External sharing in SharePoint: Keep your tenant safe
During the pandemic, many organisations turned to SharePoint and Microsoft Teams as a great way to manage content and share it with the external organisations they collaborate with. Configuring external sharing correctly is vital: it ensures that your sensitive data isn’t shared with the wrong external organisations, or isn’t shared externally at all. In this post, I want to discuss how you can manage external sharing correctly.
Admin level settings
The first place to start is the SharePoint admin center. On the left under Policies, you’ll find the Sharing option. This area provides tenant wide settings for external sharing. The first setting provides sliders for both SharePoint and OneDrive for Business, with settings from the most permissive to the least in terms of restricting external sharing.
Anyone
The most permissive option is fairly extreme in my view, as it allows anybody to share links to files without requiring sign-in. Anyone with the link can view the content that has been shared, which could easily lead to the wrong people viewing content without you knowing. While this may be OK for OneDrive users, I don’t think it is a great default setting for SharePoint.
New and existing guests
This might be ok as a default setting for some organisations. However, if your users are creating sites at will to store sensitive documents, then this default setting is probably not advisable. In those situations, it is probably better to allow users to create the site and allow them to request external sharing for that individual site if it is required.
Existing guests
This may be more advisable than the above as a default option. Some organisations will have trusted partners who are already guests on their tenant, meaning they are comfortable with users being able to share documents with them at will.
Only people in your organisation
This might be the most advisable and safest option. Setting this as the default means all external sharing is disabled unless an administrator actively enables external sharing on the site. This ensures that users aren’t accidentally sharing documents externally.
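As an added example (not code from the original post), the following SharePoint Online Management Shell script applies the approach described above and finishes with an audit of which sites are open to guests. The tenant admin URL and the site URL are placeholders. One caveat worth knowing: the organisation-level setting is a ceiling, and a site cannot be set to a more permissive level than the tenant, so the script sets the tenant to the most permissive level any site will need and then disables sharing site by site, which gives the "off by default, enabled on request" result.

```powershell
# Added example (not from the original post): make "Only people in your
# organisation" the effective default and re-enable guest sharing on one site
# using the SharePoint Online Management Shell. All URLs are placeholders.
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

# The tenant level is a ceiling for every site, so set it to the most
# permissive level any site will ever be allowed to use.
#   Disabled                        = Only people in your organisation
#   ExistingExternalUserSharingOnly = Existing guests
#   ExternalUserSharingOnly         = New and existing guests
#   ExternalUserAndGuestSharing     = Anyone
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Turn external sharing off on every site so the effective default is
# internal only. Review the list first; this changes every matching site.
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability Disabled }

# An administrator re-enables sharing on a single site when its owner requests it.
Set-SPOSite -Identity "https://TENANT.sharepoint.com/sites/PartnerProject" `
    -SharingCapability ExistingExternalUserSharingOnly

# Regular check: which sites are currently open to guests, and who owns them?
Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Select-Object Url, Owner, SharingCapability |
    Sort-Object Url
```

The final query is the one to schedule: any site it lists that nobody remembers approving is a candidate for review, and it is far easier to spot drift from a short list of exceptions than from a tenant where sharing is on everywhere.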
Additional settings
Limit external sharing by domain
This is a useful setting when combined with the “Anyone” and “New and existing guests” settings. Simply add the list of domains that you will allow documents to be shared with, and users will only be able to share documents with people whose email address is in one of those domains.
Allow only users in specific security groups to share externally
A very good setting if you only want to allow a certain set of users, e.g. site owners, to share files.
Guests must sign in using the same account to which sharing invitations are sent
This is a great setting if you are concerned that someone other than the person who initially received the invitation link could use it to accept the invitation and therefore gain access to the tenant.
Allow guests to share items they don’t own
Most tend to have this enabled; it allows any user to share any item that they have access to.
Guest access to a site or OneDrive will expire automatically after this many days
Users might forget to revoke access to files over time, or the external user may leave their organisation without their account being removed. It might therefore be worth enabling this setting if your organisation has a lot of external sharing that is hard to keep track of.
People who use a verification code must reauthenticate after this many days
This is a good idea if you’re concerned about the wrong people gaining access to your data, e.g. via a device that has been lost.
File and folder links
Choose expiration and permissions options for Anyone links.
You can decide how long “Anyone” links last and what permissions a person receiving the link has. Personally, I would set a limit on the number of days the links work and set them to view only. My reasoning is that if such a link were to fall into the wrong hands, the holder could edit or upload a file, and that could be a danger to your users.
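As an added example (not code from the original post), the script below applies the additional settings and the Anyone-link settings discussed above in one Set-SPOTenant call, then reads the tenant back and reports any value that did not take. The allowed domains and the day counts are placeholder values to adjust for your own organisation; the "allow only specific security groups to share" setting is not included because it is configured in the admin center rather than through these parameters.

```powershell
# Added example (not from the original post): apply the external sharing
# hardening settings from the post with the SharePoint Online Management Shell
# and verify that the tenant reports them afterwards. Domains and day counts
# below are placeholders.
Connect-SPOService -Url "https://TENANT-admin.sharepoint.com"

$hardening = @{
    # Limit external sharing by domain (space-separated allow list)
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'partner-one.example partner-two.example'
    # Guests must sign in using the same account the invitation was sent to
    RequireAcceptingAccountMatchInvitedAccount = $true
    # Do not allow guests to share items they don't own
    PreventExternalUsersFromResharing          = $true
    # Guest access to a site or OneDrive expires after this many days
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = 60
    # Verification-code users must reauthenticate after this many days
    EmailAttestationRequired                   = $true
    EmailAttestationReAuthDays                 = 15
    # Anyone links expire after this many days and are view only
    RequireAnonymousLinksExpireInDays          = 30
    FileAnonymousLinkType                      = 'View'
    FolderAnonymousLinkType                    = 'View'
    # Default link offered in the share dialog: people in your organisation
    DefaultSharingLinkType                     = 'Internal'
}

Set-SPOTenant @hardening

# Read the tenant back and flag any setting that does not match the intent.
# Values are compared as strings so enums and booleans line up with the table.
$tenant = Get-SPOTenant
$drift = foreach ($name in $hardening.Keys) {
    $actual = "$($tenant.$name)"
    $wanted = "$($hardening[$name])"
    if ($actual -ne $wanted) {
        [pscustomobject]@{ Setting = $name; Expected = $wanted; Actual = $actual }
    }
}

if ($drift) {
    Write-Warning "Tenant sharing settings differ from the intended baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "All external sharing settings match the intended baseline."
}
```

Keeping the intended values in a hashtable and re-running only the comparison half on a schedule turns the post's recommendations into a baseline you can check, so a setting quietly relaxed in the admin center shows up as drift rather than going unnoticed.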