SharePoint Online and Security: external sharing and extranets

6 min read
6 min read

This is part 4 of a longer series in securing SharePoint Online as part of securing Office 365. The purpose in writing this is to provide a more comprehensive look into the aspects of SharePoint Online security, especially for those who might not have extensive experience in working with SharePoint Online yet.

The whole series contains the following articles:

Building extranets using SharePoint Online

When working with customers who plan to move to Office 365, it’s inevitable that at some point – perhaps after migrating email to Exchange Online – they have a need for SharePoint Online services. I’ve been seeing a growing demand for starting with extranets, rather than the usual intranets. Sometimes companies already have a solid intranet platform built in their on-premises platform, or there’s a more urgent need to securely share and collaborate with external stakeholders. The beauty of using Office 365 is that you get to choose which services, when and how are being employed.

In its essence, and I’m heavily oversimplifying this, a SharePoint Online extranet is creating a site collection, and enabling external users to access it. Simple as that. Naturally there is more to this than just clicking a few settings, but this is also often the type of approach I see, especially with smaller organizations, and in a way, it works.

If we choose to use a traditional SharePoint Online site – now often referred to as a classic site – we can simplify the overall implementation to one or more externally shared sites. I prefer the approach of having a single /sites/extranet site collection, and provisioning subsites for each project, or customer, or both. This keeps it clean, as I know everything under this site collection is somehow visible externally.

Watch Jussi explain step by step how to secure SharePoint Online.

Free Risk Assessment

The alternative is to share multiple site collections, such as /sites/customerA, and /sites/customerB. This prevents the human error of accidentally oversharing content to external users, but also makes it more burdensome to manage multiple site collections – and possibly keeping them in sync for external sharing settings.


At a site collection level, we can define the external sharing settings with the following admin interface:

The interesting option here is the third – by setting a site collection to allowing external users, who accept our invitation and bring their own identity with them – we can securely share content.

The last option, for anonymous access links, is something I refrain from using as sharing content anonymously in a corporate extranet is generally a bad idea.

Once we select the third option, we can also limit access per domain:

With some of my customers we’ve resorted to having a whitelist of allowed domain. Blacklisting domains might work but generally I don’t feel it’s purposeful to go that route.

To complement this single site collection level sharing setting, in SharePoint Admin Center (the classic one, not the modern one that was rolled out to Targeted release recently) we have a separate admin UI for sharing under https://{tenant} From here, we can specify the organizational sharing preferences, such as the use of anonymous links, default link types and other additional settings. I urge SharePoint Online administrators to frequently visit this view to ascertain settings are set to the minimum-security level of your organization.

Best practices

You can easily view the sharing settings of a given site collection via PowerShell, by filtering for the SharingCapability property:

Get-SPOSite https://{tenant} | Format-List SharingCapability

Typically you want to disable sharing at all levels, except within the designated externally facing site collections of your tenant. This keeps it clean and simple to manage, as you can rest assured only content that is meant to be shared, is shared. There are multiple controls within the general sharing settings of SharePoint Admin Center to fine tune this.

A recent change, that was rolled out to Targeted release tenants, allows you also to securely share with external users despite the users not having a Microsoft Account or an organizational account. This uses a one-time code, which might be more beneficial for those users who are not part of the Microsoft identity ecosystem in any way. See more details here, on how this feature works.

All sharing settings and the specific limits they set for users are listed here.

In closing

As SharePoint Online-based extranets have become a usual aspect of many Office 365 deployments, securely sharing content with external users is critical. You will need to restrict access for content your users are sharing, by disabling anonymous access – unless it’s absolutely needed. With the recent addition of using a one-time passcode it might be a better alternative than just blindly allowing users to generate anonymous links to your content.

Over to you

Why not check out the Security in and with Office 365 using Secure Code eBook by Jethro Seghers. This eBook is solely dedicated to explaining and helping you improve the Security in and with Office 365. Download this eBook for free today!

Get the eBook

Subscribe to our newsletter