet data protection win instead of a help desk fire.
Frequently asked questions
Will these settings break existing guest collaboration?
They change it noticeably. Requiring authenticated guests means senders must specify email addresses and recipients must accept an email invitation, and the download block stops desktop app access on unmanaged devices. Communicate before enabling, not after.
Why are guests blocked when a managed-device policy is enabled?
Policies requiring compliant or managed devices apply to guests too unless they are excluded, and guests almost never sign in from a device your tenant manages. Their access method matters: a personal or third-party corporate device will be blocked, while exclusions plus the browser-only controls keep collaboration working safely.
Do these controls apply only to guest users?
No. The SharePoint unmanaged device setting is highly restrictive and affects everyone signing in from a device that is not compliant or hybrid joined, not just guests. That is exactly why the rollout needs notice and a communication plan.
How many tenants still hand out Anyone links?
CloudCapsule checks external sharing defaults, guest access settings, and Conditional Access coverage across every tenant you manage, with evidence and remediation steps. 250+ controls, 60 seconds.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


