One of the interesting features in Microsoft SharePoint is External Sharing. This feature lets users of an organization share content with people outside the organization (such as partners, vendors, clients, or customers). The external sharing feature can also help in sharing between licensed users on multiple Microsoft 365 subscriptions if an organization has more than one subscription. Planning for external sharing should be included as part of overall permissions planning for SharePoint in Microsoft 365.
External Sharing Settings
External sharing settings can be applied at both the organization level and the site level. If external sharing needs to be enabled for any site, it first has to be enabled at the organization level, after which it can be restricted in the other sites. If a site’s external sharing option differs from the organization-level sharing option, the most restrictive value takes precedence.
Security and Privacy
If there is any confidential information that should not be shared externally, external sharing for that site should be turned off and additional sites should be created for external sharing. This helps manage the security risk by preventing external access to sensitive information.
Sharing Permissions
The following sharing permissions can be enabled on the site:
Anyone: Users with whom files are shared don’t need to sign in.
New and existing guests: Guests are required to sign in to access the files.
Existing guests only: Guests need to be part of the organization's Active Directory.
Only people in your organization: External sharing won't be allowed.
If the site has external sharing set to 'Anyone', users are not required to sign in or to be added to the organization's Active Directory.
If the site has external sharing set to 'New and existing guests', files can be shared with new users or with existing guest members in AD. New users are added to the organization's Active Directory after they sign up.
If the site has external sharing set to 'Existing guests only', the Azure AD admin needs to add the user first as a 'Guest', after which the external user will receive an invitation and, once it is accepted, they will be part of the tenant.
If the site has 'Only people in your organization', external sharing can't be done from that site.
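The precedence rule and the confidential-site guidance above can be checked mechanically. The following Python sketch is an added example, not code from the original article or from Microsoft; the site inventory, URLs, the `confidential` flag and all function names are constructed for illustration.

```python
from enum import IntEnum

class Sharing(IntEnum):
    # Ordered from most to least restrictive, using the four options above.
    ORG_ONLY = 0          # Only people in your organization
    EXISTING_GUESTS = 1   # Existing guests only
    NEW_AND_EXISTING = 2  # New and existing guests
    ANYONE = 3            # Anyone (no sign-in required)

def effective(org: Sharing, site: Sharing) -> Sharing:
    """The most restrictive of the organization and site values wins."""
    return min(org, site)

def audit(org: Sharing, sites: list) -> list:
    """Return (url, effective level, finding) for every site needing review."""
    findings = []
    for s in sites:
        eff = effective(org, s["sharing"])
        if s["confidential"] and eff != Sharing.ORG_ONLY:
            findings.append((s["url"], eff, "confidential site allows external sharing"))
        elif eff == Sharing.ANYONE:
            findings.append((s["url"], eff, "links work without sign-in"))
        elif s["sharing"] > org:
            findings.append((s["url"], eff, "site setting exceeds organization setting"))
    return findings

# Constructed sample inventory (hypothetical tenant and sites).
ORG = Sharing.NEW_AND_EXISTING
SITES = [
    {"url": "https://tenant.example/sites/hr",
     "sharing": Sharing.EXISTING_GUESTS, "confidential": True},
    {"url": "https://tenant.example/sites/partners",
     "sharing": Sharing.ANYONE, "confidential": False},
    {"url": "https://tenant.example/sites/finance",
     "sharing": Sharing.ORG_ONLY, "confidential": True},
    {"url": "https://tenant.example/sites/marketing",
     "sharing": Sharing.NEW_AND_EXISTING, "confidential": False},
]

if __name__ == "__main__":
    for url, eff, why in audit(ORG, SITES):
        print(f"{url}: effective={eff.name} ({why})")
```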
What happens when users share
When users share sites, recipients will be prompted to sign in with.
When users share files and folders, recipients will also be prompted to sign in if they have:
These recipients will typically be added to your directory as guests, and then permissions and groups work the same for these guests as they do for internal users.
Because these guests do not have a license in your organization, they are limited to basic collaboration tasks:
If your authenticated guests need greater capability, such as OneDrive storage or creating a Power Automate flow, you must assign them an appropriate license from the Microsoft 365 admin center.
You can stop sharing with guests by removing their permissions from the shared item, or by removing them as a guest in your directory.
You can stop sharing with people who have an "Anyone" link by going to the file or folder that you shared and deleting the link.
Steps to create external user in Azure AD
1. Log in to the Azure Portal and click on User (1)
2. Click on ‘Add guest user’ (2)
3. Select ‘Invite User’ (3), fill in the details (4) and click ‘Invite’ (5)
4. Once invited, the user is added to the users list, as shown below: