Secure external sharing recipient experience
In SharePoint, if you share with a person who isn't in the directory, they're sent a one-time code that they can use to verify their identity.
This article describes the current default one-time-passcode experience. However, we recommend that you enable SharePoint and OneDrive integration with Microsoft Entra B2B, which replaces this experience.
Recipients of secure external sharing who also use Microsoft 365 in their organization can sign in using their work or school account to access the document. After they enter the one-time passcode for verification the first time, they authenticate with their work or school account and have a guest account created in the host's organization. IT admins can manage them like any other guest account in their directory.
Guest accounts are used for sharing sites, and you can always add guests to your directory if you need to give them access to more than just a file or folder.
The following table shows the differences between sharing with people who have guest accounts and with ad hoc external recipients.
| Guest account | Ad hoc external recipient | |
|---|---|---|
| Can access shared files and folders | Yes | Yes |
| Verify access by... | Signing in to Microsoft 365 | Entering a time-sensitive and single-use code sent to the email address that the file or folder was share with |
| Actions are audited | Yes | Yes |
| Can have friendly name | Yes | Friendly name is the email address that the file or folder was shared with |
| Can be Group members | Yes | No |
| Can edit in Word, Excel, PowerPoint, or other Microsoft 365 apps | Yes | No |
| Access controlled by Microsoft Entra Conditional Access policies | Yes | No |
When you use the Share dialog box to share with "specific people" and the recipients are all outside the organization, then a secure link is created and the specified email addresses are secured, or added, to the link. This appears in audit logs in the following ways.
Note
If the UserType property of a User object is "guest", the user is outside of your organization but may be an ad hoc external recipient that does not have a guest account.
Note
Auditing operations related to sharing invitations can still appear in situations when SharePoint items other than files and folders are shared with guests (for example, when you share a SharePoint site with guests).
| Operation | Description |
|---|---|
| SecureLinkCreated | A link that only works for specific people was created. It's usually followed by a series of AddedToSecureLink operations, which signify the users who were secured to the link. The value in the Detail column for this activity identifies the UniqueSharingId for this link, which can be used to match against future AddedToSecureLink and RemovedFromSecureLink operations. |
| SecureLinkDeleted | A link that only works for specific people was deleted. It's usually preceded by a series of RemovedFromSecureLink operations, which signify the users who used to be secured to the link. The value in the Detail column for this activity identifies the UniqueSharingId for this link, which can be used to match against future AddedToSecureLink and RemovedFromSecureLink operations. |
| AddedToSecureLink | A link that only works for specific people was secured to a user. The value in the Detail column for this activity identifies the name or email of the user the link was secured to and whether this user is a guest. The value also has a UniqueSharingId column that identifies the link they were secured to. |
| RemovedFromSecureLink | A user was removed from a link that only works for specific people. The value in the Detail column for this activity identifies the name or email of the user the link was previously secured to and whether this user is a guest. The value also has a UniqueSharingId column that identifies the link they were secured to. |