Configuration Settings for Sharing in Microsoft 365

The ability to share content rather than send copies of content is one of the main benefits of Office 365. Many settings need to be configured to support this ability, and they are distributed across multiple interfaces. This article documents the settings and their locations.

It is fair to say that these settings would be much easier to manage if they were all in one location, but the evolution of different products has produced a complex set of locations and settings, which in some cases exist in multiple locations with different wording.

As there are so many settings in so many locations, and many of the settings are duplicated in different locations, I have constructed a spreadsheet that brings them all together. The spreadsheet can be downloaded from the link below:

Key Concepts

When we discuss sharing there are two key questions that we need to consider:

  • Who are we sharing with?
    • Partners with O365 accounts
    • Partners with other accounts
    • Individuals with personal accounts
  • What are we sharing?
    • Files
    • Folders
    • Sites
    • Teams

The answers to these questions drive the configuration that we want to apply to the environment.

Configuration Locations

There are currently nine (9) different locations in various admin centres where settings to manage sharing are located, and this does not include the following tools:

  • Entitlements
  • Sensitivity labels applied to sites and groups
  • Site Settings

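The locations are:

  • Azure Active Directory > External Identities > External Collaboration Settings
  • Microsoft 365 Admin > Settings > Org Settings > Security & Privacy > Sharing
  • Microsoft 365 Admin > Settings > Org Settings > Services > Microsoft 365 Groups
  • Microsoft 365 Admin > Settings > Org Settings > Services > Microsoft Teams
  • Microsoft 365 Admin > Settings > Org Settings > Services > SharePoint
  • Microsoft Teams Admin > Org-wide settings > Guest access
  • OneDrive Admin > Sharing
  • SharePoint Admin > Policies > Sharing
  • SharePoint Admin > Sites > [Site] > Sharing

        Azure Active Directory > External Identities > External Collaboration Settings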

        Link | Further Information

        Setting | Description
        Guest user access
        • Guest users have same access as members
        • Guest users have limited access to properties and memberships of directory objects (Default)
        • Guest user access is restricted to properties and memberships of their own directory objects
        Controls what guest users can see within Active Directory, e.g. the membership of groups that they are in.

        Further information
        Admins and users in the guest inviter role can invite | Yes means that only members of the guest inviter role can invite guests.

        No means that the ability to invite guests is not restricted to the guest inviter role.
        Members can invite | If this is set to No, only Active Directory Admins can invite guest users.

        Members in this context refers to Active Directory NOT Microsoft Team Members
        Guests can invite | Can guests invite other guests?
        Enable email one-time passcode for guests | This is a preview feature that allows users to be authenticated using a one-time passcode when they can’t be authenticated using Azure Active Directory, Microsoft Accounts or a federated identity provider like Google.

        Further information
        Enable guest self-service sign-up via user flows | This is a preview feature that allows users to sign up to use your app by using social identity providers such as Facebook and Google.

        Further information
        Collaboration restrictions
        • Allow invitations to be sent to any domain
        • Deny invitations to be sent to specified domains
        • Allow invitations to only specified domains
        This option allows control of the domains that invitations can be sent to.  

        Further information

        Microsoft 365 Admin > Settings > Org Settings > Security & Privacy > Sharing

        Link

        Setting | Description
        Let users add new guests to the organisation | When this is set, all users can add guest users to the organisation. When it is not set, only admins can add guest users to the organisation.

        Microsoft 365 Admin > Settings > Org Settings > Services > Microsoft 365 Groups

        Link

        Setting | Description
        Let group owners add people outside your organisation to Microsoft 365 Groups as guests | Grants permission to group owners to add guest users to groups
        Let guest group members access group content (If you don’t select this, guests will still be listed as members of the group, but they won’t receive group emails or be able to access any group content. They’ll only be able to access files that were directly shared with them.) | When not checked, this option restricts the access that guest users have within groups that they are added to

        Microsoft 365 Admin > Settings > Org Settings > Services > Microsoft Teams

        Link

        Setting | Description
        Allow Guest Access in Teams | Turns on guest access to Teams.

        This can take 24 hours to take effect.

        Microsoft 365 Admin > Settings > Org Settings > Services > SharePoint

        Link

        Setting | Description
        SharePoint Content can be shared with
        • Anyone
        • New and existing guests
        • Existing guests only
        • Only people in your organisation
        Determines whether files and sites can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users

        Microsoft Teams Admin > Org-wide settings > Guest access

        Link

        Setting | Description
        Allow Guest Access in Teams | Turns on guest access to Teams.

        This can take 24 hours to take effect.

        OneDrive Admin > Sharing

        Link

        Setting | Description
        Default link type:
        • Shareable: Anyone with the link
        • Internal: Only people in your organisation
        • Direct: Only specific people
        This option sets the default link type that is used when a user shares a file or folder.
        Links must expire within this number of days (enter -1 for never) | Determines how long a “shareable” link allowing unauthenticated access will remain active before expiring
        Anyone link: Permissions for files:
        • View
        • View, edit and upload
        Determines the file permissions that can be shared via “shareable” links
        Anyone link: Permissions for folders:
        • View
        • View, edit and upload
        Determines the folder permissions that can be shared via “shareable” links
        SharePoint Content can be shared with
        • Anyone
        • New and existing guests
        • Existing guests only
        • Only people in your organisation
        Determines whether files and folders can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users
        OneDrive Content can be shared with
        • Anyone
        • New and existing guests
        • Existing guests only
        • Only people in your organisation
        Same as the SharePoint setting, but applies just to files and folders within OneDrive.

        This setting can be equal to or lower than the SharePoint setting, but not higher
        Allow or block sharing with people on specific domains | This setting can be used to restrict the domains that sharing invitations are sent to.

        Does not apply to “shareable” or “anyone” links
        External users must accept sharing invitations using the same account that invitations were sent to | This option restricts the sharing to the specific email address that the invitation was sent to
        Let external users share items they don’t own | This option allows guests to share content with other people when it is content that they are not the owner of.
        Display to owners the names of people who viewed their files | This option displays the views of a OneDrive file on the file card that is displayed in OneDrive

        SharePoint Admin > Policies > Sharing

        Further information

        Setting | Description
        SharePoint Content can be shared with
        • Anyone
        • New and existing guests
        • Existing guests only
        • Only people in your organisation
        Determines whether files and sites can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users
        OneDrive Content can be shared with
        • Anyone
        • New and existing guests
        • Existing guests only
        • Only people in your organisation
        Same as the SharePoint setting, but applies just to files and folders within OneDrive.

        This setting can be equal to or lower than the SharePoint setting, but not higher
        Limit external sharing by domain
        • Allow only specific domains
        • Block specific domains
        This setting can be used to restrict the domains that sharing invitations are sent to
        Allow only users in specific security groups to share externally | This setting restricts who can share to members of specific security groups

        Further information
        Guests must sign in with the same account to which the sharing invitations are sent | This option restricts the sharing to the specific email address that the invitation was sent to
        Allow guests to share items they don’t own | This option allows guests to share content with other people when it is content that they are not the owner of.

        By default, guests must have full control permission to share items externally.
        People who use a verification code must reauthenticate after X days | If people who use a verification code have selected to “stay signed in” in the browser, they must prove they can still access the account they used to redeem the sharing invitation.
        Default sharing link type:
        • Specific people
        • Only people in your organisation
        • Anyone with a link
        This option sets the default link type that is used when a user shares a file or folder.
        Default sharing link permission:
        • View
        • Edit
        This option sets the default permissions that are granted when a user shares a file or folder.
        Anyone link: Will expire | Determines whether an “anyone” link allowing unauthenticated access will expire
        Anyone link: Will expire after X number of days | Determines how long an “anyone” link allowing unauthenticated access will remain active before expiring
        Anyone link: Permissions for files:
        • View
        • View and edit
        Determines the file permissions that can be shared via “anyone” links
        Anyone link: Permissions for folders:
        • View
        • View, edit and upload
        Determines the folder permissions that can be shared via “anyone” links
        Show owners the names of people who viewed their files in OneDrive | This option displays the views of a OneDrive file on the file card that is displayed in OneDrive
        Let site owners choose to display the names of people who viewed files or pages in SharePoint | This option displays the views of a SharePoint file on the file card that is displayed in SharePoint.

        This is recommended to be disabled on sites that have sensitive information. Link
        Use short links for sharing files and folders 

        SharePoint Admin > Sites > [Site] > Sharing

        Setting | Description
        SharePoint Content can be shared with
        • Anyone
        • New and existing guests
        • Existing guests only
        • Only people in your organisation
        Determines whether files and sites can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users
        Default sharing link type:
        • Same as organisation-level setting
        Use organisation level setting or custom setting for the site
        Default sharing link type:
        • Specific people
        • Only people in your organisation
        • Anyone with a link
        This option sets the default link type that is used when a user shares a file or folder.
        Default sharing link permission:
        • Same as organisation-level setting
        Use organisation level setting or custom setting for the site
        Default sharing link permission:
        • View
        • Edit
        This option sets the default permissions that are granted when a user shares a file or folder.
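
An added example (not part of the original article): a PowerShell check over the organisation-level settings tabulated under OneDrive Admin > Sharing and SharePoint Admin > Policies > Sharing. Property names and values are those returned by Get-SPOTenant in the SharePoint Online Management Shell; the function name, the choice of what counts as a finding, and the $sample object (constructed so the script runs without a tenant connection) are assumptions of this example.

```powershell
# Added example. Property names and values match Get-SPOTenant output;
# $sample is constructed so this runs without a tenant connection.
# Sharing levels ranked from least to most permissive (labels as in the tables).
$Rank = @{
    Disabled                        = 0   # Only people in your organisation
    ExistingExternalUserSharingOnly = 1   # Existing guests only
    ExternalUserSharingOnly         = 2   # New and existing guests
    ExternalUserAndGuestSharing     = 3   # Anyone
}

function Test-SharingPosture {          # hypothetical helper name
    param([Parameter(Mandatory)] $Tenant)
    $findings = [System.Collections.Generic.List[string]]::new()
    $sp = $Rank["$($Tenant.SharingCapability)"]
    $od = $Rank["$($Tenant.OneDriveSharingCapability)"]

    # OneDrive may be equal to or lower than the SharePoint setting, never higher.
    if ($od -gt $sp) { $findings.Add('OneDrive sharing level exceeds the SharePoint level') }

    if ($sp -eq 3 -or $od -eq 3) {
        # A value of -1 (or 0) means Anyone links never expire.
        if ($Tenant.RequireAnonymousLinksExpireInDays -le 0) { $findings.Add('Anyone links never expire') }
        if ("$($Tenant.FileAnonymousLinkType)" -eq 'Edit') { $findings.Add('Anyone links grant edit on files') }
        if ("$($Tenant.FolderAnonymousLinkType)" -eq 'Edit') { $findings.Add('Anyone links grant edit and upload on folders') }
        if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') { $findings.Add('Default link type is Anyone with the link') }
        # Domain allow/block lists do not apply to Anyone links.
        if ("$($Tenant.SharingDomainRestrictionMode)" -ne 'None') { $findings.Add('Domain restriction is set but does not cover Anyone links') }
    }
    if ($sp -ge 1) {
        if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) { $findings.Add('Guests may accept invitations with a different account') }
        if (-not $Tenant.PreventExternalUsersFromResharing) { $findings.Add("Guests may share items they don't own") }
    }
    return $findings
}

# Constructed sample. Against a live tenant: Test-SharingPosture -Tenant (Get-SPOTenant)
$sample = [pscustomobject]@{
    SharingCapability                          = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability                  = 'ExternalUserSharingOnly'
    RequireAnonymousLinksExpireInDays          = -1
    FileAnonymousLinkType                      = 'View'
    FolderAnonymousLinkType                    = 'Edit'
    DefaultSharingLinkType                     = 'Internal'
    SharingDomainRestrictionMode               = 'AllowList'
    RequireAcceptingAccountMatchInvitedAccount = $true
    PreventExternalUsersFromResharing          = $false
}
Test-SharingPosture -Tenant $sample
```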