Document management and file sharing are important features of Microsoft SharePoint and OneDrive. To get external sharing in SharePoint Online working the way you want, you first need to configure the organisation-level sharing settings.
Users of an organization can benefit from the SharePoint document sharing setting to share folders and files with unauthenticated users such as partners, vendors, clients, and others who don’t have an account in your company directory services.
SharePoint organization-level sharing settings
To enable a document’s external access in SharePoint or OneDrive, the organisation-level sharing setting must be set to allow sharing with people outside your organisation.
Follow the steps below to set SharePoint organization-level sharing settings:
- Go to Microsoft 365 admin center, click SharePoint.
- Open SharePoint admin center, click Policies then Sharing.
- In the External sharing section for SharePoint, ensure you have marked your desired sharing level.
- After making the changes, click Save.
The levels of access are:
- Anyone: Allow users to share files and folders with unauthenticated users. Anyone links let external users open the link without authentication, and they are able to pass it on to others.
- New and existing guests: Allow access for external users who authenticate. The external collaborator receives an invitation email with a link to the shared file. Users should be added to your Azure AD in order to access the files.
- Existing guests: Select this option to share documents with users who are already in your Azure Active Directory.
SharePoint organization-level default link settings
The organization-level default link settings in SharePoint determine the option that will be displayed to users by default when sharing a file.
To define the SharePoint and OneDrive organization-level default link settings, follow the steps below:
- In the SharePoint admin center, open the Sharing page.
- Click Policies, then Sharing, then go to the File and Folder Link section.
- Apply setting as desired.
- Click Save.
The default link types are as listed below:
- Anyone with the link: Best for those who expect to share files and folders with external users. To use this link type, Anyone sharing must be enabled.
- Only people in your organization: If most documents are expected to be shared with internal users, choose this option.
- Specific people: This option works best with guests, and it requires them to authenticate.
It should be noted that this setting affects SharePoint sites in your organization, as well as OneDrive.
You may set the default permission for sharing links:
- Select View if you do not want to allow unauthenticated users to make changes to the files and folders.
- Select Edit if you want external users to make changes to the files and folders.
You can apply permission options to internal users as well as external users.
Enable additional security for sharing files and folders with unauthenticated users
Unauthenticated sharing (Anyone links) can be very useful for sharing documents with partners, vendors, clients, or anyone outside your organisation, because they can easily use the link and send it to others. Some sensitive content, however, needs advanced sharing settings to protect your organisation’s content.
Set an expiration date for Anyone links
Sharing documents with external users for a long period of time may lead to unexpected changes by unauthenticated users in the future. To avoid this problem, define an expiration time for Anyone links.
The steps to set an expiration date to Anyone links across the organisation are:
- Go to the SharePoint admin center.
- Go to Policies, and click Sharing.
- Select the “These links must expire within this many days” check box.
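The sharing level, default link type, default link permission and Anyone-link expiration described above can also be checked from the SharePoint Online Management Shell. The following is an added example, not part of the original article: the function name Test-SharingPosture, the 30-day threshold and the sample object are assumptions for illustration, while the property names and values are those returned by Get-SPOTenant.

```powershell
# Added example: flag weak organisation-level sharing settings.
# Admin center label -> Get-SPOTenant value:
#   Anyone                   -> SharingCapability = ExternalUserAndGuestSharing
#   New and existing guests  -> SharingCapability = ExternalUserSharingOnly
#   Existing guests          -> SharingCapability = ExistingExternalUserSharingOnly
#   Anyone with the link     -> DefaultSharingLinkType = AnonymousAccess
#   Only people in your org  -> DefaultSharingLinkType = Internal
#   Specific people          -> DefaultSharingLinkType = Direct
function Test-SharingPosture {
    param(
        [Parameter(Mandatory)] $Tenant,   # Get-SPOTenant output, or a stand-in object
        [int] $MaxAnyoneLinkDays = 30     # assumed policy threshold; adjust to your own
    )
    $findings = [System.Collections.Generic.List[string]]::new()

    if ("$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing') {
        $findings.Add('External sharing level is Anyone: links open without sign-in.')
        # A value of 0 or below means no expiration is enforced.
        $days = [int]$Tenant.RequireAnonymousLinksExpireInDays
        if ($days -le 0) {
            $findings.Add('Anyone links never expire.')
        } elseif ($days -gt $MaxAnyoneLinkDays) {
            $findings.Add("Anyone links expire after $days days (limit $MaxAnyoneLinkDays).")
        }
    }
    if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
        $findings.Add('Default link type is Anyone with the link.')
    }
    if ("$($Tenant.DefaultLinkPermission)" -eq 'Edit') {
        $findings.Add('Default link permission is Edit.')
    }
    $findings
}

# Constructed sample standing in for Get-SPOTenant output, so the check runs offline.
$sample = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType            = 'AnonymousAccess'
    DefaultLinkPermission             = 'Edit'
    RequireAnonymousLinksExpireInDays = -1
}
Test-SharingPosture -Tenant $sample

# Against a live tenant (after Connect-SPOService):
#   Test-SharingPosture -Tenant (Get-SPOTenant)
# Tightening the defaults while keeping Anyone links available:
#   Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View -RequireAnonymousLinksExpireInDays 30
```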
Prevent unauthenticated sharing of sensitive content
To prevent users from sharing sensitive content with external users, you can use a data loss prevention (DLP) rule. It takes action based on a file’s sensitivity label.
To create a DLP rule:
- In the Microsoft 365 compliance admin center, open the Data loss prevention page.
- Choose Create policy.
- Select Custom and click Next.
- Choose the policy name and click Next.
- On the Locations to apply the policy page turn off all settings except SharePoint sites and OneDrive accounts, and then click Next.
- Click Next on the Define policy settings page.
- On the Customize advanced DLP rules page, click Create rule.
- Type a name for the rule.
- Click Add condition, select Content contains, and click Add.
- Determine the type of information for which you want to prevent unauthenticated sharing.
- Under Actions, click Add an action.
- Choose Restrict access or encrypt the content in Microsoft 365 locations.
- Select the Restrict access or encrypt the content in Microsoft 365 locations check box.
- Select Only people who were given access to the content through the “Anyone with the link” option.
- Click Save and then click Next.
- Select your test options and click Next.
- Click Submit, and then click Done.