SharePoint Online: How to manage sharing with external users

- select the contributor at the end of the page -
Office 365 has many useful features, but one of its biggest perks is the way it enables users to easily collaborate with customers, partners and colleagues in other businesses.

Even with on-premise SharePoint 2013 you don't have to worry about access or connector licences for external users. Though, you can't use the Microsoft account authentication system to have them sign in, instead you need to manage authentication yourself (that's easier with third-party tools like AvePoint Perimeter and ITG External Share, but it's just built in with SharePoint Online).

If you allow External Sharing in SharePoint Online, users can share documents or site collections, instead of emailing documents. This is a plus, because it means they're not filling up the mail quota with attached files, nor are they wasting time transferring changes from multiple document versions into their final edit. You'll want to keep in mind, however, that the defaults share a lot more than you might expect, so you should double check some of these settings.

For one, you can block all sharing outside of the business, but that's only likely to send users off to Dropbox or OneDrive (or straight back to email). The admin settings for External Sharing on Office 365 come in handy here, because they let you choose between only allowing external users (who have to sign in as authenticated users) or allowing anonymous guest links (you can do this for each site collection).

Anonymous guest links are convenient (sometimes too convenient, depending on how you view document security). Your users can only share a specific document with a link, but that lets anyone who has a link view and, in some cases, edit documents without signing in (signing in means they have to associate their email address with a Microsoft account). They don't get to see lists, libraries or site collections--which authenticated users can see if a user shares them--but if they pass on the link to someone else, that person can then view or edit the documents as well.

Authenticated user access isn't as straightforward as you might think, either. Depending on the settings for the collection and where they click the Share button, when users share a document they might also end up sharing the site collection it's in, the parent site and the associated lists and libraries. When you share a site using the Share button, external users get access to the root site that the site collection is part of, they become group members and get Contribute rights (these rights let external users share content with other external users). That's great if someone in the other company needs to add their boss to the discussion, but not so great if they decide to share it with your competition.

Your permissions for other sites matter, too. If you allow all authenticated users to see any site, that includes external users. That's what the warning means in the Share dialog related to “sites that share permissions”, but you can't rely on your users to know or handle all of these permissions. Permissions inheritance can go up the hierarchy, as well as down. To avoid surprises, make specific member groups for individual sites, that way sharing a document won't mean sharing other sites by accident.

You can turn off anonymous access for the whole of SharePoint Online from the Settings section of the SharePoint admin center, under external sharing. If you want to block anonymous guest access completely, do it here:

sharepoint online 1

If you want to control those settings for each site collection separately, select those sites in the Site collection section of the SharePoint admin center, and click Sharing on the ribbon to get the same options (no sharing, authenticated users, external users or external and anonymous users).

sharepoint online

Rather than making every site collection share-able, find out what users need and what they don't. You might want to have some specific shareable document libraries, but keep others only for internal use. External users can request access to a site they don't have permission for in the same way internal users can (look under Access requests and invitations in Site Settings). So, as you can see, there's an escape hatch if your security settings get in the way of someone's collaboration.

You can see all your external users in the Office 365 admin center under External Sharing, Sites; you can view or delete them from here. You can also do that from the SharePoint Online Management Shellwith the  PowerShell Get-SPOExternalUser and Remove-SPOExternalUser commands. If you want to see which permissions external users already have, look in the Site Settings for a site and choose Check Permissions in the ribbon to get a list of users and permission levels. If you want to see the files they've accessed, check the Content Activity Reports in Site Settings. And, if you need a lot more visibility for external users, look at third-party tools like Sharegate and AvePoint DocAve.

Because external users need a Microsoft account (an organizational one works too) to authenticate, your users may end up performing some technical support. If they invite someone who doesn't have the required account, and they miss the link at the bottom of the invitation message telling them to create one, they'll end up on a page that states they don't have the right permissions. If you'd rather give those external users a pre-provisioned account, you can either create a free Azure Active Directory to provision Microsoft accounts in, or create Office 365 user accounts that you don't provision with any licences. This equates to more management on your end, but it also gives you a little extra control.

Get our content first. In your inbox.

Loading form...

If this message remains, it may be due to cookies being disabled or to an ad blocker.


Mary Branscombe

Mary Branscombe has been a technology journalist for over two decades, and she’s been the formal or informal IT admin for most of the offices she’s worked in along the way. She was delighted to see the back of Netware 3.11, witnessed the AOL meltdown first-hand the first time around when she ran the AOL UK computing channel, and has been a freelance tech writer ever since. She's used every version of Windows (client and server) and Office released, and every smartphone too. Her favourite programming language is Prolog, giving her a soft spot for Desired State Configuration in PowerShell 4. And yes, she really does wear USB earrings. Find her on Twitter @marypcbuk.