# External sharing

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/external-sharing

## Quick definition

External sharing lets people outside your company, like partners or clients, access files or folders that are normally private. It is set up by an IT administrator and often requires a guest account. Think of it as giving a temporary key to a visitor so they can enter a specific room in your office, but not the whole building. This feature is common in Microsoft 365, Google Workspace, and other cloud platforms.

## Simple meaning

Imagine you work in an office building with a security desk. Every employee has a badge that opens the main door and their specific floor. But sometimes, a delivery person or a consultant needs to enter a particular room, say the conference room on the second floor, without having access to the entire building or the employee break room. You could give that person a temporary visitor badge that only unlocks the conference room door for a set amount of time. That is exactly what external sharing does in the digital world.

In IT, an organization has internal files, folders, SharePoint sites, or Microsoft Teams channels that are meant for employees only. But occasionally, a freelancer, a vendor, or a client needs to see a specific document or collaborate on a project without being given full employee credentials. External sharing allows the system administrator to invite that person by their email address. The guest user receives an invitation, clicks a link, and is granted access only to the shared resource. They usually do not get access to anything else in the organization.

This is very different from sending a file as an email attachment. When you attach a file to an email, you lose control over it. The recipient can forward it, edit it, or share it with others without your knowledge. With external sharing, the resource stays inside the organization's secure environment. The administrator can set permissions like view-only or edit, and they can revoke access at any time. The guest does not have a full user account, only a restricted identity that is separate from normal employee accounts.

External sharing is built on trust but also on strict limits. The guest must authenticate themselves, usually by entering a one-time code sent to their email, to verify they are who they claim to be. This ensures that even if the invitation link is intercepted, the wrong person cannot use it. The entire process is designed to make collaboration safe while keeping the rest of the corporate data protected.

## Technical definition

External sharing is a feature in identity and access management (IAM) systems, particularly in Microsoft Entra ID (formerly Azure Active Directory), that allows organizations to securely share resources with users outside their tenant. When an administrator or authorized user initiates sharing, the system creates a guest user object in the directory. This guest user is given a unique identity that is separate from internal users, but which can still be managed with policies such as conditional access, multi-factor authentication, and expiration dates.

From a protocol perspective, external sharing relies on federation and identity providers. The host organization’s Microsoft Entra ID uses OAuth 2.0 and OpenID Connect to authenticate the guest. The guest is asked to verify their identity using their own email provider or a one-time passcode (OTP) sent to their email address. This OTP-based authentication is used when the guest’s email domain is not federated with the host’s tenant. The guest then receives an access token that is scoped to the specific resource, such as a SharePoint site, a OneDrive folder, or a Teams channel.

There are three main settings for external sharing in SharePoint and OneDrive: anyone links (anonymous sharing that does not require authentication), new and existing guests (guests must sign in or provide a verification code), and only people in your organization. For compliance and security, administrators can configure sharing policies at the tenant level and then override them at the site or folder level. For example, a tenant-level policy might block external sharing entirely, while a specific project site might be allowed to share with external users who have a verified work email.

In Microsoft 365, external sharing also involves concepts like B2B collaboration and B2B direct connect. B2B collaboration allows guests to sign in using their own identity provider (Google, Facebook, or any SAML/WS-Fed IdP). B2B direct connect uses Azure AD B2B to create a mutual connection between two organizations, enabling shared resources like Teams Channels without creating a guest user object. Auditing is essential: every sharing event is logged in the Microsoft 365 audit log, and administrators can generate reports to see who shared what, with whom, and when.

External sharing also supports version history and co-authoring. When a guest edits a document, the changes are saved in the same version history as internal changes. The guest's identity is captured, so audits show exactly who made each change. However, external sharing does not extend to all services. For instance, SharePoint external sharing does not automatically give access to related Power Automate flows or Power Apps unless explicitly configured. The guest user must also accept the sharing invitation within a time window, typically 30 days, otherwise the link expires.

