This chapter covers SharePoint external sharing and guest policies, a critical topic for the MS-102 exam under Tenant Management (Objective 1.5). You will learn how to configure and manage external sharing at the tenant, site, and item levels, including guest access, anonymous links, domain restrictions, and expiration policies. Expect 5-8% of exam questions to touch this area, often in scenarios involving security, compliance, or collaboration with external partners.
Think of SharePoint external sharing like a company's visitor management system. The company (tenant) has a main entrance with a security desk (SharePoint admin center). The security guard (global admin) sets a global policy: visitors are allowed, but only with a badge that expires after 7 days (guest access expiration). Individual departments (site collections) can override this to be more restrictive but never more permissive. When a visitor arrives (external user is invited), they must present ID (email verification) and receive a badge (invitation link) that grants access only to specific floors (sites or folders). The badge can be a one-time pass (specific people link) or a reusable pass (sharing link). The guard logs every entry (audit logs). If the visitor tries to share their badge with a friend (re-sharing), the guard checks if the visitor has 're-share' permission (can add external participants). The system also has a blacklist (domain restrictions) and can require visitors to have a specific clearance level (Azure AD conditional access). The key mechanism: external sharing is always controlled at the tenant level first, then site level, and finally at the item level, with each level inheriting restrictions from above. The default tenant setting is 'Anyone' (anonymous links), but most enterprises set it to 'New and existing guests' to require authentication.
What is SharePoint External Sharing?
SharePoint external sharing allows users in your organization to share content (sites, folders, files) with people outside your Azure AD tenant. This is a key collaboration feature but also a security boundary. External sharing is controlled at three levels: tenant, site collection, and item. The most restrictive setting wins.
Why It Exists
External sharing enables collaboration with partners, vendors, and customers without requiring them to have an Azure AD account in your tenant. It reduces friction but introduces risk of data leakage. Microsoft provides granular controls to balance usability and security.
How External Sharing Works Internally
When a user shares a file with an external email address, SharePoint generates a sharing link. The link type depends on the sharing settings:
- Anyone links: Anonymous, no authentication required. Anyone with the link can access the item. Default expiration is 30 days (configurable).
- New and existing guests: External users must authenticate using a Microsoft account or Azure AD guest account. If the user is new, an invitation is sent to join the tenant as a guest.
- Existing guests: Only users who already have a guest account in your Azure AD can access.
- Only people in your organization: No external sharing.
When an external user clicks a sharing link, SharePoint checks:
1. Is the link valid (not expired or revoked)?
2. Is the user authenticated (if required)?
3. Does the user have permissions to the item?
4. Does the user have the 're-share' permission?
Key Components and Defaults
Tenant-level settings (SharePoint admin center > Sharing):
Sharing capability: Choose from 'Anyone', 'New and existing guests', 'Existing guests', or 'Only people in your organization'.
Default link type: 'Anyone', 'People in your organization', 'Specific people'.
Expiration for Anyone links: Default 30 days, can be set from 1 to 365 days.
Guest access expiration: Default 30 days (inactive guests), can be set from 1 to 365 days.
Domain restrictions: Allow or block specific domains.
Allow external users to share items they don't own: Enabled by default.
Allow sharing to everyone in a link: Disabled by default.
Site-level settings (Site Settings > Sharing):
Can be more restrictive than tenant but never more permissive.
Options: Same as tenant plus 'Only people in your organization'.
Default link type: Inherits from tenant.
Expiration: Inherits from tenant.
Item-level settings (Share dialog):
User can choose link type (if allowed by site/tenant).
Can set expiration (if allowed).
Can set password (for Anyone links).
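The tenant > site > item hierarchy described above can be modelled as a small resolver. This is an added example, not code from the original chapter or from Microsoft: the SharingCapability values are the real ones accepted by Set-SPOTenant and Set-SPOSite, but the function names (Get-SharingRank, Resolve-EffectiveSharing, Get-AvailableLinkTypes) and the ranking model are assumptions made here for illustration. It runs offline in any PowerShell session and never contacts SharePoint Online.

```powershell
# Added example (not from the original page): resolves the effective sharing capability
# for a site from the tenant and site settings ("most restrictive wins") and lists the
# link types that remain available in the Share dialog at that effective level.

# Ordered from most to least restrictive; the array index is the permissiveness rank.
$SharingLevels = @(
    'Disabled',                         # Only people in your organization
    'ExistingExternalUserSharingOnly',  # Existing guests
    'ExternalUserSharingOnly',          # New and existing guests
    'ExternalUserAndGuestSharing'       # Anyone
)

function Get-SharingRank {
    param([Parameter(Mandatory)][string]$Capability)
    $rank = [array]::IndexOf($SharingLevels, $Capability)
    if ($rank -lt 0) { throw "Unknown SharingCapability '$Capability'" }
    return $rank
}

function Resolve-EffectiveSharing {
    # The site may only equal or tighten the tenant setting; a more permissive
    # site value is refused by SharePoint, so we clamp it to the tenant value.
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][string]$SiteCapability
    )
    $t = Get-SharingRank $TenantCapability
    $s = Get-SharingRank $SiteCapability
    if ($s -gt $t) {
        Write-Warning "Site setting '$SiteCapability' is more permissive than tenant '$TenantCapability'; tenant wins."
        return $TenantCapability
    }
    return $SiteCapability
}

function Get-AvailableLinkTypes {
    # Maps an effective capability to the link types a user can create.
    param([Parameter(Mandatory)][string]$EffectiveCapability)
    $rank  = Get-SharingRank $EffectiveCapability
    $links = @('People in your organization')                         # always available
    if ($rank -ge 1) { $links += 'Specific people (existing guests)' }
    if ($rank -ge 2) { $links += 'Specific people (new guests may be invited)' }
    if ($rank -ge 3) { $links += 'Anyone (no sign-in)' }
    return $links
}

# Worked cases drawn from the chapter (constructed input)
$cases = @(
    @{ Tenant = 'ExternalUserAndGuestSharing'; Site = 'ExternalUserSharingOnly' },    # site tightens to guests only
    @{ Tenant = 'ExternalUserSharingOnly';     Site = 'ExternalUserAndGuestSharing' },# site tries to enable Anyone
    @{ Tenant = 'Disabled';                    Site = 'ExternalUserSharingOnly' }     # tenant is the gate
)
foreach ($c in $cases) {
    $eff = Resolve-EffectiveSharing -TenantCapability $c.Tenant -SiteCapability $c.Site
    "{0,-28} + {1,-32} => {2,-32} links: {3}" -f $c.Tenant, $c.Site, $eff, ((Get-AvailableLinkTypes $eff) -join ', ')
}
```

The second case is the exam trap in code form: the site asks for 'Anyone' while the tenant only allows 'New and existing guests', so the resolver warns and the effective level stays at the tenant value with no anonymous link available.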
Configuration and Verification
To configure tenant-level sharing via PowerShell (SharePoint Online Management Shell):
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing
Set-SPOTenant -DefaultSharingLinkType AnonymousAccess   # valid values: None, Direct, Internal, AnonymousAccess
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30     # expiration for Anyone links
Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "contoso.com"   # tenant-level domain allow list
To verify current settings:
Get-SPOTenant | Select SharingCapability, DefaultSharingLinkType, RequireAnonymousLinksExpireInDays, SharingDomainRestrictionMode, SharingAllowedDomainList
To configure site-level sharing:
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/project -SharingCapability ExternalUserSharingOnly
Interaction with Azure AD
External sharing relies on Azure AD B2B collaboration. When you invite a new guest, an Azure AD guest user object is created. The guest must accept the invitation and sign in with their work, school, or Microsoft account. Guest users have limited Azure AD capabilities (e.g., no access to Teams unless explicitly granted).
Interaction with Microsoft 365 Groups
SharePoint sites connected to Microsoft 365 Groups inherit sharing settings from the Group. Group settings for guest access are configured in Azure AD or Teams admin center. If a Group allows guests, the connected SharePoint site allows guests (subject to tenant and site settings).
Interaction with Sensitivity Labels
Sensitivity labels can enforce encryption or restrict sharing. For example, a label with 'Let users assign permissions' can override SharePoint sharing defaults. Labels can also block external sharing entirely.
Interaction with Conditional Access
Azure AD Conditional Access policies apply to guest users if configured. For example, you can require MFA for all guest access or block access from specific countries.
Audit Logs
All external sharing events are logged in the unified audit log. Key events: 'Shared an item externally', 'Invited external users', 'Accepted external invitation'. Admins can search these logs in the compliance center or via PowerShell.
Best Practices
Use 'New and existing guests' instead of 'Anyone' for better security.
Set expiration on Anyone links to the minimum needed.
Restrict sharing to specific domains when possible.
Monitor audit logs for unusual sharing patterns.
Use sensitivity labels to enforce policies.
Common Pitfalls
Setting site-level sharing more permissive than tenant: Not possible, the tenant setting overrides.
Expecting guest users to have full Azure AD functionality: Guests have limited capabilities.
Forgetting that Anyone links bypass authentication: Anyone with the link can access.
Trap Patterns on the Exam
The exam often asks: 'You need to allow external users to access a site without signing in. What setting?' Answer: 'Anyone' links. Wrong answer: 'New and existing guests' (requires sign-in).
Another trap: 'You want to restrict sharing to only specific domains. Where do you configure?' Answer: Tenant-level domain restrictions. Wrong answer: Site-level settings (domain restrictions are only at tenant level).
'A user reports they cannot share with an external partner. What is the first thing to check?' Answer: Tenant-level sharing setting. Wrong answer: Site-level setting (tenant is the top-level gate).
Configure Tenant-Level Sharing
Navigate to SharePoint admin center > Policies > Sharing. Select the desired sharing capability: 'Anyone' allows anonymous links; 'New and existing guests' requires authentication; 'Existing guests' restricts to existing guest accounts; 'Only people in your organization' disables external sharing. Also set the default link type, expiration for Anyone links (default 30 days), and guest access expiration (default 30 days). Domain restrictions can be added to allow or block specific domains. This setting applies to all SharePoint sites in the tenant. Any changes take effect immediately.
Configure Site-Level Sharing
For a specific site, go to Site Settings > Sharing. The options are similar to the tenant options but cannot be more permissive. For example, if the tenant allows 'Anyone', the site can choose 'Anyone' or 'New and existing guests', and may also choose 'Only people in your organization' because that is more restrictive and therefore allowed. If the tenant only allows 'New and existing guests', the site cannot enable 'Anyone'. The site owner can also set the default link type and expiration (if the tenant allows). Changes apply to that site only.
Share an Item Externally
User selects a file or folder and clicks Share. Enters external email address or generates a sharing link. The link type depends on tenant and site settings. If 'Anyone' is allowed, user can create an anonymous link. If not, the user must specify individuals. The external recipient receives an email with the link. For 'Anyone' links, no sign-in is required. For guest links, the recipient must sign in with a Microsoft account or Azure AD credentials. If the recipient is new, they must accept the invitation and create a guest account.
Guest Accepts Invitation
External user receives email invitation. They click 'Accept invitation' and are redirected to Azure AD consent page. They sign in with their work, school, or Microsoft account. A guest user object is created in Azure AD (if not already exists). The guest is added to the SharePoint site's permissions. They can now access the shared content. The guest's access is governed by Azure AD Conditional Access policies if configured. The invitation link expires after 7 days by default.
Monitor and Audit Sharing
Admins can view sharing activity in the unified audit log. Search for 'Shared an item externally' or 'Invited external users'. Use the compliance center or PowerShell: Search-UnifiedAuditLog -Operations SharingInvitationCreated. For real-time monitoring, use Azure Sentinel or Microsoft 365 Defender. Audit logs are retained for 90 days (default) and can be exported. Key information: who shared, what was shared, with whom, and the link type.
Enterprise Scenario 1: Partner Collaboration with Domain Restriction
A large enterprise works with a single partner company 'partner.com'. They want to allow external sharing only to that domain. The admin configures the tenant-level domain allow list: 'partner.com'. They set the sharing capability to 'New and existing guests' to require authentication. Site owners can share with any email address, but only recipients with an '@partner.com' address will receive the invitation; others are blocked. This prevents accidental sharing with unauthorized domains. The performance impact is minimal; the domain check happens at invitation time. Common issue: the partner uses multiple domains (e.g., 'partner.com' and 'partnerglobal.com'), so the admin must add all partner domains. If a domain is missed, sharing fails with a generic error, leading to help desk calls.
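The monitoring procedure above and the domain allow list in Scenario 1 can be combined into a review pass over audit records. This is an added example, not code from the original chapter or from Microsoft. The three records are constructed here to match the shape of Search-UnifiedAuditLog output (CreationDate, UserIds, Operations, AuditData as a JSON string); the operation names SharingInvitationCreated and AnonymousLinkCreated and the AuditData fields UserId, TargetUserOrGroupName, SiteUrl and SourceFileName are the real audit schema names, while the function names and the allow list are assumptions made for illustration. It runs offline; the commented Search-UnifiedAuditLog call shows where live data would come from.

```powershell
# Added example (not from the original page): flags external-sharing audit events that
# deserve a second look. Invitations to a domain outside the expected allow list indicate
# allow-list drift (or that the restriction is not in effect); every 'Anyone' link
# creation is surfaced because it bypasses authentication.
#
# Live data would come from (requires Exchange Online PowerShell, not run here):
#   $records = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -Operations SharingInvitationCreated,AnonymousLinkCreated -ResultSize 5000

$AllowedDomains = @('partner.com', 'partnerglobal.com')   # mirrors the Scenario 1 allow list

# CONSTRUCTED records in the shape of Search-UnifiedAuditLog output
$records = @(
    [pscustomobject]@{
        CreationDate = '2024-05-01T09:12:00'; UserIds = 'alice@contoso.com'
        Operations   = 'SharingInvitationCreated'
        AuditData    = '{"Operation":"SharingInvitationCreated","UserId":"alice@contoso.com","TargetUserOrGroupName":"bob@partner.com","TargetUserOrGroupType":"Guest","SiteUrl":"https://contoso.sharepoint.com/sites/project","SourceFileName":"roadmap.docx"}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-01T10:03:00'; UserIds = 'carol@contoso.com'
        Operations   = 'SharingInvitationCreated'
        AuditData    = '{"Operation":"SharingInvitationCreated","UserId":"carol@contoso.com","TargetUserOrGroupName":"eve@example.net","TargetUserOrGroupType":"Guest","SiteUrl":"https://contoso.sharepoint.com/sites/finance","SourceFileName":"budget.xlsx"}'
    },
    [pscustomobject]@{
        CreationDate = '2024-05-01T11:45:00'; UserIds = 'dave@contoso.com'
        Operations   = 'AnonymousLinkCreated'
        AuditData    = '{"Operation":"AnonymousLinkCreated","UserId":"dave@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/marketing","SourceFileName":"press-release.pdf"}'
    }
)

function Get-EmailDomain {
    # Returns the lower-cased domain part of an address, or $null if there is none.
    param([string]$Address)
    if ($Address -match '@([^@]+)$') { return $Matches[1].ToLower() }
    return $null
}

function Get-SharingFindings {
    param(
        [Parameter(Mandatory)][object[]]$Records,
        [Parameter(Mandatory)][string[]]$AllowList
    )
    foreach ($r in $Records) {
        $data    = $r.AuditData | ConvertFrom-Json   # AuditData is a JSON string in every record
        $finding = $null
        switch ($r.Operations) {
            'SharingInvitationCreated' {
                $domain = Get-EmailDomain $data.TargetUserOrGroupName
                if ($domain -and ($AllowList -notcontains $domain)) {
                    $finding = "Invitation to domain '$domain' outside the allow list"
                }
            }
            'AnonymousLinkCreated' {
                $finding = 'Anyone link created (no sign-in required)'
            }
        }
        if ($finding) {
            [pscustomobject]@{
                When    = $r.CreationDate
                Actor   = $data.UserId
                Site    = $data.SiteUrl
                Item    = $data.SourceFileName
                Target  = $data.TargetUserOrGroupName
                Finding = $finding
            }
        }
    }
}

Get-SharingFindings -Records $records -AllowList $AllowedDomains | Format-Table -AutoSize
```

Run against the constructed records, the invitation to bob@partner.com produces no finding, the invitation to eve@example.net is reported as outside the allow list, and the press-release link is reported as an Anyone link. The same function works unchanged on live Search-UnifiedAuditLog output because it reads only the properties every record carries.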
Enterprise Scenario 2: Anonymous Links for Public Documents
A marketing department needs to share press releases with journalists without requiring sign-in. The admin enables 'Anyone' links at tenant level but sets expiration to 7 days and requires a password for all anonymous links. The marketing team creates a library with default link type 'Anyone' and expiration 7 days. Journalists receive a link and a password via separate email. This works well but poses a risk: if the password is weak or shared, anyone can access the document. The admin mitigates by using sensitivity labels to apply encryption and watermarking. Misconfiguration: if the admin forgets to set expiration, links never expire, leading to potential data exposure. The admin must regularly audit anonymous links using the 'Access review' feature.
Enterprise Scenario 3: Guest Access for Extranet
A company builds an extranet for customers to access project documents. They enable 'New and existing guests' at tenant level. They create a site collection with sharing set to 'New and existing guests' and default link type 'Specific people'. Customers are invited as guests and must sign in with their corporate credentials. To enhance security, the admin configures Azure AD Conditional Access to require MFA for all guest users. Performance is good, but guest account lifecycle management is challenging: when a customer contract ends, the admin must manually remove the guest account. They use Azure AD Entitlement Management to automate guest access expiration. Common failure: if the Conditional Access policy blocks guests from specific IP ranges, customers traveling may be locked out, requiring a help desk override.
What MS-102 Tests (Objective 1.5)
The exam focuses on:
Configuring tenant-level external sharing settings (SharingCapability, DefaultSharingLinkType, AnonymousLinkExpirationInDays).
Understanding the hierarchy: tenant > site > item.
Domain restrictions: allow/block list at tenant level only.
Guest access expiration: default 30 days, configurable.
Interaction with Azure AD B2B and Conditional Access.
Audit logging for external sharing events.
Common Wrong Answers and Why Candidates Choose Them
'You can set domain restrictions at the site level.' Wrong. Domain restrictions are only at tenant level. Candidates confuse site-specific sharing settings with domain allow/block lists.
'Anyone links require the recipient to sign in.' Wrong. Anyone links are anonymous. Candidates think all external sharing requires authentication.
'Guest access expiration applies to all external users.' Wrong. Guest access expiration applies to inactive guest accounts, not to active sessions. Candidates assume it is a session timeout.
'You can allow external sharing for a site even if tenant disables it.' Wrong. Tenant settings are the top-level gate. Site cannot be more permissive than tenant.
Specific Numbers and Values
Default AnonymousLinkExpirationInDays: 30.
Default guest access expiration: 30 days of inactivity.
Maximum AnonymousLinkExpirationInDays: 365.
Default invitation link expiration: 7 days.
SharingCapability values: ExternalUserAndGuestSharing (Anyone), ExternalUserSharingOnly (New and existing guests), ExistingExternalUserSharingOnly (Existing guests), Disabled (Only people in your organization).
Edge Cases and Exceptions
If you change tenant sharing from 'Anyone' to 'New and existing guests', existing anonymous links continue to work until they expire or are revoked. The exam may ask: 'You change the setting, but users can still access via old links. Why?' Answer: Existing links are not invalidated.
If you block a domain after invitations have been sent, existing guests from that domain can still access until their guest account is removed. The exam tests that domain restrictions apply only to new invitations, not existing guests.
For Microsoft 365 Groups, external sharing settings in Azure AD (Guest invite settings) override SharePoint settings. The exam often combines these.
How to Eliminate Wrong Answers
If a question mentions 'anonymous access', look for 'Anyone' links.
If a question mentions 'no sign-in required', the answer must be 'Anyone'.
If a question mentions 'domain restrictions', the configuration is at tenant level.
If a question asks 'where to configure guest access expiration', it is at tenant level under Sharing.
Always check the hierarchy: tenant > site > item. The most restrictive setting wins.
External sharing is configured at three levels: tenant, site, item. Tenant is the top-level gate.
Default AnonymousLinkExpirationInDays is 30; maximum is 365.
Default guest access expiration is 30 days of inactivity.
Domain restrictions are configured only at tenant level, not site level.
Anyone links are anonymous; New and existing guests require authentication.
Existing anonymous links continue to work even if the tenant setting is changed to a more restrictive option.
Audit logs track all external sharing events; use Search-UnifiedAuditLog to query.
Guest access expiration does not delete the guest account; it only revokes SharePoint access.
For Microsoft 365 Groups, guest settings in Azure AD override SharePoint settings.
Sensitivity labels can override SharePoint sharing permissions.
These come up on the exam all the time. Here's how to tell them apart.
Anyone Links
Anonymous, no sign-in required
Default expiration 30 days
Can be password-protected
Cannot track individual access
Risk of unintended sharing
New and Existing Guests
Requires authentication (Microsoft account or Azure AD)
Guest account created in Azure AD
Can be audited per user
Supports Conditional Access policies
More secure but higher friction
Mistake
External sharing settings at the site level override tenant settings.
Correct
Site settings cannot be more permissive than tenant settings. The tenant setting is the top-level gate. Site can only be equal or more restrictive.
Mistake
Anyone links require the external user to sign in with a Microsoft account.
Correct
Anyone links are anonymous and do not require any authentication. Anyone with the link can access the content.
Mistake
Guest access expiration removes guest accounts after a period of inactivity.
Correct
Guest access expiration only revokes the guest's access to SharePoint content after the specified inactivity period. The guest user object in Azure AD remains until explicitly deleted.
Mistake
Domain restrictions apply to existing guests as well.
Correct
Domain restrictions apply only to new invitations. Existing guests from blocked domains retain their access until their guest account is removed.
Mistake
You can set different external sharing settings for each document library.
Correct
External sharing settings are at the site level, not library level. Individual items can have different link types, but the site's sharing capability governs what is allowed.
Anyone links allow anonymous access without authentication. Anyone with the link can access the content. New and existing guests require the external user to sign in with a Microsoft account or Azure AD credentials. A guest account is created in Azure AD for new users. Anyone links are less secure but more convenient; guest links provide auditability and support Conditional Access.
In the SharePoint admin center, go to Policies > Sharing. Under 'Advanced settings for external sharing', you can add domains to an allow list or block list. This setting is tenant-wide and applies to all sites. You cannot set domain restrictions at the site level.
Existing anonymous links continue to work until they expire or are manually revoked. The change only affects new sharing actions. If you want to invalidate existing links, you must revoke them individually or use a script.
Guest access expiration is a tenant-level setting that automatically revokes access for guest users who have not accessed the SharePoint content for a specified number of days (default 30). The guest user object in Azure AD is not deleted. After revocation, the guest must be re-invited to regain access.
No. The tenant setting is the most restrictive. If the tenant disables external sharing, no site can enable it. Site settings can only be equal to or more restrictive than the tenant setting.
Use the unified audit log in the Microsoft 365 compliance center. Search for activities like 'Shared an item externally', 'Invited external users', and 'Accepted external invitation'. You can also use PowerShell: Search-UnifiedAuditLog -Operations SharingInvitationCreated. Logs are retained for 90 days by default.
The default expiration for invitation links sent to new guest users is 7 days. This is not configurable in the UI but can be changed via PowerShell using Set-SPOTenant -InvitationLinkExpirationInDays.