Manage external sharing for your SharePoint Online environment

If your organization performs work that involves sharing documents or collaborating directly with vendors, clients, or customers, then you might want to use the external sharing features of SharePoint Online to share content with people outside your organization who do not have licenses for your Microsoft Office 365 subscription.

This article describes the external sharing features of SharePoint Online. If you’re looking for other external sharing features in Office 365, see:

What are the external sharing features of SharePoint Online?

External sharing features include:

  • The ability to turn external sharing on or off globally for an entire SharePoint Online environment (or tenant).    Turning external sharing off at the tenant level means no documents, sites, or site collections can be shared externally.
  • The ability to turn external sharing on or off for individual site collections.    This provides you with the ability to secure content on specific site collections that you do not want to be shared.
  • The ability to share sites and documents with authenticated users.    Authenticated users are those who are invited to sign in by using a Microsoft account or Office 365 user ID.
  • The ability to share sites and documents with guest users.    Guest users, also called anonymous users, don’t need a Microsoft account or Office 365 user ID to access your sites and documents. They access via guest links that you or your employees give to them.

What is an external user?

An external user is someone outside of your organization who can access your SharePoint Online sites and documents but does not have a license for your SharePoint Online or Microsoft Office 365 subscription. External users are not employees, contractors, or onsite agents for you or your affiliates.

External users inherit the use rights of the SharePoint Online customer who is inviting them to collaborate. That is, if an organization purchases an E3 Enterprise plan, and builds a site that uses enterprise features, the external user is granted rights to use and/or view the enterprise features within the site collection they are invited to. While external users can be invited as extended project members to perform a full range of actions on a site, they will not have the exact same capabilities as a full, paid, licensed member within your organization. The limitations are described in the table below.

External users can… External users can’t…
Use Office Online for viewing and editing documents. If your plan includes Office Pro Plus, they will not have the licenses to install the desktop version of Office on their own computers. Create their own personal sites (what used to be referred to as My Sites), edit their profile, change their photo, or see aggregated tasks. External users don’t get their own OneDrive for Business document library.
Perform tasks on a site consistent with the permission level that they are assigned. For example, if you add an external user to the Members group, they will have Edit permissions and they will be able to add, edit and delete lists; they will also be able to view, add, update and delete list items and documents. Be an administrator for a site collection (except in scenarios where you’ve hired a partner to help manage Office 365. You can designate an external user as a designer for your Public Website.
See other types of content on sites. For example, they can navigate to different subsites within the site collection to which they were invited. They will also be able to do things like view site feeds. See the company-wide newsfeed
Add storage to the overall tenant storage pool
Access the Search Center or execute searches against “everything.” Other search features that may not be available include: Advanced Content Processing, continuous crawls, and refiners.
Access site mailboxes
Access PowerBI features such as Power View, Power Pivot, Quick Explore, or Timeline Slicer. These features require an additional license, which is not inherited by external users.
Use eDiscovery. This requires an Exchange Online license.

Other features that might not be available to external users are:

  • Excel Services features, including Calculated Measures and Calculated Members, decoupled Pivot Tables and PivotCharts, Field List and field support, filter enhancements, search filters.
  • SharePoint Online data connection libraries
  • Visio Services

Top of Page Top of Page

Deciding how to share

External sharing is turned on by default for your entire SharePoint Online environment (sometimes referred to as a tenant) and the site collections in it. You may want to turn it off globally before people start using sites or until you know exactly how you want to use the feature.

You have a lot of flexibility when enabling external sharing so you’ll want to spend some time considering your options. For example, you can enable sharing across the tenant, which gives all users the ability to share. You can limit sharing to certain site collections so only those site collection administrators and administrators of sites within those collections can invite external users. You can also limit the ability to share sites and documents to a select group of users.

When considering if and how you want to share content externally, think about the following:

  • To whom do you want to grant access to content on your team site and any subsites, and what do you want them to be able to do?
  • To whom in your organization do you want to grant permission to share content externally?
  • Is there content you want to ensure is never available to be viewed by people external to your organization?