## Real-life example

Think of your home and a house-sitter. You have a front door with a smart lock that works with your fingerprint. You do not want to give the house-sitter your own fingerprints, because then they could come in anytime even after their job is done. Instead, you create a one-time code for the smart lock that works only for the next week and only for the back door, not the front door. The house-sitter gets a text with that code. They enter the code, the door opens, and they can access only the living room and the kitchen to feed your cat. They cannot open the bedroom or the garage. At the end of the week, the code stops working.

This is exactly how external sharing works for files. You have a digital front door to your company's network. You do not want to give a contractor a full employee login, because then they could browse all files. Instead, you generate a specific sharing link for a single folder containing a project plan. That link requires a one-time passcode that is sent to the contractor's email. The contractor enters the code, and the folder opens. They can see that one folder, but they cannot see any other folders in your SharePoint site. They can upload a new file or edit an existing one if you gave them permission. When the project ends, you delete the link or remove the guest account, and access is cut off completely.

The whole process is controlled from a central dashboard like the Microsoft 365 admin center or SharePoint admin center. The administrator can see exactly what links are active, who created them, and who has accessed them. They can also set an expiration date on the link, so even if they forget to revoke it, the link will stop working automatically after a set number of days. This is similar to setting a timer on your smart lock code so that it self-destructs after a week. It is a way to be generous with temporary access while staying in full control.

## Why it matters

External sharing matters because modern business rarely happens within a single company's walls. Organizations collaborate with partners, vendors, freelancers, consultants, and clients on a daily basis. Without a secure external sharing mechanism, workers would resort to insecure workarounds like emailing sensitive files, using personal cloud storage like Dropbox, or even physical USB drives. These methods bypass IT governance completely, leading to data leaks, version control nightmares, and compliance violations.

From an IT perspective, external sharing is essential for maintaining data sovereignty and compliance with regulations like GDPR, HIPAA, and SOC 2. When sharing externally, administrators can apply Data Loss Prevention (DLP) policies that prevent sensitive information like credit card numbers or health records from being shared outside the organization. For example, a DLP rule can block external sharing of any file containing a Social Security number. This way, even if a user tries to share a file that is not supposed to be shared, the system will automatically block it and notify the user and the compliance team.

External sharing also improves productivity. A project manager can share a project timeline with a client in seconds, and the client can leave comments and make edits without needing to learn a new system or get a full VPN connection. The sharing link can be set to 'view only' so the client cannot accidentally delete something. This reduces the back-and-forth of emailing multiple versions of the same document. Everyone works on the same live document, which saves time and reduces errors.

Security is another reason external sharing matters. Every external access event is auditable. If a data breach occurs, a forensic investigator can look at the audit logs to see exactly which external user accessed which file and when. This is impossible with emailed attachments. Administrators can require multi-factor authentication for all external users, adding an extra layer of protection. This ensures that even if a guest's email account is compromised, an attacker cannot use the sharing link without also passing the MFA challenge.

external sharing directly impacts user experience. If external sharing is too restrictive, employees will find ways around it. If it is too permissive, data leaks occur. IT professionals must strike a balance by configuring sharing policies that match the organization's risk appetite. This is why understanding external sharing is critical for any certification candidate: it is a core administrative skill that combines security, compliance, and usability.

## Why it matters in exams

External sharing appears in several Microsoft certification exams, especially those focused on Microsoft 365 administration, security, and compliance. For the MS-100 (Microsoft 365 Identity and Services) and MS-101 (Microsoft 365 Mobility and Security) exams, external sharing is a primary objective. You will be tested on how to configure sharing at the tenant level, how to set up guest access policies, and how to audit external sharing activities. In these exams, you may be given a scenario where a company wants to enable external sharing only for certain departments, and you must choose the correct PowerShell or admin center setting.

For the SC-300 (Microsoft Identity and Access Administrator) exam, external sharing appears under the B2B collaboration domain. You need to understand the differences between B2B collaboration and B2B direct connect, and how to configure cross-tenant access settings. Expect questions about invited user redemption, source of authority, and how external identities flow through Microsoft Entra ID. You may also be asked about the external identities pricing model and the limits on guest users.

