Allow External Sharing for Specific SharePoint Sites

On Day 21 of Cybersecurity Awareness Month, learn how to easily configure Anyone sharing for specific SharePoint sites. Stay tuned for more tips in our Microsoft 365 Cybersecurity blog series!

There are instances when you need to enable “Anyone” sharing for specific SharePoint sites. For example, when you need to share documents or collaborate with external individuals like clients, vendors, or partners who don’t have a Microsoft account, “Anyone” links simplify the process. They allow easy access to content without requiring a sign-in.

So, let’s walk through how to configure external sharing for specific sites in SharePoint.

There are three ways to enable external sharing (setting it to “Anyone”) for individual SharePoint sites. Before diving into those methods, here’s an important fact: to allow sharing with “Anyone” at the site level, the tenant-wide external sharing setting must also be set to “Anyone.”

Let’s configure this by navigating to:

SharePoint admin center > Policies > Sharing > External sharing > Adjust the SharePoint slider and set it to “Anyone.”

Done with the above configuration? Now, let’s look at the three methods to set Anyone sharing for specific sites.

1.Enable external sharing using SPO admin center

2.Enable external sharing using PnP PowerShell

3. Enable External sharing using PowerShell Script (Recommended)

1. Sign in to the SharePoint admin center and navigate to the Active sites option under Sites.
2. Select the desired site and click the Sharing option that appears above.
3. Select the Anyone option under External sharing.
4. Finally, proceed to save the policy.

1. Open Windows PowerShell as an administrator and connect to SharePoint PnP PowerShell.

2. Run the following cmdlet to set the site-level external sharing settings for a specific site to “Anyone”:

Drawback of these two methods:

• You can use these methods to enable external sharing for a single site. However, this approach isn’t efficient for multiple sites. Because, you’ll have to do the same process for each site.

• Also, changes to tenant-wide external sharing settings in SharePoint Online can significantly impact how individual site settings behave. For example, if a site is initially set to allow “Anyone” sharing but you later adjust the tenant-wide setting to “Only people in the organization,” that site will automatically inherit the more restrictive setting. Conversely, if you later change the tenant-wide sharing settings back to “Anyone,” any sites that were previously restricted will revert to allowing “Anyone” sharing as well. This means you may have to manually restrict external sharing settings for each affected site one by one, which can be a cumbersome process.

To simplify this task, we’ve prepared a PowerShell script! Let’s dive in and explore how it works!

We have developed a one-stop solution script that comes with different use cases to lessen your navigation hassle!

Here’s a quick preview: the script checks if the tenant-wide sharing setting is set to ‘Anyone,’ and if it is not, the script will enable the setting after getting confirmation from you. After that, it can handle two main scenarios: configuring external sharing (Anyone)for a single site and configuring for multiple sites. Bonus feature—this script also helps you restrict external sharing for remaining sites!

Download Script : EnableExternalSharingInSPOSites.ps1

Let’s see the three main use cases of this PowerShell script in detail now.

1. Allow external sharing for a specific SharePoint site.

2. Enable external sharing for multiple SharePoint sites.

3. Restrict sharing for remaining SharePoint sites. (Optional)

Sample Log File:

After running the script, a detailed log file will be generated, outlining the changes made to the external sharing settings for each site.

Note:

• If a specified site already has Anyone sharing enabled, the script will skip that site.
• If a sensitivity label is applied to a site, the script will not change the existing sharing configuration.
• The script will configure external sharing for SharePoint sites only. So, if you specify a OneDrive site URL, the script will skip it.
• Also, you need to use PowerShell 7 to execute the script.

You can enable Anyone sharing for a specific site that is designated for collaboration with external partners. To enable external sharing for such a site, you can run the script as follows.

During execution, you will be prompted to enter your Tenant ID, Client ID, and site Url. Alternatively, you can streamline this by specifying them in the “-TenantName”, “-SiteUrl”, and “-ClientId” parameters respectively.

Example:

The above cmdlet will enable Anyone sharing for the SharePoint site “Sales”.

The need to enable external sharing for multiple SharePoint sites arises when your organization handles several projects that involve collaboration with different external partners. To achieve this, you first need to prepare a sample input CSV file with the column name “SiteUrl” containing the site URLs as shown below. Once the file is ready, you can run the script by specifying the CSV file path in the “-ImportCSV” parameter.

CSV Sample:

Cmdlet:

Example:

The above example will enable Anyone sharing settings for the following sites in Contoso: Sales, Software, Frontline, Marketing, Developer, ContentWriter.

Now, you might be wondering, “If tenant-wide external sharing is set to ‘Anyone,’ how do I protect other sites from external access?” That’s where this script really stands out!

This PowerShell script not only allows external sharing for specific sites, but it also identifies all other sites in your environment, giving you the ability to manage their external sharing settings. You can choose from four sharing options to apply the right level of access to the remaining sites.

To execute, simply run the PowerShell script with the “SharingConfigForRemainingSites “ parameter. You can choose from the following four sharing options for the remaining sites: Only people in your org, Existing guests, New and existing guests, or Anyone.

The script will automatically retrieve all remaining sites and adjust the sharing settings accordingly.

Example:

The above cmdlet will enable ‘Anyone’ sharing for the Marketing site while restricting external sharing for other sites by configuring the permission to ‘Only people in your org”.

You can also run the script using Certificate-based Authentication as shown below.

You can create a self-signed certificate or CA certificate based on your requirement. Also, this script is scheduler friendly.

Important: Register an Entra ID Application to Use with PnP PowerShell

Microsoft recently made a change to the PnP PowerShell by deleting the multi-tenant PnP Management Shell Entra ID app. As a result, you may encounter the following error while using PnP PowerShell: “Message: AADSTS700016: Application with identifier ‘31359c7f-bd7e-475c-86db-fdb8c937548e’ was not found in the directory ‘[companyname].'”

To resolve this issue, administrators need to register their own Entra ID applications for use with PnP PowerShell, which applies to both interactive logins and app-only access.

As we’ll be using PnP PowerShell to configure external sharing, you’ll be prompted for a client ID. If you haven’t registered an application in Entra ID and have no client ID to proceed with the above script, don’t worry! The script can handle that for you. By using the “RegisterNewApp” parameter, it will register an app and provide you with the Client ID needed for further configuration.

Once done, it will automatically use the client and enable Anyone sharing for the configured site.

I hope this blog helps you allow external sharing for specific SharePoint sites. If you have any questions, please feel free to reach out through the comments section.