Introduction
In SharePoint online when you need to share the content with external users (people outside your organization) you need to have the sharing enabled at the site collection.
The sharing settings are inherited from the SharePoint admin center settings.
Note that to view the sharing settings at a minimum you need Global reader, SharePoint admin, or Global Admin privileges. There are 4 types of sharing capability options that M365 provides.
Anyone
This lets users on that site share the content with any users outside or inside the organization. The users do not need to sign in to access the links. If you need to enable this option, you need to specify the expiry time and the permissions for the links. you can scroll down the sharing page to view these options.
New and Existing Guests
This option lets the users on the site share the content with new guests (users not registered and signed into tenant) and existing guests (users already registered and signed in at least once).
Existing Guests
This option lets the users on the site share the content with existing guests only(users already registered and signed in at least once).
Only people in your organization
This option lets you share the content within the organization only. The content cannot be shared with outside users/guests.
Default Sharing Settings
For the self-service SharePoint online sites created via Microsoft Teams, and Office 365 groups the sharing settings are referenced from SharePoint admin center ‘Sharing’ settings, except for ‘Anyone settings’. For ‘Anyone’ sharing settings, by default, the sharing settings are set to one level down which is ‘New and Existing guests’ by default.
This is done from MSFT for security reasons. If the organization sharing setting is ‘New and Existing guests’ then the same settings are down streamed and same as for the other 2 settings Existing guests only and Only people in your organization.
I refer to the word self-service here which means the teams and groups can be created by end-users. There are no admin permissions needed to create them.
For the self-service ‘Communication Sites’ and the ‘stand-alone SharePoint sites’ (these sites needed admin privileges to create) the sharing is set to ‘Only people in your organization.
To get the current sharing settings, go to SharePoint admin (https://yourtenant-admin.sharepoint.com) center and click on the ‘Active Sites’, select the required size and click on sharing. Then the options will be displayed on the right information pane.
Comparison of Sharing Settings in PowerShell vs GUI
Let's have a table of comparison between Powershell commands vs GUI,
GUI Option
|
Equivalent PowerShell Command
|
Anyone
|
Set-PnPTenantSite -Identity https://contoso.sharepoint.com/sites/sitename -SharingCapability ExternalUserAndGuestSharing
|
New and Existing Guests
|
Set-PnPTenantSite -Identity https://contoso.sharepoint.com/sites/sitename -SharingCapability ExternalUserSharingOnly
|
Existing Guests only
|
Set-PnPTenantSite -Identity https://contoso.sharepoint.com/sites/sitename -SharingCapability ExistingExternalUserSharingOnly
|
Only people in your organization
|
Set-PnPTenantSite -Identity https://contoso.sharepoint.com/sites/sitename -SharingCapability Disabled
|
Please note that in the above table you need to replace the URL property (https://contoso.sharepoint.com/sites/sitename) with your needs. I have given a dummy URL for documentation. Also, this command requires SharePoint Admin privilege or global admin privilege to run. Before running this command please make sure to connect to the SharePoint admin center using SharePoint admin or global admin account.
Note
There is an issue with the SPO management shell, where the external sharing settings are not getting applied. Hence I got to stick with PnP PowerShell commands.
Update
With the latest SPO management shell this issue has been fixed. You need to have latest version 16.0.21411.0 or above to have the sharing settings working via SPO management shell. Below is the table for executing commands via SPO management shell.
GUI Option
|
Equivalent PowerShell Command
|
Anyone
|
Set-SPOSite -Identity "https://contoso.sharepoint.com/teams/MyTeam1" -SharingCapability ExternalUserAndGuestSharing
|
New and Existing Guests
|
Set-SPOSite -Identity "https://contoso.sharepoint.com/teams/MyTeam1" -SharingCapability ExternalUserSharingOnly
|
Existing Guests only
|
Set-SPOSite -Identity "https://contoso.sharepoint.com/teams/MyTeam1" -SharingCapability ExistingExternalUserSharingOnly
|
Only people in your organization
|
Set-SPOSite -Identity "https://contoso.sharepoint.com/teams/MyTeam1" -SharingCapability Disabled
|
For instance, if you want to set the sharing settings to ‘Only people in your organization’ below are the series of commands to run.
- #connecting to pnp online using SharePoint admin or Global Admin
- Connect-PnPOnline -Url https://contoso-admin.sharepoint.com -Interactive
- #running the command to set the sharing
- Set-PnPTenantSite -Identity https://contoso.sharepoint.com/sites/sitename -SharingCapability Disabled
You need to run the below commands after connecting to SPO service (connect-sposervice -url "https://contoso-admin.sharepoint.com") using SharePoint Admin or Global Admin rights.
- #connecting to SPO Service using SharePoint admin or Global Admin
- Connect-SPOService -Url https://contoso-admin.sharepoint.com
- #running the command to set the sharing
- Set-SPOSite -Identity "https://contoso.sharepoint.com/teams/MyTeam1" -SharingCapability Disabled
External Sharing Permission Settings
Let's try understanding the following terms,
Most Permissive
The permissions are open to all, which means the site permissions are pretty much open. Hardly anyone tries to access the site, so it doesn’t require logging in to view or modify the content. The setting of ‘Anyone’ is considered the ‘Most Permissive’ setting in the SharePoint admin center.
Least Permissive
The permissions levels are restricted. Anyone trying to access the content should log in to view or modify the content. The setting of ‘Only people in your organization is considered ‘Least Permissive’ in the SharePoint admin center.
When changing sharing settings from the SPO admin center for all the sites, it will change for all the sites that are more permissive than the setting you make the change too i.e.
For instance, if the organization setting is set to ‘Existing Guests Only’, then all sites with ‘New and existing guest user’ permissions will go to ‘Existing guests only’. However, if some sites are at "Only people in your organization", it would not be changed to ‘Existing guests only’ since it is more restrictive. This also means, if you want to apply ‘Anyone’ sharing applied to specific sites, it is not possible since the setting ‘Anyone’ you are applying is most permissive than organization setting ‘Existing guest’ only. If at all you want to have ‘Anyone’ sharing enabled for selected sites, the organization setting should be set to a more permissive level (‘Anyone) and there should be other scheduled job or event trigger that sets the sharing capability to New and existing guests or Existing guests only or Disabled.
Bottom line, you cannot set the sharing settings for selected sites, greater than organization settings but you can set least permissive settings than organization sharing settings.
Conclusion
Thus, in this article, we have gone through the sharing settings for SharePoint online sites and how they can be configured in different ways with respect to organization settings.
References
- https://docs.microsoft.com/en-US/sharepoint/turn-external-sharing-on-or-off
- https://docs.microsoft.com/en-us/sharepoint/external-sharing-overview#how-the-external-sharing-settings-work