External users in your SharePoint environment might see search results that include content from sites they do not have explicit access to. This typically occurs because SharePoint search indexes content across all sites, and external users inherit search permissions based on their membership in Microsoft 365 groups or Azure AD. The default search experience in SharePoint can show results from any site where the external user has any level of access, even if that access is limited to a single document library. This article explains the root cause of this search visibility problem and provides step-by-step instructions to restrict external user search results to only the sites they need.
Key Takeaways: Restricting External User Search Results in SharePoint
- SharePoint admin center > Search > Search permissions: Allows you to set search result visibility at the tenant level for external users.
- Azure AD > External Identities > External collaboration settings: Controls guest user access scope across Microsoft 365 services including SharePoint search.
- Site-level search permissions via site collection administrators: Override tenant settings for specific sites that require broader or narrower search access.
Why External Users See Too Many Search Results
SharePoint search indexes content from all sites in the tenant. When an external user performs a search, SharePoint returns results based on the user’s effective permissions. The problem occurs because external users often have at least read access to multiple sites through Microsoft 365 group membership or direct sharing. Even if you share only a single document with an external user, they may become a guest member of the underlying Microsoft 365 group. That group membership grants them access to the entire site, including its search index. As a result, search results can include documents, pages, and list items from all sites where the external user has any permission level.
The root cause is the default search permission model in SharePoint. By default, search results reflect the user’s effective permissions across the entire tenant. There is no built-in filter that limits external users to only the content explicitly shared with them. The fix involves adjusting tenant-level search permissions or implementing site-level restrictions to control what external users can discover through search.
Steps to Restrict External User Search Results
Follow these steps to limit what external users can see in SharePoint search results. The primary method uses the SharePoint admin center to set search permissions at the tenant level.
- Sign in to the SharePoint admin center
Go tohttps://admin.microsoft.comand select SharePoint under Admin centers. You must have SharePoint administrator or Global administrator permissions. - Open Search settings
In the left navigation, select Policies then Search. This opens the search configuration page for your tenant. - Configure Search permissions
Select Search permissions from the top menu. Under External sharing, set External users can see search results from to Only sites that they have access to. This is the default setting, but verify it is selected. If you want to further restrict results, choose Only content that is shared directly with them. This second option limits results to items explicitly shared via a sharing link or direct access, not all sites the user can access. - Save the changes
Click Save at the bottom of the page. The change applies to all new searches immediately. Existing search results may take up to 24 hours to reflect the new permission settings. - Test with an external user account
Sign in as an external user and perform a search. Verify that results are limited to only the sites or content you configured. If results still show too many items, proceed to the Azure AD settings below.
Adjust Azure AD External Collaboration Settings
Azure AD settings control guest user access across Microsoft 365 services. Restricting guest user permissions at the Azure AD level can further limit search visibility.
- Open Azure AD admin center
Go tohttps://aad.portal.azure.comand sign in as a Global administrator. - Navigate to External Identities
Select External Identities then External collaboration settings. - Set guest user access restrictions
Under Guest user access, set Guest user access restrictions to Guest users have limited access to properties and memberships of directory objects. This prevents guest users from enumerating other users and groups, which can reduce the scope of search results. - Save the settings
Click Save and wait for replication across your tenant.
If External Users Still See Too Many Results After the Main Fix
Even after applying tenant-level search permissions, external users may still see excessive search results. This can happen due to site-level search configurations or cached permissions.
External Users See Results from Sites They Were Removed From
SharePoint search indexes can take up to 24 hours to reflect permission changes. If you removed an external user from a site, their search results may still include that site’s content until the next incremental crawl. To force a reindex, go to the site collection settings and select Search and offline availability then Reindex site. This triggers a full crawl of the site, updating search results with the current permissions.
External Users Can Search Across All Sites in the Tenant
If the tenant-level search permission is set to Only sites that they have access to, external users can still see all sites where they have any permission. To limit this, change the setting to Only content that is shared directly with them. Note that this setting may break search for internal users who rely on discovering content through search. Test this option in a pilot group before applying it tenant-wide.
External Users See Content from Unrelated Microsoft 365 Groups
External users who are guests in multiple Microsoft 365 groups can search across all those groups’ sites. To prevent this, review each group’s membership and remove external users from groups they do not need. Use the Microsoft 365 admin center to manage group memberships. For each group, select Active teams and groups then the group name, and remove external users under Membership.
Tenant-Level vs Site-Level Search Permission: Key Differences
| Item | Tenant-Level Search Permission | Site-Level Search Permission |
|---|---|---|
| Scope | Applies to all sites in the tenant | Applies to a single site collection |
| Configuration location | SharePoint admin center > Policies > Search > Search permissions | Site settings > Search and offline availability > Set search permissions for this site |
| Granularity | Coarse: all external users or all internal users | Fine: can exclude specific groups or users from search |
| Override priority | Site-level settings can override tenant defaults | Site-level settings take precedence for that site |
| Best for | Broad restriction for all external users | Restricting search on sensitive sites while allowing broader search elsewhere |
You can now restrict what external users see in SharePoint search results by adjusting tenant-level search permissions and Azure AD collaboration settings. Start by setting the search permission to Only content that is shared directly with them in the SharePoint admin center. If users still see too many results, force a reindex of affected sites or remove external users from unnecessary Microsoft 365 groups. For sites that require maximum security, use site-level search permissions to exclude specific groups from search results entirely.