You set a company-wide sharing policy in the SharePoint admin center, but one site still allows external sharing at a higher level. This breaks your security rules and can expose sensitive data. The root cause is usually a site-level sharing override that the admin center policy did not force down. This article explains why a single site can ignore the tenant policy and shows you exactly which settings to verify and fix.
Key Takeaways: Why One Site Ignores the Tenant Sharing Policy
- SharePoint admin center > Policies > Sharing: Sets the tenant-wide default, but does not force existing sites unless you check the override box.
- Site-level sharing settings: A site owner or admin can set a more permissive level that overrides the tenant policy.
- Site sharing link (gear icon > Site permissions > Sharing settings): The exact menu path to review and change the site-specific sharing level.
Why a Single Site Can Have Different Sharing Rules
SharePoint Online has two layers of sharing configuration. The tenant-level policy in the SharePoint admin center sets the maximum allowed sharing level for all sites. Site-level settings can be more restrictive than the tenant policy, but they can also be more permissive if the tenant policy has not been forced down. When you create a new site, it inherits the tenant default. However, existing sites that were created before a policy change or that had their sharing settings manually changed will keep their own level unless you explicitly apply the tenant policy to them.
The SharePoint admin center sharing page includes an option that says “Limit external sharing using domains” and a separate setting for “Let users override the sharing policy.” If you do not select the check box that says “Only let users share with external users that exist in your organization’s directory” or if you leave the site-level setting untouched, the site retains its previous value. The most common cause is that the tenant policy was updated after the site was created, and no one went back to apply the policy to that specific site.
Steps to Check and Fix Site-Level Sharing Override
Follow these steps to identify and correct a site that does not follow the tenant sharing policy.
- Verify the current tenant sharing policy
Go to the SharePoint admin center at admin.microsoft.com. In the left navigation, select Policies then Sharing. Under External sharing, note the level shown in the SharePoint section. The options are Anyone, New and existing guests, Existing guests, and Only people in your organization. Write down this level.
- Open the site that is not following the policy
In the SharePoint admin center, go to Active sites. Find the site that is misconfigured. Click on the site name to open its details pane. In the Policies section, look for External sharing. This shows the site-level setting. If it is more permissive than the tenant policy, you have found the override.
- Change the site-level sharing setting
In the site details pane, click the External sharing value. A panel opens. Select the level that matches the tenant policy. Click Save. This forces the site to use the tenant policy.
- Check if the tenant policy is set to enforce
Return to Policies > Sharing in the admin center. Under the SharePoint section, look for the check box that says Let users override the sharing policy. If this box is checked, site owners can change the site-level setting to anything equal to or more permissive than the tenant policy. Uncheck this box and click Save. This prevents any site from overriding the tenant policy.
- Use PowerShell to apply the policy to all sites
If you have many sites, run the SharePoint Online Management Shell. Connect with Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Then run Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/sitename -SharingCapability ExternalUserAndGuestSharing, replacing the URL with your site and the capability with the value that matches your tenant policy. To apply to all sites, use Get-SPOSite -Limit All | Set-SPOSite -SharingCapability ExternalUserAndGuestSharing. Replace ExternalUserAndGuestSharing with the correct level.
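Before running a blanket Set-SPOSite across every site, it helps to list only the sites whose stored SharingCapability is more permissive than the tenant's, so you can review what will change. The following is an added example, not part of the original article: the helper name Find-SharingOverride and the sample site URLs are hypothetical, and the sample data is constructed so the function runs offline.

```powershell
# Rank the four SharingCapability values from least to most permissive.
$SharingRank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

function Find-SharingOverride {
    # Hypothetical helper: returns the sites whose level exceeds the tenant level.
    param(
        [Parameter(Mandatory)] [string]   $TenantLevel,
        [Parameter(Mandatory)] [object[]] $Sites
    )
    if (-not $SharingRank.ContainsKey($TenantLevel)) {
        throw "Unknown tenant sharing level: $TenantLevel"
    }
    foreach ($site in $Sites) {
        $level = [string]$site.SharingCapability
        if (-not $SharingRank.ContainsKey($level)) {
            Write-Warning "Skipping $($site.Url): unrecognized level '$level'"
            continue
        }
        if ($SharingRank[$level] -gt $SharingRank[$TenantLevel]) {
            [pscustomobject]@{
                Url         = $site.Url
                SiteLevel   = $level
                TenantLevel = $TenantLevel
            }
        }
    }
}

# Constructed sample data (not real sites) so the function runs offline.
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/finance';   SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/hr';        SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/marketing'; SharingCapability = 'ExistingExternalUserSharingOnly' }
)
Find-SharingOverride -TenantLevel 'ExistingExternalUserSharingOnly' -Sites $sampleSites

# Against a live tenant (after Connect-SPOService), feed it real data and review
# the list before changing anything:
#   $tenant = (Get-SPOTenant).SharingCapability
#   Find-SharingOverride -TenantLevel $tenant -Sites (Get-SPOSite -Limit All)
```

With the sample data, only the finance site is reported. Piping the reported URLs to Set-SPOSite then changes just the mismatched sites instead of rewriting every site in the tenant.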
If the Site Still Shows the Wrong Sharing Level
“I changed the tenant policy but the site still shows the old value”
The tenant policy does not retroactively change existing sites. You must edit each site or use PowerShell. If you already changed the site-level setting but it reverts, a custom script or a third-party tool may be reapplying the old value. Check any automation that runs against the site collection.
“The site owner says they cannot change the sharing setting”
If the tenant policy is set to enforce and the site owner tries to change the sharing level, they see a message that the setting is restricted by the organization. This is correct behavior. The site owner must contact the SharePoint administrator to change the policy.
“External sharing still works even after I set the policy to Guests only”
Check if the site has unique permissions that allow sharing through a link that was created before the policy changed. Existing sharing links remain active until they expire or are deleted. Go to the site, click the gear icon, select Site permissions, then Sharing settings. Under Advanced settings for external sharing, choose Only people in your organization. This removes all external sharing links.
“The site is a hub site and the policy does not apply to associated sites”
Hub sites do not inherit sharing settings from the hub. Each associated site has its own sharing level. You must apply the policy to each site individually or use PowerShell with a filter for all sites in the hub.
| Item | Tenant-level policy | Site-level setting |
|---|---|---|
| Where configured | SharePoint admin center > Policies > Sharing | Site details pane or gear icon > Site permissions > Sharing settings |
| Scope | All sites in the tenant by default, but does not override existing sites unless enforced | One specific site |
| Who can change | SharePoint administrator or Global admin | Site owner or SharePoint admin |
| Override behavior | Can be set to allow or prevent site-level overrides | Can be more restrictive but not more permissive if tenant policy enforces |
| Retroactive effect | Does not change existing sites automatically | Takes effect immediately after save |
You can now identify and correct any site that is not following the tenant sharing policy. Start by checking the site-level setting in the admin center and then uncheck the override option in the tenant policy to prevent future mismatches. For large environments, use the PowerShell command Set-SPOSite -SharingCapability to apply the policy to all sites at once. This closes the security gap and ensures consistent external sharing rules across your SharePoint environment.