Sharing SharePoint and OneDrive Files With Outside Organizations Safely

TL;DR
- External sharing is turned on by default for your entire SharePoint Online environment and the site collections in it.
- SharePoint offers four sharing modes: no sharing, sharing only with existing directory users, sharing with authenticated external users, and anonymous link sharing.
- Authenticated external users sign in and are added to your 365 directory, labeled with #EXT# and Guest, so access is traceable.
- Anonymous links can share documents and folders but never whole sites, can be set to expire, and leave no directory record, so they are revoked by deleting the link.
- For confidential data, keep it in one or more site collections where external sharing is turned off entirely.
When clients work with partners, vendors, or each other, the files have to cross organizational boundaries. SharePoint and OneDrive are built for exactly that, and the catch is that the door is open before you decide to open it. External sharing is turned on by default for your entire SharePoint Online environment and every site collection in it.
This is part of a series on using Office 365 for inter-tenant collaboration. Here the focus is SharePoint and OneDrive: the sharing modes, how each type of external user behaves, and where to draw the line for confidential data.
What inter-tenant collaboration is supposed to deliver
The goals an MSP is usually solving for:
- A central location for files and conversations
- Sharing of calendars
- Using instant messaging
- Audio and video calls for communication
- Securing access to resources and applications
The four SharePoint sharing modes
Note again that external sharing is turned on by default for your entire SharePoint Online environment and the site collections in it. The four modes, from most to least restrictive:
No sharing
Sites and documents can only be shared with internal users in your Office 365 subscription.
Sharing only with external users already in your directory
Sites, folders, and documents can only be shared with external users who are already in your Office 365 user directory: users who have previously accepted a sharing invitation, or users you imported from another Office 365 or Azure Active Directory tenant.
Sharing with authenticated external users
Sites can be shared with external users who have a Microsoft account, or a work or school account from another Office 365 subscription or an Azure Active Directory subscription. They are not required to log in but receive a one-time code.
Sharing with anonymous users
Documents and folders, but not sites, can be shared via an anonymous link where anyone with the link can view or edit the document, or upload to the folder.
For the underlying behavior, see Microsoft's documentation on external sharing in SharePoint Online (opens in new tab).
Authenticated external users, step by step
Business scenario: you have created a site in SharePoint for an upcoming project and want to add a business partner from another firm.

Open site permissions
Go to Settings > Site Permissions.

Invite the external user
Click Invite People and type in the email address of the external user.

Share the site only
Click Share Site Only and type in the email address of the external user.


Customize the invitation text
You can write a message that will go in the email inviting the user to the site.

The invitation email
The end user gets an email with a subject line of "Invitee Name wants to share site name" and a body containing a link to the SharePoint site.

Authentication
Once the link is clicked, the user is asked to sign in with a Microsoft account.

Directory record
Once the user successfully authenticates, they are added to your directory in 365, distinctly labeled with #EXT# and Guest.

Anonymous users, step by step
Business scenario: you have files or documents you want outside users to view or edit. View and edit links are created separately and can be set to expire at a specified time. Anonymous users are not added to the user list in Office 365. You discontinue sharing with them by going to the document or folder you shared and deleting the anonymous link.

Share the document
Choose the document you want to share and click the share icon in the right-hand corner.

Open link settings
Click the link settings and choose "Specific People."

Designate the user
Add the outside user's email address and click Send.

The document link email
The user gets an email with a link to the document. Clicking it takes them to the doc where they can view or edit depending on the permissions you gave them.

Where to manage all of this
All share settings can be customized in the SharePoint and OneDrive admin centers.

Where to draw the line
If you have confidential information that should never be shared with external users, consider keeping it in one or more site collections where external sharing is turned off. Isolating the sensitive content is the cleanest defense against a tenant-wide default that ships in the on position.
Frequently asked questions
Is external sharing on by default in SharePoint Online?
Yes. As of July 2018, external sharing is turned on by default for the entire SharePoint Online environment and the site collections within it. If you do not want it, you have to turn it off deliberately at the tenant or site-collection level.
What is the difference between an authenticated external user and an anonymous user in SharePoint?
An authenticated external user must sign in with a Microsoft or work or school account and is added to your 365 directory, labeled #EXT# and Guest, so their access is visible and revocable. An anonymous user accesses content through a link with no sign-in and no directory record; you stop their access by deleting the link.
How do you protect confidential SharePoint data from external sharing?
Keep confidential information in one or more dedicated site collections where external sharing is turned off. That isolates the sensitive content from the tenant-wide default, which is on.
Find the oversharing before a client does
External sharing defaults on, and links pile up quietly. CloudCapsule checks SharePoint and OneDrive sharing posture against 250+ controls in 60 seconds, across every tenant you manage.
Try a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


