
Ultimate Guide to External Sharing Security

StackRundown June 1, 2026

External sharing is a necessity for most organizations, but it comes with risks if not properly managed. This guide focuses on securing external sharing in platforms like Microsoft 365, SharePoint, and Teams. Key takeaways include:

  • Risks: Anonymous links, stale guest accounts, and poor governance can expose sensitive data.
  • Security Modes: Use controlled sharing options like "Specific people" or "New and existing guests" for better oversight.
  • Compliance: Regulatory standards like HIPAA and NIST demand auditability and access limitation.
  • Best Practices:
    • Enable multi-factor authentication (MFA) for guest users.
    • Set link expiration policies (30-90 days).
    • Conduct regular access reviews to remove outdated permissions.
  • Governance: Assign clear roles (IT, Site Owners, Business Owners) and use tools like Microsoft Entra ID for streamlined management.
  • Tools: Implement sensitivity labels, Data Loss Prevention (DLP) policies, and configure tenant-level sharing controls for added security.

The goal isn't to block collaboration but to make it secure and intentional. Start by disabling anonymous links, enforcing MFA, and scheduling access reviews to protect your organization's data.

Managing External Sharing in SharePoint: Striking the Right Balance

External Sharing Basics and Risks

Microsoft 365 External Sharing Modes: Security & Risk Comparison

What Is External Sharing?

External sharing allows teams to share documents, folders, sites, or channels with individuals outside their organization. Unlike internal sharing, which is restricted to licensed users within the organization, external sharing provides controlled guest access. When this feature is used, Microsoft usually creates a guest account through Microsoft Entra B2B, granting limited and managed access to the shared content.

Microsoft 365 offers four distinct sharing modes, and the choice of mode directly impacts your organization's security stance:

Mode                                  Authentication required   Auditability
Anyone links                          No                        None (anonymous)
New and existing guests               Yes                       High
Existing guests only                  Yes                       High
Shared Channels (B2B Direct Connect)  Yes                       High

By default, external sharing is turned on in SharePoint and OneDrive. Without specific restrictions in place, users might unknowingly share content more broadly than intended. Understanding these sharing modes is critical because each comes with its own set of security risks.

Key Risks of External Sharing

The real danger in external sharing isn’t the act itself but the lack of control and visibility over what is shared, with whom, and for how long.

"The biggest security risk is not external sharing itself - it is uncontrolled external sharing where organizations lack visibility into what is shared, with whom, and for how long." - SharePoint Support Team

Among the sharing modes, "Anyone links" are the riskiest because they do not require sign-in and leave no audit trail. Guest accounts created with personal email addresses often lack multi-factor authentication, increasing the risk of account compromise. Additionally, these accounts can become "stale" after a project ends, retaining access to sensitive information without ongoing reviews.

Overly restrictive sharing policies can backfire, pushing employees to use unauthorized tools like Dropbox or USB drives - commonly referred to as shadow IT - which fall outside the organization’s control.

On top of these operational challenges, external sharing must also comply with strict regulatory standards.

Regulatory and Compliance Requirements

For businesses in the United States, external sharing introduces compliance challenges alongside security concerns. For example, HIPAA requires that access to protected health information (PHI) adhere to the "minimum necessary" standard, meaning external users should only access what they need. Additionally, access logs must be maintained for six years. Similarly, the CCPA regulates how the personal data of California residents is handled, including conditions for sharing.

Compliance frameworks stress the importance of auditability. Organizations need to track who accessed content, when, and from where. Anonymous "Anyone" links undermine this requirement and are often banned under stringent security standards like NIST SP 800-53 and FedRAMP. Frameworks such as NIST also align with Microsoft 365 controls, including account management (AC-2) and access enforcement (AC-3).

To meet compliance requirements, organizations should implement guest access expiration policies - typically set between 90 and 180 days - and conduct periodic access reviews. These measures are essential for laying the groundwork for a secure and compliant external sharing strategy, which will be explored in upcoming sections.

How to Build a Secure External Sharing Strategy

When it comes to external sharing, balancing security with business needs is crucial. A well-thought-out strategy integrates technical safeguards with operational goals.

Core Principles of Secure Collaboration

Every external sharing decision should be guided by three key principles: zero trust, least privilege, and need-to-share.

  • Zero trust: Require multi-factor authentication (MFA) and ensure devices meet compliance standards for every guest.
  • Least privilege: Limit access to only what's necessary. For example, set default sharing links to "Specific people" and permissions to "View only" instead of "Edit".
  • Need-to-share: Grant access only when there's a clear business purpose for it.

Instead of relying on a single control, combine several layers of security like identity verification, device compliance, data classification, and continuous monitoring. This creates a more robust defense.

Governance Models and Roles

Effective governance begins with clear accountability. Without it, guest access can spiral out of control, often going unnoticed until problems arise.

A straightforward governance model is especially practical for small businesses or startups. Here's a simple three-role framework:

Role                 Responsibility                                                                      Key tools
IT/Global Admin      Manage organization-wide sharing policies and enforce Conditional Access rules      SharePoint Admin Center, Entra Admin Center
Resource/Site Owner  Approve guest access, handle site-level permissions, conduct regular access reviews  SharePoint Site Settings, Teams Management
Business Owner       Define risk profiles and determine which external partners require access           Entitlement Management (Access Packages)

Site and group owners are closest to the data, making them the first line of defense. Assign them to perform quarterly access reviews to prevent outdated permissions. For businesses using Microsoft 365 E5 or Entra ID P2, Entitlement Management simplifies access by bundling related resources - such as Teams channels, SharePoint sites, and apps - into a single "access package" that project leads can manage.

Another effective governance step is requiring guests to accept a digital Terms of Use agreement before accessing shared resources. This small action reinforces accountability.

Data Classification and Sensitivity Labels

Tailoring protections to different types of data is essential. Start by classifying your data, as this simplifies every subsequent security decision.

A four-tier classification model works well:

Classification       External sharing policy          Link expiration
Public               Allow new and existing guests    90 days
Internal             Allow existing guests only       30 days
Confidential         Restrict to internal users only  No external sharing
Highly Confidential  Restrict to internal users only  No download / watermarked

Using Microsoft Purview, sensitivity labels enforce these policies automatically. For example, a container label applied to a SharePoint site or Teams channel controls access, while an item label protects individual files or emails, even if they are moved elsewhere.

For organizations on Microsoft 365 E5, auto-labeling can identify sensitive content - like credit card numbers or health records - and apply the right label without user involvement. Pairing these labels with Data Loss Prevention (DLP) policies adds another layer of security. A DLP rule can block the sharing of a "Confidential" file externally, even if the site’s sharing settings would normally permit it.


Configuring External Sharing in Microsoft 365

Microsoft 365 uses a hierarchical approach to sharing controls. At the core is Microsoft Entra ID, which sets the baseline rules that apply across SharePoint, OneDrive, and Teams. If sharing is blocked at the Entra level, no setting within these services can override it. Starting with the right configuration ensures smoother operations down the line.

Tenant-Level Sharing Controls

The tenant-level settings establish the maximum level of external sharing allowed across your organization. Individual site settings can only be as permissive as these tenant-wide controls.

Microsoft 365 provides four main sharing settings at the tenant level:

Sharing level                     Authentication required   Best for
Anyone                            No                        Public-facing, non-sensitive documents
New and existing guests           Yes (account or OTP)      Standard business collaboration
Existing guests                   Yes                       Pre-approved partner environments
Only people in your organization  Yes (internal only)       HR, Legal, Finance, or other secure teams

For most organizations, the "New and existing guests" setting offers a good balance. It requires identity verification - either through a Microsoft account or a one-time passcode (OTP) sent via email - while still supporting legitimate external collaboration.

To further strengthen security, consider two key configurations:

  • Domain allowlist: Restrict invitations to specific, trusted partner domains.
  • Security group restrictions: Limit external sharing permissions to a specific group of trained users instead of allowing everyone in the organization to invite guests.

The Cybersecurity and Infrastructure Security Agency (CISA) also advises setting "Anyone" link expirations to 30 days or less and requiring reauthentication for verification code users on the same schedule. Once these tenant-level policies are in place, you can refine the controls further at the SharePoint and OneDrive levels.

SharePoint and OneDrive Security Settings

At the site level, sharing settings must adhere to the tenant-wide rules. The principle here is simple: "most restrictive wins". A site-level policy can be stricter than the tenant-level setting, but it can’t be more lenient.

Here’s how to enhance security for SharePoint and OneDrive:

  • Set the default sharing link to "Specific people" instead of "Anyone." This ensures users must intentionally choose who gets access, reducing accidental exposure.
  • If "Anyone" links are enabled for low-sensitivity content, enforce expiration dates and set the default permission to "View only" instead of "Edit".
  • For high-security sites (e.g., finance or legal departments), restrict guest access to web-only. This prevents files from being downloaded onto unmanaged devices, a common source of data leaks.

Starting in May 2026, Microsoft Entra B2B integration will be enabled by default for all tenants and cannot be turned off. This means all guest users will become managed directory objects, subject to Conditional Access and multi-factor authentication (MFA) policies, rather than relying on ad-hoc SharePoint authentication.
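The "most restrictive wins" rule and the four-tier classification model can be checked mechanically. The following is an added example, not code from the guide or from Microsoft: it orders the tenant-level sharing levels, computes a site's effective level against the tenant setting, and reports where a site's links are looser than its classification tier allows. The SiteConfig fields and the site URLs are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Sharing levels from the tenant-level table, ordered from most restrictive
# (index 0) to least restrictive. Only the ordering matters to the checks.
SHARING_LEVELS = [
    "Only people in your organization",
    "Existing guests",
    "New and existing guests",
    "Anyone",
]

# The guide's four-tier classification model: the loosest sharing level each
# tier tolerates and its longest link expiration (None = external links are
# not allowed at all, so expiration does not apply).
CLASSIFICATION_POLICY = {
    "Public": ("New and existing guests", 90),
    "Internal": ("Existing guests", 30),
    "Confidential": ("Only people in your organization", None),
    "Highly Confidential": ("Only people in your organization", None),
}


@dataclass
class SiteConfig:
    """Hypothetical site descriptor; the field names are this example's, not SharePoint's."""
    url: str
    classification: str
    site_level: str                   # the site's own sharing setting
    default_link_type: str            # "Specific people" or "Anyone"
    link_expiry_days: Optional[int]   # None = sharing links never expire


def rank(level: str) -> int:
    return SHARING_LEVELS.index(level)


def effective_level(tenant_level: str, site_level: str) -> str:
    """'Most restrictive wins': a site may be stricter than the tenant, never looser."""
    return SHARING_LEVELS[min(rank(tenant_level), rank(site_level))]


def audit_site(tenant_level: str, site: SiteConfig) -> List[str]:
    """List the gaps between a site's effective settings and its classification tier."""
    findings = []
    effective = effective_level(tenant_level, site.site_level)
    max_level, max_expiry = CLASSIFICATION_POLICY[site.classification]
    if rank(effective) > rank(max_level):
        findings.append(f"{site.url}: effective level '{effective}' is looser than "
                        f"'{max_level}' allowed for {site.classification} data")
    if site.default_link_type == "Anyone":
        findings.append(f"{site.url}: default link type should be 'Specific people'")
    if effective == "Anyone" and (site.link_expiry_days is None or site.link_expiry_days > 30):
        findings.append(f"{site.url}: 'Anyone' links must expire within 30 days")
    if max_expiry is not None and (site.link_expiry_days is None or site.link_expiry_days > max_expiry):
        findings.append(f"{site.url}: links must expire within {max_expiry} days "
                        f"for {site.classification} data")
    return findings


if __name__ == "__main__":
    tenant = "New and existing guests"
    for site in (SiteConfig("/sites/marketing", "Public", "Anyone", "Specific people", 90),
                 SiteConfig("/sites/finance", "Confidential", "Existing guests", "Anyone", None)):
        print(site.url, "->", effective_level(tenant, site.site_level), audit_site(tenant, site))
```

Note that a tenant set to "Only people in your organization" yields no findings for a site configured as "Anyone": the tenant baseline blocks the sharing before any site setting applies, which is the point of configuring the tenant level first.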

Teams Guest Access Configuration

Since Teams uses SharePoint for file storage, its external sharing settings align closely with those already configured. However, Teams adds its own layer of controls, managed through the Teams Admin Center, SharePoint, and Entra ID.

Key steps for configuring Teams guest access include:

  • In the Teams Admin Center, disable guest capabilities like editing or deleting messages if your organization requires an audit trail for compliance purposes.
  • In Entra ID, set guest user access to "limited access to properties and memberships of directory objects". This prevents guests from browsing your internal directory and viewing user or group memberships.
  • Use Shared Channels (B2B Direct Connect) for seamless collaboration with external partners. This allows external users to participate in a Teams channel without switching tenants or needing a guest account, reducing friction and minimizing shadow IT risks.
  • Enable idle session sign-out at the tenant level to warn and log out guests on unmanaged devices after inactivity.
  • Implement a Conditional Access policy that enforces MFA and requires daily reauthentication for B2B guest users.

Day-to-Day Practices for Keeping External Sharing Secure

After setting up strong configuration settings, maintaining security for external sharing requires consistent, daily attention. The SharePoint Support Team highlights this challenge:

"External sharing is where most enterprises have the biggest gap between policy and reality."

This gap often isn’t due to technical issues but rather a lack of ongoing maintenance. Here’s how to stay on top of it.

Monitoring and Auditing External Sharing

Keeping an eye on external sharing activities is crucial. Focus your monitoring efforts on high-risk areas like Finance, HR, Legal, and M&A sites, rather than trying to track everything at once.

Use the Microsoft 365 Unified Audit Log as your primary tool. Key operations to monitor include SharingSet, AnonymousLinkCreated, SecureLinkCreated, and AddedToSecureLink. Set up a weekly dashboard to track:

  • The number of external sharing events each week
  • Trends in active guest counts
  • Guest sign-in success rates

A steady increase in active guest accounts without corresponding cleanup efforts should raise concerns.

Pay special attention to unauthenticated links. Limit their expiration to a maximum of 14 days, and conduct monthly audits to remove any links that exceed this timeframe. OneDrive often has more permissive settings than SharePoint, making it a potential weak spot worth regular review.
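The weekly dashboard and the 14-day rule for unauthenticated links can be produced from an export of the Unified Audit Log. The following is an added example, not code from the guide: it runs over a handful of constructed records (shaped like SharePoint sharing records from the audit log) and counts the watched operations for the last week, lists guests newly granted access, and flags anonymous links on high-risk sites or past the 14-day limit. The high-risk site paths and the sample records are this example's assumptions.

```python
import json
from collections import Counter
from datetime import datetime, timedelta, timezone

# Operations the guide says to watch, and the high-risk site paths it names
# (the path fragments are this example's assumption about site naming).
WATCHED_OPERATIONS = {"SharingSet", "AnonymousLinkCreated", "SecureLinkCreated", "AddedToSecureLink"}
HIGH_RISK_SITES = ("/sites/finance/", "/sites/hr/", "/sites/legal/", "/sites/ma/")
MAX_ANON_LINK_AGE_DAYS = 14

# Constructed sample records (one JSON object per line) in the shape of
# SharePoint sharing records exported from the Unified Audit Log.
SAMPLE_AUDIT_LOG = """
{"CreationTime":"2026-05-25T09:12:00","Operation":"AnonymousLinkCreated","UserId":"alice@contoso.example","SiteUrl":"https://contoso.sharepoint.example/sites/finance/","ObjectId":"https://contoso.sharepoint.example/sites/finance/Shared Documents/Q2-forecast.xlsx"}
{"CreationTime":"2026-05-10T14:00:00","Operation":"AnonymousLinkCreated","UserId":"carol@contoso.example","SiteUrl":"https://contoso.sharepoint.example/sites/marketing/","ObjectId":"https://contoso.sharepoint.example/sites/marketing/Shared Documents/brochure.pdf"}
{"CreationTime":"2026-05-29T11:05:00","Operation":"SecureLinkCreated","UserId":"carol@contoso.example","SiteUrl":"https://contoso.sharepoint.example/sites/marketing/","ObjectId":"https://contoso.sharepoint.example/sites/marketing/Shared Documents/launch-plan.docx"}
{"CreationTime":"2026-05-29T11:05:30","Operation":"AddedToSecureLink","UserId":"carol@contoso.example","SiteUrl":"https://contoso.sharepoint.example/sites/marketing/","ObjectId":"https://contoso.sharepoint.example/sites/marketing/Shared Documents/launch-plan.docx","TargetUserOrGroupName":"bob@partner.example","TargetUserOrGroupType":"Guest"}
{"CreationTime":"2026-04-20T08:00:00","Operation":"SharingSet","UserId":"dave@contoso.example","SiteUrl":"https://contoso.sharepoint.example/sites/hr/","ObjectId":"https://contoso.sharepoint.example/sites/hr/Shared Documents/salaries.xlsx","TargetUserOrGroupName":"eve@partner.example","TargetUserOrGroupType":"Guest"}
{"CreationTime":"2026-05-30T16:40:00","Operation":"FileAccessed","UserId":"bob@partner.example","SiteUrl":"https://contoso.sharepoint.example/sites/marketing/","ObjectId":"https://contoso.sharepoint.example/sites/marketing/Shared Documents/launch-plan.docx"}
"""
REPORT_TIME = datetime(2026, 6, 1, tzinfo=timezone.utc)   # "now" for the constructed sample


def parse_records(text: str) -> list:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _when(record: dict) -> datetime:
    return datetime.fromisoformat(record["CreationTime"]).replace(tzinfo=timezone.utc)


def weekly_dashboard(records: list, now: datetime) -> dict:
    """The guide's weekly numbers: sharing events by operation and guests newly granted access."""
    since = now - timedelta(days=7)
    recent = [r for r in records if r["Operation"] in WATCHED_OPERATIONS and _when(r) >= since]
    by_op = Counter(r["Operation"] for r in recent)
    guests = {r["TargetUserOrGroupName"] for r in recent if r.get("TargetUserOrGroupType") == "Guest"}
    return {"events": sum(by_op.values()), "by_operation": dict(by_op), "guests_added": sorted(guests)}


def flag_anonymous_links(records: list, now: datetime) -> list:
    """Anonymous links on high-risk sites, or older than the 14-day limit, go on the review list."""
    findings = []
    for r in records:
        if r["Operation"] != "AnonymousLinkCreated":
            continue
        age = (now - _when(r)).days
        if any(frag in r["SiteUrl"].lower() for frag in HIGH_RISK_SITES):
            findings.append((r["ObjectId"], f"anonymous link on high-risk site, {age} days old"))
        elif age > MAX_ANON_LINK_AGE_DAYS:
            findings.append((r["ObjectId"], f"anonymous link is {age} days old, limit is {MAX_ANON_LINK_AGE_DAYS}"))
    return findings


RECORDS = parse_records(SAMPLE_AUDIT_LOG)

if __name__ == "__main__":
    print(weekly_dashboard(RECORDS, REPORT_TIME))
    for object_id, reason in flag_anonymous_links(RECORDS, REPORT_TIME):
        print(reason, "->", object_id)
```

The FileAccessed record is deliberately ignored by the dashboard, and the SharingSet record on the HR site falls outside the 7-day window, so the counts reflect only the watched operations within the week.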

In addition to monitoring, reviewing access privileges frequently is essential to prevent unnecessary or outdated guest access.

Access Reviews and Lifecycle Management

To manage guest access effectively, use time-bound links and automated expiration policies. For example, set sharing links to expire after 30 days by default to create natural review checkpoints. Similarly, configure guest accounts to expire after 90 to 180 days of inactivity to avoid "guest sprawl", which happens when unused guest accounts accumulate over time.

Automating this process can be done with PowerShell (SharePoint Online Management Shell) using the following command: Set-SPOTenant -ExternalUserExpireInDays 90.

For more structured reviews, leverage Microsoft Entra ID Governance to schedule periodic access reviews. Standard sites can be reviewed quarterly, while sensitive sites should be checked monthly. Assign these reviews to site or resource owners instead of central IT, as they have a better understanding of who genuinely needs access.

"Resource owners... are in most cases your best audience to drive decisions around access to their resources and are closer to the users who access them than central IT." - Microsoft Learn

A practical approach: notify site owners to verify guest access and automatically remove any unconfirmed accounts after 14 days. For denied guests, implement a "disable and delete" workflow - block their sign-ins for 30 days before permanently deleting the accounts. This provides a safety net for accidental removals.
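The lifecycle rules above (inactivity expiry, the 14-day owner confirmation window, and the 30-day "disable and delete" hold) combine into a small decision procedure. The following is an added example, not code from the guide or from Microsoft Entra: it decides, for each guest in a constructed sample directory, whether a scheduled sweep should keep, disable, hold, or delete the account. The Guest record fields and the sample guests are this example's own assumptions, and the 90-day inactivity limit is the lower end of the guide's 90-180 day range.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

INACTIVITY_LIMIT_DAYS = 90   # guide: expire guests after 90-180 days of inactivity
REVIEW_RESPONSE_DAYS = 14    # guide: remove accounts the owner has not confirmed after 14 days
DELETE_HOLD_DAYS = 30        # guide: block sign-in for 30 days before permanent deletion


@dataclass
class Guest:
    """Hypothetical guest record; the field names are this example's own, not Entra's."""
    upn: str
    last_activity: date                      # last sign-in, or the invitation date if never signed in
    review_sent: Optional[date] = None       # when the site owner was asked to confirm access
    review_decision: Optional[str] = None    # "confirmed", "denied", or None (no answer yet)
    disabled_on: Optional[date] = None       # set once sign-in has been blocked


def next_action(g: Guest, today: date) -> Tuple[str, str]:
    """Decide keep / disable / hold / delete for one guest, with the reason."""
    if g.disabled_on is not None:
        held = (today - g.disabled_on).days
        if held >= DELETE_HOLD_DAYS:
            return "delete", f"sign-in blocked {held} days ago; hold period is over"
        return "hold", f"sign-in blocked; {DELETE_HOLD_DAYS - held} days of safety net left"
    if g.review_decision == "denied":
        return "disable", "site owner denied access at review"
    if g.review_sent is not None and g.review_decision is None:
        waited = (today - g.review_sent).days
        if waited >= REVIEW_RESPONSE_DAYS:
            return "disable", f"no owner confirmation after {waited} days"
    idle = (today - g.last_activity).days
    if idle >= INACTIVITY_LIMIT_DAYS:
        return "disable", f"inactive for {idle} days"
    return "keep", f"last active {idle} days ago"


def plan_sweep(guests: List[Guest], today: date) -> Dict[str, List[str]]:
    """Group guests by the action a scheduled sweep should take on them."""
    plan: Dict[str, List[str]] = {"keep": [], "disable": [], "hold": [], "delete": []}
    for g in guests:
        action, _ = next_action(g, today)
        plan[action].append(g.upn)
    return plan


# Constructed sample directory for a sweep run on 1 June 2026.
SWEEP_DATE = date(2026, 6, 1)
SAMPLE_GUESTS = [
    Guest("ann@partner.example", date(2026, 5, 20), date(2026, 5, 25), "confirmed"),
    Guest("ben@partner.example", date(2026, 1, 15)),                                  # 137 days idle
    Guest("cat@partner.example", date(2026, 5, 28), date(2026, 5, 10)),               # review unanswered 22 days
    Guest("dan@partner.example", date(2026, 5, 30), date(2026, 5, 28), "denied"),
    Guest("eli@partner.example", date(2026, 5, 1), disabled_on=date(2026, 5, 20)),    # 12 days into hold
    Guest("fay@partner.example", date(2026, 4, 1), disabled_on=date(2026, 4, 25)),    # 37 days into hold
    Guest("gus@partner.example", date(2026, 5, 30), date(2026, 5, 25)),               # review pending 7 days
]

if __name__ == "__main__":
    for g in SAMPLE_GUESTS:
        print(g.upn, *next_action(g, SWEEP_DATE))
    print(plan_sweep(SAMPLE_GUESTS, SWEEP_DATE))
```

A guest is never deleted directly: every path first lands in "disable", and only accounts that have sat in the hold for the full 30 days reach "delete", which is what gives an accidental removal its recovery window.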

User Training and Awareness

Even with automated controls in place, user behavior plays a huge role in maintaining security. Excessive use of anonymous links often stems from a lack of awareness, not technical misconfigurations.

Educate users to default to "Specific People" links, which require authentication and limit access to intended recipients only. Training should also cover sensitivity labels, helping users distinguish between documents marked as Internal versus Confidential, so they know what’s safe to share externally.

"In 2026, the challenge for CIOs and CISOs is moving from a model of enforced control to one of shared governance." - Caroline Bourgoin, Author, IDECSI

Teach users to recognize external sharing indicators in Teams and OneDrive, enabling them to quickly spot potential exposure risks. Additionally, highlight the "Request Files" feature, which allows users to collect files from external parties without granting access to other folder contents. This feature can help reduce reliance on personal file-sharing tools, which often introduce unnecessary risks.

Conclusion and Next Steps

Securing external sharing is an ongoing effort that requires constant attention. The biggest challenge lies in uncontrolled sharing - when organizations don’t know what’s being shared, with whom, or for how long. Addressing this is key to reducing risk.

The layered approach outlined in this guide - tenant controls, site settings, and sensitivity labels - creates a strong security framework. Each layer works together to build a more secure system. Now, it’s time to take actionable steps to ensure external sharing is both secure and effective.

Blocking external sharing entirely isn’t the answer. As Sequentur's IT engineers explain, "Properly configured guest access is more secure than the workarounds people use when it is unavailable." If users are pushed to alternatives like personal Google Drives or Dropbox accounts, a manageable risk is replaced by one that’s harder to detect or control.

To put these strategies into practice, focus on these key actions:

  • Disable "Anyone" links at the tenant level.
  • Enforce MFA (multi-factor authentication) for all guest users using Conditional Access policies.
  • Set mandatory link expiration periods, ideally between 30 and 90 days.
  • Schedule quarterly access reviews through Microsoft Entra ID to ensure ongoing visibility and control.

Automating these processes not only enhances security but also saves time for IT teams.

As C A Thomas, Infrastructure Analyst, puts it:

"The goal is not to block collaboration, but to make it safe, intentional, and well managed."

Start by refining tenant default settings, establish clear governance policies, and keep improving your approach to external sharing.

FAQs

Which external sharing setting is safest for most organizations?

When it comes to external sharing, the "New and existing guests" setting is often the best choice for organizations. It strikes a balance between keeping things secure and allowing for collaboration. With this option, recipients must verify their identity, ensuring that all external users are accounted for in your directory.

If security is your top priority, go with "Only people in your organization" to completely block external sharing. However, if you decide to enable external sharing, you can tighten security further by restricting it to specific groups or pre-approved domains.

How do I enforce MFA for guest users in Microsoft 365?

To ensure guest users in Microsoft 365 use Multi-Factor Authentication (MFA), you’ll need to set up a Microsoft Entra Conditional Access policy specifically for external users. Here's how you can do it:

  1. Open the Microsoft Entra admin center.
  2. Navigate to Protection → Conditional Access and select Create new policy.
  3. In the Assignments section, choose Guest or external users as the target audience.
  4. Specify the apps or resources you want to protect.
  5. Under Access controls, go to Grant and check the option for Require multifactor authentication.
  6. Enable the policy. It’s a good idea to start with Report-only mode to monitor its impact before fully enabling it by switching to On.

These steps ensure that external users accessing your resources are required to verify their identity with MFA, adding an extra layer of security.

What’s the best way to prevent stale guest access over time?

To keep guest access fresh and secure, schedule regular access reviews using Microsoft Entra. For example, conduct reviews quarterly for standard sites and monthly for sensitive ones. This process helps identify and remove inactive guests automatically.

Pair these reviews with lifecycle controls, such as setting expiration dates for guest access or shared links, to prevent indefinite access. Additionally, enforce multi-factor authentication (MFA) for guests to create a more secure environment.
