Manage external sharing for your SharePoint online environment

If your organization performs work that involves sharing documents or collaborating directly with vendors, clients, or customers, then you might want to use the external sharing features of SharePoint Online to share content with people outside your organization who do not have licenses for your Office 365 operated by 21Vianet subscription.

Note: The information in this topic applies only to customers of Office 365 operated by 21Vianet.

Note: The SharePoint Online Public Website information in this article only applies if your organization purchased Office 365 prior to March 9, 2015.

Caution:  External sharing is turned off by default in Office 365 operated by 21Vianet. Administrators must enable external sharing in order to do the procedures in this article. It is important to note that files shared with external users may be accessible outside your country. If you enable external sharing any external users who previously had access to a site or document will regain their access.

*Microsoft accounts such as Outlook.com, are provided by Microsoft Corporation and are subject to Microsoft’s terms and conditions and privacy statements. The use of these accounts may result in customer data being transferred, stored and/or processed in the United States or any other country where Microsoft, its affiliates or service providers maintain facilities.

What are the external sharing features of SharePoint Online?

External sharing features include:

  • The ability to turn external sharing on or off globally for an entire SharePoint Online environment (or tenant).    External sharing is off by default at the tenant level, but can be turned on so that documents, sites, or site collections can be shared externally.

  • The ability to turn external sharing on or off for individual site collections.    This provides you with the ability to secure content on specific site collections that you do not want to be shared.

  • The ability to share sites and documents with authenticated users.    Authenticated users are those who are invited to sign in by using a Microsoft account* or a work account.

  • The ability to share sites and documents with guest users.    Guest users, also called anonymous users, don’t need a Microsoft account* or a work account to access your sites and documents. They access via guest links that you or your employees give to them.

Note: Only one person may log in to access your site or document using an invitation you send. However, the person who gets your invitation may decide to not use it, and instead forward the invitation to someone else who can then log in using their Microsoft account or work account to access the site or document.

Important: *Microsoft accounts such as Outlook.com and Hotmail.com, are provided by Microsoft Corporation and are subject to Microsoft’s terms and conditions and privacy statements. The use of these accounts may result in customer data being transferred, stored and/or processed in the United States or any other country where Microsoft, its affiliates or service providers maintain facilities.

What is an external user?

An external user is someone outside of your organization who can access your SharePoint Online sites and documents but does not have a license for your SharePoint Online or Office 365 operated by 21Vianet subscription. External users are not employees, contractors, or onsite agents for you or your affiliates.

External users inherit the use rights of the SharePoint Online customer who is inviting them to collaborate. That is, if an organization purchases an E3 Enterprise plan, and builds a site that uses enterprise features, the external user is granted rights to use and/or view the enterprise features within the site collection they are invited to. While external users can be invited as extended project members to perform a full range of actions on a site, they will not have the exact same capabilities as a full, paid, licensed member within your organization. The limitations are described in the table below.

External users can…

External users can’t…

Use Office Online for viewing and editing documents. If your plan includes Office Pro Plus, they will not have the licenses to install the desktop version of Office on their own computers.

Create their own personal sites (what used to be referred to as My Sites), edit their profile, change their photo, or see aggregated tasks. External users don’t get their own OneDrive for Business document library.

Perform tasks on a site consistent with the permission level that they are assigned. For example, if you add an external user to the Members group, they will have Edit permissions and they will be able to add, edit and delete lists; they will also be able to view, add, update and delete list items and documents.

Be an administrator for a site collection (except in scenarios where you’ve hired a partner to help manage Office 365. You can designate an external user as a designer for your Public Website.

See other types of content on sites. For example, they can navigate to different subsites within the site collection to which they were invited. They will also be able to do things like view site feeds.

See the company-wide newsfeed

Add storage to the overall tenant storage pool

Access the Search Center or execute searches against “everything.” Other search features that may not be available include: Advanced Content Processing, continuous crawls, and refiners.

Access site mailboxes

Use eDiscovery. This requires an Exchange Online license.

Deciding how to share

External sharing is turned off by default for your entire SharePoint Online environment (sometimes referred to as a tenant) and the site collections in it, but you may turn it on to enable external sharing.

