SharePoint external sharing

The layered controls that decide who outside your organisation can access SharePoint and OneDrive content.

External sharing in SharePoint and OneDrive is one of the most useful and most dangerous features in Microsoft 365. Knowing the layered controls — and where each kicks in — is essential for a sane tenant.

The four levels of sharing

The tenant-wide setting and each per-site setting can be set to one of four levels:

  1. Anyone — anyone with the link, no sign-in required. The most permissive.
  2. New and existing guests — external users sign in or get a one-time passcode. Guest accounts are created.
  3. Existing guests only — only users already in the directory as guests can be invited.
  4. Only people in your organisation — no external sharing at all.

The tenant-wide level is the maximum; each site's level can be the same or more restrictive. The per-site setting in the SharePoint admin center is the right granularity for most policy decisions.

"Anyone" links are powerful — recipients don't sign in, can't be tracked, and can forward the link freely. By default they expire (configurable in SharePoint admin settings). Most security teams disable Anyone links tenant-wide or limit them to view-only.
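The tenant-ceiling rule and the Anyone-link settings described above can be checked with a read-only audit. This is an added example, not part of the original page; it assumes the SharePoint Online Management Shell is installed and a `Connect-SPOService` session is already open, and the mapping of `SharingCapability` values to the four levels is shown in the comments.

```powershell
# Added example: read-only audit, changes nothing in the tenant.
# Assumes an existing Connect-SPOService session (SharePoint Online Management Shell).

# SharingCapability values ranked from most to least restrictive.
$rank = @{
    'Disabled'                        = 0  # Only people in your organisation
    'ExistingExternalUserSharingOnly' = 1  # Existing guests only
    'ExternalUserSharingOnly'         = 2  # New and existing guests
    'ExternalUserAndGuestSharing'     = 3  # Anyone
}

$tenant      = Get-SPOTenant
$tenantLevel = [string]$tenant.SharingCapability

$report = Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = [string]$_.SharingCapability
    # The tenant level is the maximum, so the effective level is
    # whichever of the two settings is more restrictive.
    $effective = if ($rank[$siteLevel] -gt $rank[$tenantLevel]) { $tenantLevel } else { $siteLevel }
    [pscustomobject]@{
        Url         = $_.Url
        SiteLevel   = $siteLevel
        Effective   = $effective
        AnyoneLinks = ($effective -eq 'ExternalUserAndGuestSharing')
    }
}

# Tenant-wide ceiling and the Anyone-link settings that apply under it.
"Tenant ceiling:            $tenantLevel"
"Anyone link expiry (days): $($tenant.RequireAnonymousLinksExpireInDays)"
"Anyone file link type:     $($tenant.FileAnonymousLinkType)"
"Anyone folder link type:   $($tenant.FolderAnonymousLinkType)"

# How many sites sit at each effective level.
$report | Group-Object Effective | Select-Object Name, Count | Format-Table -AutoSize

# Sites where Anyone links can actually be created.
$report | Where-Object AnyoneLinks | Sort-Object Url | Format-Table Url, SiteLevel -AutoSize
```

Sites listed in the last table are the ones to review first if the goal is to disable Anyone links or restrict them to view-only.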

Guest expiration

Even with sharing restricted to signed-in guests, guest accounts can drift, staying in the directory long after anyone uses them. Cleaning up inactive guests in Entra ID (and applying SharePoint's own guest expiration policies) is essential. A typical policy: guests are removed if not active for 90–180 days.

Sensitivity labels for sites

The modern way to govern site-level sharing is via sensitivity labels applied to the SharePoint site (or the underlying Microsoft 365 Group / Team). A label can enforce:

  • Maximum external sharing level.
  • Whether unmanaged devices can access.
  • Whether default sharing links are "Anyone," "People in your org," or "Specific people."
  • Default link permissions (View vs Edit).
  • Conditional Access policies.

This pushes governance from a separate admin task into the data-classification flow that users already do — pick the right label, and the right controls follow.

SharePoint Advanced Management

SAM (now part of the Copilot prerequisites for many tenants) adds oversharing reports, restricted access controls to lock down high-risk sites, and block download policies that prevent downloading Word, Excel, PowerPoint, and PDF files while still allowing in-browser viewing.

For any tenant where Copilot is in scope, doing this work first is the most important investment you can make.