You are trying to share a file or folder from OneDrive with an external user, but the share action fails silently or shows an error about sensitivity labels. This happens because a sensitivity label applied to the file or folder includes a protection setting that blocks external sharing. Microsoft Purview Information Protection lets administrators configure labels that restrict access to only people inside your organization. This article explains how sensitivity labels interact with OneDrive external sharing, how to identify the blocking label, and how to work around the restriction when you need to share with external collaborators.
Key Takeaways: Identify and Resolve Sensitivity Label Blocks on OneDrive External Sharing
- Microsoft Purview compliance portal > Information protection > Labels: Review label settings for encryption and access control that may block external users.
- OneDrive sharing dialog > Copy link > Manage access: Check which sensitivity label is applied to the file or folder you are trying to share.
- Remove or replace the sensitivity label: If you have edit permissions, you can remove the label or apply a less restrictive label to allow external sharing.
Why Sensitivity Labels Block External Sharing in OneDrive
Sensitivity labels are part of Microsoft Purview Information Protection. Administrators create labels that apply encryption, watermarking, or access restrictions to files and emails. When a label includes encryption with user-defined permissions, the encrypted file cannot be shared with anyone outside your Microsoft 365 tenant. The encryption is enforced at the file level, not at the folder level, though a folder inherits the label applied to its parent site or library.
The block occurs because the label’s encryption configuration sets the “Let users assign permissions” option to “Only people in your organization” or “Only specific people” and does not include external email addresses. Even if the file owner tries to share via a “Specific people” link, the encryption prevents the external recipient from decrypting the file. OneDrive detects this restriction and disables external sharing options in the share dialog or shows an error message such as “This item can’t be shared because of sensitivity label restrictions.”
The block applies to both new and existing shares. If a file previously shared externally receives a restrictive label after the share was created, the external user loses access immediately. The file remains in the external user’s OneDrive or SharePoint view but becomes inaccessible.
Label Scope and Inheritance
Labels can be applied automatically through auto-labeling policies, manually by users, or by default at the document library level. In OneDrive, a file inherits the label from the folder it resides in if the folder has a default label set. A file can also have a label applied directly. The most restrictive label among inherited and directly applied labels takes effect. This means a user might not realize a label is blocking sharing if the label came from a parent folder.
Steps to Identify the Sensitivity Label Blocking External Sharing
Before you can fix the issue, you need to identify which sensitivity label is applied to the file or folder and confirm that it blocks external sharing. Follow these steps.
- Open the file or folder in OneDrive
Go to OneDrive in your browser at onedrive.com or open the file in the OneDrive folder in File Explorer. Right-click the file and select Details or Properties. - Check the Sensitivity label column
In the OneDrive web interface, select the file and look at the details pane on the right. The Sensitivity field shows the current label. If no label appears, the file is not restricted by a label. - Review the label configuration
Ask your Microsoft 365 administrator to open the Microsoft Purview compliance portal. Go to Information protection > Labels. Find the label name you saw in step 2. Click the label and review its settings under Encryption. If encryption is enabled and the “Assign permissions now” or “Let users assign permissions” option restricts to internal users only, this label blocks external sharing. - Test sharing with a different label
If you have permission to change the label, apply a label that does not have encryption or that allows external sharing. For example, a label named “Public” or “General” typically has no encryption. After applying the new label, try sharing the file externally again.
If OneDrive Still Blocks External Sharing After Checking the Label
“You can’t share this item because of sensitivity label restrictions” error persists
The error may appear even after you remove the label if the file is still encrypted. Sensitivity label encryption is applied to the file content, not just the metadata. To fully remove encryption, you must remove the label entirely. Right-click the file in OneDrive, select Details, and in the Sensitivity section choose Remove label if the option is available. If the option is grayed out, you do not have sufficient permissions. Contact your administrator to remove the label or to grant you the “Export” or “Full Control” usage right.
External user receives “You don’t have permission to open this file” message
This message appears when the file is encrypted with a label that does not include the external user’s email address. Even if the share link is valid, the encryption prevents decryption. The only fix is to remove the label or replace it with a label that allows external access. The external user must be removed from the existing share and re-invited after the label change takes effect.
Folder cannot be shared externally but individual files inside can
A folder inherits the label of its parent site or document library. If the library has a default label that blocks external sharing, the folder cannot be shared externally. However, individual files inside the folder may have a different label applied directly. If a file’s own label allows external sharing, that file can be shared independently. To share the folder externally, either change the library default label via the SharePoint admin center or remove the default label from the folder’s library settings.
Sensitivity Label vs External Sharing: Comparison of Label Configurations
| Item | Label with encryption (blocks external) | Label without encryption (allows external) |
|---|---|---|
| Encryption enabled | Yes | No |
| External sharing via link | Blocked | Allowed |
| External user can open file | No | Yes (if share link is valid) |
| Removal by end user | Often not allowed | Allowed if user has edit rights |
| Admin override possible | Yes, by creating a new label | Not needed |
If you need to share externally but must keep the file encrypted, your administrator can create a label that uses encryption with the “Let users assign permissions” option set to “Anyone” or include specific external domains in the allowed list. This label must be published to users who need to share externally.
You now know how to identify a sensitivity label that blocks external sharing in OneDrive and how to remove or replace the label to allow sharing. If you cannot remove the label yourself, request a less restrictive label from your Microsoft 365 administrator. As an advanced tip, use the Microsoft 365 admin center > SharePoint > Policies > Sharing to set a tenant-level sharing policy that restricts external sharing by default, then rely on sensitivity labels to selectively allow external access for specific files.