Overview of external sharing in SharePoint and OneDrive in Microsoft 365
Note
By end of June 2024, old invitations sent via the legacy SharePoint Invitation Manager no longer grants access to guests. Users can reshare the document with the guest to generate a new, valid invitation
The external sharing features of SharePoint and OneDrive let users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). You can also use external sharing to share between licensed users on multiple Microsoft 365 subscriptions if your organization has more than one subscription. External sharing in SharePoint is part of secure collaboration with Microsoft 365. Also read Overview of external collaboration options in Microsoft 365.
Important
Trial tenants can utilize SharePoint's robust collaboration features, but the scope of external sharing will be restricted compared to licensed tenants. This is designed to prevent potential abuse and ensure a safe experience for all users.
Planning for external sharing should be included as part of your overall permissions planning for SharePoint and OneDrive. This article describes what happens when users share, depending on what they're sharing and with whom.
If you want to get straight to setting up sharing, choose the scenario you want to enable:
- Collaborate with guests on a document
- Collaborate with guests in a site
- Collaborate with guests in a team
(If you're trying to share a file or folder, see Share OneDrive files and folders or Share SharePoint files or folders in Microsoft 365.)
Note
External sharing is turned on by default for your entire SharePoint and OneDrive environment. You may want to turn it off globally before people start using sites or until you know exactly how you want to use the feature.
There are two external sharing models used in SharePoint and OneDrive:
SharePoint external authentication
SharePoint and OneDrive integration with Microsoft Entra B2B
When using Microsoft Entra B2B integration, Microsoft Entra external collaboration settings, such as guest invite settings and collaboration restrictions apply.
The following table shows the differences between the two sharing models.
Sharing method | Files and folders | Sites |
---|---|---|
SharePoint external authentication (Microsoft Entra B2B integration not enabled) |
No guest account created* Microsoft Entra settings don't apply |
N/A (Microsoft Entra B2B always used) |
Microsoft Entra B2B integration enabled | Guest account always created Microsoft Entra settings apply |
Guest account always created Microsoft Entra settings apply |
*A guest account may already exist from another sharing workflow, such as sharing a team, in which case it's used for sharing.
For information on how to enable or disable Microsoft Entra B2B integration, see SharePoint and OneDrive integration with Microsoft Entra B2B.
SharePoint has external sharing settings at both the organization level and the site level (previously called the "site collection" level). To allow external sharing on any site, you must allow it at the organization level. You can then restrict external sharing for other sites. If a site's external sharing option and the organization-level sharing option don't match, the most restrictive value will always be applied. OneDrive sharing settings can be the same as or more restrictive than the SharePoint settings.
Whichever option you choose at the organization or site level, the more restrictive functionality is still available. For example, if you choose to allow unauthenticated sharing using "Anyone" links, users can still share with guests, who sign in, and with internal users.
Note
Even if your organization-level setting allows external sharing, not all new sites allow it by default. See Default site sharing settings for more information.
Security and privacy
If you have confidential information that should never be shared externally, we recommend storing the information in a site that has external sharing turned off. Create additional sites as needed to use for external sharing. This helps you to manage security risk by preventing external access to sensitive information.
Note
To limit internal sharing of contents on a site, you can prevent site members from sharing, and enable access requests. For info, see Set up and manage access requests.
When users share a folder with multiple guests, the guests will be able to see each other's names in the Manage Access panel for the folder (and any items within it).
When you or your users create Microsoft 365 groups (for example in Outlook, or by creating a team in Microsoft Teams), a SharePoint team site is created. Admins and users can also create team sites in SharePoint, which creates a Microsoft 365 group. For group-connected team sites, the group owners are added as site owners, and the group members are added as site members. In most cases, you'll want to share these sites by adding people to the Microsoft 365 group. However, you can share only the site.
Important
It's important that all group members have permission to access the team site. If you remove the group's permission, many collaboration tasks (such as sharing files in Teams chats) won't work. Only add guests to the group if you want them to be able to access the site. For info about guest access to Microsoft 365 groups, see Manage guest access in Groups.
When users share with people outside the organization, an invitation is sent to the person in email, which contains a link to the shared item.
Because these guests don't have a license in your organization, they're limited to basic collaboration tasks:
They can use Office.com for viewing and editing documents. If your plan includes Office Professional Plus, they can't install the desktop version of Office on their own computers unless you assign them a license.
They can perform tasks on a site based on the permission level that they've been given. For example, if you add a guest as a site member, they'll have Edit permissions and they'll be able to add, edit and delete lists; they'll also be able to view, add, update and delete list items and files.
They'll be able to see other types of content on sites, depending on the permissions they've been given. For example, they can navigate to different subsites within a shared site. They'll also be able to do things like view site feeds.
If your authenticated guests need greater capability such as OneDrive storage or creating a Power Automate flow, you must assign them an appropriate license.
You can stop sharing with guests by removing their permissions from the shared item, or by removing them as a guest in your directory.
You can stop sharing with people who have an Anyone link by going to the file or folder that you shared and deleting the link or by turning off Anyone links for the site.
Learn how to stop sharing an item
If you have technical questions about this topic, you might find it helpful to post them on the SharePoint discussion forum. It's a great resource for finding others who have worked with similar issues or who have encountered the same situation.
Searching for site content shared externally
Configure Teams with three tiers of protection
Create a secure guest sharing environment
Settings interactions between Microsoft 365 Groups, Teams and SharePoint