Review External Sharing Settings Across All Sites: Best Settings for Microsoft 365

External sharing in Microsoft 365 can expose sensitive data if not configured correctly. Many organizations have hundreds of SharePoint sites, each with its own sharing level. Without a centralized review, you risk oversharing with anonymous users or blocking legitimate collaboration. This article explains how to audit external sharing settings across all sites using the SharePoint admin center and Microsoft PowerShell. You will learn the recommended settings for security and productivity.

Key Takeaways: External Sharing Settings Audit

  • SharePoint admin center > Policies > Sharing: Sets the organization-wide external sharing default for all new sites.
  • SharePoint admin center > Active sites > Sharing: Lets you review and change sharing settings for individual existing sites.
  • Get-SPOSite command in PowerShell: Retrieves the SharingCapability property for all sites to find overly permissive sharing levels.


Understanding External Sharing Levels in SharePoint

SharePoint offers five external sharing levels for sites. Each level controls how users can share content with people outside your organization. The levels are:

  • Anyone: Users can share files and folders using links that do not require sign-in. Anyone with the link can access the content anonymously.
  • New and existing guests: Users can share with people outside the organization who have a Microsoft account. New guests receive an invitation to create an account.
  • Existing guests: Users can share only with guests already in your Azure AD directory. No new external users can be invited.
  • Only people in your organization: External sharing is disabled entirely. Only internal users can access content.
  • Only people in specific security groups: External sharing is allowed only for members of designated security groups. This level appears only when organization-level settings restrict sharing to specific groups.

The organization-wide default in the SharePoint admin center applies to all new sites. Existing sites retain their own sharing settings unless you change them. A site-level setting cannot be more permissive than the organization default. For example, if the organization default is “New and existing guests,” you cannot set a site to “Anyone.”

Steps to Review External Sharing Settings Across All Sites

You can review sharing settings using the SharePoint admin center for a few sites or PowerShell for all sites. The recommended workflow starts with the admin center to understand the organization default, then uses PowerShell to audit every site.

Check the Organization Default in the SharePoint Admin Center

  1. Open the SharePoint admin center
    Sign in to Microsoft 365 admin center, then select Admin centers > SharePoint. Alternatively, go directly to https://admin.microsoft.com/SharePoint.
  2. Navigate to the Sharing settings
    In the left navigation, select Policies, then click Sharing.
  3. Review the external sharing default
    Under External sharing, look at the slider for SharePoint. The selected option is the default for all new sites. Note the current setting.

Review Sharing Settings for Individual Sites in the Admin Center

  1. Open the Active sites list
    In the SharePoint admin center, select Active sites from the left navigation.
  2. Select a site to inspect
    Click the name of any site. A details panel opens on the right side.
  3. Check the Sharing section
    In the panel, scroll to Sharing. The current external sharing level is displayed. To change it, click Edit, select a new level, then click Save.

This method works for a handful of sites, but not for hundreds. Use PowerShell to audit all sites at scale.

Audit All Sites Using PowerShell

Before you start, install the SharePoint Online Management Shell. Open Windows PowerShell as an administrator and run Install-Module -Name Microsoft.Online.SharePoint.PowerShell if you have not installed it.

  1. Connect to SharePoint Online
    Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Replace yourtenant with your tenant name. Sign in with a global admin or SharePoint admin account.
  2. Retrieve all site sharing settings
    Run the following command to export a CSV file with every site and its sharing level:
    Get-SPOSite -Limit All | Select-Object Url, Title, SharingCapability | Export-Csv -Path "C:\temp\sites-sharing.csv" -NoTypeInformation
  3. Open the CSV file
    Open C:\temp\sites-sharing.csv in Excel. The SharingCapability column shows values like ExternalUserAndGuestSharing (Anyone), ExternalUserSharingOnly (New and existing guests), ExistingExternalUserSharingOnly (Existing guests), or Disabled (Only people in your organization).
  4. Filter for overly permissive sites
    In Excel, filter the SharingCapability column to show ExternalUserAndGuestSharing, and also ExternalUserSharingOnly if you want stricter control. Note the URLs of the sites that match.
  5. Change sharing for specific sites
    To change a site sharing level to “Existing guests,” run:
    Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/sitename -SharingCapability ExistingExternalUserSharingOnly
    Replace the URL with the actual site URL from the CSV.
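
The Excel filtering in step 4 can also be done in PowerShell. The following is an added example, not part of the original article: Find-OverPermissiveSite is a hypothetical helper name, and the sample site rows and the output path in the last comment are constructed for illustration.

```powershell
# Rank of each SharingCapability value named in the article, least to most permissive.
$SharingRank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

# Hypothetical helper (not a SharePoint cmdlet): emits sites above the baseline.
function Find-OverPermissiveSite {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        [string] $Baseline = 'ExistingExternalUserSharingOnly'
    )
    begin {
        if (-not $SharingRank.ContainsKey($Baseline)) { throw "Unknown baseline '$Baseline'" }
    }
    process {
        $level = [string]$Site.SharingCapability   # enum from Get-SPOSite, string from CSV
        $finding = if (-not $SharingRank.ContainsKey($level)) {
            'UnknownLevel'      # report unrecognized values instead of treating them as safe
        } elseif ($SharingRank[$level] -gt $SharingRank[$Baseline]) {
            'AboveBaseline'
        }
        if ($finding) {
            [pscustomobject]@{
                Url = $Site.Url; Title = $Site.Title
                SharingCapability = $level; Finding = $finding
            }
        }
    }
}

# Constructed sample rows in the same shape as sites-sharing.csv.
$sample = @'
Url,Title,SharingCapability
https://yourtenant.sharepoint.com/sites/finance,Finance,Disabled
https://yourtenant.sharepoint.com/sites/vendors,Vendors,ExternalUserSharingOnly
https://yourtenant.sharepoint.com/sites/marketing,Marketing,ExternalUserAndGuestSharing
https://yourtenant.sharepoint.com/sites/partners,Partners,ExistingExternalUserSharingOnly
'@ | ConvertFrom-Csv

# Run the check over the sample rows.
$sample | Find-OverPermissiveSite | Format-Table -AutoSize

# Against the live tenant (after Connect-SPOService):
# Get-SPOSite -Limit All | Find-OverPermissiveSite | Export-Csv C:\temp\over-permissive.csv -NoTypeInformation
```

Pass -Baseline Disabled to list every site that allows any external sharing.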


If You Cannot Change Sharing Settings

Sometimes the site sharing setting appears grayed out or cannot be changed. This usually happens because the organization-level default is more restrictive than what you want to set. For example, if the organization default is “Only people in your organization,” you cannot set a site to “Anyone.” Check the organization default first in the SharePoint admin center > Policies > Sharing. If you need a more permissive setting at the site level, you must first change the organization default.

SharePoint Admin Center Does Not Show All Sites

The Active sites list in the admin center shows only sites created in the last 30 days by default. To see older sites, click the Filter button, then select Last 30 days and change it to Last 90 days or All. If you still cannot see a site, use the PowerShell command Get-SPOSite -Limit All | Where-Object {$_.Url -like "*sitename*"} to find it. The wildcards are required because -like without them matches only the exact string, and -Limit All ensures every site is searched.

PowerShell Returns an Access Denied Error

The account you use with Connect-SPOService must have the SharePoint admin role or be a global admin. If you receive an access denied error, ask your Microsoft 365 administrator to assign the SharePoint admin role to your account.

| Setting | Organization Default | Site-Level Override |
| --- | --- | --- |
| Anyone | Allows anonymous links for all new sites | Can be restricted per site to a lower level |
| New and existing guests | Allows inviting new external users | Can be tightened to existing guests only per site |
| Existing guests | Only pre-existing guests can be shared with | Cannot be made more permissive than the default |
| Only people in your organization | No external sharing | Cannot be overridden to enable external sharing |

For most organizations, the recommended setting is Existing guests at the organization level. This prevents new external users from being invited while allowing collaboration with guests already in Azure AD. For highly sensitive sites, set the site-level sharing to Only people in your organization. Use the PowerShell export command to run this audit quarterly and catch any sites that were accidentally set to a permissive level.
