The Definitive Guide to Office 365 External Sharing

The Definitive Guide to Office 365 External Sharing


Part of my job at Sharegate is to analyze and answer all the great feedback we receive here. I have to say, I’m always pleased to read positive feedback, but I’m also very happy when we have great suggestions so I can discuss them with the team. It might end up as a new feature!

Recently, we received a lot of questions on how to manage the Office 365 external sharing of documents and list items. Questions like "How can I find all the objects with permissions given to external users", "How can I discern which users are internal or external users" or "How can it can be easier to be sure all the site collections are secure".

So I’ve decided to look at the external sharing on Office 365. I found the feature really powerful but very complex to understand.

How to deal with Office 365 External Sharing

Table of Contents

I’ve separated the content in multiple sections:

  1. How to configure External Sharing on Office 365
  2. How to share content
  3. How to manage External Sharing from Office 365 Administration
  4. How Sharegate can help you control external sharing

So clear up your mind, and let's dive into Office 365 External Sharing.

A Quick Overview

In Office 365, you'll find two different external user types:

  • Authenticated User
  • Anonymous Guest

The table below gives you a quick overview on what can be shared depending on the external user type:

 Authenticated UsersAnonymous Guests
  • Signing in is required before they can view content (Microsoft account or Office 365 user account)
  • Can access content from a shared link without signing in
What you can share
  • A complete site
  • Lists and Libraries
  • Documents
  • Only Documents
Who can share
  • Site owners and others with full control permissions can share site
  • All members as contributors can share lists, libraries and documents
  • All site users can share a document and generate a view or edit link for external sharing
What kind of sharing
  • Exactly the same you have with your internal users
  • View only link
  • Edit link
What are the security risks
  • If you give full control to an external user, he might be able to share content with other external users
  • It’s hard to make the link between the mail address you made the invite to and the Microsoft account associated.
  • Permission inheritance if you give access to a site
  • Anonymous guest links can be shared to other people who might be able to view or edit the content. You won’t be able to track any changes.

i. How to configure external sharing on Office 365

First of all, you need to be administrator of your Office 365 and manage the tenant options.

1. Go to the Administration from the Office 365 menu

How to deal with Office 365 External Sharing

2. From the settings menu, activate the External Sharing option. You can choose between 3 options:

  1. Don't allow sharing outside your organization
  2. Allow external users who accept sharing invitations and sign in as authenticated users (All external users must sign in to access your site collection. So you'll be able to track their activities. They will be considerate as users.)
  3. Allow both external users who accept sharing invitations and anonymous guest links (With the link generated, user can access to the content without signing in. It's easier to share content and to access to it, but much riskier for your organization for lack of tracking possibilities.)

How to deal with Office 365 External Sharing

You then have the options for all the different site collections you have inside your tenant. You can activate external sharing only at the site collection level. So be careful, all the sites and sub sites will have the option. I advise you to create a different site collection only dedicated to the external sharing. So you’ll be sure your content is secure.

How to deal with Office 365 External Sharing

3. For each site collection, you can set the external sharing from the Site Collections menu. You can select one or multiple site collections at once.

How to deal with Office 365 External Sharing

4. Apply the external sharing option you want for your site collection

How to deal with Office 365 External Sharing

ii. How to share content

There are a lot of different combinations that can confuse some persons (including myself) with external sharing. Pay close attention here!

1. Authenticated user

  1. Share a site

    Directly from the share button on the top right corner, you can invite new users. You just have to write the email address directly inside the pop-up window. Click on the “suggested” email address (which is clearly the same you just typed) so it would appear underlined.

    How to deal with Office 365 External Sharing

    If you then click on "Show options", you’ll get the option to change the group you want to add the external user to. By default, the external users are attributed to group members and have [Contribute] rights. This is where you have to be careful, be sure of the group permissions before adding an external user to a group.

    How to deal with Office 365 External Sharing

    Once you share something, the invitation is valid for 7 days only. After that, the invitation will expire and you’ll have to send another invite.

