On Day 5 of Cybersecurity blog series, learn how to allow OneDrive external sharing only for specific security groups to ensure sensitive data isn’t exposed by over-permissive settings. Stay tuned for upcoming blogs in the Cybersecurity blog series.

External sharing in Microsoft OneDrive is valuable – but it needs boundaries. If you enable a tenant-wide policy in OneDrive that allows everyone to share files externally, it creates unnecessary risks because not every user should have that ability.

The smarter way is to provide external sharing only to the users who truly need it. One effective method is to allow only members of specific security groups to share OneDrive files and folders externally. This ensures controlled collaboration while minimizing the risk of accidental data exposure and maintains OneDrive security.

Next, let’s look at the need for this approach with a real-world case and how to configure it in detail.

Why Restricting OneDrive External File Sharing to Specific Security Groups Matters?

Let’s say a few members of your Sales team need to share files externally, such as brochures, drafts, videos, and documents, to collaborate with partners for campaigns and advertisements. At the same time, other Sales team members and employees from different departments should not be allowed to share files outside the organization.

If you enable a tenant-wide external sharing policy, everyone in the organization would have the ability to share OneDrive files outside, which increases the risk of accidental data leaks.

To strike the right balance between collaboration and security, you can configure a security group for the Sales team and allow only that group to share OneDrive files externally.

How to Restrict OneDrive File Sharing to Specific Microsoft Entra Security Group?

Now that you’ve understood the significance of restricting file sharing in OneDrive to specific security groups, let’s configure it.

  1. Create a Microsoft Entra ID security group with trusted users
  2. Apply OneDrive file sharing restrictions to the Microsoft Entra security group

1. Create a Microsoft Entra ID Security Group with Trusted Users

To get started, the first step is to create a Microsoft Entra ID security group and add only the users who need to share files externally. In this example, we’ll set up a group for the Sales team and add only the members who require external sharing access. Follow the steps below to set it up:

  1. Sign in to the Microsoft Entra admin center.
  2. Navigate to Entra ID > Groups and click New Group.
  3. Select the Group Type as Security. Provide a name and an optional description for the group. Here, I’ll call the group ‘Sales Team Security Group’.
  4. Then, choose the Membership type as Assigned. Alternatively, you can use a dynamic group, which automatically adds users based on attributes such as department, hire date, or other criteria.
  5. Next, add Owners if needed, and then add the Members of the group. Once done, click Select and then Create to finish creating the security group.

2. Apply OneDrive File Sharing Restrictions to the Microsoft Entra Security Group

With the security group in hand, the next step is to restrict OneDrive external sharing to security groups. Here’s how to do it.

  1. Sign in to the SharePoint admin center.
  2. Go to Policies > Sharing.
  3. Next, under External sharing, drag the Content can be shared with slider to your desired permission level.
  4. Once the permission setting is chosen, expand More external sharing settings. Note that this option is not available if the permissions are set to Only people in your organization.
  5. Check the Allow only users in specific security groups to share externally box.
  6. Then, click Manage security groups. In the Add a security group box, select the security group required (here, Sales Team Security Group). You can add up to 12 security groups.
  7. From the Can share with dropdown, choose either Authenticated guests only (default) or Anyone as per your organization needs.
    • Authenticated guests only – External sharing is limited to verified guests only. This is best for sensitive files since guests must verify their identity before accessing the content.
    • Anyone – This enables the users in the security group to share files and folders externally without authentication, using Anyone in the Share dialog box. These links work both inside and outside the organization but don’t track who opens them. This option is best for non-sensitive content that requires simple sharing.
      👉 Note: You’ll see both options only if the SharePoint permission is set to ‘Anyone’. If not, the only available option will be ‘Authenticated guests only’. If your organization never requires external sharing, set both SharePoint and OneDrive permissions to the least permissive level ‘Only people in your organization’.
  8. Finally, save the configurations.
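After saving, it is worth confirming that the tenant actually reflects what the admin center shows, and reviewing who is in the allowed group, since every member of it can now share outside the organization. The script below is an added example (not part of the original post) that does this with the SharePoint Online Management Shell and Microsoft Graph PowerShell; it assumes both modules are installed, that `<tenant>` is replaced with your tenant name, and that the allow list is exposed by `Get-SPOTenant` as the `WhoCanShareAllowListInTenant` property (an assumption to confirm on your tenant).

```powershell
# Added example: verify the OneDrive external sharing restriction after step 8.
# Assumptions: SharePoint Online Management Shell and Microsoft.Graph modules installed;
# replace <tenant> with your own tenant name.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

$tenant = Get-SPOTenant

# Tenant-wide level set by the slider in step 3:
#   ExternalUserAndGuestSharing = Anyone
#   ExternalUserSharingOnly     = New and existing guests
#   ExistingExternalUserSharingOnly = Existing guests
#   Disabled                    = Only people in your organization
"SharePoint sharing capability: $($tenant.SharingCapability)"
"OneDrive sharing capability:   $($tenant.OneDriveSharingCapability)"

# ASSUMPTION: the 'Allow only users in specific security groups to share externally'
# list is exposed as WhoCanShareAllowListInTenant (comma-separated group object IDs).
# Confirm the exact property name on your tenant with:  Get-SPOTenant | Get-Member
$allowList = $tenant.WhoCanShareAllowListInTenant
if ([string]::IsNullOrWhiteSpace($allowList)) {
    Write-Warning "No security group allow list is set: every user may share externally."
    return
}

Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome
foreach ($groupId in ($allowList -split ',')) {
    $group = Get-MgGroup -GroupId $groupId.Trim()
    "Allowed group: $($group.DisplayName) ($($group.Id))"
    # Review membership: anyone listed here can share OneDrive content externally.
    Get-MgGroupMember -GroupId $group.Id -All |
        ForEach-Object { "  member: $($_.AdditionalProperties['userPrincipalName'])" }
}
```

Run it again whenever the group membership or the sharing slider is changed, so the allow list does not silently drift from what was approved.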

How this Restriction Works?

Once the policy is applied, you can observe the following behaviour:

  • When a security group member tries to share a file externally: When Alex, a member of the Sales Team Security Group, shares a OneDrive file with an external user (for example, sara@gmail.com), the file will be shared successfully. A small indicator shows that the file is shared outside the organization, but there are no restrictions for Alex since he belongs to the authorized group.
  • When others try to share a file externally: In contrast, Christy, who is not part of the Sales Team Security Group, tries to share a file with Sara. Instead of being shared, an error appears with the message:

You can only share within your organization.

The image below illustrates the difference between sharing for a security group member versus a non-member.


This way, you can enforce tighter control over which users are able to share OneDrive files with external users.
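The behaviour above can also be checked from the audit trail rather than by trying a share by hand: every successful external share is logged, so any external sharing event from a user outside the allowed group points at a policy gap (a share created before the restriction, a changed slider, or an unexpected group member). The script below is an added example (not part of the original post) that pulls recent OneDrive sharing events from the unified audit log and marks each sharer as in or out of the Sales Team Security Group; it assumes Exchange Online PowerShell and Microsoft Graph PowerShell are installed, and that the `AuditData` fields used (`Workload`, `UserId`, `Operation`, `TargetUserOrGroupType`, `ObjectId`) carry the values described in the comments.

```powershell
# Added example: review who actually shared OneDrive content externally in the last 7 days
# and flag anyone who is not a member of the allowed security group.
# Assumptions: ExchangeOnlineManagement and Microsoft.Graph modules installed; the group
# name matches the one created earlier in the post.
Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes "Group.Read.All" -NoWelcome

$group   = Get-MgGroup -Filter "displayName eq 'Sales Team Security Group'"
$allowed = Get-MgGroupMember -GroupId $group.Id -All |
           ForEach-Object { $_.AdditionalProperties['userPrincipalName'] }

# SharingSet / SharingInvitationCreated cover sharing with named guests;
# AnonymousLinkCreated covers 'Anyone' links, which are only possible when the
# 'Can share with' option in step 7 is set to Anyone.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation `
    -Operations SharingSet,SharingInvitationCreated,AnonymousLinkCreated `
    -ResultSize 5000

foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    if ($d.Workload -ne 'OneDrive') { continue }

    # Internal shares are not of interest: TargetUserOrGroupType is 'Guest' for
    # external recipients, and anonymous links have no named target at all.
    $external = ($d.TargetUserOrGroupType -eq 'Guest') -or
                ($d.Operation -eq 'AnonymousLinkCreated')
    if (-not $external) { continue }

    $status = if ($allowed -contains $d.UserId) { 'allowed group' } else { 'NOT IN ALLOWED GROUP' }
    "$($d.CreationTime)  $($d.UserId)  $($d.Operation)  [$status]  $($d.ObjectId)"
}
```

Lines marked NOT IN ALLOWED GROUP are the ones to investigate; with the restriction working as described above, new ones should not appear after the policy was saved.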

Pro Tip: For enhanced control, you can restrict OneDrive file sharing to specific external domains. This ensures that files are only shared with trusted or approved domains and adds an extra layer of security.

With this restriction in place, you can prevent unnecessary or unauthorized sharing of OneDrive files and folders externally. This not only strengthens security but also helps protect sensitive information from unauthorized users.

From this blog, we hope you’ve understood limiting external OneDrive file sharing to specific groups and its significance. Feel free to reach out in the comments section with any questions and share your thoughts. Stay tuned for more cybersecurity insights!