In the AZ-104 (Microsoft Azure Administrator) exam, external sharing is less central but appears in the context of Azure AD B2B. You might need to know how to invite external users to an Azure AD tenant and how to manage their role assignments. The AZ-500 (Microsoft Azure Security Technologies) exam also covers external sharing as part of identity security. You should know how to set up conditional access policies for external users and how to restrict sharing by location or device compliance.

For the MS-700 (Managing Microsoft Teams) exam, external sharing is crucial. Teams relies on SharePoint for file storage, so external sharing in SharePoint directly affects Teams channel sharing. You need to understand how guest access in Teams works, including the comparison between guest access, external access (federation), and anonymous meeting join. Question types include scenario-based multiple choice, where you choose the correct sharing configuration to allow a specific external collaborator to edit a file in a Teams channel.

Finally, in the PL-900 (Microsoft Power Platform Fundamentals) exam, external sharing appears lightly, mostly regarding sharing of Power Apps and Power Automate flows with external users. You will not need deep configuration knowledge, but you should know that external sharing is possible and that it requires guest accounts in the parent Microsoft 365 tenant. Across all exams, the most common question type is a scenario where the learner must decide whether to enable external sharing, configure an expiration policy, or review audit logs to find an unauthorized share.

## How it appears in exam questions

Exam questions about external sharing often fall into three categories: configuration scenarios, troubleshooting scenarios, and best practice choices. In configuration scenarios, you are given a business requirement, such as 'The marketing team needs to share a folder with an external design agency for three weeks. Only the design agency should have edit access, and the link should expire automatically.' You will then be shown several options, each describing a different combination of sharing settings. The correct answer will involve creating a specific sharing link with the 'Edit' permission, requiring authentication (not anonymous), and setting an expiration date. The distractors might include options that allow anonymous access or do not set an expiration.

In troubleshooting scenarios, you are given a user report: 'I shared a file with a vendor, but they received the invitation link and it says access denied.' You must diagnose the issue. Common causes include: the sharing link has expired, the guest email domain is blocked by an allowed domain list, the user's 'Anyone' links setting is disabled, or the guest did not accept the invitation within the redemption window. The question may require you to check the audit log or run a Get-SPOSite cmdlet to verify the sharing policy.

Best practice questions ask about the most secure way to achieve a certain goal. For example: 'Your company is sharing sensitive financial data with an external auditor. What is the most secure configuration?' The correct answer will include requiring multi-factor authentication for guests, setting an expiration date, and disabling the ability to re-share. The distractors might include giving the auditor full control of the SharePoint site or using an anonymous link because it is easier.

Another common pattern is comparison questions. You might be asked to choose between guest access, external access, and anonymous access in Microsoft Teams. The question will describe a situation where someone outside the organization needs to join a Teams meeting and view files. The correct answer will differentiate the capabilities: guest access provides full channel membership and file editing, external access allows federation for chat and calls but not file sharing, and anonymous join only allows meeting participation without accessing files.

Questions may also ask about administrative control, such as: 'Which role can configure tenant-level external sharing settings?' The answer is SharePoint Administrator or Global Administrator, not a Site Collection Administrator unless delegated. You might also be asked about the default sharing settings for a new Microsoft 365 tenant: by default, external sharing is allowed but users must authenticate. Knowing the defaults is critical.

## Example scenario

Your company, Northwind Traders, has a Microsoft 365 tenant with a SharePoint site for the Sales department. Your sales manager needs to share a quarterly report with a consultant named Mia from a partner company called Contoso. Mia does not have an account in Northwind Traders. The sales manager wants Mia to be able to read the report but not change it. She also wants to make sure that the link does not work anymore after the end of the quarter, which is two weeks from now.

You, as the IT administrator, need to set up external sharing to allow this. First, you check the tenant-level sharing settings in the SharePoint admin center. You see that external sharing is enabled, but the default sharing link type is set to 'Internal' (only people in your organization). To allow sharing with Mia, you must ensure that the site-level settings are not more restrictive. The Sales site's sharing setting is set to 'New and existing guests', which is correct because Mia is a new guest.

