On Day 6 of Cybersecurity awareness month, learn to limit external sharing in SharePoint Online today. Stay tuned for more blogs in the Cybersecurity blog series.
Data security is always a top priority when you run an organization. Technology has grown rapidly in recent years, and so have the security issues that come with it. In Office 365, the average organization shares documents with external domains, including business partners and personal email addresses. So you should always keep an eye on the external sharing configuration in SharePoint Online and OneDrive, because by default it is set to the most permissive level: content can be shared with anyone on the web, and recipients don't even need to sign in to access it. Isn't that risky? Since we collaborate with business partners and other organizations, external sharing needs to stay enabled, but unwanted sharing permissions can be removed to secure the data.
“You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risks”.
– Kevin Mitnick
As the quote goes, you should protect your externally shared content in SharePoint Online by limiting access. There are several ways to protect externally shared content in SharePoint Online, such as:
- Disable External Sharing in SharePoint Online
- Turning off Anyone Links
- Limiting External Sharing by Domain
- Limiting External Sharing to Specific Security Groups
Let’s check them in detail.
Disable External Sharing in SharePoint Online
External sharing is required to collaborate outside your organization for various purposes. But overly permissive settings can lead to unwanted sharing of data on the web. If your organization does not need external sharing at all, you can disable it entirely. If you only want to rule out external collaboration for specific sites, you can consider disabling it for those sites alone.
To disable external sharing in your organization, move the indicator to the least permissive level. Thus, users can’t share files externally.
Note: When you disable external sharing for your organization, sharing to guest users within your directory is also prohibited.
If you want to disable external sharing for a specific site, you can select the ‘Only people in your organization’ option in the respective site sharing settings. If the site is intended for external collaboration, you can enable Anyone sharing for that particular SharePoint site.
When a user tries to share content in SharePoint Online after external sharing has been disabled for the organization, they receive the following error message: “Your organization’s policies don’t allow you to share with these users. Go to External Sharing in the Office 365 Admin Center to enable it”.
Turn off Anyone Links
To prevent unauthenticated sharing of content, you can turn off Anyone links. People outside your organization will then be required to authenticate before they can access the shared content. Anyone links can be turned off both at the organization level and at the site level.
To turn off Anyone links at the tenant level, just slide the indicator to ‘New and existing guests’ as shown in the image below.
You can turn off Anyone links at the site level by selecting the ‘New and existing guests’ option in the external sharing setting for individual sites.
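The same two controls (disabling external sharing and turning off Anyone links) can be set and verified from the SharePoint Online Management Shell. This is an added example, not code from the original post; the tenant name and site URL are placeholders.

```powershell
# Added example: PowerShell equivalents of the tenant-level and site-level sharing
# slider. Requires the SharePoint Online Management Shell module.
# "<tenant>" and the Finance site URL are placeholders, not values from the post.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# UI label                   -> SharingCapability value
#   Only people in your org  -> Disabled                        (external sharing off)
#   Existing guests          -> ExistingExternalUserSharingOnly
#   New and existing guests  -> ExternalUserSharingOnly         (Anyone links off)
#   Anyone                   -> ExternalUserAndGuestSharing     (default, most permissive)

# Tenant level: turn off Anyone links but keep authenticated guest sharing.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Site level: disable external sharing entirely for an internal-only site.
$internalSite = "https://<tenant>.sharepoint.com/sites/Finance"
Set-SPOSite -Identity $internalSite -SharingCapability Disabled

# Read back the tenant value, then list sites whose stored setting is still
# "Anyone". A site can never be more permissive than the tenant, so these are
# capped in practice, but a later tenant change would silently re-enable them.
$tenant = Get-SPOTenant
Write-Host "Tenant sharing capability: $($tenant.SharingCapability)"

Get-SPOSite -Limit All |
    ForEach-Object { Get-SPOSite -Identity $_.Url } |   # full property set per site
    Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" } |
    Select-Object Url, SharingCapability |
    Format-Table -AutoSize
```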
Limiting External Sharing by Domain
If you want to restrict your users to sharing the organization's files or folders with a specific domain only, you can allow that domain. Alternatively, you can block a specific domain and allow all others to access your data. You can configure this setting for the entire organization or for specific sites, based on your needs. Remember that if you restrict a domain at the tenant level, the restriction applies to all sites. If you need a different configuration for each site, use the site-level sharing settings. Let’s see how to allow or block a domain at both the tenant and site levels.
Tip: Implementing this setting is also part of Microsoft’s Secure Score recommendation for SharePoint and can gain you an extra 3 points.
Tenant Level Configuration
Step 1: Visit SharePoint Admin Center
Step 2: Under Policies, Select Sharing.
Step 3: Scroll down to More External Setting.
Step 4: Check the ‘Limit external sharing by domain’ check box and select Add domains.
A pop-up screen appears where you can toggle between allowing/blocking specific domains.
Step 5: Enter the domain name such as gmail.com and then Save.
Step 6: Make sure to hit the Save button at the bottom end of the Sharing page. Otherwise, your changes won’t be saved.
Site Level Configuration
Step 1: Go to Sites -> Active sites in SharePoint Admin Center.
Step 2: Select any site to which you want to limit external sharing.
Step 3: Open the Sharing tab.
Step 4: Scroll till you reach Advanced settings for external sharing.
Step 5: Choose Limit sharing by domain -> Add domains, then save.
The image given below shows the user impact. When a user tries to share content with a blocked domain, they receive the following error: “Your org doesn’t allow sharing with people who use this email domain. To continue sharing, remove the highlighted recipients”.
Points to Remember
- These limits do not apply to guest users from the blocked domain who are already in your directory; sharing with any other users of that domain is blocked.
- You can add up to 3000 domains at the tenant level and 500 domains at the site level.
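The tenant-level and site-level domain restrictions above can also be applied and read back with the SharePoint Online Management Shell. This is an added example, not code from the original post; the tenant name, the partner site URL and the partner domain are placeholders.

```powershell
# Added example: domain restriction at tenant and site level via PowerShell.
# "<tenant>", the PartnerProject site and "partner.example" are placeholders.
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Tenant level: block consumer mail domains (block-list mode).
# The domain list is one space-separated string; the tenant limit is 3000 domains.
Set-SPOTenant -SharingDomainRestrictionMode BlockList `
              -SharingBlockedDomainList "gmail.com outlook.com yahoo.com"

# Site level: a partner collaboration site that may share with one domain only
# (allow-list mode). The site limit is 500 domains, and the tenant-level
# restriction still applies to this site, as the post notes.
$partnerSite = "https://<tenant>.sharepoint.com/sites/PartnerProject"
Set-SPOSite -Identity $partnerSite `
            -SharingDomainRestrictionMode AllowList `
            -SharingAllowedDomainList "partner.example"

# Verification: read both levels back. A tenant in "None" mode has no
# domain restriction at all, which is the state Secure Score flags.
$t = Get-SPOTenant
if ($t.SharingDomainRestrictionMode -eq "None") {
    Write-Warning "No tenant-wide domain restriction is in place."
} else {
    Write-Host "Tenant mode: $($t.SharingDomainRestrictionMode)"
    Write-Host "Allowed: $($t.SharingAllowedDomainList)"
    Write-Host "Blocked: $($t.SharingBlockedDomainList)"
}

Get-SPOSite -Identity $partnerSite |
    Select-Object Url, SharingDomainRestrictionMode,
                  SharingAllowedDomainList, SharingBlockedDomainList |
    Format-List
```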
Limiting External Sharing to Specific Security Groups
You can allow only certain users in your organization to share files externally by adding the users to a security group. Configuring this setting lets the members of a selected Microsoft 365 security group share content externally in SharePoint Online. Follow the steps below to configure the setting.
Note: This setting will not support site-level configuration.
Step 1: Visit SharePoint Admin Center.
Step 2: Under Policies, Select Sharing.
Step 3: Scroll down to More External Setting.
Step 4: Check the ‘Allow only users in specific groups to share externally’ check box and select Manage security groups.
Step 5: Add each security group that you want to allow to share externally, and then Save.
Step 6: Now, set the sharing option for the security group by choosing between ‘Anyone’ and ‘Authenticated guests only’.
Note: When you choose ‘Anyone’, members within the added security group can share the content externally with anyone outside the organization. On the other hand, if you choose ‘Authenticated Guests Only’, members can share only with guests who authenticate by verifying their identity.
Step 7: Make sure to hit the Save button at the bottom of the Sharing page. Otherwise, your changes won’t be saved.
Points to Remember
- You can add up to 12 security groups.
- Microsoft 365 groups are not supported for adding.
The image given below shows the user impact. When a user who is not a member of the security group tries to share content externally, they receive the following error: “Your org doesn’t allow sharing with these people. To continue sharing, remove the highlighted recipients”.
More Ways to Protect Your Content Shared Externally
You can also protect the externally shared content in SharePoint Online by configuring other external sharing settings from the SharePoint Admin Center as given below.
Configurations applicable for both tenant and site level
These configurations can be set both at the tenant and the site level. If you configure these settings at the site level, it overrides the tenant level settings.
Change the Default Sharing Link Type
For communication sites, the default sharing link type is the most permissive one (‘Anyone’), so you can move the indicator from ‘Anyone’ to a less permissive level based on the organization’s sharing requirements. For team sites, the default is ‘New and Existing Guests’.
If you have set different permissive levels at the site level, it overrides the default organizational level settings.
Expiration Policy
If you don’t want your externally shared content to be accessed indefinitely, you can set an expiration policy for the link to limit access. Thus, external users can’t access your files once the link has expired.
Configurations applicable for the tenant level only
These settings are available to be configured at the tenant level only. You can’t do it for specific sites in the organization.
People Who Use a Verification Code Must Reauthenticate After This Many Days
You can set the number of days after which an external user who accessed content with a verification code must reauthenticate. This applies to content shared at any permission level other than the least permissive one. If you share using ‘Anyone with the link’, no verification code is required.
Guests Must Sign in Using the Same Account to Which Sharing Invitations are Sent
If you want external users to sign in with the same account to which the invitation has been sent, you can enable this option. If you don’t enable this, the invited users can access the invitation and sign in using any preferred account.
Allow Guests to Share Items They Don’t Own
By default, guests are allowed to share files even if they don’t have full access permissions. Uncheck this checkbox to prevent guests from sharing items they don’t own.
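The tenant-level settings in this section (default link type, link expiration, verification-code reauthentication, matching invited account, guest resharing) can be audited together from the SharePoint Online Management Shell. This is an added example, not code from the original post; the tenant name and the 30-day and 15-day thresholds are assumptions to adjust to your own policy.

```powershell
# Added example: audit the tenant sharing settings covered above and flag the
# values that leave externally shared content most exposed. Run with -Apply
# to set the hardened baseline. "<tenant>" and the thresholds are assumptions.
param([switch]$Apply)

Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"
$t = Get-SPOTenant
$findings = @()

# Default sharing link type: AnonymousAccess is the 'Anyone' link.
if ($t.DefaultSharingLinkType -eq "AnonymousAccess") {
    $findings += "Default link type is 'Anyone'; consider Internal or Direct."
}
# Expiration policy: 0 or -1 means Anyone links never expire.
if ($t.RequireAnonymousLinksExpireInDays -le 0) {
    $findings += "Anyone links never expire (RequireAnonymousLinksExpireInDays)."
}
# Verification-code reauthentication interval.
if (-not $t.EmailAttestationRequired) {
    $findings += "Verification-code reauthentication is off (EmailAttestationRequired)."
} elseif ($t.EmailAttestationReAuthDays -gt 15) {
    $findings += "Reauthentication interval is $($t.EmailAttestationReAuthDays) days."
}
# Guests must sign in with the account the invitation was sent to.
if (-not $t.RequireAcceptingAccountMatchInvitedAccount) {
    $findings += "Guests may accept invitations with any account."
}
# Guests resharing items they don't own.
if (-not $t.PreventExternalUsersFromResharing) {
    $findings += "Guests can share items they don't own."
}

if ($findings.Count -eq 0) {
    Write-Host "No weak external sharing settings found."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}

if ($Apply) {
    # Hardened baseline for the same settings; numbers are assumptions.
    Set-SPOTenant -DefaultSharingLinkType Internal `
                  -RequireAnonymousLinksExpireInDays 30 `
                  -EmailAttestationRequired $true `
                  -EmailAttestationReAuthDays 15 `
                  -RequireAcceptingAccountMatchInvitedAccount $true `
                  -PreventExternalUsersFromResharing $true
}
```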
I hope this blog helps you manage external sharing in SharePoint Online effectively. But don’t stop here—be sure to explore and address other potential vulnerabilities in your Microsoft 365 environment. Feel free to reach out in the comments for any assistance!
Track External Sharing in SharePoint Online with AdminDroid’s Comprehensive Reports
Say goodbye to native auditing and welcome a new era of detailed insights, visually stunning charts, real-time alerts, customizable reports, and intuitive dashboards for SharePoint sharing configurations. Monitor external sharing in SharePoint Online with AdminDroid, which offers a comprehensive solution surpassing the traditional PowerShell method.
Moreover, the AdminDroid SharePoint Online reporting tool will be your go-to solution for monitoring and controlling external file-sharing activities effortlessly. It offers separate reports for the sharing settings, such as,
- Link-enabled sharing
- External sharing capability for each site collection,
- Sharing allowed domain list, and
- Sharing blocked list
AdminDroid simplifies SharePoint Online management with comprehensive dashboards that offer widespread visibility into site permissions, external file sharing, site storage, group memberships, SharePoint Online sharing auditing, etc. Enjoy advanced features such as delegation, advanced scheduling, and advanced filtering, all designed to streamline your SharePoint Online management tasks.
If you’re seeking a comprehensive understanding of your SharePoint Online environment while ensuring compliance with legal requirements, look no further than AdminDroid!
Try AdminDroid’s free 15-day premium edition and unlock a world of Office 365 reporting, auditing, enhanced monitoring, usage analysis & security, and compliance.