Manage external sharing for your SharePoint online environment

If your organization performs work that involves sharing documents or collaborating directly with vendors, clients, or customers, then you might want to use your SharePoint Online sites to share content with people outside your organization who do not have licenses for your organization’s Microsoft Office 365 subscription.

There are three ways that users can share content on your site with people outside your organization:

If you’re looking for how-to information about sharing a site or document, see Share sites or documents with people outside your organization. If you’re wondering what types of users qualify as external users and what rights an external user has, see What is an external user?

Best practices for sharing sites

If you’ve shared an entire site with a user, then that user will be able to log in to the site and function like a full member of the site. They will be able to browse, search for, view, and edit content (depending on which permission group you assign them to). They will be able to do things like see the names of other site users in the People Picker or view document metadata. External users will also appear in the People Picker as site users. This means that other people who use your site could grant different permissions to these users than you initially granted when you shared the site with them. Be sure you know the identity of external users before you invite them to your site.

If you invite external users to your Team site, they will be able to view content on the Team site and all subsites. If you want to avoid having external users gain access to important or sensitive content on your Team site, you should create a subsite of your Team site that has unique permissions, and then share only that subsite with external users. To learn more about permissions inheritance, see What is permissions inheritance?

Similarly, if you want to share a subsite that you’ve created on your OneDrive for Business location, you might want to ensure that it has unique permissions so that you do not accidentally grant users permission to additional sites or content on your OneDrive for Business site.

Top of Page Top of Page

Best practices for sharing documents

If you share documents using anonymous guest links, then it is possible for invitation recipients to share those guest links with others, who could use them to view content. Do not use guest links to share documents that are sensitive. If you want to minimize the risk that someone might share an anonymous link, share a document by requiring sign-in instead.

Deciding how to share

When considering if and how you want to share content externally, think about the following:

  • To whom do you want to grant access to content on your Team site and any subsites, and what do you want them to be able to do?
  • To whom in your organization do you want to grant permission to share content externally?
  • Is there content you want to ensure is never available to be viewed by people external to your organization?

The answers to these questions will help you plan your strategy for content sharing.

Try this: If you need to:

Share a site

If you want to share a site, but you also want to restrict external users from gaining access to some of your organization’s internal content, consider creating a subsite with unique permissions that you use exclusively for the purpose of external sharing.

Provide someone outside your organization with ongoing access to information and content on a site. They need the ability to perform like a full user of your site and create, edit, and view content.
Share a document and require sign-in. Provide one or several people outside your organization with secure access to a specific document for review or collaboration, but these people do not require ongoing access to other content on your internal site.
Share a document, but don’t require sign-in. Share a link to a non-sensitive or non-confidential document with people outside your organization so that they can either view it or update it with feedback. These people do not require ongoing access to content on your internal site.

Top of Page Top of Page

Turn external sharing on or off for a SharePoint Online environment (tenant)

You can configure external sharing at two levels within the SharePoint admin center:

  1. You can turn external sharing on or off globally for an entire SharePoint Online environment (or tenant).    Additionally, if you turn on external sharing, you can specify if you want to allow sharing only with authenticated users, or if you want to allow users to share content with both authenticated users and anonymous users through guest links.
  2. You can turn external sharing on or off for individual site collections.    This provides you with the ability to secure content on specific site collections that you do not want to be shared. You can also specify which level of sharing you want to allow in a site collection (sharing with authenticated users, or sharing with both authenticated users and anonymous users through guest links).

When you first sign into the SharePoint admin center, external sharing is turned on by default for both your entire SharePoint Online environment (sometimes referred to as a tenant) and the site collections in it. You may want to turn it off globally before people start using sites or until you know exactly how you want to use the feature.


 Notes 

  • If your tenant has been upgraded from the 2010 experience, you will not be able to manage external sharing through the SharePoint admin center for sites that are still using the 2010 experience. To manage external sharing for sites using the 2010 experience, you will need to follow the steps in the 2010 article Share a site with external users.
  • The ability to share content through anonymous guest links is a new feature for 2013 sites. It will be turned off by default for any sites upgraded from the 2010 experience. If you want to enable it, you will need to turn it on.

