As we espouse collaboration as the new way of getting things done, it is important to understand what sharing in Microsoft 365 is, and what exactly we are giving access to when we share with external people.

As we move towards cross-product collaboration in Microsoft 365, there are now more than one way to work with outside collaborators. External sharing and access can be enabled for:

  • SharePoint Online
  • OneDrive for Business
  • Office 365 Groups

Before you can grant external users access to SharePoint online, OneDrive for business or Office 365 groups, you should have enabled guest invite from within Azure Active Directory.

To do so, log into the Office 365 portal, then click on Azure Active Directory. From there, select External Identities > External collaboration settings. Then select who can invite guests under Guest invite settings.

How SharePoint Online external sharing works

SharePoint has external sharing settings at both the organization level and the site level (previously called the “site collection” level). To allow external sharing on any site, you must allow it at the organization level. You can then restrict external sharing for other sites. If a site’s external sharing option and the organization-level sharing option don’t match, the most restrictive value will always be applied.

You can change the organization-level external sharing setting from the SharePoint admin center.
Global or SharePoint admins in Office 365 can change the external sharing setting for a site—but site owners can’t.

Even if your organization-level setting allows external sharing, not all new sites allow it by default. The default sharing setting for Microsoft 365 group-connected team sites is “New and existing guests.” The default for communication sites and classic sites is “Only people in your organization.”

How OneDrive for Business Sharing works

External sharing for OneDrive is configured at the Organization level only. Sharing can be managed from the SharePoint admin page or OneDrive admin page.

How Office 365 Groups sharing works

External sharing for Office 365 groups has to be enabled at the organisational level first.

By default, guest access for Microsoft 365 groups is turned on for your organization. Global Admins can control whether to allow guest access to groups for their whole organization or for individual groups.

If you want to enable or disable guest access in groups, you can do so in the Microsoft 365 admin center.

  1. In the admin center, go to the Settings > Org Settings and select Microsoft 365 groups.
  2. On the Microsoft 365 Groups page, choose whether you want to let people outside your organization access group resources or let group owners add people outside your organization to groups.

To manage settings for group access for specific groups, you have to use Azure Active Directory PowerShell for Graph.

Any group owner of an Office 365 Group can invite external users, and once the invitation is accepted, guest users are granted access to group’s conversations, files, calendar invitations, and the group notebook—although as an admin, you can also control that setting.

Anonymous Vs Guest Access

If you collaborate with external users as guests, they will be required to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or provide a code to verify their identity when they receive the invitations.

Granting anonymous access (selecting Anyone) will allow people in your organisation to share files and folders by using links that let anyone who has the link access the files or folders without authenticating. Remember that sites cannot be shared anonymously.

For Office 365 groups, external collaborators are always added as guests.

I hope this post was useful and you got a better understanding of external sharing in Microsoft 365.

The ultimate guide to Office 365 external sharing – ShareGate
How to share files and folders externally in SharePoint – SharePoint Maven
How to invite external users via Azure AD – SharePoint Maven