AD4.6 SharePoint External Sharing Controls

Configuring tenant-level sharing

Navigate to admin.microsoft.com → SharePoint → Sharing (or sharepoint.com/_layouts/15/online/AdminHome.aspx#/sharing).

External sharing level: Change from "Anyone" to "New and existing guests." This disables anonymous links and requires external recipients to authenticate with a Microsoft account, a work account, or a one-time passcode. Every external access is now associated with an identity and logged in the audit trail.

Default sharing link type: Change to "Only people in your organization." This means when a user clicks "Share" in SharePoint or OneDrive, the default link scope is internal-only. They can still change it to share externally, but they have to deliberately choose "Specific people" and enter the external email address. The accidental "share with everyone" scenario is eliminated.

Default link permissions: Change to "View" (read-only). External recipients get view-only access by default — they have to be explicitly granted edit access. This prevents accidental "anyone can edit" shares.

Expiration for guest access links: Set to 30 days. External sharing links expire after 30 days. If the vendor still needs access, the user must re-share — creating a natural review cycle for external access.

Apply these settings via PowerShell for documentation and repeatability:

Connect-SPOService -Url https://northgateeng-admin.sharepoint.com

Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
    -DefaultSharingLinkType Internal `
    -DefaultLinkPermission View `
    -RequireAnonymousLinksExpireInDays 30 `
    -ExternalUserExpireInDays 30 `
    -RequireAcceptingAccountMatchInvitedAccount $true `
    -PreventExternalUsersFromResharing $true

The last two settings are important: RequireAcceptingAccountMatchInvitedAccount ensures the person accepting the share invitation is the same person who was invited (preventing share-link forwarding). PreventExternalUsersFromResharing prevents an external guest from sharing your content with additional external people — the share chain stops at one level.

Configuring site-level sharing restrictions

Tenant-level sharing sets the maximum. Individual sites can be MORE restrictive than the tenant, but never less. For sensitive sites (HR, Finance, Legal, Executive), disable external sharing entirely.

Navigate to admin.microsoft.com → SharePoint → Active sites → select the sensitive site → Sharing → change to "Only people in your organization."

In PowerShell:

# Disable external sharing for sensitive sites
Set-SPOSite -Identity "https://northgateeng.sharepoint.com/sites/HR" `
    -SharingCapability Disabled
Set-SPOSite -Identity "https://northgateeng.sharepoint.com/sites/Finance" `
    -SharingCapability Disabled
Set-SPOSite -Identity "https://northgateeng.sharepoint.com/sites/Legal" `
    -SharingCapability Disabled

Verify the settings:

Get-SPOSite -Identity "https://northgateeng.sharepoint.com/sites/HR" |
    Select-Object Url, SharingCapability
# Should show: Disabled

For sites that need controlled external sharing (a project collaboration site with a specific vendor), set the site-level sharing to "Existing guests only" and pre-add the vendor's guest accounts to Entra ID. This gives controlled external access to specific, pre-approved partners without allowing ad-hoc sharing with anyone.

Auditing current external sharing

Before tightening sharing controls, audit what's currently shared externally. You need to know what will break — just like the compliance audit in Module AD3.

# Find all externally shared content across your tenant
Get-SPOSite -Limit All | ForEach-Object {
    $extUsers = Get-SPOExternalUser -SiteUrl $_.Url -ErrorAction SilentlyContinue
    if ($extUsers.Count -gt 0) {
        Write-Host "$($_.Url): $($extUsers.Count) external users" -ForegroundColor Yellow
        $extUsers | Select-Object DisplayName, Email, AcceptedAs, WhenCreated |
            Format-Table -AutoSize
    }
}

This shows every site with external users and who those users are. Review the list: are these legitimate collaborations (vendor project sites, client portals) or stale sharing from years ago? Stale external shares are access that nobody needs anymore but nobody revoked — each one is a potential data exposure path. Remove stale external users before tightening the controls.

OneDrive sharing controls

OneDrive shares the tenant-level sharing settings, but you can also set OneDrive-specific restrictions. Navigate to admin.microsoft.com → SharePoint → Sharing → OneDrive.

The most important OneDrive setting: Sync restrictions. By default, users can sync any SharePoint or OneDrive content to their local machine using the OneDrive sync client. This creates local copies of corporate data — including Confidential documents — on the user's laptop. If the laptop is lost, the local copies are accessible (BitLocker protects the drive, but if BitLocker is bypassed or the user logs in and the drive is decrypted, the files are exposed).

