3 ways to set up guest access for SharePoint Site or Teams
The ability to share externally is fundamental in today’s world of collaboration. We constantly need to share content with users outside our organization. These could be clients, vendors, contractors, board members, attorneys, and practically anyone who needs to collaborate with your employees outside of the company. When it comes to external sharing in SharePoint, there are a few ways to approach this. I wrote an article on this very topic back in 2016. However, that was when we still had Classic SharePoint, and we did not have the Teams application, which became the new front end of SharePoint. So, in this post, I will summarize all the available options when it comes to setting up guest access for SharePoint Sites and Teams.
Site/Teams guest access vs. File/Folder Access
The reason I titled this article "guest access to SharePoint Site and Teams" is that the mechanism for inviting guest users to SharePoint Sites and Teams is quite different from just sharing a file or a folder from a Site or a Team. To be precise, what happens behind the scenes is drastically different. When you share a file or a folder, the process is pretty seamless and straightforward.
When sharing a SharePoint site or a Team externally, the recipient is added to the Microsoft Entra ID directory. I documented this in this article.
This little nuance is the reason I decided to write this post. As a result of this little fact, there are multiple ways to invite guests to your tenant. So, below, I would like to share several ways to set up guest access for SharePoint Site or Teams and document the pros and cons of each approach.
Option 1: Provision external users with a Company account (not recommended)
I see this option employed by some of my clients, but I don’t really recommend it. With this option, external users/guests are provisioned a company Licensed or Unlicensed Microsoft 365 account, just like employees. The idea is that companies do not need to explicitly enable external sharing on their tenant, and the recipients do not get lost in the nuances of external sharing screens, etc. The process of accessing sites and teams for external users is the same as for internal ones.
However, I do not really recommend this option unless you have just a few trusted partners. Not because you need to set up all these additional accounts, but because it might be challenging to keep track of all those “external” accounts and later tell them apart from the internal ones.
Pros
- Least friction for guests
- Allows IT to completely disable external sharing at a tenant level
Cons
- This is a dangerous option as “guests” become part of the Everyone except external users group – that means they can inadvertently access other sites and all Public groups.
- Recipients (guests) will need to remember and maintain a separate Microsoft 365 account provisioned for them
Option 2: Let Users invite
The second option is how SharePoint and Teams work out of the box – by allowing site members and owners to freely share sites and teams with anyone outside of the organization. I documented this option in this article.
Inviting external users to a SharePoint Site
Inviting external users to a Team in Teams
Pros
- Allows users the freedom of external sharing
Cons
- Despite improvements, users get lost in emails and instructions received and have trouble accessing the site or team (mostly due to user errors)
- Might be a hassle for IT to maintain
Option 3: Invite the external users via Microsoft Entra ID
The third option is somewhat of a middle ground between Options 1 & 2 above. The idea here is that external sharing is allowed, but only with the users who already exist within the User Directory.
Here, IT adds external users to the User Directory (Microsoft Entra ID) first, and only after the external users accept the invite and end up in the directory can site members add them to the sites. I documented the whole process in this article.
The Azure AD name has been changed to Microsoft Entra ID, and there were some UI changes, but the concept is still the same.
Pros
- Allows IT tighter control over external sharing
Cons
- Requires IT involvement for all new external users
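One way IT could carry out Option 3 from PowerShell, shown as an added example that is not part of the original article. It assumes the Microsoft Graph and SharePoint Online management modules are installed; the tenant admin URL, guest address and redirect URL are placeholders.

```powershell
# Added example. Placeholder values below are assumptions, not from the article.
# Requires the Microsoft.Graph and Microsoft.Online.SharePoint.PowerShell modules.
$AdminUrl    = 'https://contoso-admin.sharepoint.com'          # placeholder
$GuestEmail  = 'partner@example.com'                           # placeholder
$RedirectUrl = 'https://contoso.sharepoint.com/sites/project'  # placeholder

Connect-MgGraph -Scopes 'User.Invite.All', 'User.Read.All'
Connect-SPOService -Url $AdminUrl

# 1. Tenant setting: sharing is allowed, but only with guests already in the directory.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# 2. IT invites the guest, unless a directory object with that address already exists.
$existing = Get-MgUser -Filter "mail eq '$GuestEmail'" `
    -Property Id, Mail, UserType, ExternalUserState
if (-not $existing) {
    $invite = New-MgInvitation -InvitedUserEmailAddress $GuestEmail `
        -InviteRedirectUrl $RedirectUrl -SendInvitationMessage:$true
    $existing = Get-MgUser -UserId $invite.InvitedUser.Id `
        -Property Id, Mail, UserType, ExternalUserState
}

# 3. Per the article, site members add the guest only after the invite is accepted.
if ($existing.UserType -eq 'Guest' -and $existing.ExternalUserState -eq 'Accepted') {
    Write-Output "$GuestEmail has redeemed the invite and can be added to sites."
} else {
    Write-Output "$GuestEmail is not an accepted guest yet (state: $($existing.ExternalUserState))."
}

# 4. Periodic review: every guest in the directory and its redemption state.
Get-MgUser -All -Filter "userType eq 'Guest'" `
    -Property Mail, ExternalUserState, CreatedDateTime |
    Select-Object Mail, ExternalUserState, CreatedDateTime |
    Sort-Object CreatedDateTime
```

The review in step 4 also surfaces invitations that were never redeemed, which are candidates for cleanup.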