How to Block External Sharing in SharePoint Online

TL;DR: In the SharePoint admin center at https://admin.microsoft.com/sharepoint, go to Policies > Sharing. Slide SharePoint down to Only people in your organization to block all external sharing tenant-wide. Or set the slider to New and existing guests and use per-site overrides and domain allow lists for a more nuanced policy. OneDrive’s slider can be at the same level as SharePoint’s or more restrictive, never more permissive.

External sharing in SharePoint Online and OneDrive is one of the most consequential settings in Microsoft 365 — wide open by default, devastating if a breach happens, but also load-bearing for legitimate collaboration. This guide blocks it tenant-wide and walks through the more-common case of tightening it without breaking everyone’s work.

What this does

The tenant-level external-sharing slider controls whether any site in your tenant can be shared with people outside your organization. There are four settings, from most to least permissive:

| Setting | What’s allowed |
|---|---|
| Anyone | Anonymous “Anyone with the link” sharing — no sign-in, no audit trail of who accessed what |
| New and existing guests | Authenticated guests; new guests can be invited and added to your directory |
| Existing guests | Sharing only with guests already in your directory (added previously, or via Microsoft Entra B2B) |
| Only people in your organization | No external sharing at all |

The OneDrive slider can be at the same level as the SharePoint setting or more restrictive — never more permissive. So if SharePoint is Anyone, OneDrive can be Anyone, New and existing, Existing only, or Only people. If SharePoint is Existing guests, OneDrive can only be Existing or Only people.

Per-site overrides can match the tenant setting or be more restrictive — so a generally-open tenant can have a locked-down site, but a generally-locked-down tenant can’t have an open site.

When you’d want this

  • Compliance-driven shutdown — regulated industries that can’t allow external sharing at all
  • Incident response — a confirmed sharing-link breach where you need to stop the bleed
  • A tightening of a previously-loose tenant: drop from Anyone to New and existing guests, eliminate anonymous links
  • A targeted block on specific external domains while allowing others (allow list)
  • Locking down a single sensitive site while leaving the rest of the tenant open

Steps

Tenant-level — block all external sharing

The fastest path to stopping all external sharing.

  1. Sign in as a SharePoint Administrator or Global Administrator at https://admin.microsoft.com/sharepoint.
  2. In the left navigation, select Policies > Sharing.
  3. Under External sharing, drag the SharePoint slider down to Only people in your organization.
  4. The OneDrive slider drops automatically (it can’t be more permissive than SharePoint).
  5. Select Save at the bottom of the page.

This change takes effect within a few minutes and applies to new sharing operations. Existing share links remain valid until you separately revoke them.

Existing guests don’t lose access automatically. Turning sharing off applies only to new shares. To remove existing guests, either remove them from individual sites, or run a tenant-wide guest removal via PowerShell.

For a safer default than Anyone without going full lockdown:

  1. Same path: SharePoint admin center > Policies > Sharing.
  2. Drag SharePoint slider to New and existing guests.
  3. Drag OneDrive slider to New and existing guests (or stricter if you want).
  4. Under More external sharing settings, consider:
    • Limit external sharing by domain — Allow or Block specific domains. Allow-listing partner domains blocks sharing with every other external domain.
    • Allow only users in specific Security groups to share externally — restricts who in your organization can initiate external shares.
    • Guests must sign in using the same account to which sharing invitations are sent — closes a hole where invitations could be redirected.
    • Allow guests to share items they don’t own — typically off; most orgs only want owners to share.
  5. Under File and folder links, set the Default link type to Specific people (most restrictive default; users have to explicitly broaden if they want to).
  6. Under Anyone link advanced settings (only relevant if Anyone is allowed), require expiration (e.g., 30 days) and View permission only.
  7. Select Save.

Per-site override

If the tenant is on New and existing guests but you want one site to be Only people in your organization:

  1. From the SharePoint admin center, go to Sites > Active sites.
  2. Select the site.
  3. On the Settings tab, select More sharing settings.
  4. Pick the more restrictive setting (e.g., Only people in your organization).
  5. Optionally, set per-site domain restrictions, default link types, and link expiration that differ from tenant defaults.
  6. Select Save.

The site’s sharing setting must match the tenant setting or be more restrictive. You can’t open one site beyond the tenant policy.

PowerShell

For scripted enforcement, use the SharePoint Online Management Shell:

Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser
Connect-SPOService -Url https://contoso-admin.sharepoint.com

# Tenant — block all external sharing
Set-SPOTenant -SharingCapability Disabled

# Tenant — authenticated guests only
Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# Tenant — Anyone (anonymous links allowed): default link is Specific people, Anyone links expire after 30 days
Set-SPOTenant `
  -SharingCapability ExternalUserAndGuestSharing `
  -DefaultSharingLinkType Direct `
  -RequireAnonymousLinksExpireInDays 30

# Per-site override
Set-SPOSite `
  -Identity "https://contoso.sharepoint.com/sites/finance" `
  -SharingCapability Disabled

The SharingCapability enum values:

| Value | Equivalent UI setting |
|---|---|
| Disabled | Only people in your organization |
| ExistingExternalUserSharingOnly | Existing guests |
| ExternalUserSharingOnly | New and existing guests |
| ExternalUserAndGuestSharing | Anyone |
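
The "safer default than Anyone" steps from the admin center, scripted and then read back to confirm every setting applied. This is an added example, not code from the original page; it assumes an existing Connect-SPOService session, and partner.example and supplier.example are placeholder domains.

```powershell
# Added example (not from the original page). Assumes Connect-SPOService has already run.
# partner.example / supplier.example are placeholder domains: replace with your own.
$desired = @{
    SharingCapability                          = 'ExternalUserSharingOnly'  # New and existing guests
    OneDriveSharingCapability                  = 'ExternalUserSharingOnly'  # same level or stricter
    DefaultSharingLinkType                     = 'Direct'                   # Specific people
    SharingDomainRestrictionMode               = 'AllowList'                # Limit external sharing by domain
    SharingAllowedDomainList                   = 'partner.example supplier.example'
    RequireAcceptingAccountMatchInvitedAccount = $true   # guest must sign in as the invited account
    PreventExternalUsersFromResharing          = $true   # guests cannot share items they don't own
}

# Apply the whole policy in one call (hashtable splatting).
Set-SPOTenant @desired

# Read the tenant back and report any setting that differs from the desired state.
$tenant = Get-SPOTenant
$drift = foreach ($name in $desired.Keys) {
    $actual = "$($tenant.$name)"
    if ($actual -ne "$($desired[$name])") {
        [pscustomobject]@{
            Setting  = $name
            Expected = $desired[$name]
            Actual   = $actual
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'Tenant sharing policy matches the desired state.'
}
```

Run the read-back half on its own (everything from `$tenant = Get-SPOTenant` down, with `$desired` defined) as a recurring check that nobody has loosened the policy since it was set.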

Notes and gotchas

  • OneDrive can’t exceed SharePoint. The OneDrive slider auto-clamps to the SharePoint setting. If you tighten SharePoint, OneDrive tightens too — review the OneDrive slider after every SharePoint change.
  • Microsoft 365 Groups and Teams settings interact. If a SharePoint site is connected to a Microsoft 365 group or a team, the group’s guest-sharing settings affect the site too. Lock down both for a coherent policy.
  • Existing share links survive setting changes. Tightening the tenant setting doesn’t revoke previously-issued links. To actually cut off existing access, walk individual sites or run Remove-SPOExternalUser to deauthorize specific guests.
  • Microsoft Entra B2B is the upstream gate. SharePoint and OneDrive sharing depend on Microsoft Entra ID’s external collaboration settings. If Entra blocks guest invitations entirely, SharePoint can’t issue them either — even if SharePoint says New and existing guests.
  • Domain allow lists are coarse. They apply per-domain, not per-user. A trusted domain you allow gets the run of whatever sites the inviter has shared.
  • Anonymous links and DLP. Anonymous “Anyone with the link” sharing is what most leaks come from. If you must allow it, pair it with Microsoft Purview DLP policies that detect and block sharing of sensitive content (PII, credit cards, etc.).
  • Audit before tightening. Before dropping from Anyone to New and existing guests, run the Sharing report in the SharePoint admin center to find sites and links that will be affected. Communicate with affected site owners. Surprise lockdowns drive shadow IT.
  • Permissions: minimum role is SharePoint Administrator. Don’t use Global Administrator unless required.
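
A pre-change inventory for the "Audit before tightening" and "Existing share links survive" notes: it lists sites whose per-site setting is more permissive than the level you plan to move to, and exports the guests who will keep access afterwards. This is an added example, not code from the original page; it assumes an existing Connect-SPOService session, the `$target` value and output file names are illustrative, and it does not enumerate individual share links.

```powershell
# Added example (not from the original page). Assumes Connect-SPOService has already run.
# SharingCapability values ranked least to most permissive, per the enum table above.
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}
$target = 'ExternalUserSharingOnly'   # the level you plan to drop the tenant to

# Sites whose current setting is more permissive than the planned level.
$affected = Get-SPOSite -Limit All |
    Where-Object { $rank["$($_.SharingCapability)"] -gt $rank[$target] } |
    Select-Object Url, Owner, SharingCapability

# Guests already in the tenant keep their access after the slider moves.
# Get-SPOExternalUser returns at most 50 users per call, so page through them.
$guests = @()
$position = 0
do {
    $page = @(Get-SPOExternalUser -Position $position -PageSize 50)
    $guests += $page
    $position += $page.Count
} while ($page.Count -eq 50)

# Hand both lists to site owners before the change goes in.
$affected | Export-Csv -Path .\sites-above-target.csv -NoTypeInformation
$guests |
    Select-Object DisplayName, Email, AcceptedAs, WhenCreated, InvitedBy |
    Export-Csv -Path .\external-users.csv -NoTypeInformation

'{0} site(s) above target, {1} external user(s) in the tenant' -f @($affected).Count, $guests.Count
```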