Configure tenant-level sharing settings for SharePoint and OneDrive


SharePoint and OneDrive are two cloud-based platforms that allow you to store, share, and collaborate on files and folders in Microsoft 365. The external sharing features of SharePoint and OneDrive let users in your organization share content with people outside the organization (such as partners, vendors, clients, or customers). You can also use external sharing to share between licensed users on multiple Microsoft 365 subscriptions if your organization has more than one subscription.

Tip

External sharing is turned on by default for your entire SharePoint and OneDrive environment. You might want to turn it off globally before people start using sites or until you know exactly how you want to use the feature.

This training unit focuses on how organizations can change their organization-level sharing settings. To change the sharing settings for a site after you set the organization-level sharing settings, see Change sharing settings for a site. To learn how to change the external sharing setting for a specific user's OneDrive, see Change the external sharing setting for a user's OneDrive.

Additional viewing. Watch the following short video titled Control user sharing options to see how the settings on the Sharing page in the SharePoint admin center affect the sharing options available to users.

Organization-level external sharing settings for SharePoint and OneDrive

SharePoint has external sharing settings at both the organization level and the site level (previously called the "site collection" level). To allow external sharing on any site, you must allow it at the organization level. You can then restrict external sharing for other sites. If a site's external sharing option and the organization-level sharing option don't match, the most restrictive value is always applied. OneDrive sharing settings can be the same as or more restrictive than the SharePoint settings. Only Global administrators and SharePoint administrators in Microsoft 365 can change their organization-level sharing settings for SharePoint and OneDrive.
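
The "most restrictive value is always applied" rule can be checked across every site. The following script is an added example, not part of the original training unit; it assumes the SharePoint Online Management Shell module is installed, and the admin URL is a placeholder. It covers SharePoint sites only, because Get-SPOSite does not return OneDrive sites by default.

```powershell
# Added example: report the effective external sharing level of each site.
# Placeholder admin URL; replace with your tenant's SharePoint admin center URL.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# SharingCapability values, ranked from most restrictive (0) to least (3),
# with the matching label on the Sharing page.
$rank = @{
    Disabled                        = 0   # Only people in your organization
    ExistingExternalUserSharingOnly = 1   # Existing guests
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

$tenantLevel = (Get-SPOTenant).SharingCapability.ToString()

$report = Get-SPOSite -Limit All | ForEach-Object {
    $siteLevel = $_.SharingCapability.ToString()

    # The more restrictive of the organization and site values is what applies.
    $effective = if ($rank[$siteLevel] -lt $rank[$tenantLevel]) { $siteLevel } else { $tenantLevel }

    [pscustomobject]@{
        Url       = $_.Url
        Site      = $siteLevel
        Tenant    = $tenantLevel
        Effective = $effective
    }
}

# Summary of how many sites sit at each effective level.
$report | Group-Object Effective | Select-Object Name, Count | Format-Table -AutoSize

# Sites where unauthenticated Anyone links are effectively possible.
$report |
    Where-Object Effective -eq 'ExternalUserAndGuestSharing' |
    Sort-Object Url |
    Format-Table Url, Site, Tenant -AutoSize
```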

To change the organization-level external sharing setting for SharePoint and OneDrive, you must navigate to the Sharing page in the SharePoint admin center:

  1. In the Microsoft 365 admin center, under the Admin centers section in the navigation pane, select SharePoint.
  2. In the SharePoint admin center, select Policies in the navigation pane, and then select Sharing.

On the Sharing page that appears, there are several sections of settings that you can configure:

  • External sharing
  • More external sharing settings
  • File and folder links
  • Advanced settings for Anyone links
  • Other settings

The following sections examine each of these settings sections on the Sharing page.

External sharing

This section of the Sharing page allows you to configure the overall sharing setting for your organization. Each site has its own sharing setting that you can set independently, though it must be the same as or more restrictive than the organization setting. For more information, see Change the external sharing setting for a site.

Important

Microsoft Entra external collaboration settings determine who can invite guests in your organization for site sharing (always) and file and folder sharing (if Azure B2B collaboration is enabled). Be sure to review Microsoft Entra guest access settings as part of your SharePoint and OneDrive sharing setup.

Screenshot of the external sharing setting on the Sharing page.

Note

The SharePoint setting applies to all site types, including those sites connected to Microsoft 365 groups and teams. Groups and Teams guest sharing settings also affect connected SharePoint sites. The OneDrive setting can be more restrictive than the SharePoint setting, but not more permissive.

SharePoint and OneDrive have four main types of sharing settings: Anyone, New and existing guests, Existing guests, and Only people in your organization. Each setting has different implications for the security and privacy of your content, and the ease of collaboration. The following table summarizes the main features and differences of each setting.

Select this option: If you want to:

  • Anyone (default level for both SharePoint and OneDrive): Allow users to share files and folders by using links that let anyone who has the link access the files or folders without authenticating. This setting also allows users to share sites with new and existing guests who authenticate. If you select this setting, you can restrict the Anyone links so that they must expire within a specific number of days, or so that they can give only View permission.

    If you use file requests, then you must set OneDrive to Anyone, and you must enable the edit permissions for Anyone links. If OneDrive is set to anything other than Anyone, then file requests are disabled.

    For more information, see Best practices for sharing files and folders with unauthenticated users.

  • New and existing guests: Require people who received invitations to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or to provide a code to verify their identity. Users can share with guests already in your organization's directory, and they can send invitations to people who will be added to the directory if they sign in. For more info about verification codes, see Secure external sharing in SharePoint.

  • Existing guests: Allow sharing only with guests who are already in your directory. These guests might exist in your directory because they previously accepted sharing invitations or because they were manually added, such as through Azure B2B collaboration. (To see the guests in your organization, go to the Guests page in the Microsoft 365 admin center).

  • Only people in your organization: Turn off external sharing. If you restrict or turn off external sharing, guests typically lose access within one hour of the change. If you turn off external sharing for your organization and later turn it back on, guests who previously had access regain it. If you know that external sharing was previously turned on and in use for specific sites and you don't want guests to regain access, first turn off external sharing for those specific sites.

Whichever option you choose at the organization or site level, the more restrictive functionality is still available. For example, if you choose to allow unauthenticated sharing using "Anyone" links, users can still share with guests who sign in and with internal users.

Note

Even if your organization-level setting allows external sharing, not all new sites allow it by default. For more information, see Default site sharing settings.

If you have confidential information that should never be shared externally, Microsoft recommends storing the information in a site that has external sharing turned off. Create more sites as needed to use for external sharing. Doing so helps you to manage security risk by preventing external access to sensitive information.

Note

To limit internal sharing of contents on a site, you can prevent site members from sharing, and enable access requests. When users share a folder with multiple guests, the guests will be able to see each other's names in the Manage Access panel for the folder (and any items within it). However, they have different sharing settings that you can use to control who can access your content and what they can do with it. For more information, see Set up and manage access requests.

More external sharing settings

This section of the Sharing page allows you to configure more granular external sharing settings in your Microsoft 365 tenant.

Screenshot showing the More external sharing settings on the Sharing page.

The settings that you can configure in this section include:

  • Limit external sharing by domain. This setting is useful if you want to limit sharing with particular partners, or help prevent sharing with people at certain organizations. The organization-level setting on this page affects all SharePoint sites and each user's OneDrive. To use this setting, list the domains (maximum of 5000) in the box, using the format domain.com. To list multiple domains, press Enter after adding each domain.

    You can also limit external sharing by domain by using the Set-SPOTenant Microsoft PowerShell cmdlet with -SharingDomainRestrictionMode and either -SharingAllowedDomainList or -SharingBlockedDomainList. For more information about limiting external sharing by domain at the site level, see Restricted domains sharing.

    Allowed or blocked domains in Microsoft Entra ID also affect SharePoint and OneDrive site sharing (always) and file and folder sharing (if Azure B2B collaboration is enabled). Be sure to review Microsoft Entra collaboration restrictions as part of your SharePoint and OneDrive sharing setup.

  • Allow only users in specific security groups to share externally. You can restrict external sharing of SharePoint and OneDrive content so that only users in specific security groups can share externally. People in these security groups must be allowed to invite guests in the Microsoft Entra guest invite settings. For more information, see Manage security groups.

  • Guests must sign in using the same account to which sharing invitations are sent. By default, guests can receive an invitation at one account but sign in with a different account. After they redeem the invitation, it can't be used with any other account. This setting only applies to sharing that doesn't use Microsoft Entra B2B collaboration.

  • Allow guests to share items they don't own. By default, guests must have full control permission to share items externally.

  • Guest access to a site or OneDrive will expire automatically after this many days. If your administrator set an expiration time for guest access, each guest that you invite to the site or with whom you share individual files and folders is given access for a select number of days. For more information, see Manage guest expiration for a site.

  • People who use a verification code must reauthenticate after this many days. If people who use a verification code selected to "stay signed in" in the browser, they must prove they can still access the account they used to redeem the sharing invitation by entering a code sent to that account. If Azure B2B collaboration is enabled, the Microsoft Entra setting is used instead of this setting.
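
The settings in this section can also be applied with Set-SPOTenant, as mentioned under Limit external sharing by domain. The following script is an added example, not part of the original training unit; the admin URL, domain names and day counts are constructed values, and the mapping of each parameter to its setting on the Sharing page is given in the comments.

```powershell
# Added example: apply the "More external sharing settings" from PowerShell
# and show the values before and after. All concrete values are constructed.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder URL

$before = Get-SPOTenant

$settings = @{
    # Limit external sharing by domain: allow only the listed partner domains.
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'fabrikam.com northwindtraders.com'  # space-separated

    # Guests must sign in using the same account to which invitations are sent.
    RequireAcceptingAccountMatchInvitedAccount = $true

    # Clear "Allow guests to share items they don't own".
    PreventExternalUsersFromResharing = $true

    # Guest access to a site or OneDrive expires automatically after this many days.
    ExternalUserExpirationRequired = $true
    ExternalUserExpireInDays       = 90

    # People who use a verification code must reauthenticate after this many days.
    EmailAttestationRequired   = $true
    EmailAttestationReAuthDays = 30
}

Set-SPOTenant @settings

# Compare the stored values so the change can be recorded or reviewed.
$after = Get-SPOTenant
$settings.Keys | Sort-Object | ForEach-Object {
    [pscustomobject]@{
        Setting = $_
        Before  = $before.$_
        After   = $after.$_
    }
} | Format-Table -AutoSize
```

To block specific domains instead, set -SharingDomainRestrictionMode to BlockList and supply -SharingBlockedDomainList.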

File and folder links

This section of the Sharing page allows you to choose the option to show by default when a user creates a sharing link. This setting specifies the default for your organization, but you can choose a different default link type for a site.

Screenshot showing the File and folder links settings on the Sharing page.

The settings that you can configure in this section include:

  • Specific people. This option is most restrictive and impedes broad internal sharing. If you allow external sharing, this option lets users share with specific people outside the organization.

  • Only people in your organization. If links are forwarded, they work for anyone in the organization. This option is best if your organization shares broadly internally and rarely shares externally.

  • Anyone with the link. This option is available only if your external sharing setting is set to Anyone. Forwarded links work internally or externally, but you can't track who has access to shared items or who accessed shared items. This option is best for friction-free sharing if most files and folders in SharePoint and OneDrive aren't sensitive.

    Important

    If you select Anyone with the link, but the site or OneDrive is set to allow sharing only with guests who sign in or provide a verification code, the default link is Only people in your organization. Users need to change the link type to Specific people to share files and folders in the site or OneDrive externally.

Advanced settings for Anyone links

This section of the Sharing page enables you to select the expiration and permissions options for Anyone links.

Screenshot showing the expiration and permissions options for Anyone links on the Sharing page.

The settings that you can configure in this section include:

  • Link expiration. You can require all Anyone links to expire, and specify the maximum number of days allowed. If you change the expiration time, existing links keep their current expiration time if the new setting is longer, or are updated to the new setting if the new setting is shorter.
  • Link permissions. You can restrict Anyone links so that they can only provide view permission for files or folders.

If you're using file requests, the link permissions must be set to View and edit for files and View, edit, and upload for folders.
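
The default link type and the Anyone link restrictions described in the two sections above can be set from PowerShell as well. The following script is an added example, not part of the original training unit; the admin URL and the 30-day limit are constructed values, and it only ever shortens the expiration period.

```powershell
# Added example: set the default link type and tighten Anyone links.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'   # placeholder URL

$maxDays = 30          # constructed policy value
$tenant  = Get-SPOTenant

# Default link type shown to users: Direct = Specific people,
# Internal = Only people in your organization, AnonymousAccess = Anyone with the link.
Set-SPOTenant -DefaultSharingLinkType Direct

if ($tenant.SharingCapability -ne 'ExternalUserAndGuestSharing') {
    # Anyone links exist only when the external sharing setting is Anyone.
    Write-Output 'Anyone links are not enabled at the organization level; nothing to tighten.'
}
else {
    # A value of 0 or less means Anyone links never expire.
    $current = $tenant.RequireAnonymousLinksExpireInDays
    if ($current -le 0 -or $current -gt $maxDays) {
        Set-SPOTenant -RequireAnonymousLinksExpireInDays $maxDays
    }

    # Restrict Anyone links to view permission. Skip this line if you use
    # file requests, which need edit (files) and upload (folders) permission.
    Set-SPOTenant -FileAnonymousLinkType View -FolderAnonymousLinkType View
}

# Confirm the resulting configuration.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType
```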

Other settings

This section of the Sharing page allows you to choose how SharePoint and OneDrive display user names for files or pages.

Screenshot showing the Other settings on the Sharing page.

The settings that you can configure in this section include:

  • Show owners the names of people who viewed their files in OneDrive. This setting lets you control whether the owner of a shared file can see on the file card the people who only view (and don't edit) the file in OneDrive. The file card appears when users hover over a file name or thumbnail in OneDrive. The info includes the number of views on the file, the number of people who viewed it, and the list of people who viewed it. To learn more about the file card, see See files you shared in OneDrive.

    Note

    This setting is selected by default. If you clear it, file viewer info is still recorded and available to you to audit as an admin. OneDrive owners can also still see people who viewed their shared Office files by opening the files from Office.com or from the Office desktop apps.

  • Let site owners choose to display the names of people who viewed files or pages in SharePoint. This setting lets you specify whether site owners can allow users who have access to a file, page, or news post to see on the file card who viewed the item.

    Screenshot showing Viewer information on the file card for a document.

    This setting is turned on by default at the organization level and off at the site level for existing sites. Viewer information is shown only when the setting is on at both the organization and site level. We recommend that site owners turn on this feature only on team sites that don't have sensitive information. Learn how site owners can turn on this feature.

    Note

    Historical data is included when this setting is enabled. Likewise, if the setting is turned off and back on at the organization level or site level, the views during the off period are included in the history.

  • Use short links for sharing files and folders. When this option is selected, a shorter link format is used for sharing files and folders. This option might be useful if you have integrations that require a shorter URL.