As we espouse collaboration as the new way of getting things done, it is important to understand what sharing in Microsoft 365 is, and what exactly we are giving access to when we share with external people.

As we move towards cross-product collaboration in Microsoft 365, there are now more than one way to work with outside collaborators. External sharing and access can be enabled for:

  • SharePoint Online
  • OneDrive for Business
  • Office 365 Groups

Before you can grant external users access to SharePoint online, OneDrive for business or Office 365 groups, you should have enabled guest sharing from within Azure Active Directory.

To do so, log into the Office 365 portal, then click on Azure Active Directory. From there, select External Identities > External collaboration settings. 

There are two settings that you will need to verify within the collaboration settings. These are

  • Admins and Users in the Guest Inviter Role can invite.
  • Members can invite.

SharePoint Online

When it comes to external sharing, SharePoint Online lets you control settings at the:

Even if your organization-level setting allows external sharing, not all new sites allow it by default. The default sharing setting for Microsoft 365 group-connected team sites is “New and existing guests.” The default for communication sites and classic sites is “Only people in your organization.”

OneDrive for Business

External sharing for OneDrive is configured at the Organization level only. Sharing can be managed from the SharePoint admin page or OneDrive admin page.

Office 365 Groups

Office 365 groups is one of the prominent ways to collaborate now as Microsoft Teams becomes the hub of Microsoft 365. To collaborate with external users, you must add them to the group as guests.

Any group owner of an Office 365 Group can invite external users, and once the invitation is accepted, guest users are granted access to group’s conversations, files, calendar invitations, and the group notebook—although as an admin, you can also control that setting. However, this is only possible if guest access has been allowed at the organisation level.

By default, guest access for Microsoft 365 groups is turned on for your organization. Global Admins can control whether to allow guest access to groups for their whole organization or for individual groups.

If you want to enable or disable guest access in groups, you can do so in the Microsoft 365 admin center.

  1. In the admin center, go to the Settings > Settings and select Microsoft 365 groups.
  2. On the Microsoft 365 Groups page, choose whether you want to let people outside your organization access group resources or let group owners add people outside your organization to groups.

To manage settings for group access for specific groups, you have to use Azure Active Directory PowerShell for Graph.

Remember, guest users can also access an Office 365 Group’s team site in SharePoint.

Anonymous Vs Guest Access

If you collaborate with external users as guests, they will be required to sign in with their work or school account (if their organization uses Microsoft 365) or a Microsoft account, or provide a code to verify their identity when they receive the invitations.

Granting anonymous access however, will allow people in your organisation to share files and folders by using links that let anyone who has the link access the files or folders without authenticating.

For SharePoint and OneDrive, Anonymous and Guest access organization level settings can be configured from the SharePoint or OneDrive admin centers.

Selecting Anyone will allow users to grant anonymous access to files and folders. Remember that SharePoint site cannot be shared anonymously.

For Office 365 groups, external collaborators are always added as guests.

I hope this post was useful and you got a better understanding of external sharing in Microsoft 365.

The ultimate guide to Office 365 external sharing – ShareGate
How to share files and folders externally in SharePoint – SharePoint Maven
How to invite external users via Azure AD – SharePoint Maven