For high-security environments, restrict OneDrive sync to managed devices only:

Set-SPOTenant -OneDriveRequestManagedDevice $true

This prevents users from syncing OneDrive content on personal, unmanaged devices. The content remains accessible through the browser (which doesn't create local copies) but can't be synced offline. For most organizations with device compliance (Module AD3), this setting is appropriate because all managed devices have BitLocker — the synced files are encrypted at rest.

Verifying sharing controls after configuration

After tightening sharing controls, run a verification check to confirm the settings are applied:

Connect-SPOService -Url https://northgateeng-admin.sharepoint.com

# Tenant-level verification
$tenant = Get-SPOTenant
Write-Host "=== TENANT SHARING ===" -ForegroundColor Cyan
Write-Host "Sharing level: $($tenant.SharingCapability)"
Write-Host "Default link type: $($tenant.DefaultSharingLinkType)"
Write-Host "Default permission: $($tenant.DefaultLinkPermission)"
Write-Host "Link expiration: $($tenant.RequireAnonymousLinksExpireInDays) days"
Write-Host "Require matching account: $($tenant.RequireAcceptingAccountMatchInvitedAccount)"
Write-Host "Prevent resharing: $($tenant.PreventExternalUsersFromResharing)"

# Site-level verification for restricted sites
foreach ($site in @("HR","Finance","Legal")) {
    $s = Get-SPOSite -Identity "https://northgateeng.sharepoint.com/sites/$site"
    Write-Host "`n$site site: $($s.SharingCapability)" -ForegroundColor Yellow
}

Every setting should match your configuration from this subsection. Run this verification quarterly as part of the sharing audit — settings can be inadvertently changed by other admins or by Microsoft updates.

Removing stale external access

For each stale external user identified in the audit, remove their access:

# Remove a specific external user from a site
Remove-SPOExternalUser -UniqueIDs (Get-SPOExternalUser -SiteUrl "https://northgateeng.sharepoint.com/sites/ProjectAlpha" |
    Where-Object { $_.Email -eq "vendor@oldpartner.com" }).UniqueId

For bulk removal of all external users from a site after a project ends:

$siteUrl = "https://northgateeng.sharepoint.com/sites/CompletedProject"
$externalUsers = Get-SPOExternalUser -SiteUrl $siteUrl
foreach ($user in $externalUsers) {
    Remove-SPOExternalUser -UniqueIDs $user.UniqueId
    Write-Host "Removed: $($user.Email)"
}

Document each removal with the audit trail demonstrates active access management — evidence for GDPR compliance and for any access review audit.

The quarterly sharing audit

Schedule a quarterly review of external sharing — add it to the same calendar entry as the quarterly security report (AD7.5). The audit has three parts:

Part 1: External user inventory (5 minutes). Run Get-SPOExternalUser across all sites. Count total external users. Compare to last quarter — a significant increase without corresponding business justification (new vendor project, partnership expansion) suggests uncontrolled sharing growth.

Part 2: Stale access removal (10-15 minutes). For each external user, check: is the project or relationship still active? If not, remove access. Common stale patterns: vendors from completed projects, former consultants, one-time collaborators who received access 6+ months ago. A healthy environment removes 10-20% of external users each quarter through natural project completion.

Part 3: Site-level setting verification (5 minutes). Run the verification script above to confirm tenant and site-level settings haven't drifted. Check that HR, Finance, and Legal sites still have external sharing disabled. Check that the tenant default is still "New and existing guests" and not "Anyone." Settings drift happens when another admin changes a setting during troubleshooting and forgets to revert it.

Record the quarterly audit results in a simple log:

SHAREPOINT SHARING AUDIT — Q2 2026
Date: [date]
External users: 47 (last quarter: 52)
Stale users removed: 8
Sites with sharing disabled: HR ✓, Finance ✓, Legal ✓
Tenant sharing level: ExistingExternalUserSharingOnly ✓
Default link type: Internal ✓
Settings drift detected: None

This log feeds into the quarterly security report (AD7.5, Section 5) and provides evidence for any data protection audit.

OneDrive sharing — the personal site risk

OneDrive for Business is a SharePoint site collection per user. Every sharing control that applies to SharePoint also applies to OneDrive — but users have more autonomy over their personal OneDrive. The risk: a user shares their entire OneDrive root folder externally, exposing every document they've stored.

The tenant-level OneDrive sharing setting inherits from the SharePoint setting you configured above. Verify it explicitly:

$tenant = Get-SPOTenant
Write-Host "OneDrive sharing: $($tenant.OneDriveDefaultShareLinkScope)"
Write-Host "OneDrive default link type: $($tenant.OneDriveDefaultLinkPermission)"

If these values show "Anyone" or "Edit," tighten them to match the tenant defaults — "Internal" and "View." Users can still share externally by choosing authenticated sharing, but the default protects against accidental oversharing.