External users accumulate quietly. A project begins, a contractor is invited, the engagement ends, but the guest account stays. Six months later that person still has access to document libraries containing commercial data that is no longer relevant to them. Multiply that pattern across a growing Microsoft 365 tenant and an external user audit becomes long overdue.
This guide covers every method for finding and reviewing external users in SharePoint Online: the Microsoft 365 admin centre, the SharePoint admin centre sharing report, PnP PowerShell, and ShareMaster's Report Master for a complete, library-level breakdown exportable to Excel. By the end you will have a clear list of every guest account with access to your environment and the context to decide what to do with each one.
What counts as an external user in SharePoint Online?
An external user is anyone accessing your SharePoint Online sites without a licensed account in your Microsoft 365 tenant. Two categories matter here:
- Authenticated guests: People who signed in using a Microsoft account or an account from another Entra ID tenant. They appear in your directory as B2B guest users with #EXT# in their user principal name, such as contractor#EXT#@example.com.
- Sharing link recipients: Anyone who received an "Anyone" or "People with the link" sharing link. Depending on the link type, these users may have no directory entry in your tenant at all.
This guide focuses on authenticated guests because their access is the most persistent and the most often overlooked. Sharing link audit is its own discipline; the companion guide on auditing shared links across your tenant covers that side of the picture.
Why external user access audits matter
Three situations make a periodic external user audit non-negotiable.
Contractor and partner offboarding. When an engagement ends, IT is rarely notified in time to remove guest access before the final invoice. Without a formal offboarding checklist that includes SharePoint permissions, former contractors routinely retain access for months or longer. A quarterly audit catches what offboarding missed.
Compliance requirements. ISO 27001, SOC 2, and most industry-specific frameworks require organisations to maintain a current, accurate list of who has access to information systems. A guest list that has never been reviewed is a gap that auditors will flag. Demonstrating a documented review cycle closes that gap.
Conditional access and identity hygiene. A large population of stale Entra ID guest accounts creates noise in identity reports, complicates conditional access policy targeting, and can interfere with Microsoft Entra ID Governance features if those are in use.
How to find external users in the Microsoft 365 admin centre
Check the Active users list
- Go to the Microsoft 365 admin centre (admin.microsoft.com) and sign in with a global admin or user management admin account.
- Select Users, then Active users.
- Click Filter and choose Guest users from the filter options.
- Review the list. Guest accounts show no assigned Microsoft 365 licence and typically have a display name set to the external user's email address or their full name from their home organisation.
- Note the Last sign-in column. Accounts with no sign-in activity in 90 days or more are strong candidates for removal.
The admin centre guest list is tenant-wide. It tells you which guest accounts exist but not which SharePoint sites or libraries each person can access. For that you need a site-level permissions export.
Review the SharePoint admin centre sharing report
- Go to the SharePoint admin centre (admin.microsoft.com/sharepoint).
- In the left navigation, select Reports, then Sharing.
- The report shows a site-by-site breakdown of external sharing activity, including the number of external users with access per site and the sharing policies currently in effect.
- Sort by the external user count column to identify sites with the highest external exposure.
The sharing report is a useful starting point for prioritising which sites to audit in depth. It does not show permission levels, specific libraries, or the names of individual external users. Use it to rank your sites, then use the steps below to drill into each one.
How to audit external users across a site with ShareMaster
The native admin centre tools give you headcounts. Report Master gives you a row-per-user breakdown across every permission group and library in a site collection, complete with account types, permission levels, and the exact scope of each grant, all exported to Excel in one operation.
Connect to your tenant
- Open ShareMaster and select Report Master from the main toolbar.
- Enter your SharePoint Online tenant URL and authenticate with an account that has SharePoint admin rights.
- Select the site collection you want to audit from the dropdown. For a broad audit, work through your highest-risk sites as identified in the sharing report above.
Generate the permissions matrix
- In Report Master, choose the Permissions Matrix report type.
- Select whether to include subsites and all document libraries, or limit the scope to the top-level site.
- Click Run Report. Report Master queries the site's permission groups, individual user assignments, and any unique permissions set at the library or list level.
The permissions matrix is especially effective at surfacing external users who were added directly to a library rather than through a site-level group. These direct grants are precisely the ones admin centre views most often miss.
Export to Excel and filter by account type
- Click Export to Excel to download the full permissions matrix for the site.
- In Excel, apply a filter on the Login Name column.
- Filter for cells containing #EXT# to isolate all authenticated external guest users.
- Review the Permission Level column for each result. Full Control or Edit access granted to an external user warrants immediate scrutiny.
- Cross-reference with the guest account list from the admin centre. Any guest account that appears in the permissions export but has not signed in recently is a priority for removal.
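The filter and cross-reference steps above can also be done in PowerShell rather than with Excel filters. This is an added example, not ShareMaster output or code: both inline CSVs are constructed sample data, and the column names, the claims-style login format and the fixed audit date are assumptions.

```powershell
# Added example: all data below is constructed; column names are assumed from the
# column labels this guide mentions (Login Name, Permission Level, Last sign-in).
$permissions = @'
Login Name,Scope,Permission Level
i:0#.f|membership|alice@contoso.com,/sites/Bids,Full Control
i:0#.f|membership|contractor_example.com#ext#@contoso.onmicrosoft.com,/sites/Bids/Pricing,Edit
i:0#.f|membership|supplier_example.org#ext#@contoso.onmicrosoft.com,/sites/Bids,Read
i:0#.f|membership|former_example.net#ext#@contoso.onmicrosoft.com,/sites/Bids,Read
'@ | ConvertFrom-Csv

$guests = @'
User principal name,Last sign-in
contractor_example.com#EXT#@contoso.onmicrosoft.com,2024-01-10
supplier_example.org#EXT#@contoso.onmicrosoft.com,2024-06-20
former_example.net#EXT#@contoso.onmicrosoft.com,
'@ | ConvertFrom-Csv

$auditDate      = [datetime]'2024-07-01'   # fixed so the sample is reproducible; use Get-Date in practice
$staleAfterDays = 90                       # threshold used in this guide

# Index last sign-in by UPN; guests with an empty sign-in value are left out of the index.
$lastSignIn = @{}
foreach ($g in $guests) {
    if ($g.'Last sign-in') {
        $lastSignIn[$g.'User principal name'.ToLower()] = [datetime]$g.'Last sign-in'
    }
}

# -like is case-insensitive, so it matches both #EXT# and #ext#.
$report = $permissions | Where-Object { $_.'Login Name' -like '*#EXT#*' } | ForEach-Object {
    $upn  = ($_.'Login Name' -split '\|')[-1].ToLower()   # drop the claims prefix
    $seen = $lastSignIn[$upn]
    $days = if ($seen) { [int]($auditDate - $seen).TotalDays } else { $null }
    [pscustomobject]@{
        Guest           = $upn
        Scope           = $_.Scope
        PermissionLevel = $_.'Permission Level'
        DaysSinceSignIn = $days
        # Assumption: a guest with no recorded sign-in is treated as stale.
        Stale           = (-not $seen) -or ($days -ge $staleAfterDays)
        HighPrivilege   = $_.'Permission Level' -in 'Full Control', 'Edit'
    }
}

$report | Sort-Object @{Expression = 'Stale'; Descending = $true},
                      @{Expression = 'HighPrivilege'; Descending = $true} |
    Format-Table -AutoSize
```

Rows that are both stale and high privilege sort to the top, which matches the order of the first two passes described below.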
What to do with your audit results
Once you have a filtered list of external users with their permission scopes, work through it in three passes.
Pass 1: Remove clearly stale accounts. Any guest who has not signed in for 90 or more days and whose engagement has ended should be removed. The default position should be that access is removed unless there is a current, documented reason to keep it. Do not retain access "just in case."
Pass 2: Right-size active accounts. Some external users may have broader access than their role requires. A supplier with member-level access to an entire team site may only need read access to a single shared library. Reducing scope limits risk without disrupting legitimate collaboration.
Pass 3: Document and schedule the next review. Record the audit date, the sites reviewed, the accounts removed, and any accounts retained with justification. Quarterly is the right cadence for most organisations; it aligns with common compliance frameworks and matches the natural rhythm of project and contract cycles.
For the shared links side of external access, the same review cycle applies. The guide on SharePoint shared links and external permissions covers how to find and revoke anonymous links and organisation-wide links that may have been issued without visibility.
Frequently Asked Questions
How do I find all external users in SharePoint Online?
External users appear in the Microsoft 365 admin centre under Users then Active users (filter by Guest), in the SharePoint admin centre under Reports then Sharing, and via PnP PowerShell using Get-PnPUser on each site. ShareMaster's Report Master produces a permissions matrix that flags each user's account type, making it simple to isolate external and guest accounts across an entire site collection in one export.
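The PnP PowerShell route named in this answer, written out as an added example (not Microsoft or ShareMaster code): it assumes the PnP.PowerShell module is installed and that interactive sign-in uses your own Entra ID app registration. The admin URL and client ID are placeholders.

```powershell
# Added example: list authenticated guests (#EXT# logins) on every site collection.
# Both values below are placeholders; substitute your tenant's own.
$AdminUrl = 'https://contoso-admin.sharepoint.com'
$ClientId = '00000000-0000-0000-0000-000000000000'

# Get-PnPTenantSite must run against the SharePoint admin site.
Connect-PnPOnline -Url $AdminUrl -Interactive -ClientId $ClientId
$sites = Get-PnPTenantSite

$results = foreach ($site in $sites) {
    try {
        # Reconnect to each site; Get-PnPUser returns the users known to the connected site.
        Connect-PnPOnline -Url $site.Url -Interactive -ClientId $ClientId -ErrorAction Stop
        Get-PnPUser -ErrorAction Stop |
            Where-Object { $_.LoginName -like '*#EXT#*' } |   # -like is case-insensitive
            ForEach-Object {
                [pscustomobject]@{
                    SiteUrl     = $site.Url
                    LoginName   = $_.LoginName
                    DisplayName = $_.Title
                    Email       = $_.Email
                    IsSiteAdmin = $_.IsSiteAdmin
                }
            }
    }
    catch {
        # The signed-in account may lack access to a site; report it rather than drop it silently.
        Write-Warning "Skipped $($site.Url): $($_.Exception.Message)"
    }
}

$results | Sort-Object LoginName, SiteUrl |
    Export-Csv -Path .\external-users.csv -NoTypeInformation -Encoding UTF8
```

Sites listed in the warnings were not audited, so record them alongside the CSV and review them separately.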
Can external users browse SharePoint content beyond what was shared with them?
No. External users can only access content they have been explicitly granted access to through a direct permission assignment or a sharing link. If they were added as site members rather than given narrower, library-specific access, their reach may still be broader than intended, which is one reason a library-level permissions audit is more informative than a site-level count.
How do I remove an external user from SharePoint Online?
To remove a guest from a specific site: Site settings, then Users and Groups, locate the guest account, and delete the entry. To revoke tenant-wide access: Microsoft 365 admin centre, Users, Active users, find the guest account, and delete it. Deleting the Entra ID B2B guest account removes their access to all SharePoint resources across your tenant.
Do SharePoint guest users count toward my Microsoft 365 licence limit?
No. Entra ID B2B guest accounts do not consume a Microsoft 365 user licence. If your Entra ID plan includes a ratio limit on guest accounts relative to paid member accounts, a very large guest population could eventually affect Entra ID feature availability, but the standard case is that guest accounts are licence-free.