When you share OneDrive files and folders with contractors who are not part of your Microsoft 365 tenant, you must manage sharing settings carefully to protect company data. Contractors often have personal Microsoft accounts or accounts from other organizations, which can cause unexpected access issues or security gaps. This article explains how to configure OneDrive sharing for external collaborators, set expiration dates and passwords, and restrict what contractors can do with your files. You will also learn how to audit external sharing activity to maintain compliance.
Key Takeaways: Secure OneDrive Sharing for Contractors
- Share dialog > Specific people > Can edit or Can view: Use this to send an invite link that requires sign-in and enforces the permission level you set.
- Link settings > Expiration date and password: Enable these options to limit how long a contractor can access a shared item and to add an extra authentication layer.
- Microsoft 365 admin center > SharePoint > Sharing policies: Control tenant-wide external sharing domains, link expiration defaults, and guest access expiration from here.
Understanding External Sharing in OneDrive for Contractors
OneDrive sharing for contractors relies on the same external sharing framework that SharePoint Online uses. When you share a file or folder with someone outside your organization, OneDrive sends an invitation link. The recipient must sign in with a Microsoft account or an Azure AD guest account to access the content. Tenant-level policies set by your IT administrator determine whether external sharing is allowed, which domains are permitted, and whether guests need to authenticate. Contractors who do not have a Microsoft account can be invited as Azure AD B2B guests, which creates a lightweight directory entry in your tenant. This method gives you visibility into who has accessed what and allows you to revoke access centrally. Without these controls, a shared link could remain active indefinitely, and a contractor could forward it to unauthorized individuals.
Prerequisites for Sharing with Contractors
Before you share files with contractors, confirm that your tenant allows external sharing. Your global or SharePoint admin must enable the setting in the Microsoft 365 admin center under Settings > Org settings > SharePoint. The default external sharing level for OneDrive is typically set to Anyone or New and existing guests. For contractor access, the recommended setting is New and existing guests because it requires the recipient to sign in and allows you to manage guest accounts. Additionally, each user’s OneDrive admin settings must allow sharing with external users. These per-user settings are managed in the SharePoint admin center under User profiles > Manage user permissions.
Steps to Share OneDrive Files Securely with Contractors
Follow these steps to share a file or folder with a contractor while applying security controls. The procedure is the same in OneDrive for Business on the web, Windows 11, and Windows 10.
- Open the OneDrive share dialog
In your web browser, go to onedrive.com and sign in with your work or school account. Navigate to the file or folder you want to share. Right-click the item and select Share. Alternatively, select the item and click the Share button in the toolbar at the top of the page.
- Set the permission level
In the share dialog, click the Anyone with the link can edit dropdown. Change the link type to Specific people. This option ensures only the contractor you invite can access the item. Then choose Can edit or Can view. For most contractor scenarios, Can view is safer unless the contractor needs to modify the file.
- Apply an expiration date and password
Click Link settings at the bottom of the share dialog. Under Expiration, set a date when the link will stop working. A typical duration is 30 days. Under Password, check the box and enter a strong password. Share this password with the contractor through a separate communication channel such as a phone call or a different email. Password protection is not available for links set to Anyone.
- Enter the contractor email and send
In the To field, type the contractor email address. Add a short message if desired. Click Send. The contractor receives an email with the link. When they open the link, they are prompted to sign in with a Microsoft account or to authenticate as a guest. If they do not have a Microsoft account, they will be guided to create a free Microsoft account or accept the guest invitation.
- Verify the shared item in your OneDrive
After sending, go back to your OneDrive. Select the shared item. In the details pane on the right, click the Manage access link. You will see the contractor listed under Direct access. You can change permissions or remove access from this pane at any time.
Sharing a Folder with Multiple Contractors
If you need to share a folder with several contractors, repeat the steps above for the folder. Each contractor receives an individual invite. To avoid sending multiple invites, you can create a distribution group or a Microsoft 365 group that contains all contractor email addresses. Share the folder with the group instead. This method simplifies permission management because you can add or remove members from the group without changing the folder sharing settings.
Common Mistakes and Limitations When Sharing with Contractors
Contractor Receives a 403 or Access Denied Error
This error occurs when the contractor attempts to open the link but their account is blocked by tenant policies. The most common cause is that your tenant’s external sharing settings are restricted to specific domains, and the contractor’s email domain is not on the allow list. Ask your IT admin to add the contractor’s domain in the SharePoint admin center under Policies > Sharing > Limit external sharing by domain. Alternatively, the contractor may be signing in with a personal Microsoft account when the link expects a guest account. Instruct the contractor to use the email address that received the invitation.
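The tenant settings behind this error, together with the sharing level and guest expiration covered under the prerequisites, can be read from PowerShell before an invite is sent. This is an added example, not part of the original article; it assumes the SharePoint Online Management Shell module, and the admin URL and contractor domain are placeholders.

```powershell
# Added example: read-only check of tenant sharing settings before inviting a contractor.
# Assumptions: SharePoint Online Management Shell is installed; the admin URL
# and the contractor domain below are placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://<your-tenant>-admin.sharepoint.com'

$contractorDomain = 'contractor.example'   # placeholder: domain of the invited address
$tenant   = Get-SPOTenant
$findings = [System.Collections.Generic.List[string]]::new()

# Admin-center labels map to these values: "Anyone" = ExternalUserAndGuestSharing,
# "New and existing guests" = ExternalUserSharingOnly,
# "Only people in your organization" = Disabled.
foreach ($setting in 'SharingCapability', 'OneDriveSharingCapability') {
    switch ("$($tenant.$setting)") {
        'Disabled'                    { $findings.Add("${setting}: external sharing is off, invites will fail") }
        'ExternalUserAndGuestSharing' { $findings.Add("${setting}: Anyone links are allowed") }
    }
}

# Domain restrictions are the most common cause of Access Denied for an invited contractor.
# Both lists are stored as space-separated strings.
$allowed = @($tenant.SharingAllowedDomainList -split '\s+' | Where-Object { $_ })
$blocked = @($tenant.SharingBlockedDomainList -split '\s+' | Where-Object { $_ })
switch ("$($tenant.SharingDomainRestrictionMode)") {
    'AllowList' { if ($allowed -notcontains $contractorDomain) { $findings.Add("$contractorDomain is not on the allow list") } }
    'BlockList' { if ($blocked -contains $contractorDomain)    { $findings.Add("$contractorDomain is on the block list") } }
}

# Guest access expiration: without it, guest access outlives the contract.
if (-not $tenant.ExternalUserExpirationRequired) {
    $findings.Add('Guest access never expires automatically')
} else {
    Write-Output "Guest access expires after $($tenant.ExternalUserExpireInDays) days"
}

# 'Direct' is the tenant default that corresponds to Specific people links.
if ("$($tenant.DefaultSharingLinkType)" -ne 'Direct') {
    $findings.Add("Default link type is $($tenant.DefaultSharingLinkType), not Specific people")
}

if ($findings.Count -eq 0) {
    Write-Output "No blocking or risky sharing settings found for $contractorDomain."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```

The script changes nothing in the tenant; each warning names the property an administrator would adjust with Set-SPOTenant or in the SharePoint admin center.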
Contractor Cannot Edit the File Despite Having Edit Permissions
This happens when the file is a Microsoft Office document that is open in co-authoring mode and the contractor is using a free web-only version of Office. Free Microsoft accounts cannot edit Office files that are protected by Information Rights Management (IRM) or sensitivity labels. To resolve this, remove IRM protection from the file, or assign the contractor a Microsoft 365 guest license. Check the file’s sensitivity label in OneDrive by selecting the file and viewing the details pane. If a label is applied, change it to a label that allows external editing.
Shared Link Works for Weeks After the Contract Ends
If you did not set an expiration date or remove the contractor’s guest account, the link remains active indefinitely. To prevent this, always set an expiration date when creating the link. After the contract ends, remove the contractor’s guest account from the Microsoft 365 admin center under Users > Guest users. Deleting the guest account revokes all access to shared items in your entire tenant. Also remove any direct access entries from your OneDrive folders by using the Manage access option.
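Guest accounts that outlive a contract can be found by comparing the tenant's guest list with a contract roster. This is an added example, not part of the original article; it assumes the Microsoft Graph PowerShell SDK, and the roster (addresses and dates) is constructed sample data.

```powershell
# Added example: report guest accounts whose contract has ended (read-only).
# Assumptions: Microsoft Graph PowerShell SDK is installed; the roster below is
# constructed sample data standing in for your own contract records.
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'User.Read.All'

$roster = @'
Email,ContractEnd
alex@contractor.example,2024-01-31
sam@agency.example,2099-12-31
'@ | ConvertFrom-Csv

$today  = (Get-Date).Date
$guests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,Mail,DisplayName,CreatedDateTime

# Index guests by the external address they were invited with
# (PowerShell hashtable keys are case-insensitive).
$byMail = @{}
foreach ($g in $guests) { if ($g.Mail) { $byMail[$g.Mail] = $g } }

# Guests still present after their contract end date.
$overdue = foreach ($row in $roster) {
    $end   = [datetime]::ParseExact($row.ContractEnd, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
    $guest = $byMail[$row.Email]
    if ($guest -and $end -lt $today) {
        [pscustomobject]@{
            Email       = $row.Email
            ContractEnd = $row.ContractEnd
            DaysOverdue = ($today - $end).Days
            GuestId     = $guest.Id
        }
    }
}

# Guests that appear on no roster at all: nobody is tracking their end date.
$untracked = $guests | Where-Object { $_.Mail -and ($roster.Email -notcontains $_.Mail) } |
    Select-Object Mail, DisplayName, CreatedDateTime

Write-Output 'Guests past contract end:'
$overdue | Sort-Object DaysOverdue -Descending | Format-Table -AutoSize
Write-Output 'Guests not on any contract roster:'
$untracked | Format-Table -AutoSize
```

The report only lists accounts; removal is still done as described above, from Users > Guest users and the Manage access pane.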
OneDrive Sharing Link Types: Contractor vs Internal User
| Item | Anyone with the link | Specific people |
|---|---|---|
| Authentication required | No | Yes |
| Expiration date available | No | Yes |
| Password protection | No | Yes |
| Best for contractors | Never | Always |
The Anyone link type bypasses all identity checks and should never be used for external contractor sharing. The Specific people link type requires the recipient to authenticate, supports expiration and password protection, and is the only secure option for sharing with contractors.
Conclusion
You can now share OneDrive files with contractors using expiration dates, passwords, and the Specific people link type to control access. After setting up a share, audit the access list periodically and remove guest accounts when contracts end. For ongoing collaboration, consider using a Microsoft 365 group instead of individual shares to simplify permission management. As an advanced tip, create a SharePoint site for each contractor engagement and use OneDrive sync for the site library to give the contractor a familiar Windows Explorer experience while keeping all security policies in place.