MS-102 | Chapter 31 of 104 | Objective 1.5

OneDrive Sharing Policies and External Access

This chapter covers OneDrive sharing policies and external access configuration in Microsoft 365, a critical topic for the MS-102 exam's Tenant Management domain (Objective 1.5). You will learn how to control external sharing at the tenant, site, and link levels, including default settings, inheritance, and override behaviors. Approximately 5-10% of exam questions touch on sharing policies, often testing your ability to configure and troubleshoot external access scenarios. Mastery of this topic is essential for securing organizational data while enabling legitimate collaboration.

25 min read
Intermediate
Updated May 31, 2026

Office Building Visitor Policy

Think of your organization's OneDrive as a secure office building. Employees have keycards that let them enter and access their own offices (their personal OneDrive). Sharing policies are the building's visitor policy. By default, employees can invite external guests (external users) into the building, but only to specific meeting rooms (shared folders) and, if the building manager says so, only for a limited time (expiration). The building manager (tenant admin) can set global rules: no external visitors at all (external sharing disabled), visitors must sign in with a Microsoft account or work account (authenticated guests), or visitors can enter with just a link that was sent to them (Anyone link). The manager can also set per-floor (per-site) policies that tighten the building-wide policy, but never loosen it. When an employee shares a file, they generate a link that acts like a digital visitor badge. The link can be set to expire after a certain number of days, or require the visitor to authenticate. If the building policy says no external visitors, that link won't work for anyone outside the company. The manager can also set a maximum number of days a visitor badge stays valid (Anyone link expiration cap), and periodically confirm that each visitor still needs one (access review). This analogy mirrors how OneDrive sharing policies control external access at the tenant, site, and link levels, with inheritance and override rules like a building's visitor policy hierarchy.

How It Actually Works

Overview of OneDrive Sharing Policies

OneDrive sharing policies define how users can share files and folders with people inside and outside the organization. These policies are configured at three levels: tenant-level (organization-wide), site-level (per OneDrive site), and link-level (per share action). The tenant-level policy is the ceiling: site-level policies can be equal to it or more restrictive, never more permissive. Link-level settings further refine access within whatever the site's sharing level allows.

Tenant-Level Sharing Policy

The tenant-level sharing policy is the topmost control. It is configured in the SharePoint admin center under Policies > Sharing. The key settings are:

- External sharing: Controls whether users can share with people outside the organization, from most to least permissive:
  - Anyone: Links that work for anyone who has them, no sign-in required. This is the most permissive option.
  - New and existing guests: Recipients must sign in (work or school account, Microsoft account, or a one-time passcode sent to their email); sharing with a new address creates a guest account in the directory.
  - Existing guests: Only share with external users who already have a guest account in your directory.
  - Only people in your organization: No external sharing allowed.
- File and folder links: The default link type preselected in the sharing dialog (Anyone, Only people in your organization, or Specific people), the default permission (View or Edit), and, for Anyone links, a maximum lifetime ("These links must expire within this many days", 1-365 days).
- Limit external sharing by domain: An allow list or block list of domains for sharing invitations.
- Allow only users in specific security groups to share externally: Narrows who may share outside the organization at all.
- Guests must sign in using the same account to which sharing invitations are sent: Prevents a forwarded invitation from being redeemed by someone else (RequireAcceptingAccountMatchInvitedAccount in PowerShell).
- Allow guests to share items they don't own: Controls re-sharing by guests.
- Guest access to a site or OneDrive will expire automatically after this many days: Time-boxes guest access.
- People who use a verification code must reauthenticate after this many days: Limits how long a one-time-passcode session stays valid.

These settings are stored in the SharePoint Online tenant configuration and are enforced by the SharePoint Online service for both SharePoint sites and OneDrive. Changes normally take effect within minutes, but allow some time for propagation before concluding that a setting is not working.

Site-Level (OneDrive) Sharing Policy

Each user's OneDrive site inherits the tenant-level policy by default. However, an admin can set a custom sharing policy for a specific OneDrive site using PowerShell (the SharePoint admin center can also manage OneDrive sites when they are listed under Active sites). The site-level policy can only be equal to or more restrictive than the tenant-level policy. For example, if the tenant allows Anyone links, a site can disable them, but if the tenant disables Anyone links, a site cannot enable them; attempting to set a site above the tenant level is rejected by the service with an error.

To configure a OneDrive site's sharing policy via PowerShell (SharePoint Online Management Shell, after Connect-SPOService):

Set-SPOSite -Identity https://contoso-my.sharepoint.com/personal/user_domain_com -SharingCapability ExternalUserSharingOnly

The -SharingCapability parameter accepts four values, which map to the admin center options as follows:
- Disabled: Only people in your organization (no external sharing).
- ExistingExternalUserSharingOnly: Existing guests.
- ExternalUserSharingOnly: New and existing guests (authenticated external users only).
- ExternalUserAndGuestSharing: Anyone (authenticated guests plus Anyone links; a site can only hold this value if the tenant is at this level too).

Note the naming trap: ExternalUserAndGuestSharing is the most permissive value, not "guests only".
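The following script is an added example, not code from the page, that puts the hierarchy rule into practice: it enumerates every OneDrive site, computes the effective sharing level from the tenant and site values (the more restrictive wins), and flags OneDrives that still permit Anyone links. The admin URL is a placeholder for your tenant; it assumes the SharePoint Online Management Shell and the SharePoint Administrator role.

```powershell
# Added example (not from the page): audit all OneDrive sites against the tenant
# sharing level. Assumes the SharePoint Online Management Shell is installed and
# that the admin URL below is replaced with your own (hypothetical tenant "contoso").
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Rank the SharingCapability values from most to least restrictive.
$rank = [ordered]@{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

function Get-EffectiveSharing {
    param([string]$TenantLevel, [string]$SiteLevel)
    # The more restrictive of the two levels is what users actually get.
    if ($rank[$SiteLevel] -le $rank[$TenantLevel]) { return $SiteLevel }
    return $TenantLevel
}

$tenantLevel = (Get-SPOTenant).SharingCapability.ToString()

# OneDrive sites live under the -my.sharepoint.com host; -IncludePersonalSite is
# required for Get-SPOSite to return them at all.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $oneDrives) {
    $siteLevel = $site.SharingCapability.ToString()
    $effective = Get-EffectiveSharing -TenantLevel $tenantLevel -SiteLevel $siteLevel
    [pscustomobject]@{
        Url          = $site.Url
        Owner        = $site.Owner
        Tenant       = $tenantLevel
        Site         = $siteLevel
        Effective    = $effective
        AllowsAnyone = ($effective -eq 'ExternalUserAndGuestSharing')
    }
}

# OneDrives where Anyone links are effectively allowed are the ones to review first.
$report | Where-Object AllowsAnyone | Format-Table Url, Owner, Effective -AutoSize

# Remediation (uncomment to apply): clamp each flagged OneDrive to authenticated
# guests only. This is below the tenant level, so the service accepts it.
# $report | Where-Object AllowsAnyone | ForEach-Object {
#     Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
# }
```

Run the report first and apply the remediation only after reviewing the list; clamping a OneDrive silently breaks any Anyone links its owner is relying on, so the owner should be told before the change lands.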

Link-Level Sharing Settings

When a user shares a file or folder, they can create a link with specific permissions. The available link types depend on the tenant and site policies:

Anyone link: No authentication required. Anyone who obtains the link can open the item, including people it is forwarded to. When creating the link, the user can set an expiration date and a password; the tenant setting caps the expiration but cannot require a password.

People in your organization link: Requires the user to be in the same tenant.

Specific people link: Only specified users (internal or external guests) can access.

People with existing access link: Grants no new permissions; it works only for people (internal users or guests) who already have access to the item.

Users can also set the permission (view or edit) and, for Anyone links, an expiration date and password on individual links. Admins set the default link type and default permission that the sharing dialog preselects, and the maximum lifetime for Anyone links; the defaults are what is preselected, not what is enforced, while the expiration setting is a cap.

Default Sharing Settings

Key default values in Microsoft 365:

Default link type: Set to "Only people in your organization" for new tenants. For existing tenants, it may be "Anyone" if previously configured.

Anyone link expiration: Off unless the admin turns on "These links must expire within this many days"; the admin center prefills 30 days when you enable it, and the allowed range is 1-365 days. Until you turn it on, Anyone links never expire, so treat "no expiration" as the default you are inheriting.

Anyone link permissions: Default is View. Can be changed to Edit.

External sharing: "Anyone" (ExternalUserAndGuestSharing) for new tenants, which is the most permissive level. Many organizations lower this to "New and existing guests" as a first hardening step. Check the actual value with Get-SPOTenant rather than assuming it.

Guest access: Guests can access shared resources by default.

Limit external sharing by domain: No restrictions by default.

Interaction with Azure AD B2B

External sharing relies on Azure AD (now Microsoft Entra ID) B2B collaboration. When a user shares with an external email address, the recipient receives an invitation email. If the recipient has a work/school account or a Microsoft account, they sign in with it; otherwise they can redeem the invitation with a one-time passcode sent to their email (where that feature is enabled) or be prompted to create a Microsoft account. The guest user object is created in the directory and can be managed like any other user. The guest's access is subject to Conditional Access policies and guest user access controls, which is what makes authenticated sharing auditable and revocable in a way Anyone links are not.

Sharing Policies and Sensitivity Labels

Sensitivity labels interact with sharing in two ways. A label that applies encryption (the "Control access" section of the label configuration) restricts who can open the file: if a user shares an encrypted file externally, a guest who is not granted rights by the label cannot read it even though the link itself was allowed. Separately, a DLP policy can use a label as a condition to block the share action itself (for example, block external sharing of files labeled "Highly Confidential"). Either way, the effect is more restrictive than the tenant or site sharing level and cannot be loosened by it. Labels applied with built-in labeling in Office apps and labels applied with the Azure Information Protection client are enforced the same way: encryption by the label's rights, share blocking by the DLP policy.

Audit and Monitoring

Sharing activities are logged in the Microsoft 365 unified audit log (SharePoint workload). Key operations include:
- SharingInvitationCreated, SharingInvitationAccepted, SharingInvitationRevoked: guest invitations.
- SharingSet, SharingRevoked: permissions granted to or removed from a user or group.
- SharingLinkCreated, SecureLinkCreated, AddedToSecureLink: organization and specific-people links.
- AnonymousLinkCreated, AnonymousLinkUsed, AnonymousLinkUpdated, AnonymousLinkRemoved: Anyone links. AnonymousLinkUsed records the client IP address but no identity, because nobody signed in.
- FileAccessed, FileDownloaded: file activity, including activity by guests.

Admins can use the audit log (Purview audit search or the Search-UnifiedAuditLog cmdlet) to investigate external sharing activities. For Anyone links, the log can tell you when a link was used and from which IP, but not by whom.
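As an added example (not part of the page), here is how a practitioner would pull the last seven days of sharing activity from the unified audit log and summarize it: which files had Anyone links used, from how many distinct IPs, and which invitations went to consumer mail domains. It assumes the Exchange Online PowerShell module, an account holding the audit-reading role, and a constructed watch list of domains.

```powershell
# Added example (not from the page): summarize external sharing events from the
# unified audit log. Assumes Exchange Online PowerShell (Connect-ExchangeOnline) and
# an account permitted to search the audit log. The domain watch list is constructed.
Connect-ExchangeOnline

$start = (Get-Date).AddDays(-7)
$end   = Get-Date
$ops   = 'AnonymousLinkCreated', 'AnonymousLinkUsed', 'SharingInvitationCreated', 'SharingSet'

# ReturnLargeSet lifts the default result cap; for more than 5000 records, loop with
# -SessionId and the same -SessionCommand until no more rows come back.
$records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $ops `
    -ResultSize 5000 -SessionCommand ReturnLargeSet

# AuditData is a JSON string; flatten the fields we care about.
$events = foreach ($r in $records) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time      = $r.CreationDate
        Operation = $d.Operation
        Actor     = $d.UserId                  # 'anonymous' for AnonymousLinkUsed
        ClientIP  = $d.ClientIP
        Item      = $d.ObjectId                # full URL of the file or folder
        Target    = $d.TargetUserOrGroupName   # recipient for invitations and SharingSet
    }
}

# 1) Anyone links that were actually used, ranked by use count and distinct source IPs.
$used = $events | Where-Object Operation -eq 'AnonymousLinkUsed' |
    Group-Object Item | Sort-Object Count -Descending |
    Select-Object @{ n = 'Item'; e = { $_.Name } }, Count,
                  @{ n = 'DistinctIPs'; e = { ($_.Group.ClientIP | Sort-Object -Unique).Count } }
$used | Format-Table -AutoSize

# 2) Invitations sent to domains you intended to block (constructed watch list).
#    Hits here mean the domain block list is missing an entry or was added after the fact.
$watch = 'gmail.com', 'yahoo.com'
$events |
    Where-Object { $_.Operation -eq 'SharingInvitationCreated' -and $_.Target -and
                   (($_.Target -split '@')[-1].ToLower() -in $watch) } |
    Format-Table Time, Actor, Target, Item -AutoSize

# 3) Who created Anyone links in the period, to pair with the AnonymousLinkUsed rows above.
$events | Where-Object Operation -eq 'AnonymousLinkCreated' |
    Group-Object Actor | Sort-Object Count -Descending | Format-Table Name, Count -AutoSize
```

The three views answer the questions that matter during an investigation in order: what was exposed and how widely, whether a control was bypassed, and who to talk to. Because AnonymousLinkUsed carries no identity, the creator list in the third view is usually the only person you can ask about an anonymous access.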

PowerShell Commands for Configuration

Common PowerShell commands for managing sharing policies:

# Connect first (SharePoint Online Management Shell)
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Get tenant-level sharing policy
Get-SPOTenant | Select-Object -Property SharingCapability, DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingBlockedDomainList, RequireAcceptingAccountMatchInvitedAccount, ProvisionSharedWithEveryoneFolder, ShowEveryoneClaim, ShowEveryoneExceptExternalUsersClaim, ShowPeoplePickerSuggestionsForGuestUsers

# Set tenant-level sharing policy (ExternalUserSharingOnly = "New and existing guests")
Set-SPOTenant -SharingCapability ExternalUserSharingOnly -RequireAcceptingAccountMatchInvitedAccount $true

# Get site-level sharing policy (OneDrive URLs look like https://<tenant>-my.sharepoint.com/personal/<user>)
Get-SPOSite -Identity <SiteURL> | Select-Object Url, SharingCapability

# Set site-level sharing policy (must be equal to or more restrictive than the tenant level)
Set-SPOSite -Identity <SiteURL> -SharingCapability ExistingExternalUserSharingOnly

# Set default link type (Internal = "Only people in your organization"; Direct = "Specific people")
Set-SPOTenant -DefaultSharingLinkType Internal

# Cap Anyone link lifetime (1-365 days; this is a maximum, not a default, and it applies to existing links too)
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

Troubleshooting Sharing Issues

Common issues and resolutions:

External users cannot access shared content: Check tenant-level and site-level sharing capabilities. Ensure external sharing is not disabled. Verify the user is not blocked by domain restrictions.

Anyone link not working: Ensure the tenant SharingCapability is ExternalUserAndGuestSharing (the "Anyone" level) and that the specific site is at that level as well. Also check whether the link has passed the tenant expiration cap or was given a password or expiration by its creator.

Link expiration too short: The cap is -RequireAnonymousLinksExpireInDays at the tenant level; raise it (1-365 days) or set it to 0 to remove the requirement. Note that it applies to Anyone links already created, not just new ones.

Guest user cannot sign in: Check Azure AD B2B settings and Conditional Access policies.

Exam Tips

Remember the hierarchy: Tenant > Site > Link. More restrictive wins.

Know the default values: Anyone links have no expiration until the cap is turned on; the admin center prefills 30 days when you enable it, and the range is 1-365 days.

Understand that site-level policy cannot be more permissive than tenant-level.

Be aware that sensitivity labels can override sharing policies.

Audit logs are key for troubleshooting sharing events.

Walk-Through

1

Access SharePoint Admin Center

Navigate to the Microsoft 365 admin center (admin.microsoft.com). Under Admin centers, select SharePoint. Alternatively, go directly to https://admin.microsoft.com/SharePoint, which redirects to your tenant's SharePoint admin center. This is the primary interface for configuring sharing policies. The SharePoint Administrator role is sufficient; Global Administrator also works but should not be used for routine configuration.

2

Navigate to Policies > Sharing

In the SharePoint admin center, expand Policies, then click Sharing. This page displays all tenant-level sharing settings, including external sharing, link expiration, and domain restrictions. Changes made here affect all SharePoint and OneDrive sites by default.

3

Configure External Sharing Level

Under External sharing, select the appropriate level: Anyone, New and existing guests, Existing guests, or Only people in your organization. Each option has sub-settings. For example, if you choose Anyone, you can set expiration and permissions for anonymous links. This setting is the baseline for all sites.

4

Set Default Link Type and Expiration

Under File and folder links, choose the default link type (Anyone, Only people in your organization, or Specific people) and the default permission (View or Edit). If Anyone links are enabled, turn on "These links must expire within this many days" and set the maximum (1-365 days). The type and permission are preselected defaults that users can change per share; the expiration is a cap that users can shorten but not exceed.

5

Configure Domain Restrictions

Under Limit external sharing by domain, you can allow or block sharing with specific domains. For example, block sharing with competitor.com, or allow only trusted partner.com (an allow list is the stronger control, because it fails closed for every domain you did not think of). Note that this applies to sharing invitations and specific-people links, not to Anyone links; if Anyone links are enabled, a domain block does nothing to stop a link being forwarded to that domain.

6

Override for Specific OneDrive Site

To set a custom policy for a specific user's OneDrive, use PowerShell: `Set-SPOSite -Identity <OneDriveURL> -SharingCapability ExternalUserSharingOnly`. This overrides the tenant default but cannot be more permissive. Verify with `Get-SPOSite -Identity <OneDriveURL> | Select-Object SharingCapability`.

7

Test and Verify Sharing Behavior

After configuration, test sharing from a user account. Create an Anyone link and attempt to access it from an external browser. Check that the link expires after the set duration. Use the audit log to verify that sharing events are recorded. If issues occur, review the tenant and site policies for conflicts.
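The walk-through above is a console procedure; the following script is an added example, not from the page, that applies steps 3 through 6 with the SharePoint Online Management Shell and then performs the read-back check of step 7 so drift is reported rather than assumed. The admin URL, the OneDrive URL, and the blocked-domain list are placeholders.

```powershell
# Added example (not from the page): walk-through steps 3-7 as a repeatable script.
# Placeholders: the admin URL, the OneDrive URL and the blocked domains are hypothetical.
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Step 3: tenant external sharing level. Anyone links stay off; authenticated guests allowed.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Step 4: what the sharing dialog preselects, plus the Anyone-link lifetime cap.
# The cap only matters if Anyone is ever re-enabled, but setting it now means it is
# already in place on that day. 'Direct' is "Specific people" in the admin center.
$linkDefaults = @{
    DefaultSharingLinkType            = 'Direct'
    DefaultLinkPermission             = 'View'
    RequireAnonymousLinksExpireInDays = 7
    FileAnonymousLinkType             = 'View'
    FolderAnonymousLinkType           = 'View'
}
Set-SPOTenant @linkDefaults

# Step 5: block consumer mail domains for invitations. The list is space-separated.
Set-SPOTenant -SharingDomainRestrictionMode BlockList `
              -SharingBlockedDomainList "gmail.com yahoo.com outlook.com"

# Guests must redeem the invitation with the address it was sent to.
Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true

# Step 6: clamp one user's OneDrive below the tenant level (existing guests only).
$oneDrive = "https://contoso-my.sharepoint.com/personal/alex_contoso_com"
Set-SPOSite -Identity $oneDrive -SharingCapability ExistingExternalUserSharingOnly

# Step 7: read back and report each control as OK or DRIFT.
$t = Get-SPOTenant
$s = Get-SPOSite -Identity $oneDrive
$checks = [ordered]@{
    'Tenant level'      = ($t.SharingCapability -eq 'ExternalUserSharingOnly')
    'Default link type' = ($t.DefaultSharingLinkType -eq 'Direct')
    'Default permission'= ($t.DefaultLinkPermission -eq 'View')
    'Anyone expiry cap' = ($t.RequireAnonymousLinksExpireInDays -eq 7)
    'Domain block list' = ($t.SharingDomainRestrictionMode -eq 'BlockList')
    'Invite match'      = ($t.RequireAcceptingAccountMatchInvitedAccount)
    'OneDrive override' = ($s.SharingCapability -eq 'ExistingExternalUserSharingOnly')
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-20} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'DRIFT' })
}
```

The read-back block is the part worth keeping as a scheduled job: settings get changed by other admins, and a daily OK/DRIFT listing is cheaper than discovering during an incident that Anyone links were quietly turned back on.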

What This Looks Like on the Job

Scenario 1: Large Enterprise with Strict Data Governance

A multinational corporation requires that all external sharing be authenticated and logged. They set the tenant-level external sharing to "New and existing guests", which disables Anyone links entirely. They set the default link type to "Specific people" to prevent accidental oversharing. Domain restrictions block sharing invitations to personal email domains such as gmail.com and yahoo.com, so users share only with corporate partners. They also enable "Guests must sign in using the same account to which sharing invitations are sent" to prevent invitation forwarding. In production, this configuration measurably reduces data leakage incidents. However, it increases friction for legitimate collaboration, so they create a process for approving exceptions via a security team. A site admin cannot set a OneDrive more permissive than the tenant (the service rejects it), so the "misconfigurations" they see are really misunderstandings of the hierarchy: someone expects a site setting to unlock sharing the tenant forbids. The main challenge is managing the guest lifecycle: guest accounts accumulate over time, so they implement access reviews to periodically remove inactive guests.

Scenario 2: Small Business Using Anyone Links for Customer Collaboration

A small marketing agency frequently shares large files with clients who do not have Microsoft accounts. They set the tenant-level external sharing to "Anyone", set a 7-day expiration cap for Anyone links, and leave the default permission at view-only. They set the default link type to "Anyone" for convenience and tell users to add a password when a link carries anything sensitive (passwords are set per link by the user; the tenant cannot force them). In practice, clients often lose the link, so they keep the cap short to limit exposure. The main security consideration is that Anyone links bypass authentication, so there is no record of who accessed the file. To mitigate this, they review AnonymousLinkUsed events in the audit log, which show that and when a link was used, and from which IP, but not by whom. A common misconfiguration is leaving the expiration cap off, leading to permanent anonymous access; because the cap is a single tenant setting (RequireAnonymousLinksExpireInDays) that also applies to links already created, no per-link script is needed to enforce it.

Scenario 3: Healthcare Organization with Compliance Requirements

A healthcare provider must meet HIPAA obligations and has decided that all external sharing of patient data must be encrypted and authenticated. They set external sharing to "New and existing guests", which disables Anyone links. They also use sensitivity labels to mark patient data as "Highly Confidential", with the label applying encryption, and a DLP policy that blocks external sharing of files carrying that label. When a user tries to share a labeled file externally, the DLP policy blocks the action even if the site policy allows it, and a guest who somehow received the file still could not open it without rights granted by the label. In production, they must carefully manage guest access to ensure that business associates sign a BAA before being invited. They use Azure AD B2B with Conditional Access policies to require multi-factor authentication for guest access. A common issue is that users share unlabeled files externally, which the label-based controls never see. They address this with training and by configuring a default label for all documents. The main operational consideration is that encrypting labels add processing time when large files are labeled and shared.

How MS-102 Actually Tests This

The MS-102 exam tests OneDrive sharing policies under Objective 1.5: Configure and manage external sharing. You must understand the hierarchy of sharing policies (tenant > site > link) and the fact that site-level policies can only be more restrictive. The exam often presents scenarios where you need to determine the effective sharing capability given conflicting settings. For example, if the tenant allows "Anyone" but a site is set to "ExternalUserSharingOnly", the effective setting is "ExternalUserSharingOnly" because the site is more restrictive.

Common wrong answers include:

Choosing "Anyone" when the site policy disables it. Candidates forget that site-level overrides are more restrictive.

Thinking that setting a site to a more permissive level than the tenant is possible. The exam tests that this is not allowed.

Assuming that default link type settings apply to all shares. The default is just a default; users can override it per share.

Confusing "Existing guests" with "New and existing guests". The difference is whether new guest accounts can be created.

Key numbers to memorize:

Anyone link expiration range: 1-365 days. Default if enabled: 30 days.

External sharing options: 4 levels (Anyone, New and existing guests, Existing guests, Only people in your organization).

Domain restrictions: can be allow or block list.

Edge cases the exam loves:

What happens when a sensitivity label blocks external sharing but the site policy allows it? The label (or the DLP policy keyed on it) wins: the controls are cumulative and the most restrictive one applies, regardless of the order in which they are evaluated.

What if a user shares with an external domain that is blocked? The share fails, and the user gets an error.

What if a guest user's access is revoked (the guest account is deleted or blocked)? They lose access to everything shared with that identity; anything already downloaded is of course beyond your control.

To eliminate wrong answers, always check the hierarchy: start with the tenant policy, then apply the site policy (more restrictive), then any label or DLP restrictions. The most restrictive of all applies. Also, remember that Anyone links are the only type that does not require authentication; all others require the recipient to sign in with a work or school account, a Microsoft account, or an email one-time passcode.

Key Takeaways

Tenant-level sharing policy is the baseline; site-level policies can only be more restrictive.

Anyone links allow anonymous access and bypass domain restrictions.

Anyone links have no expiration until the cap is enabled; the admin center prefills 30 days, and the range is 1-365 days.

Sensitivity labels can override sharing policies and block external sharing.

External sharing relies on Azure AD B2B collaboration for guest accounts.

Audit log records all sharing events for monitoring.

Domain restrictions apply to sharing invitations, not to Anyone links.

Site-level policy cannot be more permissive than tenant-level policy.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Anyone Links

No authentication required.

Cannot track who accesses the file.

Can have expiration and password protection.

Bypass domain restrictions.

Less secure, but easier for recipients.

Guest Links (Specific People)

Requires the recipient to authenticate as a B2B guest (work or school account, Microsoft account, or email one-time passcode).

Access is logged with the guest's identity.

Can be revoked by removing the guest from Azure AD.

Subject to domain restrictions.

More secure, but requires recipient to have or create an account.

Watch Out for These

Mistake

Site-level sharing policy can be more permissive than tenant-level.

Correct

Site-level policies can only be more restrictive than the tenant-level policy. If tenant disables external sharing, a site cannot enable it.

Mistake

Default link type setting forces all shares to use that type.

Correct

The default link type is just the preselected option in the sharing dialog; users can choose a different link type when sharing.

Mistake

Anyone links require the recipient to sign in with a Microsoft account.

Correct

Anyone links require no authentication; anyone with the link can access the content without signing in.

Mistake

Blocking a domain in sharing policy prevents external users from that domain from receiving any shared content.

Correct

Domain restrictions apply only to sharing invitations, not to access via Anyone links. Anyone links bypass domain restrictions.

Mistake

Restricting the tenant sharing policy only affects new shares; existing Anyone links keep working until they expire.

Correct

The sharing level is checked when a link is used, not only when it is created, so an Anyone link stops working as soon as the tenant or site no longer allows Anyone links (the link is not deleted, and works again if the level is raised). The Anyone-link expiration cap likewise applies to links already created. Only the default link type and default permission are pure defaults for the sharing dialog and leave existing links untouched.


Frequently Asked Questions

What is the difference between 'New and existing guests' and 'Existing guests' in external sharing?

'New and existing guests' allows users to invite new external users who are not yet in Azure AD, creating a guest account. 'Existing guests' only allows sharing with users who already have a guest account in the directory. The exam tests this distinction: 'Existing guests' prevents creation of new guest accounts.

Can I set a custom expiration for an Anyone link that is longer than the tenant default?

No. The tenant-level setting is a maximum, not a default: when it is on, every Anyone link must expire within that many days. Users can pick a shorter date but not a longer one, and the cap also applies to Anyone links created before the setting was turned on.

How do I block external sharing with personal email domains like gmail.com?

In the SharePoint admin center under Policies > Sharing, use 'Limit external sharing by domain' to add gmail.com to the blocked domains list. Note that this only blocks sharing invitations, not Anyone links. To block Anyone links, disable that option at the tenant level.

What happens to existing shares if I change the tenant sharing policy to more restrictive?

SharePoint evaluates the current tenant and site sharing level when a link or guest permission is used. If you disable Anyone links, existing Anyone links stop working (they remain on the item and resume if you re-enable the level). If you set "Only people in your organization", guests keep their permission entries but cannot access the content while the setting is in place. Only the default link type and default permission leave existing links untouched. After any tightening, test a previously created link to confirm the behavior in your tenant.

How do I configure OneDrive sharing policies using PowerShell?

Use the SharePoint Online Management Shell. For tenant-level: `Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing`. For site-level: `Set-SPOSite -Identity <URL> -SharingCapability ExternalUserSharingOnly`. Ensure you have the required permissions.

What is the impact of sensitivity labels on sharing?

A sensitivity label can apply encryption ("Control access" in the label configuration), so a guest who is not granted rights by the label cannot open the file even if the link was allowed. A DLP policy can additionally use the label as a condition to block the external share action itself, even if the site policy allows it. Both are more granular than, and cannot be loosened by, the tenant or site sharing level.

Can external users access OneDrive files without a Microsoft account?

Yes, if the sharing link is an 'Anyone' link. No authentication is required. For other link types, the recipient must sign in, with a Microsoft account (personal or work/school) or, where enabled, with a one-time passcode sent to their email address.

