As I stated in one of my previous blog posts, External sharing in SharePoint is one big matzo ball. Trying to understand external sharing requires lots of patience and alcohol consumption. I tried to explain the concept many times on my blog, and you can find a summary of all the options here. One of the recent additions to the external sharing capabilities was the way to limit the duration of the externally shared content. This might be handy for many reasons, including governance. So in this article, I would like to explain the new feature that will allow IT and SharePoint admins to set up an expiration for guest access to SharePoint and OneDrive.
Default External Sharing experience
By default, when you enable external sharing on a site or OneDrive, external sharing invitations have no limits. In other words, once the recipient accepts the invitation, they will have access to the content until the access is manually revoked by the owner.
Let’s face it – with everything going on at work and your personal life, you will never remember to do the above. Hence – this article!
How to set up expiration for guest access
Luckily now, we can set up expiration limits for the external users (guests). You can set up an expiration limit in two places:
- Globally – for the whole tenant, and
- Locally at the site level
For both options, you need to be a SharePoint Admin and have access to the SharePoint Admin Center.
Globally, within the SharePoint Admin Center, you can set up expiration limits for both SharePoint and OneDrive. To do this:
- Click on Office 365 App Launcher > Admin
- Under Admin Centers, choose SharePoint
- Under Policies, select Sharing
- Expand More external sharing settings drop-down, and you will see two options at the very bottom
Guest access to a site or OneDrive will expire automatically after this many days
This option sets the threshold for external access to the whole SharePoint site or individual files and folders located on the SharePoint site or OneDrive for Business. You can set it to be any number between 30 and 730 days (2 years).
People who use a verification code must authenticate after this many days
This is an extra option you can set for authentication via passcode. This mainly applies to situations when you share files and folders from a site or OneDrive and when the recipient does not have an Office 365 account of its own. In those cases, they will access the content via temporary passcode. I documented this process here. The threshold here can be anywhere between 1 and 365 days (1 year).
Likewise, you can specify external sharing limits at a site level as well. This allows the SharePoint admins to set different limits to different sites (i.e., 30 days to HR sites and 90 days to Operations sites) or eliminate the expiration limit. To set the expiration limit at a site level:
- Under Sites, click Active Sites
- Click the checkbox next to a site whose limit you want to alter, click Sharing
- Scroll down to the Expiration of Guest Access section. You will see a checkbox next to Same as organization-level setting checked.
- Uncheck that checkbox above. You will either set a different limit for the site or eliminate the expiration of access.
Experience for those who share
Once the expiration limits have been out in place, both site owners and guests will “feel” the consequences. Since the above settings impact SharePoint and OneDrive externally shared content, I will describe the corresponding impact below.
Experience for SharePoint Site Owners
- If you are a site owner, click Gear Icon > Site Permissions
- You will notice a message/warning displaying a notice about the set limit and the ability to manage it. Click Manage.
- On the next screen, it will list all the external users (guests) and advise you on the date their access will expire. You will have a chance to either extend it or remove it altogether.
- If you decide to extend it, it will automatically extend to the maximum period allowed/set within the SharePoint Admin Center. For example, if your limit is 30 days, it will add 30 days to today’s date and will extend access for the user until that future date.
- In addition, 21 before the expiration date, Site Owners will receive an email warning them about the soon to be expired guests
- And they will also see a similar warning message on their SharePoint sites, warning them about pending expiration for guest users. By clicking Manage they will be able to extend access as shown above.
Experience for OneDrive users
You will also be able to control similar settings on your own OneDrive for Business. To do this:
- From within OneDrive, click Gear Icon > OneDrive Settings
- Click More Settings, Manage guest expiration, and then you will be able to manage Access Expiration for your guests in OneDrive!
Experience for Guests
Guests will lose access to the content when the guest access limit is reached and will need to receive a new invitation from the Site Owners or OneDrive users to the content.
Limitations of the Expiration for guest access feature
It is imperative to note that everything described in the above posts only impacts external sharing of a SharePoint site itself and files/folders within the site. It does not impact guest access to Microsoft 365 Groups/Teams. In other words, if you shared your MS Team externally with a guest by inviting them to the Team in Teams, everything I described above won’t impact yours or their experience.
The expiration for guest access settings I described above only apply when you:
- Have a standalone SharePoint Site without a group connected (Communication Site or a Team Site without a Microsoft 365 Group attached) and share the whole site with external users (guests)
- Have a SharePoint site that is connected to the Microsoft 365 Group, but only share the site itself
- Just share files and folders from a SharePoint site with external users
- Share files and folders from your OneDrive with external users