You should include planning for external sharing as part of your overall permissions planning for SharePoint Online. In general, it is a best practice to operate on the “principle of least privilege” and grant external users minimal and limited access to your environment. You may even want to create a special permissions group to which external users are assigned when they receive invitations. You should also consider segmenting your content by security levels, so that sensitive content is centrally located and can be tightly secured. If you anticipate an ongoing need to have external users log in to your site and perform specific tasks consider creating a site collection that is dedicated to the purpose of external sharing. This way, you can allow external users access to specific content without opening up your entire environment to them.

For more information about planning for permissions, see Plan your permissions strategy.

Configure external sharing for your SharePoint Online environment

You must be a SharePoint Online administrator to configure external sharing.

  1. Go to the SharePoint admin center
  2. Click settings .
  3. In the section External sharing, do one of the following:
If you want to: Select this option: For this result:
Prevent all users on all sites from sharing sites or content with external users.

Don’t allow sharing outside your organization

  • Users will not be able to share sites or content with users who do not have licenses to your Office 365 subscription.
  • External sharing cannot be turned on for any individual site collections.
Require external users who have received invitations to view sites or content to sign-in with a Microsoft account before they can access the content. Allow external users who accept sharing invitations and sign in as authenticated users
  • Site owners or others with full control permission can share sites with external users.
  • All external users will be required to sign in before they can view content.
  • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to be able to share documents through the use of anonymous guest links, which do not require invited recipients to sign in.

Allow both external users who accept sharing invitations and guest links

  • Site owners or others with full control permissions can share sites with external users.
  • All external users will be required to sign in before they can view content on a site that has been shared.
  • Site owners or others with full control permissions can share documents and opt to require sign-in, or send an anonymous guest link for documents.
  • When site users share a document, they can grant external users either view or edit permissions to the document.
  • External users who receive anonymous guest links can view or edit that content without signing in.
  • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.


 Notes 

  • If you turn off external sharing for your entire environment and later turn it back on, external users who previously had access to content or documents on sites will regain access to them. If you know that external sharing was previously turned on and in use for specific site collections and you do not want external users to be able to regain access if external sharing is ever turned on again globally, we recommend that you first turn off external sharing for those specific site collections.
  • When you turn off external sharing at the site collection level, all external user permissions for that site collection will be permanently deleted.
  • When you turn off external sharing at the site collection level, guest links will be disabled, but they could start working again if external sharing is ever turned on again. If you want to permanently revoke access to specific documents, you will need to disable the anonymous guest links.
  • If you disable external access, or limit external access to a more restrictive form, external users will typically lose access within one hour of the change.

Top of Page Top of Page

Turn external sharing on or off for individual site collections

You must be a SharePoint Online admin to configure external sharing for individual site collections. This task must be performed within the SharePoint Online admin center for site collections that use the 2013 experience, and site collection administrators are not allowed to change external sharing configurations.

For site collections that use the 2010 experience, you must change the external sharing features from the Site Collection Features page. For more information, see the version 2010 article Share a site with external users.

  1. Go to the SharePoint admin center.
  2. Click site collections.
  3. In the Site Collections list, select the specific site collection(s) you want to update and then click Sharing.
  4. Do one of the following:
If you want to: Select this option: For this result:
Prevent all users on all sites from sharing sites or sharing content on sites with external users.

Don’t allow sharing outside your organization

  • Users will not be able to share sites or content in this site collection with users who do not have licenses to your Office 365 subscription.
  • If sharing was previously turned on for this site collection, any external users who were invited to sign-in and view content on sites in this site collection will be permanently deleted.
  • If you ever plan to turn on external sharing for this site collection again, these external users would need to be re-invited.
Require external users who have received invitations to view sites or content to sign-in with a Microsoft account before they can access the content. Allow external users who accept sharing invitations and sign in as authenticated users
  • Site owners or others with full control permission can share sites with external users.
  • Site owners or others with full control permissions on a site can share documents with external users by requiring sign-in.
  • All external users will be required to sign in before they can view content.
  • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to share documents through the use of anonymous guest links, which do not require invited recipients to sign in.

Allow both external users who accept sharing invitations and guest links

  • Site owners or others with full control permissions can share sites with external users.
  • All external users will be required to sign in before they can view content on a site that has been shared.
  • Site owners or others with full control permissions can also share documents externally opt to require sign-in, or send an anonymous guest link for documents.
  • When users share a document, they can grant external users either view or edit permissions to the document.
  • External users who receive anonymous guest links can view or edit that content without signing in.
  • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.


