When you set the sharing policy to allow sharing only with existing guests, you expect that new external users cannot be added to your SharePoint sites or Microsoft 365 groups. However, many administrators find that this setting does not work as expected. The root cause is often a misunderstanding of how the policy interacts with other sharing controls in the admin center. This article explains the most common mistakes administrators make when configuring this policy and how to fix them.
Key Takeaways: Configure Existing Guests Only Without Errors
- SharePoint admin center > Policies > Sharing: The global sharing policy must be set to “Existing guests only” for all sites or specific site collections.
- Azure AD External Identities > External collaboration settings: Guest invite settings must be set to “Only users in this organization can invite guests” or the policy will be bypassed.
- Site-level sharing settings: Individual site owners can override the global policy if the site-level setting is more permissive than “Existing guests only.”
Why the Existing Guests Only Policy Can Fail
The “Existing guests only” setting is a sharing restriction that prevents new external users from being added to your tenant through SharePoint, OneDrive, or Microsoft 365 groups. When this policy is active, users can only share content with external users who already have a guest account in your Azure Active Directory. The policy is configured in the SharePoint admin center under the sharing section, but its effectiveness depends on multiple layers of settings.
The most common reason the policy appears broken is that the global sharing policy is not the only control. Azure AD external collaboration settings, site-level sharing permissions, and group membership settings can all override the global policy. If any of these other settings allow new guest invitations, the “Existing guests only” restriction is bypassed.
Another frequent cause is that the policy does not retroactively remove guests who were added before the policy was enabled. Existing guests remain in the directory, and users can continue to share with them. The policy only blocks the creation of new guest accounts.
Steps to Correctly Configure Existing Guests Only
To ensure the “Existing guests only” policy works across your entire tenant, you must configure three separate settings in the correct order. Follow these steps exactly.
- Set the global sharing policy in the SharePoint admin center
  Go to the SharePoint admin center. Select Policies from the left navigation, then choose Sharing. Under External sharing, select Existing guests only from the dropdown. This setting applies to all new SharePoint sites and OneDrive accounts. Click Save. If you have existing sites that need this restriction, you must apply the policy to each site individually using PowerShell or the site-level sharing settings.
- Restrict guest invitations in Azure AD
  Open the Azure Active Directory admin center. Go to External Identities and select External collaboration settings. Under Guest invite settings, choose Only users in this organization can invite guests. This prevents users from sending new guest invitations directly through Azure AD, a path that bypasses the SharePoint policy. Click Save.
- Lock site-level sharing settings
  For each SharePoint site that must enforce the policy, go to Settings > Site permissions > Sharing settings. Select Existing guests only and uncheck the box that says Allow site owners to change sharing settings. This prevents site owners from making the policy more permissive.
Common Mistakes When Configuring Existing Guests Only
Mistake 1: Not Checking Azure AD Guest Invite Settings
The most overlooked setting is the Azure AD guest invite permission. Even if SharePoint is set to “Existing guests only,” users can still invite new guests through Microsoft Teams, Microsoft 365 groups, or Azure AD directly. To fix this, go to Azure AD > External Identities > External collaboration settings and set the guest invite setting to Only users in this organization can invite guests. This blocks all new guest invitations from any Microsoft service.
Mistake 2: Site Owners Overriding the Global Policy
When site owners have permission to change sharing settings, they can switch a site to “Anyone” or “New and existing guests.” This bypasses the global “Existing guests only” policy. To prevent this, navigate to each site’s sharing settings and uncheck Allow site owners to change sharing settings. You can also use PowerShell to apply this restriction to all sites at once.
Mistake 3: Not Applying the Policy to Existing Sites
The global sharing policy only applies to new sites created after the policy is set. Existing sites retain their previous sharing configuration. To apply the policy to all existing sites, use the SharePoint Online Management Shell. Run the command Set-SPOSite -Identity <SiteURL> -SharingCapability ExistingExternalUserSharingOnly for each site. To update every site, loop through all of your site collections.
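To apply the restriction to every existing site collection, as step 1 of the configuration procedure and Mistake 3 above describe, and to audit for drift before changing anything, here is an added PowerShell example for the SharePoint Online Management Shell (it is not from the original article). It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, that the account holds the SharePoint Administrator role, and that <tenant> is replaced with your tenant name.

```powershell
# Added example, not from the original article. Audits every site collection and
# brings any site that is more permissive than "Existing guests only" into line.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed and the
# account used holds the SharePoint Administrator role. <tenant> is a placeholder.
Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url "https://<tenant>-admin.sharepoint.com"

# Set to $true to report drift without changing anything.
$DryRun = $true

# Sharing levels that are at least as strict as "Existing guests only".
$Compliant = @('ExistingExternalUserSharingOnly', 'Disabled')

# -Limit All is needed; the default call returns only the first 200 site collections.
# OneDrive (personal) sites are not returned by default; see -IncludePersonalSite.
$Sites = Get-SPOSite -Limit All

$Drift = @($Sites | Where-Object { $_.SharingCapability.ToString() -notin $Compliant })

Write-Host "Checked $($Sites.Count) site collections; $($Drift.Count) still allow new guests or anonymous links."

if ($Drift.Count -eq 0) { return }

# Report before remediating so the change set is visible in the transcript.
$Drift | Select-Object Url, SharingCapability | Format-Table -AutoSize

if ($DryRun) {
    Write-Host 'Dry run: no sites were changed. Set $DryRun = $false to apply.'
    return
}

foreach ($Site in $Drift) {
    try {
        Set-SPOSite -Identity $Site.Url -SharingCapability ExistingExternalUserSharingOnly
        Write-Host "Updated $($Site.Url): $($Site.SharingCapability) -> ExistingExternalUserSharingOnly"
    }
    catch {
        # A site-level value cannot be more permissive than the tenant-level policy,
        # so if the tenant setting is still "Anyone" this call succeeds, but if the
        # tenant setting is "Disabled" the service rejects it; the error says which.
        Write-Warning "Failed to update $($Site.Url): $($_.Exception.Message)"
    }
}
```

Run it once with $DryRun left at $true and keep the drift table as the "before" record for the audit described at the end of this article, then rerun with $DryRun set to $false.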
Mistake 4: Assuming the Policy Blocks All External Access
The “Existing guests only” policy does not remove existing guest accounts or revoke access they already have. It only prevents new guest accounts from being created. Existing guests can still access content they were previously invited to. To remove existing guests, you must delete their accounts from Azure AD or revoke their access from individual sites.
Mistake 5: Forgetting About Microsoft 365 Groups and Teams
Microsoft 365 groups and Teams have their own guest access settings that are separate from SharePoint. Even if SharePoint is locked down, a Team owner can add a new guest to the group, which creates a guest account in Azure AD. To block this, go to the Microsoft 365 admin center > Settings > Org settings > Microsoft 365 groups and uncheck Let group owners add people outside the organization to Microsoft 365 groups.
| Setting | Location | Effect on Existing Guests Only |
|---|---|---|
| SharePoint global sharing policy | SharePoint admin center > Policies > Sharing | Controls external sharing for SharePoint and OneDrive |
| Azure AD guest invite settings | Azure AD > External Identities > External collaboration settings | Blocks new guest invitations from all Microsoft services |
| Site-level sharing settings | Site Settings > Site permissions > Sharing settings | Can override global policy if not locked |
| Microsoft 365 groups guest settings | Microsoft 365 admin center > Org settings > Microsoft 365 groups | Prevents group owners from adding new guests |
After configuring all these settings, test the policy by asking a user to share a document with a new external email address. The user should receive an error message stating that sharing with new external users is not allowed. If the user can still share, review each setting again. The most common culprit is the Azure AD guest invite setting being left at its default value of “Anyone in the organization can invite guests.”
For a complete audit, run a sharing report from the SharePoint admin center. Go to Policies > Sharing and select View sharing reports. This report shows all external sharing activity and helps identify any sites that are still allowing new guests.