Limit Sharing to Existing Guests Only: Practical Checklist for SharePoint Owners
🔍 WiseChecker

As a SharePoint site owner, you may want to allow external collaboration without letting anyone invite new people. By default, SharePoint and OneDrive let users share with people outside the tenant, and each such share creates a new guest account, which leads to directory sprawl and unwanted access. This article explains how to configure SharePoint so that sharing works only with guests who already have accounts in your Microsoft Entra ID directory. You get a practical checklist covering the organization setting, individual sites, OneDrive, and the Entra ID invitation policy that closes the other invitation paths.

Key Takeaways: Restrict Sharing to Existing Guests in SharePoint

  • SharePoint admin center > Policies > Sharing > External sharing: set the organization-level sharing for both SharePoint and OneDrive to Existing guests so that only guests already in the directory can receive sharing invitations.
  • Site-level sharing settings: a site can be set more restrictive than the organization but never more permissive, so the organization setting is the effective cap; still audit sites so that a later loosening of the organization setting does not silently reopen them.
  • Microsoft Entra ID guest invite settings: restrict who can invite guests so that Teams, Microsoft 365 Groups and other apps cannot create new guests either, not just SharePoint.


Why You Need to Limit Sharing to Existing Guests

SharePoint and OneDrive allow external sharing by default. When you share a file or site with someone who is not already in your Microsoft Entra ID tenant, SharePoint creates a new guest account for that person. This behavior can cause your directory to grow with unmanaged external users. If you want to collaborate only with people who already have guest accounts, you must change the sharing settings at the organization level and optionally at each site level.

The key setting is the external sharing level Existing guests (shown in the admin center as “Existing guests: Only guests already in your organization's directory”). When it is selected, SharePoint blocks invitations to people who do not already have a guest account in your tenant. Existing guests can still receive new shares and keep the access they already have. The restriction does not affect sharing with people inside your organization.

This setting lives in the external sharing controls of the SharePoint admin center and works together with the Microsoft Entra ID guest invite settings. The SharePoint setting stops new guest creation from SharePoint and OneDrive sharing; the Entra ID setting controls who may invite guests from any app (Teams, Microsoft 365 Groups, the Entra admin center). Configure both if the goal is that no new guests appear in the directory without an administrator's involvement.

How the Existing Guest Restriction Works

When you set the sharing level to “Only existing guests”, SharePoint checks the email address of the person you are sharing with. If that email address matches a guest user account in your Microsoft Entra ID tenant, the share succeeds. If no matching guest account exists, SharePoint shows an error message and does not send the invitation. The person must be added as a guest through another process, such as a manual invitation from the Microsoft Entra admin center or a Microsoft 365 group membership.

What Happens to Existing Guest Permissions

Existing guests keep all permissions they already have. They can be added to new sites, folders, or files as long as their guest account remains in the directory and is enabled. If you later delete the guest account in Entra ID, or disable it by blocking sign-in, that person loses access to all SharePoint content regardless of the sharing setting.

Checklist to Limit Sharing to Existing Guests

Follow these steps to configure SharePoint and OneDrive to allow sharing only with existing guests. Perform these steps in the order shown.

  1. Set the organization-level sharing policy
    Open the SharePoint admin center (https://admin.microsoft.com/SharePoint redirects to it). In the left navigation, select Policies and then Sharing. Under External sharing, set both the SharePoint and the OneDrive slider to Existing guests, then click Save. The OneDrive slider cannot be set more permissive than the SharePoint slider, so set SharePoint first.
  2. Verify site-level sharing settings
    In the SharePoint admin center, go to Active sites, select a site, and open the Settings tab of the site panel; the external sharing level is listed there with an Edit link. A site cannot be more permissive than the organization setting, so after step 1 the effective level is already Existing guests or stricter. Still set any site that stored a more permissive value (Anyone or New and existing guests) to Existing guests explicitly, so the site stays restricted if the organization setting is ever relaxed. Repeat for each site that should keep the restriction.
  3. Block guest invites from Microsoft Entra ID
    Open the Microsoft Entra admin center at https://entra.microsoft.com. Go to External Identities > External collaboration settings. Under Guest invite settings, choose Only users assigned to specific admin roles can invite guest users (this includes the Guest Inviter role) or No one in the organization can invite guest users. Either choice stops ordinary users from creating guests through any app; choose No one only if you accept that administrators cannot invite guests from the Entra admin center either, which leaves you no way to onboard a new partner.
  4. Review Microsoft 365 group guest settings
    In the Microsoft 365 admin center at https://admin.microsoft.com, go to Settings > Org settings > Security & privacy > Sharing and clear Let users add new guests to this organization; this is the same control as the Entra ID setting in step 3, exposed in a second place. Then go to Settings > Org settings > Services > Microsoft 365 Groups and clear Let group owners add people outside your organization to Microsoft 365 Groups as guests, so that group owners cannot bring new guests in through a Teams team or group site.
  5. Test the restriction
    Open a SharePoint site where you are a member and try to share a document with an external email address that has no guest account. SharePoint should refuse the share with a message saying that your organization's policy does not allow sharing with this user (the exact wording varies by client). Then share the same document with a known existing guest and confirm that it succeeds. If the first share succeeds, recheck the settings in steps 1 through 4; remember that a change to the organization setting can take some time to propagate.
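The same checklist as a script, added here as an example and not taken from the original article. It uses the SharePoint Online Management Shell for steps 1 and 2 and the Microsoft Graph PowerShell SDK for step 3, and then reads the effective values back. The tenant name contoso, the scope names and the cmdlet parameter sets are assumptions for the current module versions; check Get-Help if your installed modules differ.

```powershell
# Added example (not from the original article): apply the "Existing guests"
# restriction with PowerShell and audit every site afterwards.
# Assumptions: tenant name 'contoso'; modules
#   Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Identity.SignIns
#   are installed (Install-Module ... -Scope CurrentUser) and you are a
#   SharePoint admin plus Global/Security admin for the Entra policy.

$TenantName = 'contoso'   # assumption: replace with your own tenant name
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# Step 1: organization-level policy for SharePoint and OneDrive.
# 'ExistingExternalUserSharingOnly' is the PowerShell name of the
# "Existing guests" option in the admin center. OneDrive may not be more
# permissive than SharePoint, so both are set in one call.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly `
              -OneDriveSharingCapability ExistingExternalUserSharingOnly

# Step 2: audit site-level settings. A site can be stricter than the
# organization but never looser, so the organization value already caps
# every site; tightening the stored site value keeps the site restricted
# even if someone relaxes the organization setting later.
$allowed = @('ExistingExternalUserSharingOnly', 'Disabled')
$tooOpen = Get-SPOSite -Limit All |
    Where-Object { $allowed -notcontains [string]$_.SharingCapability }
foreach ($site in $tooOpen) {
    Write-Host "Tightening $($site.Url) (stored value was $($site.SharingCapability))"
    Set-SPOSite -Identity $site.Url -SharingCapability ExistingExternalUserSharingOnly
}

# Step 3: Entra ID guest invite policy. 'adminsAndGuestInviters' matches the
# portal option "Only users assigned to specific admin roles can invite guest
# users", so admins can still onboard a partner through the Entra admin
# center. 'none' closes every invitation path, including the portal.
Connect-MgGraph -Scopes 'Policy.ReadWrite.Authorization'
Update-MgPolicyAuthorizationPolicy -AllowInvitesFrom 'adminsAndGuestInviters'

# Verification: read the effective values back before announcing the policy.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability
Write-Host "Entra allowInvitesFrom: $((Get-MgPolicyAuthorizationPolicy).AllowInvitesFrom)"
Write-Host "Sites tightened: $($tooOpen.Count)"
```

Run the audit part on its own first (comment out the Set-SPOSite line) to see how many sites would change; sites that were deliberately set to Disabled are left alone because that value is already stricter than the target.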


Common Issues When Limiting Sharing to Existing Guests

“You can’t share with this user” error still appears for existing guests

If a share to an existing guest fails, the guest account may be disabled, deleted, or still pending redemption. Check the user in the Microsoft Entra admin center under Users > All users: confirm the account exists, that sign-in is not blocked, and that the User type is Guest (a guest converted to Member is no longer treated as an external user). Guest accounts do not need a Microsoft 365 license to receive SharePoint shares.

New guests are still being created despite the restriction

A site cannot override the organization setting upward, so a site set to Anyone or New and existing guests still behaves as Existing guests once the organization level is restricted. If new guests keep appearing, look at the other paths first: the OneDrive slider in Policies > Sharing, Teams and Microsoft 365 Groups (step 4), and the Entra ID guest invite setting, which must not be Anyone in the organization can invite. The Entra ID sign-in and audit logs show which app created a given guest. Finally, recheck that the change in step 1 was actually saved and has had time to propagate.

OneDrive sharing still allows new guests

OneDrive has its own sharing setting in the SharePoint admin center. Go to Policies > Sharing and set the OneDrive slider under External sharing to Existing guests. This setting applies to all OneDrive accounts in the organization; it can be stricter than the SharePoint setting but not more permissive.

Users cannot share with external partners who are already in the directory

If the guest account exists but the share fails, the address being shared to may not be the one stored on the guest account. A guest invited as jo@partner.example can have the invitation redeemed with a different address, or the guest may be known by an alias. In Entra ID, open the guest and compare the Email and Other emails attributes and the User principal name (which for B2B guests has the form name_domain.com#EXT#@yourtenant.onmicrosoft.com). Share to the address that Entra ID stores for the guest, or ask the guest which address they signed in with.
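An added example (not from the original article) that reproduces the directory check described under “How the Existing Guest Restriction Works” so you can tell a missing guest from a guest whose stored address differs from the one being shared to, the cause discussed just above. It assumes the Microsoft Graph PowerShell SDK, the User.Read.All scope, and the sample address jo@partner.example; the function name Test-ExistingGuest is this example's own.

```powershell
# Added example (not from the original article): look up an address the way
# the "Existing guests" check does, then explain why a share would fail.
# Assumptions: Microsoft.Graph.Users module, User.Read.All consent, and the
# constructed sample address below.

Connect-MgGraph -Scopes 'User.Read.All'

function Test-ExistingGuest {
    param([Parameter(Mandatory)][string]$Email)

    $props = 'Id','DisplayName','Mail','OtherMails','UserPrincipalName',
             'AccountEnabled','UserType','ExternalUserState'
    $safe = $Email.Replace("'", "''")    # escape for the OData filter string

    # 1. Exact match on the primary mail attribute, guests only.
    $guest = Get-MgUser -Filter "userType eq 'Guest' and mail eq '$safe'" -Property $props
    $matchedOn = 'mail'

    # 2. Fallback: the address may only be recorded as an alias in otherMails.
    if (-not $guest) {
        $guest = Get-MgUser -Filter "userType eq 'Guest' and otherMails/any(m:m eq '$safe')" -Property $props
        $matchedOn = 'otherMails'
    }

    # 3. Last resort: any user (guest or member) with that mail, to spot a
    #    guest that was converted to Member and is no longer "external".
    if (-not $guest) {
        $guest = Get-MgUser -Filter "mail eq '$safe'" -Property $props
        $matchedOn = 'mail (non-guest)'
    }

    if (-not $guest) {
        return [pscustomobject]@{ Email = $Email; Verdict = 'No account: share will be blocked; invite via Entra admin center first' }
    }

    $reason = switch ($true) {
        ($guest.UserType -ne 'Guest')            { 'Account is Member, not Guest; not treated as an existing guest' }
        (-not $guest.AccountEnabled)             { 'Guest exists but sign-in is blocked; re-enable or delete' }
        ($guest.ExternalUserState -eq 'PendingAcceptance') { 'Guest exists but has not redeemed the invitation yet' }
        default                                  { 'Existing guest: share should succeed' }
    }

    [pscustomobject]@{
        Email     = $Email
        MatchedOn = $matchedOn
        StoredAs  = $guest.Mail
        Upn       = $guest.UserPrincipalName
        Verdict   = $reason
    }
}

# Constructed sample input; replace with the address that failed to share.
Test-ExistingGuest -Email 'jo@partner.example' | Format-List
```

When MatchedOn reports otherMails, the share is failing because the user typed an alias that SharePoint does not resolve; sharing to the StoredAs address, or adding the alias to the guest's Mail attribute, fixes it without creating a second guest.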

Sharing Setting Comparison: Organization vs Site vs OneDrive

Item                     Organization-level                               Site-level                                          OneDrive
Scope                    All SharePoint sites and OneDrive                One site                                            All OneDrive accounts
Default setting          Anyone (most permissive)                         Inherits the organization setting at creation       Anyone (same as SharePoint)
Override allowed         No (it is the cap for everything else)           Stricter only; never more permissive than the org   Stricter than SharePoint only; never more permissive
Affects new guests       Yes                                              Yes                                                 Yes
Configuration location   SharePoint admin center > Policies > Sharing     Active sites > site > Settings > External sharing   SharePoint admin center > Policies > Sharing (OneDrive slider)

After you complete this checklist, your SharePoint environment allows sharing only with people who already have guest accounts in your tenant. New external users cannot be invited through SharePoint or OneDrive sharing links or direct invitations. To onboard a new guest, an administrator or a user holding the Guest Inviter role invites them from the Microsoft Entra admin center; if you chose No one in step 3, that path is closed as well, so decide on an onboarding process before applying that option. As an advanced tip, use Microsoft Entra ID access reviews to periodically confirm which guest accounts still need access, since a stale guest that is still enabled remains shareable under this restriction.