By default, external sharing is enabled in SharePoint Online, allowing users to share documents and content with individuals outside the organization, such as third-party vendors, customers, or users from other domains.
To protect sensitive information stored in SharePoint sites, organizations can choose to disable external sharing. This setting can be managed at both the tenant (organization-wide) level and the Site collection level.
If external sharing is disabled at the tenant level, it cannot be enabled for specific site collections. However, if external sharing is allowed at the tenant level, you can control external sharing permissions on a per-site collection basis.
You need SharePoint admin rights to configure external sharing settings for individual site collections.
External sharing settings for individual site collections cannot be less restrictive than the organization-wide (tenant) settings, but they can be more restrictive. This rule also applies to external sharing settings for OneDrive for Business sites.
If you disable external sharing at the tenant level, any shared links will immediately stop working. If you re-enable it, the shared links will become active again. You also have the option to selectively disable specific links shared with external users.
Note
Contents
Disable External Sharing at Tenant Level
- Sign in to the SharePoint Online admin center > Policies > Sharing.
- Drag the External sharing slider bar to the bottom to select Only people in your organization, which will disable External sharing for all Sharepoint sites in your organization.
- Click Save to save the changes.
OneDrive content sharing settings can be more restrictive than SharePoint settings but not more permissive.
Note
Disable External Sharing at Site Level
If external sharing is disabled at the SharePoint tenant (organization) level, it will automatically be disabled for all SharePoint sites. Once the organization-level setting is turned off or set to the least permissive option (Only people in your organization), it is not possible to enable external sharing at the site level.
However, if the organization-level setting is configured to the most permissive (default) option, you can control external sharing at each site individually. With this permissive setting, When you create a new Sharepoint site, New and Existing guests permission is set as default, which can be changed to other External sharing settings (as shown in below screenshot).
Disable External sharing setting at the Site level
- Sign in to the SharePoint Online admin center > Sites > Active sites.
- Select the site and click on Sharing.
- Select Only people in your organization setting to disable External sharing at the site level.
Disable External Sharing at Tenant Level using PowerShell
You can use Set-SPOTenant or Set-PnPTenantSite cmdlets to disable External sharing at tenant level. These cmdlets are available in Sharepoint Online PowerShell module. You can download and install SharePoint Online Management Shell on your computer or use Install-Module cmdlet to install it directly from PowerShell console.
Check if Sharepoint Online PowerShell Module is Installed
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,VersionInstall Sharepoint Online PowerShell module
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force -AllowClobberIf you are unable to open the PowerShell console as an administrator, install SharePoint Online Management Shell using the following PowerShell command on a non-administrator PowerShell console.
Install Sharepoint Online PowerShell module (If you are not an administrator)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force -AllowClobber -Scope CurrentUserGet Sharepoint online admin URL. You can find the URL in the browser’s address bar of the SharePoint admin portal.
Connect to Sharepoint Online
Connect-SPOService -url <sharepoint site admin URL>
Example:
Connect-SPOService -url https://mylab000-admin.sharepoint.com Check the Current External Sharing Capability
Get-SPOtenant | fl sharingcapability
Disable External Sharing at tenant/organizational level
Set-SPOTenant -SharingCapability Disabled
Verify if the External sharing capability has been disabled. On SharePoint admin center > Policies > Sharing. You will find that the External sharing scroll bar is set to the least permissive level. External sharing is now disabled.
Disable External Sharing at the Tenant Level using Set-PnPTenantSite
You can also use the Set-PnPTenantSite command to disable external sharing. You will need to Install PnP.PowerShell module.
PnP.Powershell modules no longer works on Powershell 5.1 version. You will need to Install Powershell 7.2 or later version to work with this module. Refer to this link for downloading and Installing Powershell 7.x.
Note
- Open Powershell 7.2 or later console as an administrator and execute below command.
Install PnP.PowerShell module
Install-Module -Name PnP.PowerShell -Force -AllowClobber- For connecting with SharePoint Online using Connect-PnPOnline, you will need to create an app registration in Entra ID and use it to establish a connection. Refer to the Step-by-step guide for more details: Connect to Sharepoint Online using PowerShell and Entra App or use the link Connect using Connect-PnPOnline
Connect to Sharepoint Online
$props= @{
ClientId = "<ClientID>"
CertificatePath = "<CertificatePath>"
CertificatePassword = (ConvertTo-SecureString -AsPlainText "<Password>" -Force)
Url = "https://<SharepointSite URL>"
Tenant = "<Tenant Name>"
}
Connect-PnPOnline @propsDisable External Sharing at tenant Level
Set-PnPTenantSite -SharingCapability DisabledDisable External Sharing at Site Level using PowerShell
If you have allowed external sharing at the tenant/organizational level, you can control external sharing at the individual site level. You can either use Set-SPOSite or Set-PnPTenantSite to manage site-level external sharing settings.
- Ensure that the SharePoint Online PowerShell module is installed. Please refer to the previous section for Installation steps. Once the module is installed, use
Connect-SPOServiceto connect with SharePoint Online.