    The email invitation looks like this:

    How to deal with Office 365 External Sharing

  2. Access to a site as an external user

    Now be careful when you click on the link, there's a complex behavior there. Depending on what's open on your browser or if you already have a Microsoft account or not, you might link the invitation with a wrong sign in authentication.

    Let me rephrase that! Let’s say is my professional Microsoft account, that I use for my OneDrive and to share some of my content with other people. I also have an Hotmail account which is my personal email address.

    Here's what can happen:

    • If I’m already logged in with my account and click on the "Go To Contoso" link, I’m going to link my account to the Contoso Site. So, as an external user, I’m going to authenticate myself with this account.
    • On the other hand, if I’m at home and my Hotmail account is open and I click to the same Contoso Site link, my Hotmail account will be linked to the site. This is definitely not something I want to happen!

    This is a huge security risk for your organization because, even if you send an invitation to your contact's professional account, he or she might end up accessing your documents with their personal Microsoft account. The name and email address you'll see in Office 365 might be different than the ones you've sent the invitation to.

    How to deal with Office 365 External Sharing

    Once a user has signed in, he can ask access to other sites or lists. The administrator will receive a notification and can manage requested access from Office 365.

    How to deal with Office 365 External Sharing

  3. Share a list or library

    Once you’re inside a list or library, you have the option accessible from the ribbon, the "Shared With" button.

    How to deal with Office 365 External Sharing

    The flow here is the same as sharing a site then, but instead of giving access to a site group, you grant permission to the external user.

    How to deal with Office 365 External Sharing

  4. Share a document

    To share a document with an external user, use the Document Menu Dialog and click on Share. Then you have the same popup as Site or List sharing option.

    How to deal with Office 365 External Sharing

    The only difference here is the “Can Edit” or “Can view” option you can see on the right.

    How to deal with Office 365 External Sharing

    If you uncheck the Require Sign-in check box, it'll send the external link (the same way as the Get A link Option described below). Confusing, I know!

2. Anonymous Guest

As I said at the beginning of the blog, anonymous guest link can only be done on a specific document. To share a link, just use the menu and select “Get a Link”.

How to deal with Office 365 External Sharing

Depending on if you have Office suite online, users with an Edit Guest link might edit online or directly in Word. The Modified By column would be “Guest Contributor”.

How to deal with Office 365 External Sharing

iii. How to manage external sharing from Office 365 Administration


1. Central administration


    1. Manage external user

From the Office 365 administration, go to the External Sharing options, then Sites. When selecting a site collection, you’ll see if there are some external users. From there, the only management you can do is view or delete them.

Office 365 External SharingHow to deal with Office 365 External Sharing

    1. How to disable all the external sharing

From the Settings menu, you can change Office 365 external sharing options on the site collection. If you chose the “Don't allow sharing outside your organization” option, the system might ask you if you’re sure. All the external sharing done inside the site collection would be disable.

How to deal with Office 365 External Sharing

2. External sharing at a Site Collection Level

On each site collection, you can see all the Access Requests from the Site Settings > Access Requests and invitations. There you can see all the pending request, the external user invitations and the history.

The only limitation here is that you can’t see the history of anonymous shared links.

How to deal with Office 365 External Sharing How to deal with Office 365 External Sharing

3. Limitations

As you can see from here, SharePoint Online doesn’t give you a lot of management options:

  • You can’t have a big picture on which objects are shared
  • You can’t see what are the permission access for an external user
  • You can’t see an anonymous guest link document list from the administration
  • A shared invitation won’t appear in the administration as long as the user isn't authenticated

For those reasons, we thought we could add new features inside Sharegate Management so you’ll have a complementary tool to help you keep control over your security.

Keep Control over External Sharing: Try Sharegate Online to monitor what is shared outside your organization.

iv. How will Sharegate help you control external sharing

I really like the power of Sharegate's Office 365 & SharePoint management features. Since I’ve been inside and learned the capabilities offered, I’m hooked and use it every day.

