Microsoft 365 Blog: Updates & News

How to Enable and Disable External Sharing in Microsoft 365

Written by Valerie Sergienko | Nov 23, 2022 8:00:00 AM

Updated May 2023

External collaboration options in Microsoft 365 are complex, to say the least.

Finding accurate information about adding external users to Teams and other M365 services is difficult. This is due to the various authorization checkpoints and configurations.

We have created a guide to help you configure external collaboration in Microsoft 365. We'll explore the available options and walk you through the process of adding external users to Teams and other collaboration applications.
Download our Microsoft Teams 101 Guide for more insights, best practices, and tips.

What Types of External Collaboration are Available in Microsoft 365?

  1. External Users: People outside your organization who access a shared resource using their own identity, not MS Teams guest access. This is enabled by Azure AD B2B direct connect through an organizational relationship configured by both organizations. 
  2. MS Teams Guest Users: People from outside your organization access shared resources by signing in to a Microsoft Teams Guest account in your directory. MS Teams Guest user account is created when you share a file, folder, or access to the SharePoint site, Microsoft Team.

External Users vs. Guest Users Access 

Below you can find the comparison of experiences available to Guest users and external users in Microsoft 365: 

Image: External collaboration settings in M365

There are great use cases for both types of external collaborators – external users and Guest accounts. We won't go into specifics of guests here, we do suggest reading blogs on guest account permissions and learning about Orchestry's Guest User Management Features. 

 

Business Applications for External Collaboration & MS Teams Guest access?

External sharing and collaboration policies fall under the umbrella of your Microsoft 365 governance. In this blog, we will explain the technical aspects of enabling and disabling external users and sharing in Microsoft 365. Below is a list of business applications used for external collaboration and Microsoft Teams external Guest Access:

  • Collaborating with people in chat:  1-to-1 and group chat in Teams with Teams accounts not managed by your organization.
  • Collaborating with people in meetings: Teams meetings with external users.
  • Collaborating with people on documents: sharing individual files or folders with external users.
  • Collaborating with people as a team: Inviting external users with Teams accounts to collaborate within Microsoft Teams, Groups & SharePoint sites
  • Collaborating with people in shared channels (Azure AD direct connect): External users access shared resources in your organization by using their own Azure AD or Microsoft 365 identity. 

What External Collaboration Options are Enabled in Microsoft 365 by Default?

By default, Microsoft 365 has certain external collaboration options already enabled. Our blog will show you where to find and control these settings: 

Image: External collaboration permissions in M365

These settings are on by default. However, external users won't be able to access your resources or apps unless someone from your organization adds external contact to Teams or other M365 services. You can disable any of these settings if you don’t want to allow that activity in your organization. 

 

Enabling, Configuring & Disabling External Collaboration Options in Microsoft 365

Enabling MS Teams Guest Access & external sharing in Azure AD Amin Center

External collaboration and sharing in Microsoft 365 are governed by the B2B external collaboration settings in Azure AD. If guest-sharing is restricted in Azure AD, it overrides any sharing settings in Microsoft 365. This setting is enabled by default but can be configured or disabled by following the steps below:

To set external collaboration settings:

  • Log in to Azure Active Directory at https://aad.portal.azure.com.
  • In the left navigation pane, click Azure Active Directory.
  • Click External Identities.
  • On the Get Started screen, in the left navigation pane, click External Collaboration settings.
  • Make sure to select either Member users or users assigned to specific admin roles who can invite guest users. This includes guests with member permissions, or anyone in the organization can add Guests to Teams.
  • If you made changes, click Save.

Image: Microsoft Teams Guest access settings in Admin Center

Check the Collaboration Restrictions settings to make sure the domains of the Guests you want to collaborate with are not blocked. You can also add specific domains to block them.

To limit guests from seeing directory data for other guests, go to the Guest user access restrictions section and choose either:

  • Guest users have limited access to properties and membership of directory object settings.
  • Guest user access is restricted to properties and memberships of their own directory objects.

 

Enabling Guest Access & External Collaboration in Microsoft 365 Admin Center

To allow Microsoft Teams guests to access your Microsoft 365 environment, enable the appropriate global settings. Once this option is enabled, users can start working with external users. How to add someone external to Microsoft Teams and other services:

  • Sharing files
  • Sharing folders
  • Add external contacts to Groups, or SharePoint sites.
  • Add external user to Teams

This will create a Guest account in your Azure AD, which is enabled by default in your Microsoft 365 Global Admin settings.

