External sharing is switched on by default for the entire SharePoint environment and all sites. Users can share documents with third-party vendors, customers, or any external domain. Therefore, it’s a good security practice to disable external sharing globally and then later enable it when you are ready, ensuring the process of external sharing is documented for end-users.
If you have confidential information stored on a site that should never be shared with anyone outside your organization, you should set external sharing to ‘Off‘ for that site.
There are two places from which external sharing settings can be controlled. The first one is at the Organization level, sometimes referred to as the tenant level, and the second place is at the Site level, also known as the Site collection level.
Please note that if the external sharing option at the site level differs from the organization-level setting, the more restrictive option will be applied. However, if external sharing is disabled at the organizational level, then you cannot enable external sharing at the site level.
Table of Contents
1. Disable External Sharing at the Organizational Level
To disable external sharing at the organizational level, follow these steps:
- Log in to SharePoint Online:
- Use the credentials of a Global Administrator or an account with SharePoint administrator permissions.
- Navigate to Sharing Policies:
- From the left-hand side pane, select “Policies” and then choose “Sharing”.
- Adjust Permission Settings:
- Drag the bar to the bottom to select “Least permissive permission” (Only people in your organization).
- Save Changes:
- Click on the “Save” button at the bottom of the page to save the changes.
OneDrive settings can be more restrictive than SharePoint settings but not more permissive.
Note
2. Disable External Sharing at the Sharepoint Site Level
If external sharing is already disabled at the SharePoint organization level, it will automatically be disabled for all SharePoint sites as well. Once the organization level setting is disabled or set to the least permissive level (Only people in your organization), there is no way to allow external sharing at the site level.
If you have set the organization level setting to the most permissive or default setting, you can control external sharing at the individual site level. Please note that when you create a SharePoint site, the default setting at the site level is ‘New and Existing guests‘.
What’s the default External sharing setting at the Site level?
As shown in the screenshot below, the default external sharing setting is ‘New and existing guests‘. This requires individuals who receive invitations to sign in with their work or school account, or Microsoft account, or provide a code to verify their identity.
Disable External sharing setting at the Site level
You can easily disable the external sharing setting at the SharePoint site level. Please follow the steps below:
- Log in to SharePoint Online Admin Center:
- Access the SharePoint Online Admin Center using global administrator or SharePoint administrator permissions.
- Navigate to Active Sites:
- Click on “Sites” and then select “Active Sites” from the left-hand side pane.
- Select the Site:
- Choose the specific site for which you want to manage external sharing.
- Access Sharing Options:
- Click on the “Sharing” option from the top menu.
- Disable External Sharing:
- Under “External Sharing”, choose “Only people in your organization” to disable external sharing at the SharePoint site level.
More External Sharing Settings
If you decide to keep external sharing enabled at the organizational level, you will have more control over external sharing settings from this interface. However, please note that if external sharing is disabled at the organizational level, some external sharing settings options will be disabled.
- Log in to SharePoint Online Admin Center:
- Access the SharePoint Online Admin Center using global administrator or SharePoint administrator permissions.
- Navigate to Policies and Sharing:
- Go to “Policies” and then click on “Sharing”.
- Access External Sharing Settings:
- In the External Sharing section, under SharePoint and OneDrive settings, click on the dropdown for “More external sharing settings”.
- Adjust Sharing Control:
- It is highly recommended to disable or uncheck the setting “Allow guests to share items they do not own” to have control over the level of external sharing.
How to disable External Sharing using Powershell?
You can also use Powershell to disable External Sharing in Sharepoint Online. This can be done at the Organization level and also at Site Level.
Disable External Sharing at Organization Level using Powershell
Two PowerShell cmdlets can be used to disable external sharing in SharePoint Online: Set-SPOTenant and Set-PnPTenant. You can use either of them to achieve your goal. Before running any of these commands, ensure that the SharePoint Online Management Shell is installed on your computer.
1. Install Sharepoint Online Management Shell
You can either download the SharePoint Online Management Shell tool from the Microsoft website and Install it on your device, or you can use the PowerShell console to install the SharePoint PowerShell module directly. Let’s explore how to install the SharePoint PowerShell module from the PowerShell console.
- First, check and confirm if the SharePoint Online PowerShell module is already installed on your computer. If it’s not already installed, proceed to the next step to Install it.
Confirm if Sharepoint Online Powershell Module is already Installed
Get-Module -Name Microsoft.Online.SharePoint.PowerShell -ListAvailable | Select Name,Version- Install SharePoint Online Management Shell using the following PowerShell command in the PowerShell console (opened as an administrator).
Install Sharepoint Online Powershell module
Install-Module -Name Microsoft.Online.SharePoint.PowerShellIf you are unable to open the PowerShell console as an administrator, install SharePoint Online Management Shell using the following PowerShell command on a non-administrator Powershell console.
Install Sharepoint Online Powershell module (CurrentUser Scope)
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser2. Use Set-SPOTenant cmdlet to disable External Sharing
Now that you have installed the SharePoint Online PowerShell module, you can run PowerShell commands/cmdlets to disable SharePoint external sharing.