Next, you go to the document library where the quarterly report is stored. You select the file and click 'Share'. In the sharing dialog, you enter Mia's email address (mia@contoso.com). You choose 'Can view' permission. You then click 'Link settings' and change the link to 'Specific people' (only Mia can use it). You also set an expiration date two weeks in the future. You click 'Send'.

Mia receives an email with the link. When she clicks it, she is asked to verify her email with a one-time code sent to mia@contoso.com. She enters the code and is taken to the report. She can see the file in a read-only view. She cannot download it because the link does not allow download (a separate setting). The next week, she clicks the link again, and it still works. After exactly two weeks, the link expires. Mia tries to access it again, but she gets a page saying 'This link has expired'. The sales manager receives no notification; the system handles expiration automatically. The entire process is logged in the audit log, and you can see that Mia accessed the file on three different days. This scenario demonstrates the safe, temporary, auditable nature of external sharing.

## Common mistakes

- **Mistake:** Giving anonymous 'Anyone' links to sensitive data because it is the easiest option.
  - Why it is wrong: Anyone links do not require authentication. Anyone who finds the link can access the content without providing any identity. This defeats auditing and increases the risk of data exposure to unauthorized parties.
  - Fix: Use 'Specific people' links instead. These require the recipient to authenticate before accessing the resource. Even if the link is forwarded, the new person cannot access it unless they are added to the sharing list.
- **Mistake:** Setting an expiration date on a sharing link but forgetting to set a password or authentication requirement.
  - Why it is wrong: An expiration date alone does not secure the link before it expires. Anyone with the link can still access the resource until the expiration date. Without authentication, the link remains vulnerable to interception or forwarding.
  - Fix: Combine the expiration date with 'Specific people' permission so that only authenticated guests can use the link. Optionally, also set a unique one-time passcode requirement for additional security.
- **Mistake:** Assuming that disabling external sharing at the tenant level applies to all sites automatically without checking site-level overrides.
  - Why it is wrong: Tenant-level settings define default behavior, but site owners or administrators can override them at the site level. A site might have external sharing enabled even if the tenant level is set to block it, because the site-level policy was configured first.
  - Fix: Use the SharePoint admin center or PowerShell to review all site-level sharing policies. To enforce a tenant-wide block, use sensitivity labels or conditional access policies that override site settings. Always verify with a regular audit.
- **Mistake:** Assuming that external sharing in OneDrive is identical to external sharing in SharePoint or Teams.
  - Why it is wrong: Each service has its own sharing settings. OneDrive for Business has a separate sharing policy that must be configured independently from SharePoint. Teams also uses SharePoint for file storage, but the sharing experience is mediated by Teams guest access settings. For example, you can enable guest access in Teams but still block external sharing in the parent SharePoint site, which will prevent file sharing in channels.
  - Fix: Always check the sharing settings for the specific workload: SharePoint admin center for SharePoint sites, OneDrive admin center for OneDrive, and Teams admin center for Teams guest access. Use consistent policies across all three to avoid confusion.
- **Mistake:** Not reviewing the audit logs regularly after enabling external sharing.
  - Why it is wrong: External sharing creates a risk surface. Without audits, an administrator may not notice that a guest has accessed more files than intended, that a link has been shared with unauthorized people, or that a former guest still has active access. This can lead to data breaches that go undetected for weeks.
  - Fix: Set up audit log search in Microsoft 365 Purview compliance portal. Create alerts for specific events like 'Shared a file with an external user' and 'Added external user to site collection'. Review these logs weekly. Use retention policies to keep logs for at least 90 days.

## Exam trap

{"trap":"When asked about the default external sharing setting for a new Microsoft 365 tenant, you might think the default is 'Anyone' (anonymous links) because it seems the most permissive or because some marketing materials highlight easy sharing.","why_learners_choose_it":"Learners often associate 'external sharing' with the ability to send a link to anyone, and they remember that Microsoft 365 is designed for collaboration. They may also recall that some demo environments use 'Anyone' links for simplicity, which leads them to assume the default is unrestricted.","how_to_avoid_it":"Know the actual default: New Microsoft 365 tenants have external sharing enabled but with the setting 'New and existing guests' for SharePoint and OneDrive. This means users must authenticate. 'Anyone' links are not enabled by default. To confirm, search for the current default settings in official Microsoft documentation or memorize it as a core fact. Also remember that the default for OneDrive is even stricter: 'Only people in your organization' is the default for OneDrive, not 'Anyone'. Always differentiate between SharePoint and OneDrive defaults."}

