You set a sharing policy in the SharePoint admin center to restrict external sharing across all sites. But one site still allows external users. This happens because the site-level sharing setting overrides the organization-wide policy. This article explains why a single site can bypass the sharing policy and provides workarounds to enforce consistent sharing rules.
Key Takeaways: Why a Site Ignores the Sharing Policy
- SharePoint admin center > Policies > Sharing: Controls the default sharing level for all new sites, but does not enforce a maximum on existing sites.
- Site-level sharing setting: Overrides the organization policy when set to a higher permission level, such as Anyone or New and existing guests.
- PowerShell command `Set-SPOSite -SharingCapability`: Can forcibly apply a sharing restriction to a specific site, bypassing the site owner's manual setting.
Why a Site Can Ignore the Organization Sharing Policy
SharePoint has two layers of sharing controls: the organization-level policy in the SharePoint admin center and the site-level sharing setting. The organization policy sets a default that applies to new sites. When a site is created, it inherits this default. However, site owners or administrators can later change the site-level sharing setting to a more permissive option. This change overrides the organization policy for that specific site.
The organization policy acts as a baseline, not a hard limit. This design allows flexibility for sites that need different sharing rules. The downside is that a single site can become an exception without central administrators realizing it. The site-level setting can be changed by anyone with site owner permissions, including site collection administrators and site owners. This includes users who are not global or SharePoint admins.
The root cause is the absence of a feature in the SharePoint admin center to enforce a maximum sharing level across all sites. The only way to enforce a hard limit is through PowerShell. The organization policy does not lock the site-level setting. This is by design to allow site owners to manage their own sharing needs.
How the Organization Policy Works
The organization-level sharing policy is set in the SharePoint admin center under Policies > Sharing. It includes options such as Anyone, New and existing guests, Existing guests, and Only people in your organization. This policy applies to all new sites and OneDrive accounts. It also sets the default for existing sites that have not been manually changed. If a site was created before the policy was updated, the site retains its previous sharing setting unless it is explicitly changed.
How the Site-Level Setting Works
Each site has its own sharing setting located in Site settings > Site permissions > Sharing settings. This setting can be set to a level equal to or more permissive than the organization policy. For example, if the organization policy is set to New and existing guests, a site can be changed to Anyone. The site-level setting takes immediate effect and does not require approval from a SharePoint admin. This is the most common reason why a policy does not apply to one site.
Steps to Identify and Fix the Site That Ignores the Policy
To resolve the issue, you must first identify which site is out of compliance. Then you can either change the site-level setting manually or enforce a restriction using PowerShell.
- Check the organization-level sharing policy: Sign in to the SharePoint admin center with a global admin or SharePoint admin account. Go to Policies > Sharing. Note the current setting under External sharing for SharePoint. This is the baseline that should apply to all sites.
- Identify the site that is out of compliance: In the SharePoint admin center, go to Active sites. Find the site that you suspect is ignoring the policy. Click the site name to open the details panel, then select the Policies tab. Look at the External sharing setting and compare it to the organization policy. If it is more permissive, you have found the problem.
- Change the site-level sharing setting manually: In the site details panel, click Edit next to External sharing. Select a sharing level that matches the organization policy. Click Save. The change applies immediately. Verify that the site now shows the correct setting.
- Use PowerShell to enforce a maximum sharing level: If you need to prevent future manual overrides, use the SharePoint Online Management Shell. Run `Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/yoursite" -SharingCapability ExternalUserSharingOnly`, replacing the URL with your site URL. The value `ExternalUserSharingOnly` corresponds to New and existing guests; use `Disabled` for no external sharing or `ExternalUserAndGuestSharing` for Anyone. This command sets a hard limit that cannot be changed by site owners.
- Run a compliance report: To find all sites that are out of compliance, run `Get-SPOSite | Select-Object Url, SharingCapability`. Export the results to a CSV file and filter for sites where SharingCapability is higher than the organization policy. You can then apply the fix to each site in bulk using a loop.
Common Issues When the Policy Does Not Apply to a Site
The site shows the correct setting but still allows external sharing
This can happen if the site has unique permissions for a subsite or list. Check the site collection permissions. Go to Site settings > Site permissions. Look for any broken inheritance. If a subsite or list has unique permissions, it may have its own sharing setting that overrides the parent site. Check each subsite individually.
The organization policy was changed after the site was created
When you update the organization policy, existing sites are not automatically updated. Only new sites inherit the new policy. To apply the new policy to existing sites, you must either manually change each site or use PowerShell to update all sites in bulk. Use the `Set-SPOSite` cmdlet with the `-SharingCapability` parameter for each site.
A site owner changed the setting after the admin applied the fix
If you changed the site-level setting manually, a site owner can change it back. To prevent this, use the PowerShell command with the `-SharingCapability` parameter. This locks the setting so that only SharePoint admins can change it. Site owners will see a message that the setting is enforced by the organization.
The site is a hub site and the policy does not apply to associated sites
Hub sites have a separate sharing setting that applies to the hub itself. Associated sites are not automatically controlled by the hub setting. Each associated site retains its own sharing setting. You must check and update each site individually or use PowerShell to apply the policy to all sites in the hub.
| Item | Organization Policy | Site-Level Setting |
|---|---|---|
| Scope | Applies to all new sites and OneDrive | Applies to a single site |
| Who can change | Global admin or SharePoint admin | Site owner or site collection admin |
| Default behavior | Sets baseline for new sites | Overrides organization policy |
| Enforcement | Not enforced on existing sites | Immediate effect |
| Locking capability | None | Can be locked via PowerShell |
You can now identify which site is ignoring the sharing policy and apply a permanent fix using the site-level setting or PowerShell. For ongoing compliance, run a weekly PowerShell script that checks all sites against the organization policy and updates any that are out of compliance. Use the `Get-SPOSite` and `Set-SPOSite` cmdlets in a scheduled task to automate this process.
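The compliance report and bulk fix from the steps above, and the scheduled weekly check, as one added PowerShell script that is not from the original article. It assumes the SharePoint Online Management Shell module is installed, uses a placeholder admin URL and CSV path, reads the organization baseline from `Get-SPOTenant`, and orders the four `SharingCapability` values from least to most permissive according to the mapping the article gives.

```powershell
# Added example, not from the original article: audit every site against the tenant
# baseline and optionally enforce it. Assumes the SharePoint Online Management Shell
# (Microsoft.Online.SharePoint.PowerShell) is installed; the URL and path are placeholders.
param(
    [string]$AdminUrl   = "https://yourtenant-admin.sharepoint.com",  # assumption: replace
    [string]$ReportPath = ".\SharingCompliance.csv",
    [switch]$Enforce    # omit for report-only; add -Enforce to apply Set-SPOSite
)

Connect-SPOService -Url $AdminUrl

# SharingCapability values ordered from least to most permissive (higher = more external access).
$rank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

# The organization-wide baseline set under Policies > Sharing.
$baseline     = [string](Get-SPOTenant).SharingCapability
$baselineRank = $rank[$baseline]

# Compare every site to the baseline; unknown values are reported but not ranked.
$report = foreach ($site in Get-SPOSite -Limit All) {
    $siteCap  = [string]$site.SharingCapability
    $siteRank = $rank[$siteCap]
    [pscustomobject]@{
        Url               = $site.Url
        SharingCapability = $siteCap
        Baseline          = $baseline
        OutOfCompliance   = ($null -ne $siteRank) -and ($siteRank -gt $baselineRank)
    }
}

$report | Export-Csv -Path $ReportPath -NoTypeInformation
$violations = @($report | Where-Object { $_.OutOfCompliance })
Write-Host ("{0} of {1} sites are more permissive than the baseline ({2})." -f `
    $violations.Count, @($report).Count, $baseline)

if ($Enforce) {
    foreach ($v in $violations) {
        # Cap the site at the tenant baseline, overriding the owner's site-level choice.
        Set-SPOSite -Identity $v.Url -SharingCapability $baseline
        Write-Host "Enforced $baseline on $($v.Url)"
    }
}
```

Run it without `-Enforce` first to review the CSV, then schedule it with `-Enforce` for the weekly check.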