You have a lot of flexibility when enabling external sharing so you’ll want to spend some time considering your options. For example, you can enable sharing across the tenant, which gives all users the ability to share. You can limit sharing to certain site collections so only those site collection administrators and administrators of sites within those collections can invite external users. You can also limit the ability to share sites and documents to a select group of users.

When considering if and how you want to share content externally, think about the following:

  • To whom do you want to grant access to content on your team site and any subsites, and what do you want them to be able to do?

  • To whom in your organization do you want to grant permission to share content externally?

  • Is there content you want to ensure is never available to be viewed by people external to your organization?

The answers to these questions will help you plan your strategy for content sharing.

Try this:

If you need to:

Share a site

If you want to share a site, but you also want to restrict external users from gaining access to some of your organization’s internal content, consider creating a subsite with unique permissions that you use exclusively for the purpose of external sharing. Similarly, if you want to share a subsite that you’ve created on your OneDrive for Business location, you might want to ensure that it also has unique permissions so that you do not accidentally grant users permission to additional sites or content on your OneDrive for Business site.

SharePoint uses a permissions inheritance model where new sites automatically inherit permissions from their parent sites. By assigning unique permissions to subsites you are “breaking” the inheritance chain. To learn more about permissions, see Introduction: Control user access with permissions

Provide someone outside your organization with ongoing access to information and content on a site. They need the ability to perform like a full user of your site and create, edit, and view content.

Share a document and require sign-in.

Provide one or several people outside your organization with secure access to a specific document for review or collaboration, but these people do not require ongoing access to other content on your internal site.

Share a document, but don’t require sign-in.

Share a link to a non-sensitive or non-confidential document with people outside your organization so that they can either view it or update it with feedback. These people do not require ongoing access to content on your internal site.

Note that if you share documents using anonymous guest links, then it’s possible for invitation recipients to share those guest links with others who could use them to view content.

You should include planning for external sharing as part of your overall permissions planning for SharePoint Online. In general, it’s a best practice to operate on the “principle of least privilege” and grant external users minimal and limited access to your environment. You may even want to create a special permissions group to which external users are assigned when they receive invitations. You should also consider segmenting your content by security levels, so that sensitive content is centrally located and can be tightly secured. If you anticipate an ongoing need to have external users log in to your site and perform specific tasks consider creating a site collection that is dedicated to the purpose of external sharing. This way, you can allow external users access to specific content without opening up your entire environment to them.

Top of Page

Turn external sharing on or off for a SharePoint Online environment (tenant)

You must be a SharePoint Online administrator to configure external sharing.

  1. From the SharePoint admin center, click settings.

  2. In the External sharing section do one of the following:

If you want to:

Select this option:

For this result:

Prevent all users on all sites from sharing sites or content with external users.

Don’t allow sharing outside your organization

  • Users will not be able to share sites or content with users who do not have licenses to your Office 365 subscription.

  • External sharing cannot be turned on for any individual site collections.

Require external users who have received invitations to view sites or content to sign-in with a Microsoft account before they can access the content.

Allow external users who accept sharing invitations and sign in as authenticated users

  • Site owners or others with full control permission can share sites with external users.

  • All external users will be required to sign in before they can view content.

  • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.

Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to be able to share documents through the use of anonymous guest links, which do not require invited recipients to sign in.

Allow both external users who accept sharing invitations and guest links

  • Site owners or others with full control permissions can share sites with external users.

  • All external users will be required to sign in before they can view content on a site that has been shared.

  • Site owners or others with full control permissions can share documents and opt to require sign-in, or send an anonymous guest link for documents.

  • When site users share a document, they can grant external users either view or edit permissions to the document.

  • External users who receive anonymous guest links can view or edit that content without signing in.

  • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.

Notes: 

  • If you turn on external sharing for your entire environment, then turn it off, and later turn it back on, external users who previously had access to content or documents on sites will regain access to them. If you know that external sharing was previously turned on and in use for specific site collections and you do not want external users to be able to regain access if external sharing is ever turned on again globally, we recommend that you first turn off external sharing for those specific site collections.

  • When you turn off external sharing at the site collection level, all previous external user permissions for that site collection will be permanently deleted.