Connect to Sharepoint Online
Connect-SPOService -url <sharepoint site admin URL>
Example:
Connect-SPOService -url https://mylab000-admin.sharepoint.com Disable External Sharing at Site Level
Set-SPOSite -Identity https://mylab000.sharepoint.com/sites/Finance -SharingCapability DisabledVerify if External Sharing has been disabled
get-sposite -Identity https://mylab000.sharepoint.com/sites/Finance | fl Sharingcapability
Disable External Sharing at the Site Level Using Set-PnPTenantsite
You can also use Set-PnPTenantsite cmdlet to disable External sharing at the site level. Please make sure that you have Installed PnP Powershell module.
Connect to SharePoint Online
$props= @{
ClientId = "<ClientID>"
CertificatePath = "<CertificatePath>"
CertificatePassword = (ConvertTo-SecureString -AsPlainText "<Password>" -Force)
Url = "https://<SharepointSite URL>"
Tenant = "<Tenant Name>"
}
Connect-PnPOnline @propsDisable External Sharing for the given site
#Set External Sharing to disabled at Site Level
Set-PnPTenantSite -Identity https://mylab000.sharepoint.com/sites/Finance -SharingCapability Disabled
#To Check External Sharing at Site Level
Get-PnPTenantSite -Identity https://mylab000.sharepoint.com/sites/Finance | fl SharingcapabilityDisable External Sharing for all SharePoint sites
# Get all SharePoint sites in the tenant
$sites = Get-PnPTenantSite
foreach ($site in $sites) {
Write-Output "Disabling external sharing for site: $($site.Url)"
Set-PnPTenantSite -Identity $site.Url -SharingCapability Disabled
}
Write-Output "External sharing disabled on all sites."Disable External Sharing For a OneDrive Site using PowerShell
You can also disable external sharing for a OneDrive site using PowerShell. You can use the same cmdlets we used before Set-SPOSite or Set-PnPTenantSite for this.
- Ensure the SharePoint Online Powershell module and PnP Powershell module is Installed on your device.
- Get OneDrive Site URL for the user account. To get the list of users with their OneDrive URLs, you can use below Microsoft provided script from the link: OneDrive URLs.
$TenantUrl = Read-Host "Enter the SharePoint admin center URL"
$LogFile = [Environment]::GetFolderPath("Desktop") + "\OneDriveSites.log"
Connect-SPOService -Url $TenantUrl
Get-SPOSite -IncludePersonalSite $true -Limit all -Filter "Url -like '-my.sharepoint.com/personal/'" | Select -ExpandProperty Url | Out-File $LogFile -Force
Write-Host "Done! File saved as $($LogFile)."- Once you get a list of OneDrive URLs, you can connect to SharePoint Online using either
Connect-SPOServiceorConnect-PnPOnlinecmdlets and execute the following commands to disable External sharing for a OneDrive site.
When you are using SharePoint Online PowerShell module
Connect-SPOService -url <sharepoint site admin URL>
Example:
Connect-SPOService -url https://mylab000-admin.sharepoint.com When you are using PnP.PowerShell module [ More Info ]
$props= @{
ClientId = "<ClientID>"
CertificatePath = "<CertificatePath>"
CertificatePassword = (ConvertTo-SecureString -AsPlainText "<Password>" -Force)
Url = "https://<SharepointSite URL>"
Tenant = "<Tenant Name>"
}
Connect-PnPOnline @propsDisable External Sharing for OneDrive site (When you are using SharePoint Online PowerShell module)
$OneDriveSiteURL = "https://techpress-my.sharepoint.com/personal/jatin_makhija_techpress_net"
Set-SPOSite -Identity $OneDriveSiteURL -SharingCapability DisabledDisable External Sharing for OneDrive site (When you are using PnP.PowerShell module)
$OneDriveSiteURL = "https://techpress-my.sharepoint.com/personal/jatin_makhija_techpress_net"
Set-PnPTenantSite -Identity $OneDriveSiteURL -SharingCapability DisabledMore External Sharing Settings
If you decide to keep external sharing enabled at the organizational level, You will be able to manage more external sharing settings.
- Limit external sharing by domain: You can limit sharing documents and contents stored in SharePoint and OneDrive sites with specific domains by either creating an Allow List or Block List.
- Allow List: When you add domains in Allow list, Users will be able to share documents only with those domains in allow list and rest of the domains will be blocked.
- Block List: When you add domains in Block list, Users will be able to share documents only with all External domains except the ones in the block list.
Creating an Allow List using PowerShell
Set-SPOTenant -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "cloudinfra.net"Creating a Block List using PowerShell
Set-SPOTenant -SharingDomainRestrictionMode "BlockList" -SharingBlockedDomainList "cloudinfra.net"
- Allow only users in specific security groups to share externally: You can provide an Entra security group containing users who are allowed to share documents externally.
- Allow guests to share items they don’t own: You can keep this disable for not allowing guests for sharing the documents and content they don’t own.
- Guest access to a site or OneDrive will expire automatically after this many days: Set a value in days to expire External access to the content.
- People who use a verification code must reauthenticate after this many days: You can provide a value in number of days for users to reauthenticate for gaining access to the content.