We've added different reports and conditions. I want to link them as an answer to a business need so you see the value behind them.

Find a Site Collection List with external sharing enabled

My first business need is that I want to have the big picture on my Office 365 site collections. I also want to know which one has the external sharing activated and what type of external sharing is applied.

Achieving this with Sharegate is dead simple: Run a new "Find" query. Select Site Collection Object Type and add the column "Shared by Link" and "Shared by Email".

How to deal with Office 365 External Sharing

Then choose your target, you know you can target more than one Office 365 environment at once. And then see the results as below:

How to deal with Office 365 External Sharing

If the "Share by Email" is enabled, it means that the site Collection allows external users who accept sharing invitations and sign in as authenticated users.

If the "Share by link" is enabled, it means that the site Collection allows both external users who accept sharing invitations and anonymous guest links.

Find the list of all Office 365 External Users

My second business need is that I want to know who are the external users (all authenticated) so I can control Office 365 security and check their access and permissions.

From Sharegate, you can run a built-in Security Report called "External Users". You just have to select your target and run the report. I do like to add the email, and the account as columns I want to see in the report.

How to deal with Office 365 External Sharing

As a result, you have the list of all external users in Office 365: their names, the sites they have access to, their accounts and email addresses. You can see on the picture below the purpose of connecting to Office 365 with a different email than the one the invitation was sent to.

How to deal with Office 365 External Sharing

From there, you can use Sharegate's Check Permission security action to view the permissions linked to a user.

Find document lists with anonymous guest link enabled (edit or view)

It's impossible to have the list of anonymous users because they are anonymous! So as a user, I want to know the list of documents that have been shared by link. And then I'll want to know if it's either a view or an edit link.

You can run the built-in security report Documents with anonymous guest links enabled. You can add the Last Modified By column if you want to see if an anonymous guest has modified a document.

How to deal with Office 365 External Sharing

Find Externally Shared Objects in Office 365

Finally, I need to know what are the different objects that have a real external sharing. What I mean by "real" is that someone has invited an external user, or shared a document with a link. Since it's easy to see if the feature is enabled, but it's hard to control the sharing of the object, there's a risk here! Maybe someone added an external user to a site group and gave full access to the complete site. You probably want to manage that!

What I like with this report is the fact that I can see all external users as well as all the users who have been invited but not yet authenticated. I'm now sure I can secure my whole Office 365 environments!

How to deal with Office 365 External Sharing

What's next for Sharegate

Powerful isn't it? But it's only the first part of what we've got planned to manage External User in Office 365. We want to add more related fixing features such as:

  • Enabling or Disabling an external user on Site Collections
  • Directly check permissions from the External Users List
  • Directly add or remove permissions from the External Users list
  • Delete all anonymous guest links generated
  • Remove permissions from a site, list, or libraries directly from the Externally Shared Objects reports.

If you have more ideas, don't hesitate to send us feedback.

I hope you're now more comfortable with the external sharing on Office 365. This feature is so powerful. I love it! It's easier for me to share content with different companies we collaborate with here at Sharegate. I don't have to ask IT to add a user inside the Active Directory. I can share content by myself, it's quick and very powerful. Once collaboration is done, I remove the user from the site. It's as simple as that.

But for Office 365 security, it's risky. Make sure all your site collections aren't opened, and manage your security by checking reports every day. You don’t want official (and secret) documentation to be open and accessible to the world. I'd advise you to plan how you'll deal with the external sharing: add new rules inside your governance plan and make sure all users have the training and knowledge so they would do it right. Don't be afraid of Office 365, it's secure. You just need to understand how it works and find great tools that will help you to manage its access.

What are your plans to control Office 365 External Sharing?

Nathalie Jard
Nathalie Jard @sharegatetools

After many years of experience as a ScrumMaster, Nathalie is still a real passionate. She has been part of many projects involving SharePoint such as creating and managing governance plan, SharePoint migration and platform implementation. She also provides awesome SharePoint training.  Nathalie contributed to the development of Sharegate by ensuring the highest quality level.