You set a sharing policy in the SharePoint admin center to restrict external sharing, but one site still allows guests to access content. This inconsistency often happens because a site-level sharing setting overrides the tenant-wide policy. The root cause is that site owners or admins have manually changed the sharing link type or external sharing setting for that specific site. This article explains why the override occurs and provides step-by-step instructions to identify and correct the misconfigured site.
Key Takeaways: Fixing a Site That Ignores the Tenant Sharing Policy
- SharePoint admin center > Policies > Sharing: Sets the default external sharing level for all sites, but individual sites can override it.
- Site-level sharing settings: Located in site Settings > Site permissions > Sharing settings; must match the tenant policy to enforce it.
- Sharing link type (Anyone vs. Specific people): A per-site setting that bypasses the tenant default if changed by a site admin.
Why a Single Site Can Bypass the Tenant Sharing Policy
SharePoint allows site owners and administrators to adjust sharing settings for their specific site independently of the tenant-wide policy. This design exists to give site owners flexibility for collaboration needs. However, when a tenant admin sets a restrictive policy, a site that has been manually configured to allow more permissive sharing will not automatically revert to the tenant default.
The override happens because SharePoint stores sharing settings at two levels: tenant and site. The tenant policy acts as a maximum ceiling, but the site setting can be lower. If a site setting is more permissive than the tenant policy, the tenant policy takes precedence. The confusion arises when the tenant policy is set to a specific level, but the site setting is also at that level, yet the site still allows external access. This usually occurs because the sharing link type (Anyone with the link) is enabled at the site level, even when the tenant policy restricts it to Specific people. The site-level link type setting is independent of the external sharing setting.
Steps to Identify and Correct the Misconfigured Site
- Confirm the tenant sharing policy
Go to SharePoint admin center > Policies > Sharing. Under External sharing, note the current tenant-level setting. Common options are Anyone, New and existing guests, Existing guests, and Only people in your organization. Write down the exact setting. - Check the site-level external sharing setting
Navigate to the site that is not following the policy. Click Settings (gear icon) > Site permissions > Sharing settings. Compare the external sharing level with the tenant setting. If the site shows a more permissive level, change it to match the tenant policy. Click Save. - Verify the sharing link type for the site
In the same Sharing settings page, look for the heading Sharing links. The default link type might be set to Anyone with the link. If the tenant policy restricts external sharing to Specific people, change this to Specific people. Click Save. - Check for individual document or folder overrides
If the site-wide settings appear correct, open a library where external users have access. Select a file or folder, click Share, and inspect the link type shown. If it says Anyone with the link, a user might have created a sharing link that bypasses the site setting. Revoke that link by clicking the link and selecting Remove. - Run a sharing report to confirm
In SharePoint admin center > Reports > Sharing reports, generate a report for the problematic site. This report lists all sharing links and external users. Use it to identify any remaining Anyone links that need to be revoked.
If the Site Still Ignores the Policy After the Fix
Site collection admin changed the setting again
A site collection administrator might have changed the sharing setting back to a more permissive level after you corrected it. To prevent this, you can lock the site-level sharing setting using a site policy. In SharePoint admin center, select Active sites, choose the site, click Policies, and then create or assign a site policy that enforces the desired external sharing level.
Guest user access persists from previously generated links
Even after you correct the site setting, existing sharing links that were created while the site was more permissive remain active. You must manually revoke those links. Use the sharing report to list all active links and remove them. Alternatively, you can use the SharePoint Online Management Shell to bulk-remove sharing links.
Tenant policy is set but not enforced for a specific site
In rare cases, a tenant policy might not apply to a site because the site was created before the policy was established. This is not a supported behavior, but a workaround is to temporarily set the site to a more restrictive level, save, and then set it back to the desired level. This forces the site to re-evaluate the tenant policy.
Site Sharing Setting vs. Tenant Sharing Policy: Key Differences
| Aspect | Tenant Sharing Policy | Site-Level Sharing Setting |
|---|---|---|
| Scope | Applies to all sites in the organization | Applies to a single site |
| Default value | Set by global admin in SharePoint admin center | Inherits from tenant policy initially |
| Can be overridden | No, it is the maximum allowed level | Yes, by site owners or site collection admins |
| Sharing link type | Set at tenant level under File and folder links | Can be set independently for each site |
| Effect on existing guests | Does not remove existing guest accounts | Does not remove existing guest accounts |
After you correct the site-level setting and remove any lingering Anyone links, the tenant policy will apply to that site consistently. To avoid future overrides, consider creating a site policy that restricts the ability of site owners to change sharing settings. Regularly audit sharing reports to catch any sites that deviate from the tenant policy.