The answers to these questions will help you plan your strategy for content sharing.

Try this: If you need to:

Share a site

If you want to share a site, but you also want to restrict external users from gaining access to some of your organization’s internal content, consider creating a subsite with unique permissions that you use exclusively for the purpose of external sharing. Similarly, if you want to share a subsite that you’ve created on your OneDrive for Business location, you might want to ensure that it also has unique permissions so that you do not accidentally grant users permission to additional sites or content on your OneDrive for Business site.

SharePoint uses a permissions inheritance model where new sites automatically inherit permissions from their parent sites. By assigning unique permissions to subsites you are “breaking” the inheritance chain. To learn more about permissions inheritance, see What is permissions inheritance?

Provide someone outside your organization with ongoing access to information and content on a site. They need the ability to perform like a full user of your site and create, edit, and view content.
Share a document and require sign-in. Provide one or several people outside your organization with secure access to a specific document for review or collaboration, but these people do not require ongoing access to other content on your internal site.
Share a document, but don’t require sign-in.

Share a link to a non-sensitive or non-confidential document with people outside your organization so that they can either view it or update it with feedback. These people do not require ongoing access to content on your internal site.

Note that if you share documents using anonymous guest links, then it’s possible for invitation recipients to share those guest links with others who could use them to view content.

You should include planning for external sharing as part of your overall permissions planning for SharePoint Online. In general, it’s a best practice to operate on the “principle of least privilege” and grant external users minimal and limited access to your environment. You may even want to create a special permissions group to which external users are assigned when they receive invitations. You should also consider segmenting your content by security levels, so that sensitive content is centrally located and can be tightly secured. If you anticipate an ongoing need to have external users log in to your site and perform specific tasks consider creating a site collection that is dedicated to the purpose of external sharing. This way, you can allow external users access to specific content without opening up your entire environment to them.

For more information about planning for permissions, see Plan your permissions strategy.

Top of Page Top of Page

Turn external sharing on or off for a SharePoint Online environment (tenant)

You must be a SharePoint Online administrator to configure external sharing.

  1. From the SharePoint admin center, click settings.
  2. In the External sharing section do one of the following:
If you want to: Select this option: For this result:
Prevent all users on all sites from sharing sites or content with external users.

Don’t allow sharing outside your organization

  • Users will not be able to share sites or content with users who do not have licenses to your Office 365 subscription.
  • External sharing cannot be turned on for any individual site collections.
Require external users who have received invitations to view sites or content to sign-in with a Microsoft account before they can access the content. Allow external users who accept sharing invitations and sign in as authenticated users
  • Site owners or others with full control permission can share sites with external users.
  • All external users will be required to sign in before they can view content.
  • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to be able to share documents through the use of anonymous guest links, which do not require invited recipients to sign in.

Allow both external users who accept sharing invitations and guest links

  • Site owners or others with full control permissions can share sites with external users.
  • All external users will be required to sign in before they can view content on a site that has been shared.
  • Site owners or others with full control permissions can share documents and opt to require sign-in, or send an anonymous guest link for documents.
  • When site users share a document, they can grant external users either view or edit permissions to the document.
  • External users who receive anonymous guest links can view or edit that content without signing in.
  • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.


 Notes 

  • If you turn off external sharing for your entire environment and later turn it back on, external users who previously had access to content or documents on sites will regain access to them. If you know that external sharing was previously turned on and in use for specific site collections and you do not want external users to be able to regain access if external sharing is ever turned on again globally, we recommend that you first turn off external sharing for those specific site collections.
  • When you turn off external sharing at the site collection level, all external user permissions for that site collection will be permanently deleted.
  • When you turn off external sharing at the site collection level, guest links will be disabled, but they could start working again if external sharing is ever turned on again. If you want to permanently revoke access to specific documents, you will need to disable the anonymous guest links.
  • If you disable external access, or limit external access to a more restrictive form, external users will typically lose access within one hour of the change.

Top of Page Top of Page

Turn external sharing on or off for individual site collections

You must be a SharePoint Online admin to configure external sharing for individual site collections. Site collection administrators are not allowed to change external sharing configurations.

