SharePoint Online External Sharing Best Practices
External Sharing in SharePoint is like your spouse snoring at night. It can spoil or even break your relationship. As such, external sharing policies can become a pretty hot and contested topic between business users and IT. So, I thought of summarizing here what, in my opinion, are the top 10 Best Practices related to SharePoint external sharing. These are the tips and recommendations based on my SharePoint consulting experience and observing my clients, large and small, dealing with the issue.
Best Practice # 1: Do not turn off external sharing
Never completely disable external sharing! Your users already email attachments externally anyway, so what’s the benefit? Moreover, when you create unnecessary roadblocks to collaboration, this will lead to shadow IT – business users relying on their own tools like Google Drive and Dropbox to share externally. This article provides some additional arguments in defense of this point.
Best Practice # 2: Limit external sharing by site
Now, I am not saying you should leave it wide open, either. The beauty of SharePoint configuration is that you can enable or disable external sharing on a site-by-site basis and even choose the level of site “openness” as well. This is done in the SharePoint Admin Center. So, if you have certain sites containing confidential information, you might want to restrict external sharing on those sites.
Best Practice # 3: Limit external sharing by Domain
Another technique to consider is to limit external sharing by domain. You can either specify domains users cannot share to (e.g., yahoo.com, gmail.com) or the opposite — specify the trusted domains. You can also limit by domain at the global or site levels! I explained this mechanism in this article.
Best Practice # 4: Decide on the external sharing approach
Another pretty powerful thing to consider is the overall external sharing approach. You can choose from one of the two methods:
- Let users share externally on the fly
- Let users share externally to users already in the system (Entra ID)
The reason why you would choose one method over the other depends on whether you want to control who users share with externally. I explained the two approaches in this article.
Best Practice # 5: Adjust expiration of Links
Your SharePoint Administrator(s) can also specify the duration after which external links will expire. Since files and folders need to be shared externally for a short period of time anyway, adding a standard threshold will help reduce the risk of inadvertent data loss. You can read more about this feature here.
Best Practice # 6: Adjust Site Sharing Settings
The above recommendations focused on SharePoint Admin decisions and settings. If you are a Site Owner, you can also take matters into your own hands and adjust site sharing settings, which will prevent site members from sharing an entire site, for example. A word of caution — these settings will also affect internal sharing. I explained what this is all about here.
Best Practice # 7: Avoid Anyone Links
This is also a big IT/Business decision to make. When sharing externally, users need to authenticate using their email and one-time passcode by default. Sometimes (mostly due to user error), this process does not work as intended. To alleviate the issue, some companies allow anonymous sharing. This means you will never know who clicked on your link, accessed your content, or even edited it. Bad idea! Unless you put some additional restrictions on those links, I do not recommend this option!
Best Practice # 8: Set up Anyone Links with password or expiration
I guess if you do have to use Anyone links, I would recommend adding restrictions, such as a password or an expiration date, to make them “safer” and “more secure.” These restrictions might prevent unauthorized access. I provided a few tricks in this article.
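The settings behind Practices 2, 3, 7 and 8 can also be reviewed from the SharePoint Online Management Shell rather than site by site in the Admin Center. The read-only audit below is an added example, not from the original article: the helper name `Get-SharingFinding`, the contoso URLs and the sample objects are constructed, and the property names mirror those returned by `Get-SPOTenant` and `Get-SPOSite`.

```powershell
# Added example: read-only audit of external sharing settings.
# For live data, replace the samples with the SharePoint Online Management Shell calls:
#   Connect-SPOService -Url https://contoso-admin.sharepoint.com   # placeholder tenant
#   $tenant = Get-SPOTenant
#   $sites  = Get-SPOSite -Limit All

# Constructed sample objects using the same property names as the cmdlet output.
$tenant = [pscustomobject]@{
    SharingDomainRestrictionMode      = 'None'
    RequireAnonymousLinksExpireInDays = -1      # -1 or 0: Anyone links never expire
}
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/hr'
                       SharingCapability = 'Disabled'
                       SharingDomainRestrictionMode = 'None' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/marketing'
                       SharingCapability = 'ExternalUserAndGuestSharing'
                       SharingDomainRestrictionMode = 'None' }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/vendors'
                       SharingCapability = 'ExternalUserSharingOnly'
                       SharingDomainRestrictionMode = 'AllowList' }
)

function Get-SharingFinding {          # hypothetical helper, not a Microsoft cmdlet
    param($Site, $Tenant)
    $capability = "$($Site.SharingCapability)"
    if ($capability -eq 'Disabled') { return }      # external sharing is off for this site
    if ($capability -eq 'ExternalUserAndGuestSharing') {
        'Anyone links allowed (Practice 7)'
        if ($Tenant.RequireAnonymousLinksExpireInDays -le 0) {
            'Anyone links have no tenant-wide expiration (Practice 8)'
        }
    }
    if ("$($Site.SharingDomainRestrictionMode)" -eq 'None' -and
        "$($Tenant.SharingDomainRestrictionMode)" -eq 'None') {
        'No domain allow or block list at site or tenant level (Practice 3)'
    }
}

# One row per site: its sharing level (Practice 2) and any findings.
$sites | ForEach-Object {
    [pscustomobject]@{
        Url      = $_.Url
        Sharing  = $_.SharingCapability
        Findings = @(Get-SharingFinding -Site $_ -Tenant $tenant) -join '; '
    }
} | Format-Table -AutoSize -Wrap
```

Passwords on Anyone links are set by the user on each individual link, so they do not appear in these tenant and site properties.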
Best Practice # 9: Add Expiration date when sharing
This is somewhat related to Tip # 5. That advice related to the setting in the SharePoint Admin Center that applied to the whole tenant. There is also an expiration date users can add when they generate individual sharing links to files and folders. I documented this amazing capability in this article. The ability to expire links applies to both internal and external sharing, so in the case of external sharing, you would add an expiration date to the “People you choose” link type.
Best Practice # 10: Use Request Files instead of sharing
Sometimes, you don’t really need to share files and folders, but rather request information from the users. In this case, utilizing the Request Files feature would be much more secure and wiser. This would implement somewhat of a one-way street for the recipients to submit their content without seeing your destination. I explain how the Request Files feature works here and compare the two here.