Limit External Sharing in SharePoint Online

Possible Ways to Limit External Sharing in SharePoint Online

On Day 6 of Cybersecurity Awareness Month, learn how to limit external sharing in SharePoint Online. Stay tuned for more blogs in the Cybersecurity blog series.

Data security is always a top priority when you run an organization. In recent times, technology has grown exponentially, and so have security issues. In Office 365, the average organization shares documents with external domains, which include business partners and personal email addresses. So we should always keep an eye on the external sharing configuration in SharePoint Online and OneDrive, because by default it is set to the most permissive level, which means that data can be shared with anyone on the web and recipients don’t need to sign in to access the content. Isn’t that risky? Because we collaborate with business partners and other organizations, we need to have external sharing enabled. But unwanted sharing permissions can be avoided to secure the data.

“You can never protect yourself 100%. What you do is protect yourself as much as possible and mitigate risk to an acceptable degree. You can never remove all risks”. 

– Kevin Mitnick

As the quote goes, you should protect your externally shared content in SharePoint Online by limiting access. There are many ways to protect externally shared content in SharePoint Online, such as:

  • Disable external sharing completely
  • Turn off Anyone links
  • Limit external sharing by domain
  • Limit external sharing to specific security groups

Let’s check them in detail. 

Disable External Sharing in SharePoint Online 

External sharing is required to collaborate outside your organization for various purposes. But overly permissive settings can lead to unwanted sharing of data on the web. If your organization requires no external sharing, you can disable it completely. If you only want to prevent external collaboration on specific sites, consider disabling it for just those sites.

To disable external sharing in your organization, move the indicator to the least permissive level, ‘Only people in your organization’. After that, users can’t share files externally.

Note: When you disable external sharing for your organization, sharing to guest users within your directory is also prohibited. 

Disable External Sharing at Tenant Level

If you want to disable external sharing for a specific site, you can select the ‘Only people in your organization’ option in the respective site sharing settings. 

Disable External Sharing at Site Level

When a user tries to share content in SharePoint Online after external sharing has been disabled in their organization, they receive the following error message: “Your organization’s policies don’t allow you to share with these users. Go to External Sharing in the Office 365 Admin Center to enable it”.

Result for disabling external sharing

Turn off Anyone Links  

To prevent users from unauthenticated sharing of content, you can turn off Anyone links. Thus, people outside your organization will be required to authenticate before they can access the shared content. It can be turned off both at the organization level and the site level. 

To turn off Anyone links at the tenant level, slide the indicator to ‘New and existing guests’ as shown in the image below.

Turn off Anyone links at Tenant level

You can turn off anyone links at the site level by selecting the ‘New and existing guests’ option from the external sharing setting for individual sites. 

Turn off Anyone links at Site level
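
To check which sites still sit above the sharing level you intend, the PowerShell below flags them from the `SharingCapability` value each site reports. This is an added example, not part of the original post; it assumes the SharePoint Online Management Shell, and the site URLs are constructed placeholders.

```powershell
# Added example: flag sites whose sharing level exceeds a chosen ceiling.
# SharingCapability values map to the admin-center options as follows.
$SharingRank = @{
    ExternalUserAndGuestSharing     = 3   # Anyone
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExistingExternalUserSharingOnly = 1   # Existing guests
    Disabled                        = 0   # Only people in your organization
}

function Get-SharingExposure {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,
        [ValidateSet('ExternalUserAndGuestSharing', 'ExternalUserSharingOnly',
                     'ExistingExternalUserSharingOnly', 'Disabled')]
        [string] $MaxAllowed = 'ExternalUserSharingOnly'
    )
    foreach ($site in $Sites) {
        $cap = [string]$site.SharingCapability
        if (-not $SharingRank.ContainsKey($cap)) {
            Write-Warning "Unknown SharingCapability '$cap' on $($site.Url)"
            continue
        }
        # Report only sites that are more permissive than the ceiling.
        if ($SharingRank[$cap] -gt $SharingRank[$MaxAllowed]) {
            [pscustomobject]@{
                Url               = $site.Url
                SharingCapability = $cap
                AnyoneLinks       = ($cap -eq 'ExternalUserAndGuestSharing')
            }
        }
    }
}

# Constructed sample rows standing in for Get-SPOSite output (placeholder URLs).
$sample = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/marketing'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/partners';  SharingCapability = 'ExternalUserSharingOnly' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/finance';   SharingCapability = 'Disabled' }
)

Get-SharingExposure -Sites $sample                       # sites that still allow Anyone links
Get-SharingExposure -Sites $sample -MaxAllowed Disabled  # sites with any external sharing

# Against a live tenant, after Connect-SPOService -Url <tenant admin URL>:
#   Get-SharingExposure -Sites (Get-SPOSite -Limit All)
```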

Control Who Can Access the Content Externally by Limiting/Filtering Domains 

If you want users to share the organization’s files or folders only with specific domains, you can allow just those domains. Alternatively, you can block specific domains and allow all others to access your data. You can configure this setting for the entire organization or for specific sites, based on your needs. Remember that if you restrict a domain at the tenant level, the restriction applies to all sites. If you want a specific configuration for each site, use the site-level sharing settings. Let’s see how to allow or block a domain at both the tenant and site levels.

Tenant Level Configuration 

Step 1: Visit SharePoint Admin Center

Step 2: Under Policies, Select Sharing. 

Step 3: Scroll down to More External Setting

Step 4: Check the ‘limit external sharing by domain’ check box and select Add domains 

A pop-up screen appears where you can toggle between allowing/blocking specific domains. 

Step 5: Enter the domain name such as gmail.com and then Save

Step 6: Make sure to hit the Save button at the bottom end of the Sharing page. Otherwise, your changes won’t be saved. 

Limit Domain at Tenant Level

Site Level Configuration 

Step 1: Go to Sites -> Active sites in SharePoint Admin Center. 

Step 2: Select any site to which you want to limit external sharing. 

Step 3: Open the Sharing tab. 

Step 4: Scroll till you reach Advanced settings for external sharing

Step 5: Choose Limit sharing by domain -> Add domains, then save. 

Limit Domain at Site level

The image below shows the user impact. When users try to share content with a blocked domain, they receive the following error: “Your org doesn’t allow sharing with people who use this email domain. To continue sharing, remove the highlighted recipients”.

Result of blocking domain

Points to Remember 

  • These limits will not apply to guest users from the same domain who are already in your directory. But you can’t share with the other users of the blocked domain. 
  • You can add up to 3000 domains at the tenant level and 500 domains at the site level. 
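
The same domain restriction can be applied from the SharePoint Online Management Shell. The PowerShell below is an added example, not part of the original post: the helper `New-SharingDomainParams` is hypothetical, the domain names and site URL are placeholders, and it assumes an existing `Connect-SPOService` session.

```powershell
# Added example: build and apply allow/block lists for external sharing.
# New-SharingDomainParams is a hypothetical helper, not a SharePoint cmdlet.
function New-SharingDomainParams {
    param(
        [Parameter(Mandatory)] [string[]] $Domains,
        [Parameter(Mandatory)] [ValidateSet('AllowList', 'BlockList')] [string] $Mode,
        [ValidateSet('Tenant', 'Site')] [string] $Scope = 'Tenant'
    )
    # Limits stated in the article: 3000 domains per tenant, 500 per site.
    $limit = if ($Scope -eq 'Tenant') { 3000 } else { 500 }

    # Normalize, drop blanks and duplicates so typos don't create extra entries.
    $clean = @($Domains | ForEach-Object { $_.Trim().ToLowerInvariant() } |
               Where-Object { $_ } | Sort-Object -Unique)

    $bad = @($clean | Where-Object { $_ -notmatch '^([a-z0-9-]+\.)+[a-z0-9-]{2,}$' })
    if ($bad.Count -gt 0) { throw "Not a valid domain name: $($bad -join ', ')" }
    if ($clean.Count -eq 0) { throw 'At least one domain is required.' }
    if ($clean.Count -gt $limit) { throw "$Scope lists accept at most $limit domains." }

    $listParam = if ($Mode -eq 'AllowList') { 'SharingAllowedDomainList' }
                 else { 'SharingBlockedDomainList' }
    # The cmdlets expect the domains as one space-separated string.
    @{ SharingDomainRestrictionMode = $Mode; $listParam = ($clean -join ' ') }
}

# Tenant level: share only with two partner domains (placeholder names).
$tenantParams = New-SharingDomainParams -Domains 'partner.example', 'supplier.example' -Mode AllowList
Set-SPOTenant @tenantParams

# Site level: block one domain on a single site (placeholder URL).
$siteParams = New-SharingDomainParams -Domains 'gmail.com' -Mode BlockList -Scope Site
Set-SPOSite -Identity 'https://contoso.sharepoint.com/sites/finance' @siteParams

# Read the tenant setting back to confirm what was applied.
Get-SPOTenant | Select-Object SharingDomainRestrictionMode, SharingAllowedDomainList, SharingBlockedDomainList
```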

Control Who Can Share the Content Externally Using Security Groups 

You can allow only certain users in your organization to share files externally by adding the users to a security group. Configuring this setting lets the members of a selected Microsoft 365 security group share content externally in SharePoint Online. Follow the steps below to configure the setting. 

Note: This setting does not support site-level configuration.

Step 1: Visit SharePoint Admin Center. 

Step 2: Under Policies, Select Sharing

Step 3: Scroll down to More External Setting

Step 4: Check the ‘Allow only users in specific groups to share externally’ check box and select Manage security groups.

Step 5: Add any security group that you want to allow external sharing and then Save. 

Step 6: Now, set the sharing option for the security group by choosing between ‘Anyone’ and ‘Authenticated guests only’.  

Note: When you choose ‘Anyone’, members within the added security group can share the content externally with anyone outside the organization. On the other hand, if you choose ‘Authenticated Guests Only’, members can share only with guests who authenticate by verifying their identity. 

Step 7: Make sure to hit the Save button at the bottom of the Sharing page. Otherwise, your changes won’t be saved. 

Settings for Security Groups

Points to Remember 

  • You can add up to 12 security groups. 
  • Microsoft 365 groups are not supported for adding. 

The image below shows the user impact. When a user who is not a member of the security group tries to share content externally, they receive the following error: “Your org doesn’t allow sharing with these people. To continue sharing, remove the highlighted recipients”.

Result for Sharing by a user who is not in the security group

More Ways to Protect Your Content Shared Externally 

You can also protect the externally shared content in SharePoint Online by configuring other external sharing settings from the SharePoint Admin Center as given below.

Configurations applicable for both tenant and site level 

These configurations can be set at both the tenant and the site level. If you configure these settings at the site level, they override the tenant-level settings.

Change the Default Sharing Link Type 

As the sharing link type has the most permissive level by default for communication sites, you can adjust the indicator from ‘Anyone’ to another permissive level based on the organization’s sharing requirements. For team sites, the default permissive level is ‘New and Existing Guests’.

External Sharing Settings

If you have set a different permissive level at the site level, it overrides the default organization-level setting.

Expiration Policy 

If you don’t want your externally shared content to be accessed indefinitely, you can set an expiration policy for the link to limit access. Thus, external users can’t access your files once the link has expired. 

Configurations applicable for the tenant level only 

These settings are available to be configured at the tenant level only. You can’t do it for specific sites in the organization. 

People Who Use a Verification Code Must Reauthenticate After This Many Days

You can set the number of days after which the user has to reauthenticate if the content has been shared using any permission level except the least permissive one. If you share using ‘Anyone with the link’, no verification code is required.

Guests Must Sign in Using the Same Account to Which Sharing Invitations are Sent 

If you want external users to sign in with the same account to which the invitation has been sent, you can enable this option. If you don’t enable this, the invited users can access the invitation and sign in using any preferred account.

Allow Guests to Share Items They Don’t Own  

By default, guests are allowed to share files even if they don’t have full access permissions. We can uncheck the checkbox to prevent guests from sharing items they don’t own. 
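
To confirm that these tenant-level settings match what you intended, the PowerShell below compares the properties returned by `Get-SPOTenant` with a baseline. This is an added example, not part of the original post; the function name `Compare-TenantSharingBaseline`, the baseline values and the 30-day limits are assumptions, and the sample tenant object is constructed.

```powershell
# Added example: report tenant sharing settings that differ from a baseline.
# Baseline values and day limits are assumptions; adjust them to your policy.
function Compare-TenantSharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,          # output of Get-SPOTenant
        [int] $MaxReauthDays = 30,
        [int] $MaxAnyoneLinkDays = 30
    )
    $expected = [ordered]@{
        DefaultSharingLinkType                     = 'Internal'  # default link is not an Anyone link
        RequireAcceptingAccountMatchInvitedAccount = $true       # guest signs in with the invited account
        PreventExternalUsersFromResharing          = $true       # guests can't share items they don't own
        EmailAttestationRequired                   = $true       # verification-code reauthentication is on
    }
    foreach ($name in $expected.Keys) {
        if ([string]$Tenant.$name -ne [string]$expected[$name]) {
            [pscustomobject]@{ Setting = $name; Actual = $Tenant.$name; Expected = $expected[$name] }
        }
    }
    $maxDays = [ordered]@{
        EmailAttestationReAuthDays        = $MaxReauthDays
        RequireAnonymousLinksExpireInDays = $MaxAnyoneLinkDays
    }
    foreach ($name in $maxDays.Keys) {
        $days = [int]$Tenant.$name
        # Assumption: zero or below is treated as "no limit set".
        if ($days -le 0 -or $days -gt $maxDays[$name]) {
            [pscustomobject]@{ Setting = $name; Actual = $days; Expected = "1..$($maxDays[$name]) days" }
        }
    }
}

# Constructed sample standing in for Get-SPOTenant output.
$sampleTenant = [pscustomobject]@{
    DefaultSharingLinkType                     = 'AnonymousAccess'
    RequireAcceptingAccountMatchInvitedAccount = $false
    PreventExternalUsersFromResharing          = $true
    EmailAttestationRequired                   = $true
    EmailAttestationReAuthDays                 = 30
    RequireAnonymousLinksExpireInDays          = -1
}
Compare-TenantSharingBaseline -Tenant $sampleTenant | Format-Table -AutoSize

# Against a live tenant, after Connect-SPOService:
#   Compare-TenantSharingBaseline -Tenant (Get-SPOTenant)
# A reported setting can then be corrected, for example:
#   Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true
```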

I hope this blog will help you to manage external sharing in SharePoint Online effectively. Feel free to reach us in the comments for any assistance! 


 