  1. From the SharePoint admin center, click site collections.
  2. Check the box next to those site collections whose sharing settings you want to turn on or off.
  3. In the ribbon, click Sharing.

ribbon from SharePoint Online admin center with Sharing button highlighted

  1. Do one of the following:
If you want to: Select this option: For this result:
Prevent all users on all sites from sharing sites or sharing content on sites with external users.

Don’t allow sharing outside your organization

  • Users will not be able to share sites or content in this site collection with users who do not have licenses to your Office 365 subscription.
  • If sharing was previously turned on for this site collection, any external users who were invited to sign-in and view content on sites in this site collection will be permanently deleted.
  • If you ever plan to turn on external sharing for this site collection again, these external users would need to be re-invited.
Require external users who have received invitations to view sites or content to sign-in with a Microsoft account before they can access the content. Allow external users who accept sharing invitations and sign in as authenticated users
  • Site owners or others with full control permission can share sites with external users.
  • Site owners or others with full control permissions on a site can share documents with external users by requiring sign-in.
  • All external users will be required to sign in before they can view content.
  • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.
Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to share documents through the use of anonymous guest links, which do not require invited recipients to sign in.

Allow both external users who accept sharing invitations and guest links

  • Site owners or others with full control permissions can share sites with external users.
  • All external users will be required to sign in before they can view content on a site that has been shared.
  • Site owners or others with full control permissions can also share documents externally opt to require sign-in, or send an anonymous guest link for documents.
  • When users share a document, they can grant external users either view or edit permissions to the document.
  • External users who receive anonymous guest links can view or edit that content without signing in.
  • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.


 Notes 

  • If external sharing is turned off for the entire SharePoint Online environment, you will not be able to turn it on for specific site collections.
  • The external sharing settings for individual site collections cannot be less restrictive than whatever is allowed for the entire SharePoint Online environment, but these settings can be more restrictive. For example, if external sharing is turned on for the entire SharePoint Online environment, but it is limited to allowing only authenticated users, then that will be the only kind of external sharing you can allow in a specific site collection. If external sharing through both sign-in and anonymous guest links is allowed for the entire SharePoint Online environment, you can opt to turn off external sharing entirely for a specific site collection or you can limit external sharing to authenticated users (no guest links).
  • If external sharing is turned off globally in the SharePoint Online Admin center, any shared links will stop working. If the feature is later reactivated, these links will resume working. It is also possible to disable individual links that have been shared if you want to permanently revoke access to a specific document.
  • If you change the external sharing settings for the My Site site collection, these changes will also apply to any existing or newly created personal sites (formerly called My Sites).
  • Sharing settings on the –my site site collection (e.g., https://contoso-my.sharepoint.com) will apply to the OneDrive for Business sites for all users of the organization. You cannot selectively manage sharing for a particular user’s OneDrive for Business site.

Top of Page Top of Page

View external sharing settings for site collections

To quickly view the external sharing settings for a group of site collections:

  1. From the SharePoint admin center, click site collections.
  2. Check the box next to those site collections whose sharing settings you want to check.
  3. In the ribbon, click Sharing.
  4. Scroll through the list of URLs to see sharing settings for each site collection.

sharing dialog showing settings for two site collections

Top of Page Top of Page

Manage external user accounts and invitations

Once external sharing has been enabled for the tenant and/or site collection and sharing permissions established, authorized users can send invitations, create guest links, and revoke access, and so on. For complete instructions, see Share sites or documents with people outside your organization.


 Notes 

  • There is no global way to see a list of all the sites to which an external user has access. You need to go to the individual sites to determine whether a specific user has access to it
  • There is also no global way to see a list of all documents that have been shared externally.

For more information

The admin settings for external sharing differ depending on what Office 365 plan your organization subscribes to.

Top of Page Top of Page

 
 
Applies to:
Office 365 Enterprise admin, Office 365 Midsize Business admin, SharePoint admin center, SharePoint Online Enterprise (E1), SharePoint Online Enterprise (E3 & E4), SharePoint Online Midsized Business