This setting is enabled by default, but if you are looking to disable it, or configure it, follow the steps below:

  Image: MS Teams Guest access sharing options

Enable or Disable Guest Access in Teams

If someone has already been invited to collaborate in your Microsoft 365 environment, they can join 1:1 chats or group conversations. If they haven't been invited yet, they need to be added as a Guest to a Team first before they can communicate with Teams users.

By default, Guest access in Microsoft Teams is enabled, but if you were looking to disable it, follow the steps below:

Image: Guest access in Teams enablement

 

To control what Guests can and cannot do in chats and channel conversations:

Image: Guest access in Teams enablement

Note: default Guest permissions in Microsoft Teams cannot supersede the permissions set for the members of your Team. For example, if your default member permissions restrict channel creation or updating, or message deletion, your Guests also won’t be able to perform these actions. 

 

To control what Guests can and cannot do when it comes to Teams calling:

Image: Guest access in Teams enablement for calling. 

 

To control what Guests can and cannot do when it comes to Teams meetings:

 Image: Guest access in Teams enablement for meeting. 

How to Enable or Disable External Collaboration & Sharing with External Users on Documents & Folders

To allow external users to access documents in SharePoint or OneDrive, you need to enable external sharing in the organization-level settings. The settings you choose will apply to all individual SharePoint sites, and the organization-level setting for OneDrive will affect the level of sharing in users' libraries.

To allow unauthenticated sharing of files and folders, choose the Anyone option. If you want people to log in using their Guest account before accessing documents or folders, choose New and existing guests.

Anyone links are the simplest way to share documents, but they don't require authentication and can be easily passed on to others. For SharePoint, choose the most permissive setting needed by any site in your organization.

How to set SharePoint Organization-Level External Sharing Settings

  • In the Microsoft 365 admin center, in the left navigation pane, under Admin centers, click SharePoint.
  • In the SharePoint admin center, in the left navigation pane, under Policies, select Sharing.
  • Ensure that external sharing for SharePoint or OneDrive is set to Anyone or New and existing guests. (Note that the OneDrive setting cannot be more permissive than the SharePoint setting.)
  • If you made changes, select Save.

Image: External collaboration sharing settings in M365 admin center

SharePoint & OneDrive advanced sharing settings

  • Navigate to SharePoint Admin Center > Policies > Sharing

SharePoint Organization-Level Default Link Settings

The default file and folder link settings determine the link option that will be shown to users by default when they share a file or folder. Users can change the link type to one of the other options before sharing if desired.

Keep in mind that this setting affects SharePoint sites in your organization, as well as OneDrive.

Choose a link from any of the following types which are then selected by default when users share files and folders:

  • Anyone with the link: Choose this option if you expect to do a lot of unauthenticated files and folder sharing. If you want to allow Anyone links but are concerned about accidental unauthenticated sharing, consider one of the other options as the default. This link type is only available if you’ve enabled Anyone sharing.
  • Only people in your organization: Choose this option if you expect most file and folder sharing to be with people inside your organization.
  • Specific people: Consider this option if you expect to do a lot of file and folder sharing with guests. This type of link works with guests and requires them to authenticate.

 

To set the SharePoint and OneDrive organization-level default link settings

  • Go to Sharing in the SharePoint admin center.
  • Under File and Folder links, select the default sharing link that you want to use.
  • If you made changes, click Save.

To set the permission for the sharing link, under Choose the permission that’s selected by default for sharing links:

  • Select View if you do not want unauthenticated users to change the files and folders.
  • Select Edit if you want to allow unauthenticated users to change the files and folders.
  • Note: The above two permission options can be applied not only for guests/external users but also for internal users. The permission option you choose is determined by self-discretion.

 

To set permissions for links that allow sharing with anyone:

These links can give these permissions: sub-pane,

From the Files drop-down list:

  • Select View and Edit if you want to allow unauthenticated users to change the files.
  • Select View if you do not want unauthenticated users to change the files.

From the Folders drop-down list:

  • Select View, Edit, and Upload if you want to allow unauthenticated users to change the folders.
  • Select View if you do not want unauthenticated users to change the folders.

Image: SharePoint external sharing and collaboration settings for files and folders

 

SharePoint site-level external sharing settings

To edit the file and folder-sharing settings specific to each SharePoint site, you also need to check the site-level sharing settings for that site.

To set site-level sharing settings navigate to Share Point Admin Center:

  • In the left navigation pane, expand Sites and select Active Sites.
  • Select the site on which you want to share files and folders with guests.
  • Scroll right across the row (in which the selected site is present) and click anywhere in the External Sharing column.
  • From the page that pops up, click the Policies tab.
  • Under the External sharing pane, click Edit.
  • Ensure that sharing is set to Anyone or New and existing guests.
  • If you made changes, click Save.

