External Sharing SHOULD be Set to “New and Existing Guests”
Description
SharePoint allows sharing with users who are outside the agency, which is convenient but may pose a data loss or other information security risk. This working group recommends allowlisting by domains and security groups per interagency collaboration needs. Note: Adjusting this setting will adjust external sharing for OneDrive and Teams to the same, selected level. OneDrive and Teams can be less permissive (not more permissive) than SharePoint Online. Adding approved domains and/or security groups will also be reflected in One Drive external sharing settings.
Policy
External sharing SHOULD be limited to approved domains and security groups per interagency collaboration needs.
Licensing Considerations
Any tenant with SharePoint online licensing can access this setting.
Set-Up Instructions
Manage sharing settings - SharePoint in Microsoft 365 | Microsoft Learn
To adjust sharing settings, in the SharePoint admin center:
Select Policies -> Sharing.
Adjust external sharing slider to New and Existing Guests.
Expand More external sharing settings.
Select Limit external sharing by domain.
Select Add domains.
Add domains.
Select Save.
Select Allow only users in specific security groups to share externally.
Select Manage security groups.
Add security groups.
Select Save.
End-User Impact
Level: High
With this setting enabled, users will not be able to share external links unless:
External users are added as guest to the organization
External user domains are added to the SharePoint setting
Users are added to the specified security groups so they can send to external users
Tips
• There should be a formal request process for adding domains and being added to a security group.
PowerShell Scripts
Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn
Videos
Last updated