- Get Sharepoint Online Admin URL
- Retrieve the admin URL of your SharePoint organization. You can find the URL in the browser’s address bar of the SharePoint admin portal. For my organization, it’s https://mylab000-admin.sharepoint.com.
- Connect to Sharepoint Online
- Use the following commands to Connect to SharePoint online. Replace the URL with your organization’s Sharepoint Admin URL.
Connect to Sharepoint Online
Connect-SPOService -Url https://mylab000-admin.sharepoint.com -Credential [email protected]- Check the Current External Sharing Capability
- Check and confirm the current External sharing capability at the organizational level using
Get-SPOtenantcmdlet.
- Check and confirm the current External sharing capability at the organizational level using
- Disable External sharing at the Organizational level
- Use a Powershell cmdlet Set-SPOTenant to disable External Sharing at the Organizational level.
Disable External Sharing at Organizational Level
Set-SPOTenant -SharingCapability Disabled
- Verify if the External sharing capability has been disabled
- Log in to SharePoint Online:
- Use the credentials of a Global Administrator or a user with SharePoint administrator permissions.
- Access Sharing Policies:
- From the left-hand side pane, select “Policies” and then choose “Sharing“.
- Execute PowerShell Command:
- After successfully executing the command
Set-SPOTenant -SharingCapability Disabled.
- After successfully executing the command
- Observe Settings:
- You will find that both the bars for SharePoint and OneDrive are set to ‘Least permissive’.
- Log in to SharePoint Online:
Alternative Cmdlet to Disable External Sharing at the Organizational Level
You can also use the Set-PnPTenant command to disable external sharing. The steps are mostly similar to what has been performed while using the Set-SPOTenant command. First, get the admin URL of the SharePoint site and then use it to connect to SharePoint Online using Connect-PnPOnline.
Before running the commands below, please ensure that the SharePoint Online Management Shell is installed on your computer, and you have either global administrator or SharePoint administrator permissions.
We have already covered the steps to install SharePoint Online Management Shell earlier. Please refer to the previous sections of the blog post. After you have installed Sharepoint Online Management shell, execute following command to connect to the Sharepoint Online using Connect-PnPOnline.
Connect to Sharepoint Online
Connect-PnPOnline -Url "https://mylab000-admin.sharepoint.com" -InteractiveNow, We will disable External Sharing at Organization level using Set-PnPTenant cmdlet.
Disable External Sharing at Organizational Level
Set-PnPTenant -SharingCapability DisabledDisable External Sharing at Site Level using Powershell
If you have allowed external sharing at the organizational level, you can control external sharing at the individual site level. Let’s see how to disable external sharing in SharePoint Online at the site level using PowerShell.
There are two PowerShell commands/cmdlets available: Set-SPOSite and Set-PnPTenantSite. You can use either of these commands/methods to manage site-level external sharing settings.
Please ensure that the SharePoint Online Management Shell is installed on your computer and that you have either global administrator or SharePoint administrator permissions before executing the commands below.
- Obtain the admin URL of the SharePoint organization.
- Retrieve the site URL for the specific site you intend to manage external sharing for.
- Connect to SharePoint using either the
Connect-SPOServiceorConnect-PnPOnlinecmdlets. - Execute either
Set-SPOSiteorSet-PnPTenantsiteto disable external sharing.
Disable External Sharing at the Site Level Using Set-SPOSite
Use the commands below to disable External Sharing at the SharePoint Site level. I am using an example SharePoint site called https://mylab000.sharepoint.com/sites/Finance. You can replace this URL with your organization’s Site URL on which you want to disable External sharing.
Connect to Sharepoint Online
Connect-SPOService -url https://mylab000-admin.sharepoint.com -Credential (Get-Credential)Disable External Sharing at Site Level
Set-SPOSite -Identity https://mylab000.sharepoint.com/sites/Finance -SharingCapability DisabledVerify if External Sharing has been disabled
get-sposite -Identity https://mylab000.sharepoint.com/sites/Finance | fl Sharingcapability
Disable External Sharing at the Site Level Using Set-PnPTenantsite
This is an alternative cmdlet that can be used to disable External Sharing at the Site Level. This utilizes the Set-PnPTenantSite cmdlet. Replace the example Site URL with your organization’s Site URL on which you want to disable External sharing. Let’s check the commands.
Alternative way to Disable External Sharing at the Site Level using Set-PnPTenantSite
#Connect to Sharepoint Online
Connect-PnPOnline -url https://mylab000-admin.sharepoint.com -Interactive
#Set External Sharing to disabled at Site Level
Set-PnPTenantSite -Identity https://mylab000.sharepoint.com/sites/Finance -SharingCapability Disabled
#To Check External Sharing at Site Level
Get-PnPTenantSite -Identity https://mylab000.sharepoint.com/sites/Finance | fl SharingcapabilityConclusion
In this blog post, we have explored how to manage external sharing settings in SharePoint Online. To enhance the security posture of your SharePoint organization, it is crucial to regulate the external sharing of documents or SharePoint sites by end-users.
If there is no intention for anyone in your company to share documents externally, then disabling external sharing is the optimal decision. This measure significantly enhances the security of your SharePoint Online organization.
