How to limit external sharing to specific users

When your organisation uses Microsoft 365, it’s very easy to share content with anyone in your company as well as with any external users (if allowed by your company). Some companies have strict sharing policies, and it might not be acceptable for everyone to share content with external users.

There are many options to manage sharing content in Microsoft 365. The option I’ll cover in this article is ‘Allow only users in specific security group to share externally’.

This setting lets us define which users may share files externally. With this option, only the members of a specific Microsoft 365 security group will be allowed to share files, folders, and sites with external users.

All other users will be prevented from sharing with external users.

This option is configured by your Microsoft 365 Administrator or your SharePoint Online Administrator from the SharePoint admin center.

In the SharePoint Online Admin Center:

  • Click Policies
  • Click Sharing

On the sharing page:

  • Click More external sharing settings
  • Click Allow only users in specific security group to share externally
  • Click Manage Security Groups

In the Manage security groups pane:

  • Add a security group
  • Once the security group is added you can select if the members of the group can share with ‘anyone’, or with ‘authenticated guests only’
  • Click Save

Important: This setting does not prevent an owner of a Team or group from adding an external user as a guest to that Team or group. It simply blocks the ‘sharing’ option.

The result – what happens now?

So let’s say we now have our security group with permissions to share externally.
If a user of a SharePoint site (including OneDrive), who is not a member of this security group, tries to share a document with an external user, they will receive the following message:

When this same user, who is not a member of the security group, tries to add an external user to an existing SharePoint group, the external user will not be found and therefore cannot be added to the SharePoint group.

Remember, this option does not block a user from adding external users as a member of a Microsoft 365 group or team. The external user would then have access to the site content.
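
One way to check the setting once it is in place, as an added example that is not part of the original article or of Microsoft's tooling: it reviews exported audit events for external sharing by users who should have been blocked, and for guests added to groups or teams, which the setting does not cover. The operation names, record fields, accounts and the `ALLOWED` mapping are assumptions.

```python
# Added example: the record shape, operation names and every account are
# constructed or assumed for illustration; adapt them to your own audit export.
ANON_OPS = {"AnonymousLinkCreated"}        # 'anyone' links
GUEST_OPS = {"SharingInvitationCreated"}   # sharing with a named external user
GROUP_ADD_OPS = {"Add member to group."}   # Microsoft 365 group / Team membership

# Members of the allowed security group(s), mapped to the level selected for
# their group in the Manage security groups pane (constructed accounts).
ALLOWED = {"alice@contoso.example": "anyone",
           "bob@contoso.example": "authenticated"}

def is_external(upn, tenant_domain="contoso.example"):
    """Guest accounts carry #EXT# in the UPN; other domains are external too."""
    upn = upn.lower()
    return "#ext#" in upn or not upn.endswith("@" + tenant_domain)

def review(events, allowed=ALLOWED):
    """Return (actor, reason) for events the setting should have prevented,
    and for guest additions to groups, which the setting does not block."""
    findings = []
    for e in events:
        actor, op, target = e["actor"].lower(), e["operation"], e.get("target", "")
        level = allowed.get(actor)
        if op in ANON_OPS and level != "anyone":
            findings.append((actor, "anyone link without 'anyone' level"))
        elif op in GUEST_OPS and is_external(target) and level is None:
            findings.append((actor, "external share by non-member"))
        elif op in GROUP_ADD_OPS and is_external(target):
            findings.append((actor, "guest added to group or team"))
    return findings

SAMPLE = [  # constructed events
    {"actor": "Alice@contoso.example", "operation": "AnonymousLinkCreated"},
    {"actor": "bob@contoso.example", "operation": "AnonymousLinkCreated"},
    {"actor": "bob@contoso.example", "operation": "SharingInvitationCreated",
     "target": "carol@partner.example"},
    {"actor": "dave@contoso.example", "operation": "SharingInvitationCreated",
     "target": "carol@partner.example"},
    {"actor": "dave@contoso.example", "operation": "SharingInvitationCreated",
     "target": "erin@contoso.example"},
    {"actor": "dave@contoso.example", "operation": "Add member to group.",
     "target": "carol_partner.example#EXT#@contoso.example"},
]

if __name__ == "__main__":
    for actor, reason in review(SAMPLE):
        print(f"{actor}: {reason}")
```

The first two finding types mean the restriction is not in effect for that user; the third is expected to appear even when the setting works and needs its own review.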