How-to Enable SharePoint External Sharing

One of the great advantages of SharePoint Online and OneDrive is that you can easily share your content not only internally, but also with external and guest users. In SharePoint Online, external sharing is turned on by default for all your SharePoint sites.

Now you may have noticed that you are unable to share files or folders from a Team site, even though you have set (or left) the external sharing in the SharePoint Admin Center to Anyone.

A typical error that your users get when they try to share a file or folder is:

Your organization policies do not allow you to share with these users

The reason for this is that new Microsoft 365 Teams sites are set to “New and Existing Guests” by default. SharePoint Communication sites are even set to “Only people in your organization”.

In this article, we will explain the different SharePoint external sharing levels and how to enable them, not only globally but also per site, and how we can use PowerShell for this.

SharePoint External Sharing Permissions

In SharePoint, we have 4 different sharing levels. We can set those levels globally and also per site with PowerShell. Besides those 4 levels, we can also set a couple of other, important permissions.

So what are the different SharePoint External Sharing permissions:

Anyone

External users and guests can access shared files and folders using a link that doesn’t require sign-in. This option is also called Anonymous sharing because basically anyone with the link can have access to the files.

New and Existing Guests

This is the default permission for new Microsoft 365 connected sites. External users and guests must sign in to access the shared files or folders. They can either sign in with their Microsoft account or enter a verification code.

The external users will be added to your Azure AD as guest users. You can view your guest users in the Microsoft 365 Admin Center > Users > Guest Users.

Existing Guests

With this option, you can only share items with external users who are already in your Azure AD as guest users.

Only people in your organization

This disables external sharing entirely. You can only share items internally. This is the default option for SharePoint communication sites.

SharePoint Admin Center permission settings

In the SharePoint Admin Center you can set the global permissions related to sharing. You will find the sharing policies in the SharePoint Admin Center under Policies > Sharing.

The most important policy is of course External Sharing. The level that you set here is the maximum for all the sites. So, if you set it to New and existing guests, then you can’t set an individual team site to Anyone (ExternalUserAndGuestSharing) with PowerShell, because that is less restrictive than your organization’s policy.

More external sharing settings

Make sure you expand the More external sharing settings. Check the Guest must sign in with the same account.. option, otherwise a sharing invitation can be opened by anyone who has the mail.

Also make sure you de-select Allow guest to share items they don’t own. This is an option that in most cases should be turned off.

File and folder link

In the file and folder section you can set the default link type. If you allow sharing with Anyone (anonymous links), then I recommend setting this to Specific people.

Of course your users want to create a simple link and share it, but keep in mind that you don’t have much control over those links. You can’t see who opens it or with whom the link is shared. So I also try to minimize the use of it.

Also really important: if you are using the sharing with Anyone permission, set an expiration on the links, 14 days for example, and set the permission level to view only.
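The recommendations in this section can be checked from PowerShell as well. The following is an added example, not code from the original article: it tests a tenant settings object against the settings recommended above. The function name Test-TenantSharingSettings and the sample object are assumptions made for illustration; the property names are the ones returned by Get-PnPTenant.

```powershell
function Test-TenantSharingSettings {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Tenant,
        [int] $MaxLinkDays = 14   # expiration suggested in the article
    )
    process {
        $findings = @()
        # "Guests must sign in with the same account" should be checked
        if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) {
            $findings += 'Invitations can be redeemed by an account other than the one invited'
        }
        # "Allow guests to share items they don't own" should be de-selected
        if (-not $Tenant.PreventExternalUsersFromResharing) {
            $findings += 'Guests can reshare items they do not own'
        }
        # Default link type should be Specific people (value: Direct)
        if ("$($Tenant.DefaultSharingLinkType)" -ne 'Direct') {
            $findings += "DefaultSharingLinkType is $($Tenant.DefaultSharingLinkType), expected Direct"
        }
        # Expiration and view-only only apply when Anyone links are allowed
        if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
            $days = [int]$Tenant.RequireAnonymousLinksExpireInDays
            if ($days -lt 1 -or $days -gt $MaxLinkDays) {
                $findings += "RequireAnonymousLinksExpireInDays is $days, expected 1 to $MaxLinkDays"
            }
            foreach ($p in 'FileAnonymousLinkType', 'FolderAnonymousLinkType') {
                if ("$($Tenant.$p)" -ne 'View') {
                    $findings += "$p is $($Tenant.$p), expected View"
                }
            }
        }
        $findings
    }
}

# Constructed sample resembling Get-PnPTenant output (not real tenant data)
$sample = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    RequireAcceptingAccountMatchInvitedAccount = $false
    PreventExternalUsersFromResharing          = $true
    DefaultSharingLinkType                     = 'AnonymousAccess'
    RequireAnonymousLinksExpireInDays          = 0
    FileAnonymousLinkType                      = 'Edit'
    FolderAnonymousLinkType                    = 'View'
}
$sample | Test-TenantSharingSettings
# Against a live tenant, after Connect-PnPOnline: Get-PnPTenant | Test-TenantSharingSettings
```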

Enable External Sharing with PowerShell

With PowerShell, you can easily set the correct sharing permission for a SharePoint site. We are going to use the PnP-PowerShell module for this. If you don’t have it installed yet, then you can install it in PowerShell with the following command:

Install-Module SharePointPnPPowerShellOnline

Once you have PnP PowerShell installed, we can continue with setting the sharing permission for our team site. First, we are going to connect to our SharePoint admin site.

You can find the URL to connect to by opening the SharePoint Admin Center in your browser and copying the URL from the address bar.

# Connect to SharePoint Admin
Connect-PnPOnline https://contoso-admin.sharepoint.com -UseWebLogin

# Set the sharing permission for the SharePoint site
# Replace the URL with the URL of your SharePoint site
Set-PnPTenantSite -Url https://contoso.sharepoint.com/teams/lab01 -Sharing ExternalUserAndGuestSharing

# Check the settings
# Replace the URL with the URL of your SharePoint site
Get-PnPTenantSite -Url https://contoso.sharepoint.com/teams/lab01 | select SharingCapability 

I prefer to use the -UseWebLogin switch, because this way we can also connect to SharePoint with an MFA-enabled account (so we don’t need to use the app password).

The options for the -Sharing switch are:

  • Disabled – No external sharing
  • ExistingExternalUserSharingOnly – Only external users that are already in your Azure AD
  • ExternalUserAndGuestSharing – Sharing files and folders with an anonymous link
  • ExternalUserSharingOnly – External users need to log in or enter verification code

Set sharing level on multiple sites

With PowerShell we can easily set or change the sharing level on multiple SharePoint sites. This is really useful if you already have a couple of sites running and you want to change the permission for them.

It’s always a good idea to first get an overview of the current settings. With the following command you can create a list of all the SharePoint sites and their current sharing permission:

# List the sharing permission of all SharePoint sites
Get-PnPTenantSite | select Title, Url, SharingCapability

To change the permissions you can use the following script:

# Get all sites that are not yet set to ExternalUserAndGuestSharing (Anyone)
$sites = Get-PnPTenantSite | select Title, Url, SharingCapability | where {$_.SharingCapability -ne 'ExternalUserAndGuestSharing'}

# Loop through each site
ForEach ($site in $sites)
{
    # Ask confirmation before changing the permissions
    Write-host $site.title " is set to " $site.SharingCapability
    $r = Read-Host 'Change to External and Guest user? y/n'
    if($r -eq 'y')
    {
        Set-PnPTenantSite -Url $site.Url -Sharing ExternalUserAndGuestSharing
    }
}

Sharing SharePoint Communication Site

By default, a SharePoint Communication site can only be shared internally. There also isn’t an option to change this in the SharePoint Admin Center or on the communication site itself.

But with PowerShell, we can change the sharing permissions just like for any other SharePoint site. You can use the script above; all you need to do is use the correct URL of the communication site.

Sharing is then done by clicking on Share on the top right side. You can then enter the email address of the guest user with whom you want to share the site.

External Sharing Best Practice

Allowing your users to collaborate and share data is pretty much always a good idea. If you disable sharing in SharePoint, your users will probably email the files or use WeTransfer. It is better to give them the right tools and educate them in how to use the sharing options correctly.

If possible, set the permission level to New and Existing guests. This way the external users will need to log in, allowing you to track who has access to what. It also gives you the tools to revoke permissions if necessary.

Make sure the permissions of your existing SharePoint sites are matching your policy. Use the PowerShell script to check the current settings.
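To check existing sites against a policy rather than reading the list by eye, the four sharing levels can be ranked and compared with a baseline. This is an added example, not code from the original article; the function name Get-SharingDrift, the default baseline and the sample sites are assumptions made for illustration.

```powershell
function Get-SharingDrift {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string] $Baseline = 'ExternalUserSharingOnly'
    )
    begin {
        # Sharing levels ranked from most to least restrictive
        $rank = @{
            Disabled                        = 0  # Only people in your organization
            ExistingExternalUserSharingOnly = 1  # Existing guests
            ExternalUserSharingOnly         = 2  # New and existing guests
            ExternalUserAndGuestSharing     = 3  # Anyone
        }
    }
    process {
        $level  = "$($Site.SharingCapability)"
        $status = 'OK'
        if (-not $rank.ContainsKey($level)) {
            $status = 'UnknownLevel'
        } elseif ($rank[$level] -gt $rank[$Baseline]) {
            $status = 'MorePermissive'
        }
        # Report only sites that need attention, including unrecognised values
        if ($status -ne 'OK') {
            [pscustomobject]@{
                Title    = $Site.Title
                Url      = $Site.Url
                Current  = $level
                Baseline = $Baseline
                Status   = $status
            }
        }
    }
}

# Constructed sample resembling Get-PnPTenantSite output (not real tenant data)
$sampleSites = @(
    [pscustomobject]@{ Title = 'Lab 01'; Url = 'https://contoso.sharepoint.com/teams/lab01'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Title = 'Intranet'; Url = 'https://contoso.sharepoint.com/sites/intranet'; SharingCapability = 'Disabled' }
    [pscustomobject]@{ Title = 'Projects'; Url = 'https://contoso.sharepoint.com/teams/projects'; SharingCapability = 'ExternalUserSharingOnly' }
)
$sampleSites | Get-SharingDrift -Baseline ExternalUserSharingOnly | Format-Table -AutoSize
# Against a live tenant: Get-PnPTenantSite | Get-SharingDrift | Export-Csv sharing-drift.csv -NoTypeInformation
```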

If you are using anonymous links (sharing with Anyone), make sure you set an expiration on the links and limit the permissions.

Keep in mind that you will not only need to educate your users, but also the external users in the beginning. Yes, anonymous links are easy to work with, but make a short guide for your external users, so they know how to log in or how to create a Microsoft account. Training your users is the most important step when it comes to using the sharing capabilities of SharePoint.
