You need to audit which users in your organization share OneDrive files and folders with people outside your company. Without a tenant-level review, external sharing settings can drift from security policies, exposing sensitive data. This article explains how to use the Microsoft 365 admin center and PowerShell to review all external sharing settings for OneDrive in one place. By following these steps, you can confirm your tenant is configured correctly and identify any users who have changed their default sharing scope.
Key Takeaways: Review OneDrive External Sharing Settings Tenant-Wide
- Microsoft 365 admin center > Settings > Org settings > OneDrive > Sharing: View and change the default external sharing level for all new OneDrive sites.
- SharePoint admin center > Policies > Sharing: Set the tenant-wide external sharing policy that applies to all SharePoint and OneDrive sites, including file and folder sharing limits.
- SharePoint Online Management Shell (PowerShell): Use Get-SPOSite to retrieve the exact sharing capability for each OneDrive site and identify sites that differ from the tenant default.
What Controls OneDrive External Sharing at the Tenant Level
OneDrive external sharing is governed by two layers of settings in Microsoft 365. The first layer is the tenant-wide sharing policy, which sets the maximum allowed sharing level for all SharePoint and OneDrive sites. The second layer is the per-site sharing setting, which can be more restrictive than the tenant policy but never more permissive. When you review external sharing at the tenant level, you are checking both the tenant policy and the individual site settings to ensure they match your security requirements.
The tenant-level sharing policy includes four levels:
- Anyone: Users can share files and folders with any person, including anonymous links that do not require sign-in.
- New and existing guests: Users can share with people outside the organization who sign in with a Microsoft account or a work or school account.
- Existing guests: Users can share only with guests who already exist in your Azure AD directory.
- Only people in your organization: External sharing is disabled for all sites.
The per-site setting for each OneDrive site can be set to a level equal to or more restrictive than the tenant policy. For example, if the tenant policy allows sharing with anyone, a specific user’s OneDrive can be limited to existing guests only. This flexibility means a tenant-level review must check both the global policy and the individual site configurations.
Steps to Review OneDrive External Sharing Settings Using the Admin Center
- Open the Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in with a Global Admin or SharePoint Admin account.
- Navigate to Org settings
  In the left navigation pane, select Settings and then Org settings.
- Select the OneDrive service
  On the Services tab, scroll down and click OneDrive. If you do not see it, use the search box at the top of the list and type OneDrive.
- Review the Sharing section
  In the OneDrive settings panel, select the Sharing tab. Here you will see the default sharing level for new OneDrive sites. This setting applies only to sites created after the change. To see the current effective policy, review the note below the dropdown that states the tenant-level SharePoint sharing policy.
- Check the tenant-wide SharePoint sharing policy
  In a separate browser tab, open the SharePoint admin center at https://admin.microsoft.com/SharePoint. In the left pane, select Policies, then Sharing. Under External sharing, you will see the tenant-level policy that applies to all SharePoint and OneDrive sites. This is the maximum level allowed. Compare it with the OneDrive default setting you saw in the previous step.
Steps to Review OneDrive External Sharing Using PowerShell
The admin center shows the default setting for new OneDrive sites and the tenant-level policy. To see the actual sharing setting for every existing OneDrive site, you must use PowerShell. This method is essential for auditing compliance because many users may have changed their site’s sharing level after creation.
Prerequisites for PowerShell
- Install the SharePoint Online Management Shell. Open PowerShell as an administrator and run:
  ```powershell
  Install-Module -Name Microsoft.Online.SharePoint.PowerShell
  ```
- You must have SharePoint Admin or Global Admin permissions.
Connect to SharePoint Online
- Open the SharePoint Online Management Shell
  Launch PowerShell as an administrator and run the following command to connect:
  ```powershell
  Connect-SPOService -Url https://yourtenant-admin.sharepoint.com
  ```
  Replace `yourtenant` with your actual tenant name. Sign in with your admin credentials when prompted.
Retrieve OneDrive Sites with Their Sharing Settings
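- Run the Get-SPOSite command for OneDrive sites
  Use the following command to get all OneDrive sites (personal sites, hosted under the My Site host). Get-SPOSite leaves personal sites out of its results unless `-IncludePersonalSite` is set, so the command includes it and filters on the personal-site URL pattern:
  ```powershell
  # List every user's OneDrive site with its current sharing level
  Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
      Select-Object Url, SharingCapability
  ```
  This command returns the URL and the current sharing capability for every user’s OneDrive site.
- Interpret the SharingCapability values
  The output shows values like `ExternalUserAndGuestSharing` (anyone), `ExternalUserSharingOnly` (new and existing guests), `ExistingExternalUserSharingOnly` (existing guests), or `Disabled` (only people in your organization). Compare these values against your required policy.
- Filter for sites that are more permissive than your policy
  To find OneDrive sites where sharing is set higher than allowed, run:
  ```powershell
  # Show only OneDrive sites whose sharing level is anything other than Disabled
  Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
      Where-Object { $_.SharingCapability -ne "Disabled" } |
      Select-Object Url, SharingCapability
  ```
  Adjust the filter value to match your desired maximum level.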
Common Misconfigurations and How to Identify Them
OneDrive Default Sharing Is Set to Anyone but Tenant Policy Allows Only Existing Guests
This configuration is safe because the tenant policy overrides the per-site default. The effective sharing level for new sites will be existing guests only. However, if you later change the tenant policy to a more permissive level, the OneDrive default will apply. To avoid future risk, set the OneDrive default to match your intended policy.
Individual OneDrive Sites Have a More Permissive Setting Than the Tenant Policy
This situation cannot occur. The per-site setting is always capped by the tenant policy. If you see a site with a sharing capability that seems too high, check the tenant policy first. The tenant policy may have been changed after the site was created, but the site will still respect the tenant maximum.
Changes Made in the OneDrive Admin Panel Do Not Affect Existing Sites
The default sharing level in the OneDrive settings panel applies only to new OneDrive sites. Existing sites retain their individual settings. To change the sharing level for all existing OneDrive sites, use the SharePoint admin center or PowerShell. In the SharePoint admin center, go to Active sites, select all OneDrive sites, and choose Sharing from the toolbar to bulk update.
| Item | Admin Center (OneDrive Settings) | PowerShell (Get-SPOSite) |
|---|---|---|
| Scope | Default setting for new OneDrive sites only | Actual sharing capability for every existing OneDrive site |
| Ease of use | Graphical interface, no scripting required | Requires PowerShell knowledge and module installation |
| Bulk update | Not possible | Possible with Set-SPOSite piped from Get-SPOSite |
| Audit history | No built-in audit log for default changes | Can export results to CSV for change tracking |
| Best use case | Quick check of the intended policy for new sites | Comprehensive audit and remediation of all sites |
Now you can review OneDrive external sharing at the tenant level using both the admin center and PowerShell. Start by checking the tenant-wide sharing policy in the SharePoint admin center to confirm the maximum allowed level. Then use PowerShell to export the actual sharing capability of every OneDrive site and identify any sites that need adjustment. For ongoing compliance, schedule a monthly PowerShell script that emails a report of sites with sharing levels above your approved threshold.
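The following script is an added example, not part of the original article. It generalizes the "adjust the filter value" step and the recurring report described above: it ranks the four SharingCapability values, compares each OneDrive site against an approved maximum, and exports the result to CSV. It assumes an existing Connect-SPOService session; `$ApprovedMax`, `$ReportPath` and the column names are assumptions chosen for illustration.

```powershell
# Added example: rank-based audit of OneDrive sharing levels.
# Assumed values: set these to your own approved level and report path.
$ApprovedMax = 'ExistingExternalUserSharingOnly'
$ReportPath  = '.\OneDriveSharingAudit.csv'

# The four SharingCapability values, ordered from most to least restrictive.
$Rank = @{
    'Disabled'                        = 0
    'ExistingExternalUserSharingOnly' = 1
    'ExternalUserSharingOnly'         = 2
    'ExternalUserAndGuestSharing'     = 3
}
if (-not $Rank.ContainsKey($ApprovedMax)) { throw "Unknown approved level: $ApprovedMax" }

# Tenant-wide ceiling: a site's effective level can never exceed it.
$tenantCap = [string](Get-SPOTenant).SharingCapability

$sites = Get-SPOSite -IncludePersonalSite $true -Limit All `
    -Filter "Url -like '-my.sharepoint.com/personal/'"

$report = foreach ($site in $sites) {
    $configured = [string]$site.SharingCapability
    if (-not $Rank.ContainsKey($configured)) {
        Write-Warning "Unrecognized SharingCapability '$configured' on $($site.Url)"
        continue
    }
    # Effective level is the more restrictive of the site and tenant settings.
    $effective = if ($Rank[$configured] -le $Rank[$tenantCap]) { $configured } else { $tenantCap }
    [pscustomobject]@{
        Url           = $site.Url
        Owner         = $site.Owner
        Configured    = $configured
        Effective     = $effective
        # Sharing above the approved level is possible today.
        ExceedsPolicy = $Rank[$effective] -gt $Rank[$ApprovedMax]
        # Site setting is above the approved level and is held back only by the tenant cap.
        LatentRisk    = ($Rank[$configured] -gt $Rank[$ApprovedMax]) -and
                        ($Rank[$effective] -le $Rank[$ApprovedMax])
    }
}

# Full export for change tracking, then an on-screen list of sites needing attention.
$report | Sort-Object Url | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Where-Object { $_.ExceedsPolicy -or $_.LatentRisk } |
    Format-Table Url, Configured, Effective, ExceedsPolicy, LatentRisk -AutoSize
```

Sites flagged LatentRisk are the ones that would start sharing above the approved level if the tenant policy were later relaxed, so comparing successive CSV exports shows both current violations and drift in per-site settings.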