 Notes 

  • If external sharing is turned off for the entire SharePoint Online environment, you will not be able to turn it on for specific site collections.
  • The external sharing settings for individual site collections cannot be less restrictive than whatever is allowed for the entire SharePoint Online environment, but these settings can be more restrictive. For example, if external sharing is turned on for the entire SharePoint Online environment, but it is limited to allowing only authenticated users, then that will be the only kind of external sharing you can allow in a specific site collection. If external sharing through both sign-in and anonymous guest links is allowed for the entire SharePoint Online environment, you can opt to turn off external sharing entirely for a specific site collection or you can limit external sharing to authenticated users (no guest links).
  • If external sharing is turned off globally in the SharePoint Online Admin center, any shared links will stop working. If the feature is later reactivated, these links will resume working. It is also possible to disable individual links that have been shared if you want to permanently revoke access to a specific document.
  • If you change the external sharing settings for the My Site site collection, these changes will also apply to any existing or newly created My Site personal content site collection.
  • Sharing settings on the –my site site collection (e.g., https://contoso-my.sharepoint.com) will apply to the OneDrive for Business sites for all users of the organization. You cannot selectively manage sharing for a particular user’s OneDrive for Business site.

Top of Page Top of Page

Manage external sharing for sites that have not been upgraded to the 2013 experience.

If your Office 365 subscription has recently been upgraded to the 2013 experience, and you have not yet upgraded the site collections and sites in your SharePoint Online environment, you will need to use different settings to manage external sharing for these site collections. For more information, see the 2010 article Share a site with external users.

Top of Page Top of Page

View external sharing settings for site collections

To quickly view the external sharing settings for multiple site collections, select the site collections on the site collections page in the SharePoint Admin center, and then click Sharing.

The dialog box will display the current settings. Click Cancel to dismiss the dialog box without applying any changes.

 Note    For site collections still using the 2010 experience, you will need to go to the Site Collection Features page for each site collection to see if the feature is activated. For more information, see the 2010 article Share a site with external users.

Top of Page Top of Page

Remove external users

If a site has been shared with an external user, and you want to revoke that user’s access to the site, you can do so by removing that individual’s permissions for the site.

  1. Go to the site on which you want to withdraw an invitation.
  2. Click settings Settings button > Site Settings.
  3. Under Users and Permissions, click People and groups.
  4. Under Groups, select the group from which you want to remove users.
  5. Select the users you want to remove, point to Actions, and then click Remove Users from Group.
  6. When you are asked to confirm that you want to remove the user(s), click OK.


 Notes 

  • There is no global way to see a list of all the sites to which an external user has access. You need to go to the individual sites to determine whether a specific user has access to it
  • There is also no global way to see a list of all documents that have been shared externally.

Top of Page Top of Page

Withdraw invitations

If you want to withdraw an invitation you have sent to an external user, you can revoke the invitation before it is accepted.

  1. Go to the site on which you want to withdraw an invitation.
  2. Go to Settings Settings button > Site Settings.
  3. Under Users and Permissions, click Access requests and invitations.
  4. Under External User Invitations, find the person you would like to uninvited to the site and click Open Menu.
  5. In the properties window, click Withdraw.

If the external user has already accepted an invitation, and you want to remove them from your site, you can do so by removing them from the SharePoint permissions group to which you assigned them. The person in your organization who has permissions as the Office 365 admin or SharePoint Online admin may also remove them by using the SharePoint Online Management Shell. For more information, see the user management cmdlets in the article Introduction to the SharePoint Online Management Shell.

Top of Page Top of Page

Disable an anonymous guest link

When a document has been shared through a guest link, you can see this information in the properties menu for the document.

Properties dialog box showing that a document has been shared with a guest link.

You can revoke access to a document that has been shared through a guest link by disabling the link.

  1. Go to the library that contains the document for which you want to remove a guest link.
  2. Point to the document, and click Open Menu.
  3. Click a guest link in the sentence Open to anyone with a guest link.
  4. Next to the URL for the guest link, click the Delete button.
  5. When you are asked if you want the link disabled, click Disable Link.
    Dialog box asking you if you want to disable a guest link for a document that has been shared so that it will not work anymore.

When people outside your organization attempt to access the content using the guest link, they will see a message indicating that they cannot access it.

Top of Page Top of Page

 
 
Applies to:
Office 365 Enterprise admin, Office 365 Midsize Business admin, SharePoint admin center, SharePoint Online Enterprise (E1), SharePoint Online Enterprise (E3 & E4), SharePoint Online Midsized Business