Configuration Settings for Sharing in Microsoft 365
The ability to share content rather than send copies of content is one of the main benefits of Office 365. Many settings need to be configured to enable this ability, and they are distributed across multiple interfaces. This article documents the settings and their locations.
It is fair to say that these settings would be much easier to manage if they were all in one location, but the evolution of different products has produced a complex set of locations and settings, which in some cases exist in multiple locations with different wording.
As there are so many settings in so many locations, and many of the settings are duplicated in different locations, I have constructed a spreadsheet that brings them all together. The spreadsheet can be downloaded from the Related Files section at the end of this post.
Key Concepts
When we discuss sharing there are two key questions that we need to consider:
- Who are we sharing with?
  - Partners with O365 accounts
  - Partners with other accounts
  - Individuals with personal accounts
- What are we sharing?
  - Files
  - Folders
  - Sites
  - Teams
The answers to these questions drive the configuration that we want to apply to the environment.
Configuration Locations
There are currently nine (9) different locations in various admin centres where settings to manage sharing are located, and this does not include the following tools:
- Entitlements
- Sensitivity labels applied to sites and groups
- Site Settings
The locations are:
- Azure Active Directory
  - External Identities
- Microsoft 365 Admin
  - Settings
    - Org Settings
      - Security & Privacy
      - Services
- Microsoft Teams Admin
  - Org-wide settings
    - Services
- OneDrive Admin
- SharePoint Admin
Configuration Settings
Azure Active Directory > External Identities > External Collaboration Settings
Setting | Description |
---|---|
Guest user access | Controls what guest users can see within Active Directory, e.g. the membership of groups that they are in. |
Admins and users in the guest inviter role can invite | Yes means that only members of the guest inviter role can invite guests. No means that the ability to invite guests is not restricted to the guest inviter role. |
Members can invite | If this is set to No, only Active Directory Admins can invite guest users. Members in this context refers to Active Directory, NOT Microsoft Teams members. |
Guests can invite | Can guests invite other guests? |
Enable email one-time passcode for guests | This is a preview feature that allows users to be authenticated using a one-time passcode when they can’t be authenticated using Azure Active Directory, Microsoft Accounts or a federated identity provider like Google. |
Enable guest self-service sign-up via user flows | This is a preview feature that allows users to sign up to use your app by using social identity providers such as Facebook and Google. |
Collaboration restrictions | This option allows control of the domains that invitations can be sent to. |
Microsoft 365 Admin > Settings > Org Settings > Security & Privacy > Sharing
Setting | Description |
---|---|
Let users add new guests to the organisation | When this is set, all users can add guest users to the organisation. When it is not set, only admins can add guest users to the organisation |
Microsoft 365 Admin > Settings > Org Settings > Services > Microsoft 365 Groups
Setting | Description |
---|---|
Let group owners add people outside your organisation to Microsoft 365 Groups as guests | Grants permission to group owners to add guest users to groups |
Let guest group members access group content (If you don't select this, guests will still be listed as members of the group, but they won’t receive group emails or be able to access any group content. They’ll only be able to access files that were directly shared with them.) | When not checked, this option restricts the access that guest users have within groups that they are added to |
Microsoft 365 Admin > Settings > Org Settings > Services > Microsoft Teams
Setting | Description |
---|---|
Allow Guest Access in Teams | Turns on guest access to Teams. This can take 24 hours to take effect. |
Microsoft 365 Admin > Settings > Org Settings > Services > SharePoint
Setting | Description |
---|---|
SharePoint Content can be shared with | Determines whether files and sites can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users |
Microsoft Teams Admin > Org-wide settings > Guest access
Setting | Description |
---|---|
Allow Guest Access in Teams | Turns on guest access to Teams. This can take 24 hours to take effect. |
OneDrive Admin > Sharing
Setting | Description |
---|---|
Default link type: | This option sets the default link type that is used when a user shares a file or folder. |
Links must expire within this number of days (enter -1 for never) | Determines how long a “shareable” link allowing unauthenticated access will remain active before expiring |
Anyone link: Permissions for files: | Determines the file permissions that can be shared via “shareable” links |
Anyone link: Permissions for folders: | Determines the folder permissions that can be shared via “shareable” links |
SharePoint Content can be shared with | Determines whether files and folders can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users |
OneDrive content can be shared with | Same as the SharePoint setting, but applies just to files and folders within OneDrive. This setting can be equal to or lower than the SharePoint setting, but not higher. |
Allow or block sharing with people on specific domains | This setting can be used to restrict the domains that sharing invitations are sent to. Does not apply to “shareable” or “anyone” links. |
External users must accept sharing invitations using the same account that invitations were sent to | This option restricts the sharing to the specific email address that the invitation was sent to |
Let external users share items they don't own | This option allows guests to share content with other people when it is content that they are not the owner of. |
Display to owners the names of people who viewed their files | This option displays the views of a OneDrive file on the file card that is displayed in OneDrive |
SharePoint Admin > Policies > Sharing
Setting | Description |
---|---|
SharePoint content can be shared with | Determines whether files and sites can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users |
OneDrive content can be shared with | Same as the SharePoint setting, but applies just to files and folders within OneDrive. This setting can be equal to or lower than the SharePoint setting, but not higher. |
Limit external sharing by domain | This setting can be used to restrict the domains that sharing invitations are sent to |
Allow only users in specific security groups to share externally | This setting restricts who can share to members of specific security groups |
Guests must sign in with the same account to which the sharing invitations are sent | This option restricts the sharing to the specific email address that the invitation was sent to |
Allow guests to share items they don’t own | This option allows guests to share content with other people when it is content that they are not the owner of. By default, guests must have full control permission to share items externally. |
People who use a verification code must reauthenticate after X days | If people who use a verification code have selected to “stay signed in” in the browser, they must prove they can still access the account they used to redeem the sharing invitation. |
Default sharing link type: | This option sets the default link type that is used when a user shares a file or folder. |
Default sharing link permission: | This option sets the default permissions that are granted when a user shares a file or folder. |
Anyone link: Will expire | Determines whether an “anyone” link allowing unauthenticated access will expire |
Anyone link: Will expire after X number of days | Determines how long an “anyone” link allowing unauthenticated access will remain active before expiring |
Anyone link: Permissions for files: | Determines the file permissions that can be shared via "anyone" links |
Anyone link: Permissions for folders: | Determines the folder permissions that can be shared via "anyone" links |
Show owners the names of people who viewed their files in OneDrive | This option displays the views of a OneDrive file on the file card that is displayed in OneDrive |
Let site owners choose to display the names of people who viewed files or pages in SharePoint | This option displays the views of a SharePoint file on the file card that is displayed in SharePoint. This is recommended to be disabled on sites that have sensitive information. |
Use short links for sharing files and folders | |
SharePoint Admin > Sites > [Site] > Sharing
Setting | Description |
---|---|
SharePoint Content can be shared with | Determines whether files and sites can be shared outside of the organisation, how they can be shared and whether they can be shared with new or existing guest users. |
Default sharing link type: | Use organisation level setting or custom setting for the site |
Default sharing link type: | This option sets the default link type that is used when a user shares a file or folder. |
Default sharing link permission: | Use organisation level setting or custom setting for the site |
Default sharing link permission: | This option sets the default permissions that are granted when a user shares a file or folder. |
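
The SharePoint and OneDrive sharing settings listed in the tables above can also be read with the SharePoint Online Management Shell, which makes them easier to review in one place. The following is an added example, not part of the original article: it lists the most permissive values for review. The function name `Get-SharingFinding`, the 30-day review limit and the sample tenant and site values are assumptions constructed for illustration.

```powershell
# Added example, not from the original article. Property names are those returned
# by Get-SPOTenant and Get-SPOSite; function name and thresholds are assumptions.
$Rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1
           ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }

function Get-SharingFinding {
    param([Parameter(Mandatory)] $Tenant, $Sites = @(), [int] $MaxAnyoneLinkDays = 30)
    $spo = $Rank["$($Tenant.SharingCapability)"]
    $od  = $Rank["$($Tenant.OneDriveSharingCapability)"]
    # OneDrive may be equal to or lower than SharePoint, never higher
    if ($od -gt $spo) { 'OneDrive sharing level is higher than the SharePoint level' }
    if ($spo -eq 3) {   # "Anyone" links are allowed
        $days = $Tenant.RequireAnonymousLinksExpireInDays   # -1 or 0: never expire
        if ($days -le 0 -or $days -gt $MaxAnyoneLinkDays) {
            "Anyone links: expiry is $days days (review limit $MaxAnyoneLinkDays)"
        }
        if ("$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') { 'Default sharing link type is Anyone' }
        if ("$($Tenant.FileAnonymousLinkType)" -eq 'Edit') { 'Anyone links grant edit on files' }
        if ("$($Tenant.FolderAnonymousLinkType)" -eq 'Edit') { 'Anyone links grant edit on folders' }
    }
    if ($spo -ge 1) {   # some form of external sharing is allowed
        if (-not $Tenant.RequireAcceptingAccountMatchInvitedAccount) { 'Guests may accept with a different account' }
        if (-not $Tenant.PreventExternalUsersFromResharing) { 'Guests can share items they do not own' }
        if ("$($Tenant.SharingDomainRestrictionMode)" -eq 'None') { 'External sharing is not limited by domain' }
    }
    foreach ($s in $Sites) {   # per-site "content can be shared with"
        if ($Rank["$($s.SharingCapability)"] -eq 3) { "Site allows Anyone links: $($s.Url)" }
    }
}

# Constructed sample values so the function runs offline. Against a real tenant:
#   Get-SharingFinding -Tenant (Get-SPOTenant) -Sites (Get-SPOSite -Limit All)
$sampleTenant = [pscustomobject]@{
    SharingCapability = 'ExternalUserAndGuestSharing'
    OneDriveSharingCapability = 'ExternalUserSharingOnly'
    RequireAnonymousLinksExpireInDays = -1
    DefaultSharingLinkType = 'AnonymousAccess'
    FileAnonymousLinkType = 'View'; FolderAnonymousLinkType = 'Edit'
    RequireAcceptingAccountMatchInvitedAccount = $true
    PreventExternalUsersFromResharing = $false
    SharingDomainRestrictionMode = 'None'
}
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/finance'; SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/bids'; SharingCapability = 'ExternalUserAndGuestSharing' }
)
Get-SharingFinding -Tenant $sampleTenant -Sites $sampleSites
```

Running it against a live tenant requires an existing `Connect-SPOService` session; the Azure Active Directory, Microsoft 365 Admin and Teams settings in the earlier tables are not covered by these two cmdlets.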