External sharing and guest access under control
Collaborate with clients and partners without leaking data. Govern external sharing and guest access across SharePoint, OneDrive and Teams.
Collaborating with people outside the company — clients, suppliers, partners, auditors — is a real need. The problem appears when that sharing happens without control: "anyone" links scattered over email, forgotten guests with access to confidential folders, sensitive documents one click from leaking. Governing external sharing in SharePoint Online, OneDrive and Teams is about balancing fluid collaboration with data protection.
The external sharing levels
SharePoint Online offers four levels, from most open to most closed, set at the organization level and adjustable per site:
| Level | Meaning |
|---|---|
| Anyone | Anonymous links, no sign-in (riskiest) |
| New and existing guests | Externals must authenticate |
| Existing guests | Only those already in the directory |
| Only people in the org | No external sharing |
The recommendation for most companies is new and existing guests: it allows collaborating with externals but requires them to authenticate, giving traceability and control. "Anyone" links should be avoided or limited to very specific scenarios with short expiration.
Governance per site, not just global
A common mistake is treating external sharing as a single switch for the whole company. The right way is granular:
- Client-collaboration sites can allow guests.
- HR, legal and finance sites should be internal only.
- Purview sensitivity labels can enforce these rules automatically: a site marked Confidential blocks guests, regardless of the global setting.
Guest lifecycle
A guest who comes in must, one day, go out. Without that, the access list becomes a security liability. Essential tools:
- Access reviews (Entra ID Governance) — periodically, an owner confirms each guest still needs access; anyone not confirmed is removed.
- Guest access expiration — invitations that lapse automatically after a period.
- Guest reports — a view of who has access to what.
Links: types and best practices
When sharing a file, the link type matters:
- Specific people — only those you name can open it. The safest default.
- People in the organization — any internal employee.
- Anyone with the link — anonymous; use sparingly and always with expiration and, where possible, a password.
Setting "specific people" as the sharing default drastically reduces the risk of accidental leaks.
Data loss prevention (DLP)
Beyond access control, Purview DLP inspects the content. It can:
- Prevent external sharing of documents containing tax IDs, credit cards or classified data.
- Show educational warnings to the user at the moment of action.
- Generate reports of inappropriate sharing attempts.
Modern B2B collaboration
Entra External ID (B2B collaboration) is the engine that manages external identities. It lets you apply Conditional Access to guests — requiring MFA, for example — and integrates with cross-tenant access policies, controlling which other organizations your company can collaborate with.
External sharing checklist
- Set the sharing level per organization and per site.
- Default link type to "specific people."
- Block guests on sensitive sites via labels.
- Enable access reviews and guest expiration.
- Apply DLP for sensitive content.
- Require MFA for guests via Conditional Access.
- Review sharing reports periodically.
Key takeaways
- Choose the external sharing level per site, not just globally.
- Prefer "guests who authenticate" and avoid anonymous links without expiration.
- Use access reviews and expiration to close the guest lifecycle.
- Sensitivity labels and DLP protect confidential content automatically.
- Require MFA for guests and control cross-tenant collaboration.
As a Microsoft Solutions Partner, RHC structures external sharing and guest governance policies in Microsoft 365, balancing collaboration with clients and partners against the protection of sensitive data.
Frequently asked questions
Read next
Ready to do more with Microsoft?
Talk to an expert and discover how to optimize licensing, security and productivity.