Image: SharePoint external sharing and collaboration settings

Note: You can set defaults for link type and permissions and expiration settings for Anyone links for each site. When set at the site level, these settings override the organization-level settings. If Anyone links are disabled at the organization level, Anyone will not be an available link type at the site level.  

Image: SharePoint online external sharing advanced options for external collaboration

 

Enable or Disable Guest External Collaboration in Teams, SharePoint Sites, & Groups

How to Enable or Disable External Sharing & Guest Access in Individual SharePoint Sites

If your organization is in need of sharing more than just a file or a folder within OneDrive or SharePoint, you may choose to allow external collaboration with Guests within entire SharePoint sites.

The default site-sharing options are listed below:

Image: SharePoint online site sharing options

SharePoint site sharing is affected by the organization-wide SharePoint settings. If the organization-wide settings change, the practical sharing setting for the site may also change. So, if you select a less restrictive setting for the site, and later the organization-level setting is changed to a more restrictive one, the site will operate at the new, more restrictive level.

For instance, if you select Anyone, but the organization-level setting is later changed to New and existing guests, the site will only allow new and existing guests. But if the organization-level setting is set back to Anyone again, the site will allow Anyone links again.

These settings described below apply to both site sharing and file and folder sharing. (Anyone sharing is not available for site sharing. If you choose Anyone, users will be able to share files and folders by using Anyone links, and the site itself with new and existing guests.) If the site has a sensitivity label applied, that label may control the external sharing settings.

Note: Only SharePoint administrator roles can edit these settings. Sharing settings for channel sites can only be changed by using the Set-SPOSite PowerShell cmdlet.

  • Navigate to SharePoint Admin Center >Active sites > select the site > Policies tab > Edit External sharing

 

How to enable and disable external sharing & Guest access in Office 365 Groups

Guest access in Microsoft 365 Groups allows external partners, suppliers, vendors, and consultants to collaborate with your team by accessing group conversations, files, calendar invitations, and the group notebook.

To effectively collaborate with Guests, it's recommended to use Microsoft Teams, which offers a unified experience for both internal and external collaboration. However, before inviting guests to Teams, Guest access must be enabled and configured in the admin center, as Teams membership is governed by Microsoft Groups.

Navigate to Microsoft 365 admin center > Settings > Org settings > Microsoft 365 Groups

Image: SharePoint online external collaboration and site-sharing options

It's important to know that organizations with certain licenses like E3 or higher can use Azure Dynamic Security Groups. This means Azure creates an All Users group that automatically updates as new members join the tenant, including Guest accounts. This feature is included with Azure Premium P1.

Image: SharePoint online external collaboration external sharing configuration

Organizations may be concerned that Guests can view the entire group's membership, including names and emails, by being a member of the All Users Security Group generated by Azure. If you do not want this to happen, follow the steps below to remove Guests from the group.

Below is what a Guest may see with the default settings:

Image: What a guest may see with the default settings. 

Edit the Rule syntax to follow the pattern below (see here for more on rules)

Image: Microsoft 365 group external sharing

Once the Dynamic Group refreshes its membership, the number will update to reflect only accounts from within your organization. 

Following this change, Guests will only be able to see and find Groups they are explicitly added to (assuming there are no other non-standard dynamic groups granting them access). Below is the updated view for a Guest: 

 

How to Enable & Disable Microsoft Teams External Access for Guests

To allow Guests Access to Microsoft Teams and its associated SharePoint site, and view files in the Files tab, you need to enable Guest access in Azure AD Admin Center and permit adding external users to Teams in Microsoft 365 Admin Center.

Configure Guest sharing in organization-wide and site-specific settings via SharePoint Admin Center. Microsoft Teams membership is governed by Microsoft Groups settings, so ensure Guest access is enabled and configured via Microsoft 365 Groups in the Microsoft Admin center.

You can control Microsoft Teams Guest Access limitations once these settings are enabled.

Check out our blog to learn more about Microsoft Teams' default Guest settings and how to change them.

Unleash the Full Power of Microsoft 365 with Orchestry

Most organizations are not using Microsoft 365 to its full potential.

Orchestry makes Microsoft 365 simple for all users.

Orchestry  is an adoption and governance platform that allows End Users, Workspace Owners, IT admins, and organizations to take full advantage of Microsoft 365.

To see Orchestry in action, request a demo and download our Features Sheet to learn more!