External sharing is switched on by default for entire sharepoint enviornment and all the sites. Users can share the documents with third party vendors, customers or any external domain. Therefore, its a good security practice to disable External sharing globally and then later enable it when you are ready and process of external sharing is documented for the end users.
If you have confidential information stored in a site that should never be shared to anyone outside your organization, you should set the external sharing to off for that site.
There are two places from where external sharing setting can be controlled. First one is Organization level which is also sometimes called as tenant level and second place is at the Site level also sometimes called as site collection level.
To allow external sharing on any site, organization level sharing must be enabled. If site’s external sharing option is different from organization-level sharing option then most restrictive setting will be applied.
- Disable External Sharing at Organizational Level
- Disable External Sharing at Sharepoint Site Level
- More External sharing settings
- Disable External sharing in Sharepoint online at Organization level using Powershell
- Disable External sharing in Sharepoint online at Site level using Powershell
- Conclusion
Disable External Sharing at Organizational Level
To disable external sharing at organizational level, follow below steps:
- Login on Sharepoint online as Global Administrator or Sharepoint administrator permission.
- From the left hand side pane, Select Policies -> Sharing.
- Drag the bar to the bottom to select Least permissive permission (Only people in your organization).
- Click on Save button at the bottom of the page to save the change.
Please note that Onedrive setting can be more restrictive than sharepoint setting but not more permissive.
Disable External Sharing at Sharepoint Site Level
If you have already disabled External sharing at sharepoint organization level then it will be automatically disabled for all sharepoint sites as well. There is no way to allow external sharing at site level once organization level setting has been disabled or selected at Least permissive level (Only people in your organization).
If you have set the organization level setting to most permissive or default setting then you can control external sharing at individual site level. Please note when you create a sharepoint site, the default setting at the site level is “New and Existing guests“.
Default External sharing setting at Site level
As you can see from below screenshot, the default external sharing setting is “New and existing guests“. This will require people who have got the invitation to sign in with their work or school account or Microsoft account or provide a code to verify their identity.
Disable External sharing setting at Site level
You can easily disable external sharing setting at sharepoint site level. Please follow below steps:
- Login on Sharepoint Online admin center using global administrator or sharepoint administrator permission.
- Click on Sites and then Active Sites from the left hand side pane.
- Select the Site for which you want to manage external sharing.
- Click on Sharing option from the top menu.
- From External sharing select “Only people in your organization” to disable external sharing on the sharepoint site level.
More External sharing settings
You can manage more external sharing settings by following below steps:
You will be able to control more external sharing settings from here if you decide to keep the external sharing enabled at organization level. However, more external sharing settings options will be disabled if external sharing is disabled at organizational level.
- Login on sharepoint online admin center using global administrator or sharepoint administrator permission.
- Go to Policies and then click on Sharing.
- From External Sharing sections under the sharepoint and Onedrive setting, you can click on More external sharing settings drop down.
- Its highly recommended to disable or uncheck the setting “Allow guests to share items they down own” to control the level of external sharing.
Disable External sharing in Sharepoint online at Organization level using Powershell
There are two powershell cmdlets which will disable external sharing in sharepoint online. You can use either one to acheive your goal. First one is Set-SPOTenant and second one is Set-PnPTenant. Before you run any of these commands you will need to make sure that Sharepoint online management shell is installed on your computer.
Install Sharepoint online management shell
You can either Download and Install sharepoint online management shell tool from microsoft website or you can use powershell console to Install sharepoint powershell module directly. Let’s check how to install sharepoint powershell module from powershell console.
Check to confirm Sharepoint online powershell module is already Installed on your computer.
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,VersionInstall Sharepoint online management shell using below powershell command from Powershell console (opened as administrator).
Install-Module -Name Microsoft.Online.SharePoint.PowerShellInstall Sharepoint online management shell using below powershell command from Powershell console (opened as normal user).
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUserUsing Set-SPOTenant
Now once you have installed sharepoint online powershell module, you will be able to run powershell commands / cmdlets to disable sharepoint external sharing.
- Connect to sharepoint online
Get the admin url of your sharepoint organization. You can find the url from the browser address bar of sharepoint admin portal. For my organization, its https://mylab000-admin.sharepoint.com.
#Connect to sharepoint online
Connect-SPOService -Url https://mylab000-admin.sharepoint.com -Credential spoadmin@techpress.net- Check the current external sharing capability at organization level using
Get-SPOtenantcommand.
- Use
Set-SPOTenantcommand to disable external sharing at Organization level.
#Disable External Sharing at Org Level
Set-SPOTenant -SharingCapability Disabled
- Verify if the External sharing capability has been disabled at organization level.
- Login on Sharepoint online as Global Administrator or Sharepoint administrator permission.
- From the left hand side pane, Select Policies -> Sharing.
- After successfully executing command
Set-SPOTenant -SharingCapability Disabled. You will find that both the bars for sharepoint and onedrive are set to Least permissive.
Using Set-PnPTenant
You can also use Set-PnPTenant command to disable external sharing. The steps are mostly similar to what has been performed while using Set-SPOTenant command. First get the admin URL of the sharepoint site and then use it to connect to sharepoint online using Connect-PnPOnline.
Please make sure that sharepoint online management shell is installed on your computer and you have either global administrator or sharepoint administrator permissions before running below commands:
#Connect to Sharepoint Online
Connect-PnPOnline -Url "https://mylab000-admin.sharepoint.com" -Interactive#Disable External Sharing at Org Level
Set-PnPTenant -SharingCapability DisabledDisable External sharing in Sharepoint online at Site level using Powershell
If you have allowed external sharing at organizational level then you can control the external sharing at individual site level. Let’s see how to disable External sharing in sharepoint online at site level using powershell.
There are two powershell commands / cmdlets available Set-SPOSite and Set-PnPTenantSite. You can use either of the two commands or methods to manage site level external sharing settings.
Please make sure that sharepoint online management shell is installed on your computer and you have either global administrator or sharepoint administrator permissions before running below commands.
- Get the admin URL of sharepoint organization
- Get the site URL for which you want to manage the external sharing
- Connect to Sharepoint using either
Connect-SPOServiceorConnect-PnPOnlinecmdlets. - Run either
Set-SPOSiteorSet-PnPTenantsiteto disable external sharing.
Using Set-SPOSite
#Connect to Sharepoint Online
Connect-SPOService -url https://mylab000-admin.sharepoint.com -Credential (Get-Credential)
#Set External Sharing to disabled at Site Level
Set-SPOSite -Identity https://mylab000.sharepoint.com/sites/Finance -SharingCapability Disabled
#To Check External Sharing at Site Level
get-sposite -Identity https://mylab000.sharepoint.com/sites/Finance | fl Sharingcapability
Using Set-PnPTenantsite
#Connect to Sharepoint Online
Connect-PnPOnline -url https://mylab000-admin.sharepoint.com -Interactive
#Set External Sharing to disabled at Site Level
Set-PnPTenantSite -Identity https://mylab000.sharepoint.com/sites/Finance -SharingCapability Disabled
#To Check External Sharing at Site Level
Get-PnPTenantSite -Identity https://mylab000.sharepoint.com/sites/Finance | fl SharingcapabilityConclusion
In this blog post, we have seen how to manage external sharing setting in sharepoint online. To improve the security posture of your sharepoint organization, you need to control the external sharing of documents or sharepoint sites by end users. If no one in your company is going to share any documents externally then disabling external sharing is the best decision and will greatly increase security of your sharepoint online organization.