## Commonly confused with

- **External sharing vs Federation (External Access):** Federation (also called external access) allows users from two different Microsoft 365 tenants to communicate via chat, call, and presence without sharing files or sites. It is a separate feature from external sharing. Federation does not grant access to internal resources like files or sites; it only enables communication. External sharing specifically gives access to content. (Example: With federation, a user at northwind.com can chat with a user at contoso.com using Teams, but cannot see any files in the other tenant's SharePoint. With external sharing, the contoso user gets a link to a specific file and can open it.)
- **External sharing vs Anonymous Sharing (Anyone links):** Anonymous sharing creates a link that does not require authentication. Anyone who gets the link can access the resource, and the identity of the user is not tracked. External sharing (in the broader sense) includes anonymous sharing as a subtype, but most policies refer to guest sharing which requires authentication. The key difference is authentication: guest sharing requires sign-in, anonymous sharing does not. (Example: You create an 'Anyone' link to a party invitation PDF and post it on a public forum, anybody can download it. For external sharing with a specific client, you use a 'Specific people' link that requires them to log in with their email.)
- **External sharing vs Guest Access in Teams:** Guest access in Teams is a feature that adds a guest user to a specific team. This guest has a full team membership, can join channels, use chats, and access shared files. External sharing is a broader concept that includes sharing individual files or folders via links. Guest access requires the guest to have a Microsoft Entra ID account (even if free), while external sharing via link does not require a directory account for the guest (only the share's authentication step). (Example: To let a contractor work on a project in a Teams channel with full conversations, you use guest access. To just share a single document for review, you use a sharing link (external sharing).)

## Step-by-step breakdown

1. **Enable external sharing at the tenant level** — The SharePoint admin center has a global setting that controls whether external sharing is allowed at all. This is the master switch. Without this enabled, no site-level sharing can happen. You choose from: Anyone, New and existing guests, Existing guests only, or Only people in your organization. For security, most organizations choose 'New and existing guests' which requires authentication.
2. **Configure site-level or library-level sharing settings** — Even if the tenant allows sharing, each SharePoint site and OneDrive has its own sharing setting. You can override the tenant default at the site level. For example, you might allow external sharing on a project site but block it on a human resources site. This granularity ensures that sensitive areas remain locked down.
3. **Create a sharing link** — A user selects a file or folder, clicks 'Share', and chooses the type of link: Anyone, People in your organization, Specific people, or people with existing access. For external sharing, they choose 'Specific people' and enter the external email address. They can also set permissions (view or edit) and optionally add an expiration date and a password.
4. **Invitation delivery and guest redemption** — The system sends an email to the external address with a link. When the guest clicks the link, they are redirected to a sign-in page where they must authenticate. If their email domain is not federated, they receive a one-time passcode. They enter the code and are then redirected to the shared file. The guest does not need to have a paid license; a free Azure AD B2B guest account is created automatically.
5. **Auditing and management of the share** — Every share event is recorded in the Microsoft 365 audit log. The administrator can view a report of all external shares, filter by user, site, or date. They can also generate a sharing link report to see all active links and revoke them if necessary. The guest user object can be deleted from Azure AD to remove all access immediately.

## Practical mini-lesson

External sharing in Microsoft 365 is not a single on/off switch; it is a layered system of policies that must be carefully configured to balance collaboration and security. As an IT professional, you must understand the hierarchy of settings: tenant-level, site-level, and file-level. The most common mistake is to set the tenant-level policy correctly but then forget that site owners can overrule it. For example, you might block external sharing at the tenant level but a site owner could have previously set their site to allow it, and that site-level setting persists. To enforce a global block, you must use Microsoft Entra ID conditional access policies or SharePoint PowerShell to revert all sites to the tenant default.

