MS-900 | Chapter 85 of 104 | Objective 3.4

External Sharing in SharePoint and OneDrive

This chapter covers external sharing in SharePoint and OneDrive, a critical topic for the MS-900 exam under objective 3.4 (Describe security capabilities of Microsoft 365). External sharing controls how users share content with people outside the organization, including anonymous links, authenticated guests, and integration with Azure AD B2B. Expect 5-7% of exam questions to touch this area, often testing default settings, sharing link types, and the relationship between SharePoint sharing settings and Azure AD external identities.

Updated May 31, 2026

The Company Visitor Badge System

Imagine a company with a secure office building that has a reception desk. Employees have permanent badges that let them enter any common area and their own office. When a visitor arrives, the receptionist issues a temporary badge that is valid only for a specific day and only for the floor and conference room the visitor needs. The visitor cannot access other floors or the server room. The host employee must approve the visitor's entry and can revoke the badge at any time. The receptionist logs every entry and exit. If the visitor tries to swipe into a restricted area, the door remains locked and an alert is sent to security. This mirrors SharePoint/OneDrive external sharing: the tenant is the building, the receptionist is the sharing settings, the temporary badge is the sharing link with expiration and permissions, the host is the content owner who sets sharing scope, and the log is the audit log. Just as the visitor badge cannot be used to enter after hours or access other floors, an external sharing link can be limited to specific files and can expire.

How It Actually Works

What is External Sharing and Why Does It Exist?

External sharing in SharePoint and OneDrive allows users to share content—documents, folders, sites—with people who are not part of your Microsoft 365 tenant. This is essential for collaboration with clients, partners, vendors, and freelancers. The feature is built on top of Azure Active Directory (Azure AD) Business-to-Business (B2B) collaboration, which provides the underlying identity and authentication layer. External sharing can be configured at three levels: tenant-wide (via SharePoint admin center or PowerShell), site collection (site-level), and individual item (via share dialog). The MS-900 exam focuses on tenant-level settings and the types of sharing links.

How External Sharing Works Internally

When a user shares a file with an external email address, SharePoint Online generates a sharing link. The link type depends on the sharing settings and the user's choice:

- Anyone link (anonymous): No authentication required. Anyone with the link can access the content. The link is tied to a specific resource (file or folder) and can have an expiration date and password. Internally, SharePoint creates a unique GUID-based token embedded in the URL. The token is stored in a secure database and is validated on each access request. No Azure AD guest account is created.
- Specific people link (authenticated): The recipient must authenticate with a Microsoft account (MSA) or an Azure AD account. SharePoint sends an invitation email with a link. When the recipient clicks it, they are redirected to the Azure AD B2B invitation redemption flow. If the recipient does not already exist as a guest user in the tenant, Azure AD creates a guest user object (with UserType = Guest) and assigns them a guest identity. The guest user is then added to the site's visitors group (or the appropriate permission group).
- Existing guests link: Used to share with people who are already guest users in the tenant.

Key Components and Defaults

External sharing toggle: At the tenant level, you can set the default sharing link type: Anyone, New and existing guests, Existing guests, or Only people in your organization. The default for SharePoint is "Anyone" (if enabled) or "New and existing guests" (if Anyone is disabled). OneDrive defaults to "Anyone" unless restricted.

Expiration and password: For Anyone links, you can require an expiration date (default: 30 days) and a password. The password is set by the sharer and must be transmitted out-of-band.

Domain restrictions: You can allow or block sharing with specific domains (allow list or block list). This is configured in the SharePoint admin center under Policies > Sharing.

Guest access limits: You can limit guest access to specific sites or to the entire tenant. You can also set a maximum number of guests.

Audit logging: Every external sharing event is logged in the Microsoft 365 audit log (Unified Audit Log). You can view who shared what, with whom, and when.

Configuration and Verification Commands

To check current tenant-level external sharing settings via PowerShell:

Connect-SPOService -Url https://<tenant>-admin.sharepoint.com
Get-SPOTenant | Select-Object -Property *Sharing*

Key properties: SharingCapability (values: Disabled, ExternalUserSharingOnly, ExternalUserAndGuestSharing, ExistingExternalUserSharingOnly), DefaultSharingLinkType (values: None, Direct, Internal, AnonymousAccess), RequireAnonymousLinksExpirationInDays, RequireAcceptingAccountMatchInvitedAccount.
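The properties above can be checked against a restrictive baseline in one pass. The following is an added example, not code from the original page: the function name Test-SharingPosture, the baseline it applies, and the sample object are assumptions, while the property and parameter names are those of Get-SPOTenant and Set-SPOTenant.

```powershell
# Added example (not from the original page). Test-SharingPosture and the
# baseline it applies are assumptions chosen for illustration.
function Test-SharingPosture {
    [CmdletBinding()]
    param(
        # Object exposing the *Sharing* properties returned by Get-SPOTenant
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Tenant,
        # Longest Anyone-link lifetime the organization accepts (assumed policy)
        [int]$MaxAnonymousLinkDays = 30
    )
    process {
        # Cast to string so live enum values and sample strings compare alike
        $capability = "$($Tenant.SharingCapability)"
        if ($capability -eq 'Disabled') { return }   # nothing external to review

        # Emits one finding object to the pipeline
        $finding = {
            param($Setting, $Issue, $Fix)
            [pscustomobject]@{
                Setting = $Setting
                Value   = "$($Tenant.$Setting)"
                Issue   = $Issue
                Fix     = $Fix
            }
        }

        if ($capability -eq 'ExternalUserAndGuestSharing') {
            & $finding 'SharingCapability' 'Anyone (anonymous) links are allowed' `
                'Set-SPOTenant -SharingCapability ExternalUserSharingOnly'

            # 0 (or less) means no expiration requirement is enforced
            $days = [int]$Tenant.RequireAnonymousLinksExpirationInDays
            if ($days -le 0 -or $days -gt $MaxAnonymousLinkDays) {
                & $finding 'RequireAnonymousLinksExpirationInDays' `
                    "Anyone links have no enforced expiration or exceed $MaxAnonymousLinkDays days" `
                    "Set-SPOTenant -RequireAnonymousLinksExpirationInDays $MaxAnonymousLinkDays"
            }
        }
        if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
            & $finding 'DefaultSharingLinkType' 'Share dialog preselects an Anyone link' `
                'Set-SPOTenant -DefaultSharingLinkType Direct'
        }
        if ("$($Tenant.SharingDomainRestrictionMode)" -eq 'None') {
            & $finding 'SharingDomainRestrictionMode' `
                'No allow list or block list limits guest domains' `
                'Set-SPOTenant -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "vendor.com"'
        }
        if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) {
            & $finding 'RequireAcceptingAccountMatchInvitedAccount' `
                'An invitation can be redeemed by an account other than the invited address' `
                'Set-SPOTenant -RequireAcceptingAccountMatchInvitedAccount $true'
        }
    }
}

# Constructed sample standing in for Get-SPOTenant output, so the check runs offline
$sampleTenant = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType                     = 'AnonymousAccess'
    RequireAnonymousLinksExpirationInDays      = 0
    SharingDomainRestrictionMode               = 'None'
    RequireAcceptingAccountMatchInvitedAccount = $false
}
$sampleTenant | Test-SharingPosture | Format-List

# Against a live tenant, after Connect-SPOService:
#   Get-SPOTenant | Test-SharingPosture | Format-List
```

The Fix column is a suggestion under the assumed baseline; a tenant that depends on Anyone links would keep them and tighten only the expiration and default link type.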

To verify Azure AD B2B guest users:

Connect-AzureAD
Get-AzureADUser -Filter "UserType eq 'Guest'" | Select-Object DisplayName, UserPrincipalName

Interaction with Related Technologies

Azure AD B2B: The foundation for authenticated external sharing. Guest users are managed in Azure AD. If Azure AD B2B is disabled at the tenant level, external sharing with authenticated guests will fail.

Microsoft 365 Groups: Sharing a Microsoft 365 group site externally adds external members as guests in Azure AD and in the group.

Conditional Access: You can apply Conditional Access policies to guest users, such as requiring MFA or blocking access from untrusted locations.

Information Protection: Sensitivity labels can restrict external sharing by applying encryption or marking content as "Confidential".

Trap Patterns and Wrong Answers

Mistaking "Anyone" links for "Specific people" links: Candidates often think that Anyone links require authentication — they do not. Anyone links are anonymous.

Assuming external sharing is disabled by default: In most tenants, external sharing is enabled by default with the Anyone setting (if allowed by policy). However, it can be disabled.

Confusing SharePoint external sharing settings with Azure AD external collaboration settings: Azure AD has its own external collaboration settings (Guest invite settings) that can override SharePoint settings. If Azure AD blocks guest invites, SharePoint external sharing with guests will fail.

Thinking that external sharing creates a full user account: Guest users are limited and do not have a full user license by default. They can only access resources they are invited to.

Edge Cases and Exam Favorites

Domain restrictions: The exam likes to test that you can block specific domains (e.g., competitors) or allow only trusted domains.

Expiration dates: The default expiration for Anyone links is 30 days, but this can be customized from 1 to 365 days.

Password protection: For Anyone links, a password can be required. The password is set by the sharer and must be shared separately.

Guest access limits: You can limit guest access to a specific site only, not the entire tenant.

B2B integration: If Azure AD B2B is disabled, external sharing with authenticated guests does not work, but Anyone links (if enabled) still work because they don't require Azure AD authentication.

Exam Focus Section

MS-900 tests external sharing primarily under objective 3.4: "Describe security capabilities of Microsoft 365". Specifically, you should know:

The three types of sharing links: Anyone, People in your organization, Specific people (guests).

The default sharing link type for SharePoint and OneDrive.

How to restrict external sharing by domain.

The role of Azure AD B2B in external sharing.

The difference between anonymous (Anyone) and authenticated (guest) sharing.

Common security controls: expiration, password, and access requests.

Common wrong answers:

1. "External sharing is disabled by default" — Actually, it is enabled by default for most tenants, but can be disabled.
2. "Anyone links require the recipient to sign in" — They do not; they are anonymous.
3. "Guest users get a full user license" — They do not; they are free (up to a limit) and have limited access.
4. "You can only share with people who have a Microsoft account" — You can share with any email address; if they don't have an MSA, they can create one or use their Azure AD account.

Numbers and terms to memorize:

Default expiration for Anyone links: 30 days (configurable 1-365).

Maximum number of guests per tenant: 500,000 (Azure AD B2B limit).

Sharing link types: Anyone, People in your organization, Specific people (guests).

Tenant-level setting: SharingCapability with values Disabled, ExternalUserSharingOnly, ExternalUserAndGuestSharing, ExistingExternalUserSharingOnly.

How to eliminate wrong answers: If the question mentions "no authentication required", the answer is "Anyone". If it mentions "must sign in with work or school account", it's "Specific people". If it mentions "domain restrictions", look for allow/block list settings. If it mentions "guest user created in Azure AD", it's authenticated sharing.

Misconceptions

Myth: External sharing in SharePoint and OneDrive is the same as sharing in Microsoft Teams. Reality: While both use Azure AD B2B for guests, Teams sharing is tied to Microsoft 365 Groups and has additional settings. SharePoint and OneDrive sharing is more granular at the file/folder level.

Myth: Anyone links are secure because they require the recipient to authenticate. Reality: Anyone links are anonymous and do not require any authentication. They are the least secure option and should be used with caution.

Myth: Disabling external sharing at the SharePoint tenant level completely prevents external access. Reality: Disabling external sharing in SharePoint does not affect external sharing in other services like Teams or Power BI. Each service has its own external sharing settings.

Myth: Guest users in Azure AD are automatically deleted when you remove external sharing permissions. Reality: Guest user accounts remain in Azure AD until explicitly removed by an admin. Removing sharing permissions only revokes access to the specific site or file.

Myth: You can only share with people who have an email address in an allowed domain. Reality: Domain restrictions apply only to sharing with guests (authenticated). Anyone links can be used with any email address, regardless of domain restrictions.

Comparisons

Anyone Link (Anonymous)

- No authentication required
- Link can be forwarded to anyone
- Can set expiration and password
- No guest account created in Azure AD
- Less secure, but convenient for quick sharing

Specific People Link (Authenticated Guest)

- Recipient must authenticate with MSA or Azure AD
- Link cannot be easily forwarded (guest must be added)
- Can set expiration, but not password (authenticated)
- Guest account created in Azure AD (B2B)
- More secure, auditable, and manageable

Key Takeaways

External sharing in SharePoint and OneDrive can be configured at tenant, site, and item level.

There are three sharing link types: Anyone (anonymous), People in your organization, and Specific people (guests).

Anyone links do not require authentication; they are the least secure.

Specific people links require the recipient to authenticate as a guest via Azure AD B2B.

Default expiration for Anyone links is 30 days, configurable from 1 to 365 days.

Domain restrictions allow or block sharing with specific email domains for guest access.

Guest users are limited in capabilities and do not consume a full license.

External sharing events are logged in the Microsoft 365 audit log.

Disabling external sharing in SharePoint does not disable it in other services like Teams.

Azure AD B2B settings can override SharePoint external sharing settings.

FAQ

Question: What is the difference between an Anyone link and a Specific people link in SharePoint? Answer: An Anyone link allows anyone with the link to access the content without signing in. It is anonymous and can be forwarded. A Specific people link requires the recipient to sign in with a Microsoft account or work/school account (Azure AD). The recipient is added as a guest in Azure AD and must be explicitly invited. Anyone links are less secure but easier; Specific people links provide better control and auditing.

Question: Can I restrict external sharing to only certain domains? Answer: Yes. In the SharePoint admin center, under Policies > Sharing, you can configure domain restrictions. You can either allow sharing only with specified domains (allow list) or block sharing with specified domains (block list). This applies to guest access (authenticated sharing) but not to Anyone links.

Question: Do guest users count against my Microsoft 365 license count? Answer: No. Guest users in Azure AD do not require a paid license for basic access to SharePoint, OneDrive, Teams, etc. However, if you want guest users to have advanced features (e.g., Azure AD Premium P1/P2 features), you may need to assign licenses. Up to 500,000 guest users are allowed per tenant without additional cost.

Question: How do I set an expiration date on an external sharing link? Answer: For Anyone links, you can set an expiration date when creating the link. The default maximum expiration is 30 days, but an admin can change this up to 365 days in the SharePoint admin center under Sharing settings. For Specific people links, you can also set an expiration date for the guest user's access via the site permissions page or Azure AD.

Question: What happens if I disable external sharing at the tenant level? Answer: When external sharing is disabled at the SharePoint tenant level, users cannot share content with external users. Existing external links will stop working. However, this setting only affects SharePoint and OneDrive; other services like Teams and Power BI may still allow external sharing unless separately configured.

Question: Can external users edit files shared with them? Answer: Yes, if the sharing link grants edit permissions. When creating a sharing link, the sharer can choose between view and edit permissions. For Anyone links, edit permission is allowed but can be restricted. For Specific people links, edit permission is controlled by the site or item permissions.

Question: How do I audit external sharing activity? Answer: Use the Microsoft 365 compliance center or the unified audit log. Search for activities like "Shared file, folder, or site" with a target of "ExternalUser". You can also use the SharePoint admin center's "Sharing report" to see a summary of shared items.

Quiz

Question: An organization wants to share a sensitive document with a client, but requires the client to authenticate and does not want the link to be forwarded. Which sharing link type should be used? Answer: Specific people (authenticated guest). This requires the client to sign in and the link cannot be used by others unless they are also added as guests. Anyone links would allow anonymous access and forwarding.

Question: A company has disabled external sharing in SharePoint, but users can still share files with external users via Teams. Why? Answer: External sharing settings in SharePoint do not affect Teams. Teams has its own external sharing settings that must be configured separately. To block all external sharing, you must disable it in each service individually.

Question: What is the default expiration for an Anyone link in SharePoint Online? Answer: 30 days. This can be changed by an admin to any value between 1 and 365 days.

Question: Which of the following is true about guest users in Azure AD B2B? Answer: Guest users do not require a paid license for basic access. They are free up to 500,000 per tenant. They can be assigned to groups and applications, but have limited directory permissions.

Question: An admin wants to prevent users from sharing with a competitor's domain. What should they configure? Answer: Domain restrictions in the SharePoint admin center under Policies > Sharing. They can add the competitor's domain to the block list to prevent sharing with any email address from that domain.

Walk-Through

1. Configure tenant-level sharing settings

Navigate to SharePoint admin center > Policies > Sharing. Set the external sharing level: Anyone, New and existing guests, Existing guests, or Only people in your organization. Also configure default link type, expiration for Anyone links (default 30 days), and domain restrictions. These settings apply to all SharePoint sites and OneDrive unless overridden at site level.

2. User creates a sharing link

A user selects a file or folder and clicks Share. They choose link type: Anyone (anonymous), People in your organization, or Specific people (guests). For Anyone links, they can set expiration and password. For Specific people, they enter email addresses. SharePoint generates a unique token and sends an invitation email.

3. Recipient receives and uses the link

If it's an Anyone link, the recipient clicks the link and accesses the content directly without authentication. If it's a Specific people link, the recipient clicks the link and is redirected to the Azure AD B2B redemption flow. They must sign in with a Microsoft account or work/school account. Azure AD creates a guest user object if one does not already exist.

4. Guest access is logged

SharePoint logs the sharing event in the unified audit log. Admins can view who shared, with whom, when, and what resource. For guest users, their sign-in and access events are also logged. Audit logs are retained based on the organization's audit retention policy (default 90 days for E3, 1 year for E5).

5. Admin monitors and manages external sharing

Admins can review sharing reports in SharePoint admin center, manage guest users in Azure AD (enable/disable, remove), and apply Conditional Access policies to guests. They can also revoke sharing links via the Share dialog or using PowerShell (Remove-SPOSiteFileLink).
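For the logging and monitoring steps, the sketch below reduces unified audit log records to the external sharing events an admin would review. It is an added example, not code from the original page: Get-ExternalSharingEvent is a hypothetical helper, the sample records and their contoso.example addresses are constructed, and the field names follow the SharePoint sharing audit schema.

```powershell
# Added example (not from the original page). Get-ExternalSharingEvent is a
# hypothetical helper; the sample records below are constructed.
function Get-ExternalSharingEvent {
    [CmdletBinding()]
    param(
        # Records shaped like Search-UnifiedAuditLog output (AuditData is a JSON string)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Record
    )
    begin {
        $anonymousOps = 'AnonymousLinkCreated', 'AnonymousLinkUpdated'
        $targetedOps  = 'SharingInvitationCreated', 'AddedToSecureLink', 'SharingSet'
    }
    process {
        try   { $data = $Record.AuditData | ConvertFrom-Json -ErrorAction Stop }
        catch { Write-Warning 'Skipping record with unparsable AuditData'; return }

        $kind = $null
        if ($data.Operation -in $anonymousOps) {
            $kind = 'Anyone link'
        }
        elseif ($data.Operation -in $targetedOps -and
                ($data.TargetUserOrGroupType -eq 'Guest' -or
                 $data.TargetUserOrGroupName -like '*#EXT#*')) {
            $kind = 'Guest'
        }
        if (-not $kind) { return }   # internal sharing or unrelated operation

        [pscustomobject]@{
            Time      = [datetime]$data.CreationTime
            Actor     = $data.UserId
            Operation = $data.Operation
            Kind      = $kind
            Target    = if ($kind -eq 'Guest') { $data.TargetUserOrGroupName } else { '(anyone with the link)' }
            Resource  = $data.ObjectId
        }
    }
}

# Constructed sample records: one Anyone link, one guest invitation, one internal share
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-04T09:14:02","Operation":"AnonymousLinkCreated","UserId":"alex@contoso.example","ObjectId":"https://contoso.example/sites/mkt/draft.pptx"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-04T10:02:40","Operation":"SharingInvitationCreated","UserId":"alex@contoso.example","ObjectId":"https://contoso.example/sites/eng/spec.docx","TargetUserOrGroupType":"Guest","TargetUserOrGroupName":"pat@vendor.com"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2026-05-04T11:30:00","Operation":"SharingSet","UserId":"sam@contoso.example","ObjectId":"https://contoso.example/sites/hr/policy.docx","TargetUserOrGroupType":"Member","TargetUserOrGroupName":"lee@contoso.example"}' }
)

$events = $sampleRecords | Get-ExternalSharingEvent
$events | Sort-Object Time | Format-Table -AutoSize

# Who shares externally most often, and how
$events | Group-Object Actor, Kind | Select-Object Count, Name

# Against a live tenant, after Connect-ExchangeOnline:
#   Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
#       -RecordType SharePointSharingOperation -ResultSize 5000 | Get-ExternalSharingEvent
```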

What This Looks Like on the Job

Scenario 1: Client Collaboration with Expiration

A marketing agency regularly shares draft campaign materials with clients. They use Anyone links with a 7-day expiration and password protection. The agency configures the tenant default to require an expiration date for Anyone links (set to 7 days) and mandates passwords. The link is shared via email, and the password is sent separately via SMS. This ensures that even if the email is intercepted, the file cannot be accessed without the password. After 7 days, the link expires automatically, preventing access to outdated versions. The agency uses audit logs to track which client viewed which file.

Scenario 2: Vendor Access with Domain Restriction

A manufacturing company needs to share technical specifications with a trusted vendor. They configure domain restrictions to allow only the vendor's domain (e.g., vendor.com) for guest sharing. They use Specific people links, which require the vendor's employees to authenticate as guests. The company also sets a 90-day expiration for guest access. This prevents sharing with unauthorized domains and ensures that vendor access is time-limited. The company uses Azure AD B2B to manage the guest accounts and applies a Conditional Access policy requiring MFA for all guest users.

Scenario 3: Large-Scale Partner Onboarding

A consulting firm onboards hundreds of external partners annually. They create a partner portal site in SharePoint with external sharing enabled for authenticated guests. They use Azure AD B2B to bulk invite partners via CSV. Each partner is added to a security group that grants access to the portal. The firm sets the guest access limit to 30 days with automatic expiration. They regularly review guest accounts and remove stale ones.

Performance considerations: with thousands of guests, the site may experience slower load times if not optimized. They use SharePoint site collections and manage permissions carefully.

Misconfiguration: if domain restrictions are too permissive, competitors may gain access; if too restrictive, legitimate partners cannot access.
