Review External Sharing Settings Across All Sites: Practical Checklist for SharePoint Owners

As a SharePoint site owner, you need to know who outside your organization can access your content. External sharing settings can vary by site and by tenant. This can lead to unintended access if not reviewed regularly. This article provides a practical checklist to review and update external sharing settings across all your SharePoint sites. You will learn the key settings to check, how to audit them at scale, and what actions to take for secure sharing.

Understanding SharePoint External Sharing Settings

SharePoint allows you to share content with people outside your organization. The tenant-level setting defines the most permissive sharing level allowed. Each site can then be set to a less permissive level but not more permissive than the tenant setting. There are four sharing levels for SharePoint sites: Anyone (anonymous links), New and existing guests, Existing guests only, and Only people in your organization. The default for new sites depends on the tenant setting. Site owners can change the site-level sharing setting if the tenant allows it. Understanding this hierarchy is essential before you start auditing.

Sharing Levels Explained

The Anyone setting lets users share files and folders using anonymous links. Anyone with the link can access the content without signing in. The New and existing guests setting requires external recipients to authenticate using a Microsoft account or a work or school account. The Existing guests only setting only allows sharing with people who already have a guest account in your Microsoft Entra ID. The Only people in your organization setting disables all external sharing. Each level has security implications. Anonymous links are convenient but offer no control over who uses the link. Authenticated guest links provide better tracking and revocation options.

Where Settings Apply

The tenant-level sharing setting applies to all sites by default. Site owners can override this for their sites if the tenant allows. Changes at the tenant level do not automatically change existing site-level overrides. This means a site could be set to a more permissive level than the current tenant default. You must check each site individually or use PowerShell to list all site sharing settings. The SharePoint admin center provides a Sharing report under Reports > Site usage to see sharing activity, but it does not show the actual sharing setting for each site.

Checklist to Review External Sharing Settings

Use this checklist to systematically review and adjust external sharing settings for all SharePoint sites you own. Perform each step in order. Document the current setting and the desired setting for each site. Then apply changes as needed.

1. Check the tenant-level default sharing setting
   Sign into the SharePoint admin center at https://admin.microsoft.com/SharePoint. In the left navigation, select Policies and then select Sharing. Under External sharing, review the setting for SharePoint. The default is typically New and existing guests. If you want to restrict all sharing, select Only people in your organization. Changing the tenant default does not affect sites that have a custom sharing setting. Record the current tenant setting.
2. Identify all sites you own or manage
   In the SharePoint admin center, select Active sites to see a list of all sites. Filter by owner if needed. Note the URL and the current external sharing status shown in the External sharing column. This column shows the site-level sharing setting. If the column is not visible, click Add columns and select External sharing.
3. Review site-level sharing settings for each site
   Click on a site URL to open the site details panel. Under External sharing, note the current setting. Compare it with the tenant default. If the site setting is more permissive than the tenant default, the tenant setting overrides. However, if the tenant setting becomes more restrictive later, the site setting remains. Change the site setting by clicking Change and selecting the appropriate level. Click Save.
4. Use PowerShell to export all site sharing settings
   Open SharePoint Online Management Shell as an administrator. Run Connect-SPOService -Url https://admin.sharepoint.com and sign in with global admin or SharePoint admin credentials. Run Get-SPOSite | Select Url, SharingCapability to get a list of all sites and their sharing settings. Export to CSV for offline review. This method shows the effective sharing setting for each site.
5. Set a policy for anonymous links
   If your tenant allows Anyone links, decide if you want to allow them on specific sites. In the SharePoint admin center, under Policies > Sharing, scroll to Advanced settings for Anyone links. Set expiration and permissions for anonymous links. For example, set links to expire after 30 days and set them to view-only by default. Apply the policy to all sites or specific sites.
6. Enable guest link expiration
   Under Policies > Sharing, find External sharing expiration. Set a default expiration period for guest links. For example, set links to expire after 90 days. This automatically revokes access after the expiration period. Users can request extensions if needed.
7. Review and clean up existing external users
   In the Microsoft Entra admin center, go to Identity > Users > All users. Filter by User type and select Guest. Review the list of guest users. Remove any guests who no longer need access. You can also use Microsoft Entra access reviews to automate this process.
8. Schedule regular access reviews
   In the Microsoft Entra admin center, go to Identity > Governance > Access reviews. Create a new access review for guest users of specific SharePoint sites. Set the review to recur every 90 days. Assign reviewers who are site owners. This ensures ongoing compliance with your sharing policy.

Common Issues When Reviewing External Sharing Settings

Site Sharing Setting Shows as Inherited But Is Different

In the SharePoint admin center, the External sharing column sometimes shows Inherited even when the site has a custom setting. This occurs when the site was created with a template that set a specific sharing level. To verify the actual setting, use PowerShell or open the site details panel. The panel always shows the effective setting. If you need to change it, click Change and select the correct level.

Changes to Tenant Default Do Not Apply to Existing Sites

The tenant-level sharing setting only applies to new sites. Existing sites retain their individual settings. To enforce a new default across all sites, you must update each site manually or use PowerShell. Run Set-SPOSite -Identity -SharingCapability for each site. Use a CSV export to script this for multiple sites.

External Users Cannot Access the Site After You Change the Setting

If you change a site from Anyone to New and existing guests or Existing guests only, anonymous links stop working. Users who had anonymous links lose access. Guest users who were already invited continue to have access. To prevent disruption, communicate the change to site users before applying it. Consider re-inviting external users with authenticated guest links.

Setting	Tenant Default	Site Override
Anyone	Allowed for new sites	Can be set per site
New and existing guests	Common default	Can be set per site
Existing guests only	Less common	Can be set per site
Only people in organization	Restricted	Can be set per site

Use this checklist quarterly to review external sharing settings. Start with the tenant default, then check each site. Use PowerShell for large environments. Set expiration policies for guest links and anonymous links. Schedule access reviews to remove unused guest accounts. By following these steps, you maintain control over who can access your SharePoint content from outside your organization. For advanced security, consider blocking downloads for unmanaged devices using conditional access policies in Microsoft Entra ID.