  • If you disable external access, or limit external access to a more restrictive form, previous external users will typically lose access within one hour of the change.

Top of Page

Turn external sharing on or off for individual site collections

You must be a SharePoint Online admin to configure external sharing for individual site collections. Site collection administrators are not allowed to change external sharing configurations.

  1. From the SharePoint admin center, click site collections.

  2. Check the box next to those site collections whose sharing settings you want to turn on or off.

  3. In the ribbon, click Sharing.

    ribbon from SharePoint Online admin center with Sharing button highlighted

  4. Do one of the following:

If you want to:

Select this option:

For this result:

Prevent all users on all sites from sharing sites or sharing content on sites with external users.

Don’t allow sharing outside your organization

  • Users will not be able to share sites or content in this site collection with users who do not have licenses to your Office 365 subscription.

  • If sharing was previously turned on for this site collection, any external users who were invited to sign-in and view content on sites in this site collection will be permanently deleted.

  • If you ever plan to turn on external sharing for this site collection again, these external users would need to be re-invited.

Require external users who have received invitations to view sites or content to sign-in with a Microsoft account before they can access the content.

Allow external users who accept sharing invitations and sign in as authenticated users

  • Site owners or others with full control permission can share sites with external users.

  • Site owners or others with full control permissions on a site can share documents with external users by requiring sign-in.

  • All external users will be required to sign in before they can view content.

  • Invitations to view content can be redeemed only once. After an invitation has been accepted, it cannot be shared or used by others to gain access.

Allow site users to share sites with people who sign in as authenticated users, but you also want to allow site users to share documents through the use of anonymous guest links, which do not require invited recipients to sign in.

Allow both external users who accept sharing invitations and guest links

  • Site owners or others with full control permissions can share sites with external users.

  • All external users will be required to sign in before they can view content on a site that has been shared.

  • Site owners or others with full control permissions can also share documents externally opt to require sign-in, or send an anonymous guest link for documents.

  • When users share a document, they can grant external users either view or edit permissions to the document.

  • External users who receive anonymous guest links can view or edit that content without signing in.

  • Anonymous guest links could potentially be forwarded or shared with other people, who might also be able to view or edit the content without signing in.

Notes: 

  • When external sharing is turned off for the entire SharePoint Online environment, you will not be able to turn it on for specific site collections.

  • The external sharing settings for individual site collections cannot be less restrictive than whatever is allowed for the entire SharePoint Online environment, but these settings can be more restrictive. For example, if external sharing is turned on for the entire SharePoint Online environment, but it is limited to allowing only authenticated users, then that will be the only kind of external sharing you can allow in a specific site collection. If external sharing through both sign-in and anonymous guest links is allowed for the entire SharePoint Online environment, you can opt to turn off external sharing entirely for a specific site collection or you can limit external sharing to authenticated users (no guest links).

  • When external sharing is turned off globally in the SharePoint Online Admin center, any shared links will stop working. If the feature is later reactivated, these links will resume working. It is also possible to disable individual links that have been shared if you want to permanently revoke access to a specific document.

  • If you change the external sharing settings for the My Site site collection, these changes will also apply to any existing or newly created personal sites (formerly called My Sites).

  • Sharing settings on the –my site site collection will apply to the OneDrive for Business sites for all users of the organization. You cannot selectively manage sharing for a particular user’s OneDrive for Business site.

Top of Page

View external sharing settings for site collections

To quickly view the external sharing settings for a group of site collections:

  1. From the SharePoint admin center, click site collections.

  2. Check the box next to those site collections whose sharing settings you want to check.

  3. In the ribbon, click Sharing.

  4. Scroll through the list of URLs to see sharing settings for each site collection.

    sharing dialog showing settings for two site collections

Top of Page

Manage external user accounts and invitations

Once external sharing has been enabled for the tenant and/or site collection and sharing permissions established, authorized users can send invitations, create guest links, and revoke access, and so on. For complete instructions, see Share sites or documents with people outside your organization.

Notes: 

  • There is no way to see a list of all the sites or all documents to which an external user has access. You need to go to the individual sites to determine whether a specific user has access to it.

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×