Skip to main content

Sharing SharePoint and OneDrive Files With Outside Organizations Safely

Nick Ross3 min read
Office 365 inter-tenant collaboration: Sharepoint and OneDrive

TL;DR

  • External sharing is turned on by default for your entire SharePoint Online environment and the site collections in it.
  • SharePoint offers four sharing modes: no sharing, sharing only with existing directory users, sharing with authenticated external users, and anonymous link sharing.
  • Authenticated external users sign in and are added to your 365 directory, labeled with #EXT# and Guest, so access is traceable.
  • Anonymous links can share documents and folders but never whole sites, can be set to expire, and leave no directory record, so they are revoked by deleting the link.
  • For confidential data, keep it in one or more site collections where external sharing is turned off entirely.

When clients work with partners, vendors, or each other, the files have to cross organizational boundaries. SharePoint and OneDrive are built for exactly that, and the catch is that the door is open before you decide to open it. External sharing is turned on by default for your entire SharePoint Online environment and every site collection in it.

This is part of a series on using Office 365 for inter-tenant collaboration. Here the focus is SharePoint and OneDrive: the sharing modes, how each type of external user behaves, and where to draw the line for confidential data.

What inter-tenant collaboration is supposed to deliver

The goals an MSP is usually solving for:

  • A central location for files and conversations
  • Sharing of calendars
  • Using instant messaging
  • Audio and video calls for communication
  • Securing access to resources and applications

The four SharePoint sharing modes

Note again that external sharing is turned on by default for your entire SharePoint Online environment and the site collections in it. The four modes, from most to least restrictive:

No sharing

Sites and documents can only be shared with internal users in your Office 365 subscription.

Sharing only with external users already in your directory

Sites, folders, and documents can only be shared with external users who are already in your Office 365 user directory: users who have previously accepted a sharing invitation, or users you imported from another Office 365 or Azure Active Directory tenant.

Sharing with authenticated external users

Sites can be shared with external users who have a Microsoft account, or a work or school account from another Office 365 subscription or an Azure Active Directory subscription. They are not required to log in but receive a one-time code.

Sharing with anonymous users

Documents and folders, but not sites, can be shared via an anonymous link where anyone with the link can view or edit the document, or upload to the folder.

For the underlying behavior, see Microsoft's documentation on external sharing in SharePoint Online (opens in new tab).

Authenticated external users, step by step

Business scenario: you have created a site in SharePoint for an upcoming project and want to add a business partner from another firm.

SharePoint project site

Open site permissions

Go to Settings > Site Permissions.

Site permissions menu

Invite the external user

Click Invite People and type in the email address of the external user.

Invite people

Share the site only

Click Share Site Only and type in the email address of the external user.

Share site only
Confirm share

Customize the invitation text

You can write a message that will go in the email inviting the user to the site.

Customize invitation message

The invitation email

The end user gets an email with a subject line of "Invitee Name wants to share site name" and a body containing a link to the SharePoint site.

Sharing invitation email

Authentication

Once the link is clicked, the user is asked to sign in with a Microsoft account.

Sign in prompt

Directory record

Once the user successfully authenticates, they are added to your directory in 365, distinctly labeled with #EXT# and Guest.

Guest user in directory

Anonymous users, step by step

Business scenario: you have files or documents you want outside users to view or edit. View and edit links are created separately and can be set to expire at a specified time. Anonymous users are not added to the user list in Office 365. You discontinue sharing with them by going to the document or folder you shared and deleting the anonymous link.

Document library

Share the document

Choose the document you want to share and click the share icon in the right-hand corner.

Share icon

Click the link settings and choose "Specific People."

Link settings

Designate the user

Add the outside user's email address and click Send.

Designate recipient

The user gets an email with a link to the document. Clicking it takes them to the doc where they can view or edit depending on the permissions you gave them.

Document link email

Where to manage all of this

All share settings can be customized in the SharePoint and OneDrive admin centers.

Admin center sharing settings

Where to draw the line

If you have confidential information that should never be shared with external users, consider keeping it in one or more site collections where external sharing is turned off. Isolating the sensitive content is the cleanest defense against a tenant-wide default that ships in the on position.

Frequently asked questions

Is external sharing on by default in SharePoint Online?

Yes. As of July 2018, external sharing is turned on by default for the entire SharePoint Online environment and the site collections within it. If you do not want it, you have to turn it off deliberately at the tenant or site-collection level.

What is the difference between an authenticated external user and an anonymous user in SharePoint?

An authenticated external user must sign in with a Microsoft or work or school account and is added to your 365 directory, labeled #EXT# and Guest, so their access is visible and revocable. An anonymous user accesses content through a link with no sign-in and no directory record; you stop their access by deleting the link.

How do you protect confidential SharePoint data from external sharing?

Keep confidential information in one or more dedicated site collections where external sharing is turned off. That isolates the sensitive content from the tenant-wide default, which is on.

Find the oversharing before a client does

External sharing defaults on, and links pile up quietly. CloudCapsule checks SharePoint and OneDrive sharing posture against 250+ controls in 60 seconds, across every tenant you manage.

Try a free scan
Nick Ross

Written by

Nick Ross

CEO · Microsoft MVP · Founder, T-Minus 365

Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.

Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.

Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.

Keep reading