Another key point is that external sharing links can be 'managed' after creation. You can change the link type after sharing (for example, change from Anyone to Specific people), you can add or remove invitees, and you can set an expiration date retroactively. However, you cannot change the permission from edit to view after the link is created without creating a new link. This is a common trick in exam questions: if a user accidentally shared a file with edit permission, the fix is to delete the link and send a new one with view-only.

Professionals should also be aware of the cross-tenant access settings. In Microsoft Entra ID, you can configure inbound and outbound trust settings for B2B collaboration. This allows you to block external sharing from specific domains or require users from certain domains to accept your terms of use. This is different from the SharePoint sharing policies: a domain can be allowed in SharePoint but blocked in Entra ID cross-tenant settings, which will break the redemption flow. Always check both places.

When something goes wrong, the first step is to check the 'Sharing' page in the SharePoint admin center. There is a 'Sharing report' that lists all shared items and their status. If a guest reports that a link does not work, verify that the link has not expired, that the guest's email domain is not in the blocked list, and that the guest has accepted the invitation within the redemption period (30 days). Also check whether the guest already has a guest account in Azure AD that might have been deleted or disabled.

Finally, always configure Data Loss Prevention (DLP) policies to monitor and block sensitive data from being shared externally. For example, you can create a DLP rule that blocks any file containing credit card numbers from being shared with external users. This adds a layer of protection even if an administrator accidentally makes the tenant too permissive.

## Memory tip

External sharing is like giving a key to a hotel room, the guest only gets in for a limited time, only to one room, and the key expires automatically.

## FAQ

**Is external sharing the same as guest access?**

Not exactly. Guest access usually refers to adding an external user to a team or site with a full directory account, while external sharing can be as simple as sharing a single file via a link that requires only a one-time code. Guest access is a broader type of external sharing that grants membership to a resource.

**Can I set an expiration date on an external sharing link?**

Yes, when creating the link, you can set an expiration date. The link will stop working after that date, even if the guest has already accessed it. This is a best practice to limit the risk of forgotten shares.

**Do external guest accounts count against my license limits?**

Guest users in Microsoft 365 do not require a paid license for basic access to shared resources. However, if you want them to use advanced features like Azure AD Premium P1/P2 or have more than 10 guests per paid user, you may need additional licensing. Always check the latest Microsoft licensing documentation.

**What happens if a guest's invite link has expired but they still need access?**

The administrator or the person who shared the file must create a new sharing link and send it again. The guest will need to go through the redemption process again. You cannot re-activate an expired link.

**Can I prevent users from sharing externally at all?**

Yes, you can disable external sharing at the tenant level, or at the site level for specific sites. However, disabling it at the tenant level overrides all site settings. You can also configure conditional access policies to block external access for specific apps or users.

**Is external sharing available in all Microsoft 365 subscriptions?**

External sharing is available in most plans, including Business Basic, Standard, Premium, and Enterprise E1, E3, E5. However, some advanced security features like conditional access for guests require Azure AD Premium P1 or P2, which are included in E5 or available as add-ons.

## Summary

External sharing is a fundamental capability in modern cloud environments that allows organizations to collaborate with people outside their corporate boundaries in a secure, auditable, and controlled manner. This term is often tested in Microsoft certification exams because it directly touches on identity management, security compliance, and user productivity. The key takeaway is that external sharing is not a binary setting but a configurable system with multiple layers: tenant-level policies, site-level overrides, link types, expiration dates, and authentication requirements.

In exams, you must be able to differentiate between anonymous sharing, guest sharing, and federation. You also need to know the default configurations and how to troubleshoot common issues like expired links, blocked domains, or redemption failures. Remember that audit logs are your best tool for tracking external sharing events, and Data Loss Prevention policies add an essential layer of security.

For IT professionals, mastering external sharing means understanding the trade-off between user convenience and data protection. You should be comfortable configuring sharing settings in the SharePoint admin center, using PowerShell for bulk operations, and integrating external sharing with conditional access and DLP. This knowledge will not only help you pass certification exams but also make you a more effective administrator who can enable safe collaboration in any organization.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/external-sharing
