
SharePoint External Sharing: The Complete Admin Reference

The four external sharing tiers available in SharePoint Online and OneDrive for Business, from most to least permissive:

| Sharing tier | Who can access shared content | Sign-in required | Typical use |
|---|---|---|---|
| Anyone | Any person who receives the link, including unauthenticated users outside your organisation | No | Public marketing assets, event registration forms, anonymous feedback |
| New and existing guests | External users invited by email; new invitations create a B2B guest account in Entra ID | Yes (Microsoft account or Entra ID guest) | Partner portals, contractor collaboration, client-facing document libraries |
| Existing guests only | External users already present in your Entra ID directory as guests | Yes | Controlled access for pre-approved partners; no new external invitations from this point |
| Only people in your organisation | Internal Microsoft 365 users only; no external or anonymous access regardless of link type | Yes (internal account only) | Finance, HR, legal, and confidential strategy content |

Note: SharePoint and OneDrive each have their own tenant-level sharing slider in the SharePoint admin centre (Policies > Sharing). The two are set independently, but the OneDrive slider cannot exceed the SharePoint slider. A common configuration is SharePoint set to New and existing guests while OneDrive is locked to Existing guests only. Check both sliders when auditing your external sharing posture - changing one does not automatically update the other.

Where to Configure External Sharing in SharePoint Online

External sharing settings exist at three distinct levels. The most restrictive combination of tenant setting and site setting governs what a user can actually do when they click Share.

| Level | Location in admin centre | Scope | Required role |
|---|---|---|---|
| Tenant | SharePoint admin centre > Policies > Sharing | All sites and OneDrive for Business accounts in the tenant | SharePoint Administrator or Global Administrator |
| Site collection | SharePoint admin centre > Sites > Active sites > [site] > Settings; or Site settings > Site permissions | All content within that site collection only | SharePoint Administrator or Site Collection Administrator |
| OneDrive for Business (per user) | SharePoint admin centre > Settings > OneDrive; or per-user PowerShell via Set-SPOSite | That specific user's OneDrive account only | SharePoint Administrator or Global Administrator |
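
The following is an added example, not part of the original page and not ShareMaster code. It computes the effective sharing tier for each site as the more restrictive of the site value and the tenant ceiling, with the OneDrive slider as an extra ceiling for personal sites. It assumes objects shaped like the output of Get-SPOTenant and Get-SPOSite from the SharePoint Online Management Shell; the sample tenant and sites are constructed.

```powershell
# Added example. Tier order, least to most permissive, using the
# SharingCapability values that Get-SPOTenant and Get-SPOSite return.
$Tiers = @(
    'Disabled'                         # Only people in your organisation
    'ExistingExternalUserSharingOnly'  # Existing guests only
    'ExternalUserSharingOnly'          # New and existing guests
    'ExternalUserAndGuestSharing'      # Anyone
)

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)] $Tenant,  # shaped like Get-SPOTenant output
        [Parameter(Mandatory)] $Sites    # shaped like Get-SPOSite output
    )
    foreach ($site in $Sites) {
        $ceiling = [array]::IndexOf($Tiers, "$($Tenant.SharingCapability)")
        # Assumption: personal sites are recognised by the -my host and /personal/ path.
        if ($site.Url -like '*-my.sharepoint.com/personal/*') {
            $oneDrive = [array]::IndexOf($Tiers, "$($Tenant.OneDriveSharingCapability)")
            $ceiling  = [Math]::Min($ceiling, $oneDrive)
        }
        $stored = [array]::IndexOf($Tiers, "$($site.SharingCapability)")
        [pscustomobject]@{
            Url          = $site.Url
            Stored       = "$($site.SharingCapability)"
            Effective    = $Tiers[[Math]::Min($stored, $ceiling)]
            AboveCeiling = $stored -gt $ceiling   # stored value exceeds what the tenant allows
        }
    }
}

# Constructed sample data. Against a live tenant, after Connect-SPOService:
#   $tenant = Get-SPOTenant
#   $sites  = Get-SPOSite -Limit All -IncludePersonalSite $true
$tenant = [pscustomobject]@{
    SharingCapability         = 'ExternalUserSharingOnly'
    OneDriveSharingCapability = 'ExistingExternalUserSharingOnly'
}
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';  SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/a_user_contoso_com'; SharingCapability = 'ExternalUserSharingOnly' }
)

Get-EffectiveSharing -Tenant $tenant -Sites $sites | Format-Table -AutoSize
```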

Sharing Link Types and Default Settings

When a user shares a file or folder, SharePoint presents a choice of link types in the sharing dialog. The default pre-selected option is set by the admin and has an outsized effect on which link types are actually used across the organisation. Users who click Share and immediately click Copy Link take whatever default is set without changing it.

| Setting | Options | Default (new tenants) | Admin guidance |
|---|---|---|---|
| Default link type | Specific people / People in your organisation / Anyone (if tenant allows) | People in your organisation | Change to Specific people for environments handling sensitive or regulated content. The default pre-selects in the dialog; users with appropriate permissions can still override it. |
| Default link permission | View / Edit | Edit | Changing to View prevents recipients from modifying content by default, reducing accidental write access. Users can still change to Edit when sharing if they have permission to do so. |
| Anyone link expiration | Never / 1 to 730 days | Never (unless configured) | Set a maximum expiry (30 to 90 days is common practice) so unauthenticated links do not remain permanently valid. Existing links are not retroactively expired when this setting changes. |
| Anyone link permission | View only / View and edit / View and upload (folders) | View and edit | Restrict to View only to prevent unauthenticated recipients from modifying content through an anonymous link. |
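
As an added example (not from the original page and not ShareMaster code), the check below compares a tenant's link defaults with the admin guidance column above. It assumes the Get-SPOTenant properties DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays, FileAnonymousLinkType and FolderAnonymousLinkType are where these settings surface; the function name, the 90-day threshold parameter and the sample tenant are constructed.

```powershell
function Test-SharingLinkDefaults {
    param(
        [Parameter(Mandatory)] $Tenant,   # shaped like Get-SPOTenant output
        [int] $MaxAnyoneLinkDays = 90     # upper end of the 30 to 90 day range in the table
    )
    # Helper that emits one finding row.
    $flag = {
        param($Setting, $Current, $Guidance)
        [pscustomobject]@{ Setting = $Setting; Current = "$Current"; Guidance = $Guidance }
    }

    # 'Direct' is the Specific people link type; 'Internal' is People in your organisation.
    if ("$($Tenant.DefaultSharingLinkType)" -ne 'Direct') {
        & $flag 'DefaultSharingLinkType' $Tenant.DefaultSharingLinkType 'Direct (Specific people) for sensitive or regulated content'
    }
    if ("$($Tenant.DefaultLinkPermission)" -ne 'View') {
        & $flag 'DefaultLinkPermission' $Tenant.DefaultLinkPermission 'View, so write access is an explicit choice'
    }

    # The Anyone link settings only matter when the tenant tier allows Anyone links.
    if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
        $days = [int]$Tenant.RequireAnonymousLinksExpireInDays
        if ($days -le 0 -or $days -gt $MaxAnyoneLinkDays) {
            # Zero or a negative value means no expiry is enforced.
            $current = if ($days -le 0) { 'Never' } else { "$days days" }
            & $flag 'RequireAnonymousLinksExpireInDays' $current "Expire within $MaxAnyoneLinkDays days"
        }
        foreach ($name in 'FileAnonymousLinkType', 'FolderAnonymousLinkType') {
            if ("$($Tenant.$name)" -ne 'View') {
                & $flag $name $Tenant.$name 'View only for unauthenticated recipients'
            }
        }
    }
}

# Constructed sample mirroring the "Default (new tenants)" column with Anyone links allowed.
# Against a live tenant: Test-SharingLinkDefaults -Tenant (Get-SPOTenant)
$tenant = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType            = 'Internal'
    DefaultLinkPermission             = 'Edit'
    RequireAnonymousLinksExpireInDays = 0
    FileAnonymousLinkType             = 'Edit'
    FolderAnonymousLinkType           = 'Edit'
}

Test-SharingLinkDefaults -Tenant $tenant | Format-Table -AutoSize
```

Changing the expiry setting after the check does not shorten links that already exist, so existing Anyone links still need a separate review.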

Guest Accounts and Entra ID Integration

When the tenant is set to New and existing guests, inviting an external email address creates a B2B guest account in Entra ID (formerly Azure Active Directory). That guest account appears in the directory, can be assigned to Microsoft 365 groups, and remains present until explicitly deleted or expired. The table below shows the Entra ID controls that govern guest account creation and lifecycle.

| Setting | Location | What it controls |
|---|---|---|
| Guest invitation permissions | Entra admin centre > External identities > External collaboration settings | Whether admins only, member users, or guests themselves can invite new external accounts. Set to Admins and users in the Guest Inviter role or Admin only to prevent end users from creating new guest accounts through SharePoint sharing dialogs. |
| Guest account expiration | Entra admin centre > External identities > External collaboration settings > Guest user access expiration | Automatically disables guest accounts after a configured period unless reviewed. Reduces stale accounts from contractors and project partners who no longer require access. |
| Access reviews | Microsoft Entra ID Governance (requires P2 or Governance licence) | Sends periodic review requests to the guest's internal sponsor; the sponsor must confirm access is still required. Not included in base Microsoft 365 licences. |

Domain Allowlists and Blocklists

Domain restrictions let SharePoint admins limit external sharing to named partner organisations or block sharing with consumer mail providers. Both options are configured at Policies > Sharing > More external sharing settings in the SharePoint admin centre.

  • Allowlist mode: only users with email addresses from listed domains can receive invitations. All other external domains are automatically blocked. Use this when external sharing should be limited to a specific set of partners, clients, or suppliers.
  • Blocklist mode: users from listed domains cannot receive invitations. All other external domains remain available. Use this to block consumer providers (such as gmail.com or hotmail.com) while keeping business-to-business sharing open.

Domain restrictions apply to new invitations only. A user already present in your Entra ID directory as a guest can still be added to a site even if their domain is subsequently added to the blocklist, because the invitation step is bypassed for existing guests. Clean up the Entra guest directory periodically - domain restrictions only block new invitations, and stale guest accounts accumulate over time.
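
The gap described above, where existing guests sit outside a later domain restriction, can be checked directly. The following is an added example, not part of the original page and not ShareMaster code. It assumes the restriction surfaces on Get-SPOTenant as SharingDomainRestrictionMode with space-separated SharingAllowedDomainList and SharingBlockedDomainList values, that guests carry a Mail property (as Get-MgUser returns), and that domains are compared by exact match; function names and sample data are constructed.

```powershell
# Would a NEW invitation to this address pass the tenant's domain restriction?
function Test-InviteAllowed {
    param([string] $Email, [string] $Mode, [string[]] $Domains)
    $domain = ($Email -split '@')[-1].ToLowerInvariant()
    switch ($Mode) {
        'AllowList' { return $Domains -contains $domain }     # only listed domains pass
        'BlockList' { return $Domains -notcontains $domain }  # listed domains fail
        default     { return $true }                          # 'None': no restriction
    }
}

# Existing guests that the current policy would refuse if they were invited today.
function Get-GuestsOutsidePolicy {
    param(
        [Parameter(Mandatory)] $Tenant,  # shaped like Get-SPOTenant output
        [Parameter(Mandatory)] $Guests   # objects with DisplayName and Mail
    )
    $mode = "$($Tenant.SharingDomainRestrictionMode)"
    $list = if ($mode -eq 'AllowList') { $Tenant.SharingAllowedDomainList }
            else                       { $Tenant.SharingBlockedDomainList }
    $domains = @("$list".ToLowerInvariant() -split '\s+' | Where-Object { $_ })
    $Guests | Where-Object {
        -not (Test-InviteAllowed -Email $_.Mail -Mode $mode -Domains $domains)
    }
}

# Constructed sample data. Against a live tenant:
#   $tenant = Get-SPOTenant
#   $guests = Get-MgUser -All -Filter "userType eq 'Guest'"
$tenant = [pscustomobject]@{
    SharingDomainRestrictionMode = 'BlockList'
    SharingAllowedDomainList     = ''
    SharingBlockedDomainList     = 'gmail.com hotmail.com'
}
$guests = @(
    [pscustomobject]@{ DisplayName = 'Partner Contact';  Mail = 'alice@partner.example' }
    [pscustomobject]@{ DisplayName = 'Former Contractor'; Mail = 'bob@gmail.com' }
)

Get-GuestsOutsidePolicy -Tenant $tenant -Guests $guests |
    Select-Object DisplayName, Mail
```

Guests returned here are candidates for the periodic directory clean-up, since the blocklist alone will not remove their access.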

Auditing Active External Shares

Configuring the correct settings is step one. Knowing what has actually been shared externally across your tenant is step two, and it is the step most organisations skip. The Microsoft Purview audit log records all external sharing events, but querying it to produce a usable inventory of every live external share across hundreds of sites requires PowerShell or a dedicated reporting tool.

ShareMaster's Report Master exports a full permission matrix for any site or library, including the display name, email address, and current permission level of every external user. For bulk identification and removal of shared links after an audit, the shared links audit guide covers the process from discovery to remediation. The SharePoint permission levels reference explains what each permission level grants, which matters when interpreting the external users you find in a permission report.

Frequently Asked Questions

What is the difference between Anyone links and People in your organisation links?

Anyone links allow any person who receives the link to access the content without signing in. They can be forwarded to anyone, including people with no relationship to your organisation, and remain valid until they expire or are revoked. People in your organisation links require the recipient to sign in with a Microsoft 365 account in the same tenant. External users cannot use them even if the link is forwarded outside the organisation.

Can a SharePoint site allow more external sharing than the tenant-level setting?

No. The tenant setting is an absolute ceiling. A site can be configured at the same tier or more restrictive, but never more permissive. A tenant set to Existing guests only cannot have any individual site configured as Anyone or New and existing guests.

Do external guest users need a Microsoft 365 licence?

Guests accessing SharePoint via invitation do not need a licence in your tenant. They authenticate with their own Microsoft account or Entra ID guest account and can only access content they have been explicitly granted permission to see or edit. Certain premium capabilities, including Microsoft Purview sensitivity labels applied to documents, may require the guest to hold a licence from their home organisation.

How do I restrict external sharing to specific email domains?

In the SharePoint admin centre, go to Policies > Sharing > More external sharing settings. Configure an allowlist (only listed domains can receive invitations) or blocklist (listed domains are blocked). This applies tenant-wide to new invitations. Existing guest accounts are not removed by adding their domain to a blocklist after provisioning.
