How to Enable SharePoint External Sharing

One of the great advantages of SharePoint Online and OneDrive is that you can easily share your content internally and with external and guest users. External Sharing in SharePoint Online is turned off by default for all your SharePoint Sites.

Now you may have noticed that you are unable to share files or folders from a SharePoint site, even though you have set (or left) external sharing in the SharePoint Admin Center to Anyone.

A typical error that your users get when they try to share a file or folder is:

Your organization policies do not allow you to share with these users

The reason for this is that new Microsoft 365 Teams sites are set to “New and Existing Guest” by default. SharePoint Communication sites are even set to “Only people in your organization”.

In this article, we will explain the different SharePoint External Sharing levels and how to enable them, not only globally but also per site, and how we can use PowerShell for this.

SharePoint External Sharing Permissions

In SharePoint, we have 4 different sharing levels that we can set for external sharing. We can set those levels globally and also per site with PowerShell. Besides those 4 levels, we can also set a couple of other, important permissions.


So what are the different SharePoint External Sharing permissions:

Anyone

External users and guests can access shared files and folders using a link that doesn’t require sign-in. This option is also called Anonymous sharing because basically anyone with the link can have access to the files.

New and Existing Guests

This is the default permission for new Microsoft 365 connected sites. External users and guests must sign in to access the shared files or folders. They can either sign in with their Microsoft account or enter a verification code.

The external users will be added to your Azure AD as guest users. You can view your guest users in the Microsoft 365 Admin Center > Users > Guest Users.

Existing Guests

With this option you can only share items with external users that are in your Azure AD as a guest user.

Only people in your organization

This basically disables external sharing altogether. You can only share items internally. This is the default option for SharePoint communication sites.

SharePoint Admin Center permission settings

In the SharePoint Admin Center you can set the global permissions related to sharing. You will find the sharing policies in the SharePoint Admin Center under Policies > Sharing.

The most important policy is of course External Sharing. The level that you set here is the maximum for all the sites. So, if you set it to New and existing guest, then you can’t set an individual team site to Anyone (ExternalUserAndGuestSharing) with PowerShell, because that is less restrictive than your organization’s policy.

More external sharing settings

Make sure you expand More external sharing settings. Check the option Guest must sign in with the same account.., otherwise a sharing invitation can be opened by anyone who has the email.

Also make sure you de-select Allow guest to share items they don’t own. This is an option that in most cases should be turned off.

File and folder link

In the file and folder section, you can set the default link type. If you allow sharing with Anyone (anonymous links), then I recommend setting this to Specific people.

Of course, your users want to create a simple link and share it, but keep in mind that you don’t have much control over those links. You can’t see who opens it or with whom the link is shared. So I also try to minimize the use of it.

If you allow sharing with Anyone, it is also really important to set an expiration on the links, 14 days for example, and to set the permission level to view only.

Enable External Sharing with PowerShell

With PowerShell, you can easily set the correct sharing permission for a SharePoint site. We are going to use the PnP PowerShell module for this. If you don’t have it installed yet, then you can install it in PowerShell with the following command:

Install-Module -Name PnP.PowerShell

If you have PnP PowerShell installed we can continue with setting the sharing permission for our team site. First, we are going to connect to our SharePoint admin site.

You can find the URL to connect to by opening the SharePoint Admin Center in your browser and copying the URL from the address bar.

# Connect to SharePoint Admin
Connect-PnPOnline https://contoso-admin.sharepoint.com -Interactive

# Set the sharing permission for the SharePoint site
# Replace the URL with the URL of your SharePoint site
Set-PnPTenantSite -Url https://contoso.sharepoint.com/teams/lab01 -SharingCapability ExternalUserAndGuestSharing

# Check the settings
# Replace the URL with the URL of your SharePoint site
Get-PnPTenantSite -Url https://contoso.sharepoint.com/teams/lab01 | select SharingCapability 

I prefer to use the -Interactive switch, because this way we can also connect to SharePoint with an MFA-enabled account (so we don’t need to use the app password).

The options for the -SharingCapability parameter are:

  • Disabled – No external sharing
  • ExistingExternalUserSharingOnly – Only external users that are already in your Azure AD
  • ExternalUserAndGuestSharing – Sharing files and folders with an anonymous link
  • ExternalUserSharingOnly – External users need to log in or enter a verification code

Set sharing level on multiple sites

With PowerShell, we can easily set or change the sharing level on multiple SharePoint sites. This is really useful if you already have a couple of sites running and you want to change the permission for them.

It’s always a good idea to first get an overview of the current settings. With the following command, you can create a list of all the SharePoint sites and their current sharing permission:

# List all SharePoint sites with their current sharing permission
Get-PnPTenantSite | select Title, Url, SharingCapability

To change the permissions you can use the following script

# Get all sites that are not set to ExternalUserAndGuestSharing
$sites = Get-PnPTenantSite | select Title, Url, SharingCapability | where {$_.SharingCapability -ne 'ExternalUserAndGuestSharing'}

# Loop through each site
ForEach ($site in $sites)
{
    # Ask confirmation before changing the permissions
    Write-Host "$($site.Title) is set to $($site.SharingCapability)"
    $r = Read-Host 'Change to External and Guest user? y/n'
    if($r -eq 'y')
    {
        # Use the full parameter name; -Sharing is ambiguous on Set-PnPTenantSite
        Set-PnPTenantSite -Url $site.Url -SharingCapability ExternalUserAndGuestSharing
    }
}

Enable SharePoint External Sharing on Tenant Level

You can also enable external sharing in SharePoint Online at the tenant level with PowerShell. This will only change the default sharing capabilities and won’t change the settings for existing SharePoint sites.

# Connect to SharePoint Admin
Connect-PnPOnline https://contoso-admin.sharepoint.com -Interactive

# Enable External Sharing
Set-PnPTenant -SharingCapability ExternalUserAndGuestSharing

To verify the settings you can use:

Get-PnPTenant | Select SharingCapability
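
Get-PnPTenant also returns the other sharing settings discussed in the Admin Center section, so the same check can cover them. The following is an added example, not code from the original article: the function name Test-SharingBaseline and the sample object are constructed for illustration, and the baseline values are this article's recommendations (Direct is the "Specific people" link type).

```powershell
# Added example: check tenant sharing settings against this article's recommendations.
# Baseline: invited account must match, no resharing by guests, default link "Specific
# people" (Direct), Anyone links expire within 14 days and are view-only.
$Baseline = [ordered]@{
    RequireAcceptingAccountMatchInvitedAccount = $true
    PreventExternalUsersFromResharing          = $true
    DefaultSharingLinkType                     = 'Direct'
    RequireAnonymousLinksExpireInDays          = 14
    FileAnonymousLinkType                      = 'View'
    FolderAnonymousLinkType                    = 'View'
}

function Test-SharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,   # object returned by Get-PnPTenant
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    # The Anyone-link settings only matter when anonymous sharing is allowed at all
    $anyoneAllowed = "$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing'
    foreach ($name in $Baseline.Keys) {
        if ($name -like '*Anonymous*' -and -not $anyoneAllowed) { continue }
        $expected = $Baseline[$name]
        $actual   = $Tenant.$name
        if ($name -eq 'RequireAnonymousLinksExpireInDays') {
            # A shorter expiry than the baseline is fine; a value below 1 means no expiry
            $ok = ($actual -ge 1 -and $actual -le $expected)
        } else {
            # Compare as strings so enum values and plain strings compare alike
            $ok = ("$actual" -eq "$expected")
        }
        if (-not $ok) {
            [pscustomobject]@{ Setting = $name; Expected = $expected; Actual = $actual }
        }
    }
}

# Constructed sample standing in for Get-PnPTenant output (not real tenant data)
$sample = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    RequireAcceptingAccountMatchInvitedAccount = $false
    PreventExternalUsersFromResharing          = $true
    DefaultSharingLinkType                     = 'AnonymousAccess'
    RequireAnonymousLinksExpireInDays          = -1
    FileAnonymousLinkType                      = 'Edit'
    FolderAnonymousLinkType                    = 'View'
}
Test-SharingBaseline -Tenant $sample -Baseline $Baseline | Format-Table -AutoSize
# Live tenant: Test-SharingBaseline -Tenant (Get-PnPTenant) -Baseline $Baseline
```

Any setting reported here can be corrected with Set-PnPTenant, which accepts parameters with the same names.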

Sharing SharePoint Communication Site

By default, the SharePoint Communication site can only be shared internally. There also isn’t an option to change this in the SharePoint Admin Center or on the communication site itself.

But with PowerShell, we can change the sharing permissions just like any other SharePoint site. You can use the script above for this; all you need to do is use the correct URL of the communication site.

Sharing is then done by clicking on Share on the top right side. You can then enter the email address of the guest user with whom you want to share the site.

External Sharing Best Practice

Allowing your users to collaborate and share data is pretty much always a good idea. If you disable sharing in SharePoint, your users will probably email the files or use WeTransfer. It is better to give them the right tools and educate them on how to use the sharing options correctly.

If possible, set the permission level to New and Existing guests. This way the external users will need to log in, allowing you to track who has access to what. It also gives you the tools to revoke permissions if necessary.

Make sure the permissions of your existing SharePoint sites match your policy. Use the PowerShell script to check the current settings.
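
One way to run that check on a schedule, as an added example that is not part of the original article: it ranks the four SharingCapability values and reports every site that is more permissive than its allowed maximum. The function name Find-SharingDrift, the exception list and the sample sites are constructed for illustration; the default maximum follows the "New and Existing guests" recommendation above.

```powershell
# Added example: report sites that share more openly than the policy allows.
# Rank of each SharingCapability value, from most to least restrictive
$Rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

function Find-SharingDrift {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        # Maximum level for sites without an explicit exception
        [string] $DefaultMax = 'ExternalUserSharingOnly',
        # Hypothetical exception list: site URL -> maximum allowed level
        [hashtable] $Exceptions = @{}
    )
    process {
        $allowed = if ($Exceptions.ContainsKey($Site.Url)) { $Exceptions[$Site.Url] } else { $DefaultMax }
        $current = "$($Site.SharingCapability)"
        if (-not $Rank.ContainsKey($current) -or -not $Rank.ContainsKey($allowed)) {
            # Never treat an unrecognized level as compliant
            Write-Warning "Unknown sharing level for $($Site.Url): '$current' / '$allowed'"
            return
        }
        if ($Rank[$current] -gt $Rank[$allowed]) {
            [pscustomobject]@{ Title = $Site.Title; Url = $Site.Url; Current = $current; Allowed = $allowed }
        }
    }
}

# Constructed sample standing in for Get-PnPTenantSite output (contoso URLs are placeholders)
$sampleSites = @(
    [pscustomobject]@{ Title = 'Lab 01';   Url = 'https://contoso.sharepoint.com/teams/lab01';   SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Title = 'Finance';  Url = 'https://contoso.sharepoint.com/teams/finance'; SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Title = 'Intranet'; Url = 'https://contoso.sharepoint.com/sites/intranet'; SharingCapability = 'Disabled' }
)
# Finance must stay internal; every other site may go up to the default maximum
$exceptions = @{ 'https://contoso.sharepoint.com/teams/finance' = 'Disabled' }
$sampleSites | Find-SharingDrift -Exceptions $exceptions | Format-Table -AutoSize

# Live tenant, after Connect-PnPOnline to the admin site:
# Get-PnPTenantSite | Find-SharingDrift -Exceptions $exceptions
```

A flagged site can be set back to its allowed level with Set-PnPTenantSite -Url and -SharingCapability, as in the script earlier in this article.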

If you are using anonymous links (sharing with Anyone), make sure you set an expiration on the links and limit the permissions.

Keep in mind that you will not only need to educate your users but also the external users in the beginning. Yes, anonymous links are easy to work with, but make a short guide for your external users, so they know how to log in or how to create a Microsoft account. Training your users is the most important step when it comes to using the sharing capabilities of SharePoint.

4 thoughts on “How to Enable Sharepoint External Sharing”

  1. Hi Rudy,
    One thing that concerns me overall is that in order to enable this, one must set the parent option to be the least restrictive of all. Let’s say we have 120 SharePoint sites that should not be shared, and one that we want. What is to keep the owners of the other sites from sharing externally? Do we run a script daily to restrict all except the one?

    • You should be able to just change the permissions on a single site, using the PowerShell or in the SharePoint Admin Center (Active Sites > Select site > Settings tab)

      • Thx for the reply. I have done that - my concern is site owners can change permissions. I may just remove owner permissions from non-IT

  2. I like it, we recommend per site sharing settings for all of our customers, good to see it explained so well.

    I also like to use the domain allowed list per site to set up dedicated sites for dedicated external domains.
