How to Limit OneDrive Sharing to Existing Guests in OneDrive for Business

You want to stop OneDrive users from sharing files and folders with new external guest accounts while still allowing sharing with guests already in your Microsoft 365 directory. The default OneDrive sharing settings let users invite any external email address, which can lead to unwanted guest accounts and security risks. This article explains how to configure the OneDrive sharing policy to restrict external sharing to only existing guests in your organization’s Azure AD. You will learn the exact steps in the Microsoft 365 admin center and the SharePoint admin center to enforce this policy.

Key Takeaways: Restrict OneDrive Sharing to Existing Guests Only

  • Microsoft 365 admin center > SharePoint admin center > Policies > Sharing: Controls the organization-level external sharing setting for OneDrive and SharePoint, including the option to limit sharing to existing guests.
  • Set external sharing to “Existing guests”: This option prevents users from sharing with new external email addresses while maintaining access for guests already in Azure AD.
  • Audit existing guest accounts before enforcing: Review the guest list in Azure AD to ensure current guests still need access before you lock down sharing to existing guests only.


What Does “Existing Guests” Mean in OneDrive Sharing?

When you limit OneDrive sharing to existing guests, you change the external sharing policy so that only people who already have a guest user account in your Microsoft 365 tenant can receive new sharing invitations. Any external email address that does not already exist as a guest in Azure Active Directory will be blocked from accessing shared content. This setting does not remove existing permissions — guests who already have access to a file or folder keep that access.

The option is part of the SharePoint and OneDrive sharing settings at the organization level. It is not a per-user setting. Once enabled, all OneDrive for Business sites in the tenant inherit this restriction. The setting applies to sharing links, direct invitations, and any request for access from external users.

Before you enable this restriction, you must have at least one guest user in your tenant. If no guests exist, the setting effectively blocks all external sharing because there are no existing guests to share with. Guests get into the tenant in one of two ways: an admin adds them manually through Azure AD, or they accepted a previous sharing invitation.

Steps to Limit OneDrive Sharing to Existing Guests

You must have SharePoint admin or Global admin permissions to change these settings. The configuration is done in the SharePoint admin center, which also controls OneDrive sharing policies.

  1. Sign in to the Microsoft 365 admin center
    Go to https://admin.microsoft.com and sign in with a Global admin or SharePoint admin account. In the left navigation, select Admin centers and then choose SharePoint.
  2. Open the sharing policy page
    In the SharePoint admin center, select Policies in the left menu, then choose Sharing. This page shows the organization-wide external sharing settings for both SharePoint and OneDrive.
  3. Select the OneDrive sharing option
    Scroll down to the OneDrive section. Under External sharing, you will see a dropdown with these options: Anyone, New and existing guests, Existing guests, and Only people in your organization. Select Existing guests.
  4. Save the changes
    Click Save at the bottom of the page. The change takes effect immediately for all OneDrive sites. Users who try to share a file or folder with an email address that is not already a guest will see an error message.

Verify the Setting Is Applied

To confirm the policy is working, sign in as a regular OneDrive user and attempt to share a file with an external email address that does not exist as a guest in your tenant. The sharing dialog should show a message that external sharing is limited to existing guests. If the user can still send the invitation, the setting may not have saved, or a custom policy at the site level may override the organization setting.


What Happens When Users Try to Share with a New External User

After you enable the “Existing guests” restriction, users see different behavior depending on how they share:

  • Direct invitations: When a user enters an email address that is not a guest, the sharing dialog displays an error: “Sharing with external users is limited to existing guests.” The user cannot send the invitation.
  • Sharing links: Users can still create “People in your organization” links and “Specific people” links for internal users. External sharing links such as “Anyone with the link” are disabled entirely when the setting is “Existing guests” or stricter.
  • Access requests: If an external user without a guest account requests access to a file, the request is automatically denied. The file owner receives a notification that the request was blocked.

Existing guests continue to receive new sharing invitations and can access files they already have permission to. Their existing access is not affected by this policy change.

Common Issues When Limiting Sharing to Existing Guests

Users report that external sharing is completely broken

If no guest accounts exist in your tenant, the “Existing guests” setting blocks all external sharing because there are no recipients to share with. Before enabling this setting, verify that at least one guest account is present. Go to the Azure AD admin center, select Users > All users, and filter by User type = Guest. If the list is empty, either add guests manually or use a different sharing setting such as “New and existing guests.”

Some OneDrive sites still allow new guest sharing

The organization-level setting applies to all OneDrive sites by default, but a SharePoint admin can override it at the site collection level. To check if a custom policy exists, go to the SharePoint admin center, select Sites > Active sites, choose the affected OneDrive site, and select Policies in the site panel. Under External sharing, ensure it is set to “Same as organization-level setting.”
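The checks from "Verify the Setting Is Applied" and from this section can also be run from the SharePoint Online Management Shell. The script below is an added example, not part of the original article. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed, and the admin URL is a placeholder for your tenant.

```powershell
# Added example: audit OneDrive external sharing at tenant and site level.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant URL
Connect-SPOService -Url $AdminUrl

# Sharing levels that still let users invite brand-new external recipients:
#   ExternalUserSharingOnly     = "New and existing guests"
#   ExternalUserAndGuestSharing = "Anyone"
$AllowsNewGuests = @('ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')

# 1. Organization-level values (what the Policies > Sharing page shows).
$tenant  = Get-SPOTenant
$limited = "$($tenant.OneDriveSharingCapability)" -eq 'ExistingExternalUserSharingOnly'
[pscustomobject]@{
    SharePointLevel                 = $tenant.SharingCapability
    OneDriveLevel                   = $tenant.OneDriveSharingCapability
    OneDriveLimitedToExistingGuests = $limited
} | Format-List

# To apply the setting from the shell instead of the admin center, uncomment:
# Set-SPOTenant -OneDriveSharingCapability ExistingExternalUserSharingOnly

# 2. Per-site values: list OneDrive sites whose own setting permits new guests.
$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$deviations = foreach ($site in $oneDrives) {
    # Re-query by URL so the per-site sharing value is read directly.
    $detail = Get-SPOSite -Identity $site.Url
    if ($AllowsNewGuests -contains "$($detail.SharingCapability)") {
        [pscustomobject]@{
            Url     = $detail.Url
            Owner   = $detail.Owner
            Sharing = $detail.SharingCapability
        }
    }
}

if ($deviations) {
    $deviations | Sort-Object Url | Format-Table -AutoSize
} else {
    'No OneDrive site permits sharing with new guests.'
}
```

The script only reads settings unless the `Set-SPOTenant` line is uncommented, so it can be scheduled as a recurring drift check.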

Guest users cannot access shared content after the change

The “Existing guests” setting does not revoke access from current guests. If a guest cannot access a file, check whether the guest account is still active in Azure AD. Guest accounts can expire or be deleted by an admin. Go to Azure AD > Users > select the guest user and verify the account is enabled and not blocked from sign-in.
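The guest checks described under "Users report that external sharing is completely broken" and in this section can be run in one pass with the Microsoft Graph PowerShell SDK. This is an added example, not part of the original article. It assumes the Microsoft.Graph.Users module is installed and that the signed-in admin can consent to the User.Read.All scope; the CSV file name is arbitrary.

```powershell
# Added example: inventory guest accounts before and after restricting sharing.
Connect-MgGraph -Scopes 'User.Read.All'

$props  = 'id','displayName','mail','userPrincipalName','accountEnabled',
          'createdDateTime','externalUserState'
$guests = @(Get-MgUser -Filter "userType eq 'Guest'" -All -Property $props)

# With zero guests, "Existing guests" leaves nobody to share with.
if ($guests.Count -eq 0) {
    Write-Warning 'No guest accounts: "Existing guests" would block all external sharing.'
    return
}

$report = $guests | ForEach-Object {
    [pscustomobject]@{
        DisplayName = $_.DisplayName
        Mail        = $_.Mail
        Enabled     = $_.AccountEnabled      # False = blocked from sign-in
        InviteState = $_.ExternalUserState   # PendingAcceptance or Accepted
        Created     = $_.CreatedDateTime
    }
}

$disabled = @($report | Where-Object { -not $_.Enabled })
$pending  = @($report | Where-Object { $_.InviteState -eq 'PendingAcceptance' })

"Guests total:                $($guests.Count)"
"Disabled (sign-in blocked):  $($disabled.Count)"
"Invitation not yet redeemed: $($pending.Count)"

# Accounts that explain "guest cannot access shared content" reports.
$report |
    Where-Object { -not $_.Enabled -or $_.InviteState -eq 'PendingAcceptance' } |
    Sort-Object Created |
    Format-Table -AutoSize

# Full list for the access review: who still needs to be a guest?
$report | Export-Csv -Path .\guest-audit.csv -NoTypeInformation
```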

Organization-Level Sharing vs OneDrive Site-Level Sharing

| Item | Organization-Level Sharing | OneDrive Site-Level Sharing |
|---|---|---|
| Description | Default policy applied to all SharePoint and OneDrive sites in the tenant | Custom policy that overrides the organization default for a specific OneDrive site |
| Where to set it | SharePoint admin center > Policies > Sharing | SharePoint admin center > Sites > Active sites > select site > Policies |
| Effect on new guests | Blocks all new guest invitations if set to “Existing guests” | Can allow new guests even if the organization setting blocks them |
| Permissions needed | SharePoint admin or Global admin | SharePoint admin or site collection admin |

If you need to allow new guest sharing for specific OneDrive sites while blocking it for others, set the organization-level setting to “Existing guests” and then individually set specific OneDrive sites to “New and existing guests.” This gives you granular control without opening up sharing for all users.

Conclusion

You can now restrict OneDrive sharing to only existing guest accounts by changing the external sharing setting in the SharePoint admin center to “Existing guests.” This reduces the risk of unauthorized external access while preserving collaboration with partners and vendors already in your directory. Verify that guest accounts exist in Azure AD before applying the setting to avoid completely blocking external sharing. As an advanced step, consider using Azure AD guest access reviews to periodically audit which guests still require access and remove inactive accounts. This keeps your guest list clean and your sharing policy secure.
