Securing a SharePoint Online extranet site

Depending on your business needs, there are different approaches you can take to secure and restrict access to your SharePoint Online B2B extranet site. In SharePoint Online, you can control how and if invitations are sent to external users. These settings can be set at the tenant level, globally controlling all sites. Some settings can also be set at the individual site collection level, allowing you tailor the settings based on the unique requirements for your partner relationship while keeping control on sites intended for internal corporate use only.

For information about how to configure the sharing settings discussed in this article, see Manage external sharing for your SharePoint Online environment.

Important: Any tenant-level sharing settings that you configure also affect OneDrive for Business.

Restricting sharing in SharePoint site collections

The following table shows a series of options for sharing SharePoint site collections. Option 1 is the most restrictive, with external sharing turned off entirely, and option 6 is the least restrictive, with users able to access content by using anonymous links.

Options 2 thru 5 are the primary options for use in configuring a B2B extranet site. Option 2 restricts sharing to only those external users who are already in your Office 365 directory, while options 3 and 4 use domain filtering to allow or deny sharing with specified email domains. Option 5 requires external users to authenticate, but doesn't otherwise restrict external sharing.

With any of these options, you can also choose to require that sharing invitations be sent only by the site owner.

1

2

3

4

5

6

Sharing setting   

Don't allow sharing outside your organization

Allow sharing only with the external users that already exist in your organization's directory

Allow users to invite and share with authenticated external users

Allow users to invite and share with authenticated external users

Allow users to invite and share with authenticated external users

Allow sharing to authenticated external users and using anonymous access links

Domain filtering (allow/deny list)   

N/A

N/A

Allow list

Deny list

None

None

Notes   

No external sharing – used for intranet sites.

Sharing only allowed with existing users in the directory

Sharing only allowed with users who are from the specified Microsoft-hosted domains.

Sharing allowed with users who are from all but the specified domains.

Sharing allowed with users who are from all Microsoft-hosted domains.

No restrictions on sharing.

Most restricted

Least restricted

The following sections look more closely at these options.

Restrict sharing only to existing guests in the directory

In option 2, the sharing setting Allow sharing only with the external users that already exist in your organization's directory allows sharing only with existing users in your Office 365 directory. This turns off the user-based invitations approach within SharePoint Online.

If you're partnering with another organization that uses Office 365 or has an Azure AD, you can import users from their tenant into your tenant, and then grant them access to your extranet site. For complete instructions, see Create an extranet site for external Azure AD users.

Sharing with authenticated users

Options 3, 4, and 5 all use the Allow external users who accept sharing invitations and sign in as authenticated users sharing option for the site collection. With this option, the site can be shared with any account that can authenticate through a Microsoft-hosted domain (such as Outlook.com or any Office 365 or Azure AD tenant).

Options 4 and 5 use domain filtering:

  • Allow list    - Allows sharing invitations to be sent only to those domains listed. This is the best way to narrow down the scope of who can be invited to a site.

  • Deny list    - Allows sharing invitations to be sent to any domain except those listed.

To set up domain filtering, see Restricted Domains Sharing in Office 365 SharePoint Online and OneDrive for Business.

Controlling who can add users to a site

An important feature to consider in your access security is controlling who can share a site with new users. To tightly control a high business impact site collection, you can allow only the site owner the ability to invite new users.

Owner-only sharing can be used with any of the sharing options in the table above to help control access to your extranet site.

To configure this option, on the Sharing tab at the site collection level, select Turn off sharing for non-members in all sites in the site collection   

Warning: This is a one-way switch. You cannot reenable sharing permissions for non-site owners.

See Also

Onboarding to SharePoint Hybrid Extranet Sites

Extranet for Partners with Office 365

Restricted Domains Sharing in O365 SharePoint Online and OneDrive for Business

Set-SPOSite

Set-SPOTenant

Share Facebook Facebook Twitter Twitter Email Email

Was this information helpful?

Great! Any other feedback?

How can we improve it?

Thank you for your feedback!

×