The previous post was about enabling guests in the tenant, particularly Microsoft Teams. An upside of allowing guests in the tenant is the reduction of Shadow IT by enabling efficient collaboration with people inside and outside the organization. We still need to think about how we securely collaborate with guests, what we share, and how.

Tenant level SharePoint External Sharing settings

For guests to access files, folders, and lists in SharePoint and Teams, you must enable sharing with guests in SharePoint at the tenant level.

It’s possible to configure this setting in specific sites as well. However, site settings can never be more permissive than the tenant setting, even if we use Sensitivity Labels. And just like Microsoft Teams Guest access settings, it’s better to select the most permissive setting that your organization need and limit it at the individual site level with Sensitivity Labels or manually.

In the SharePoint admin center, under Policies, click on Sharing, and there you you can control External Sharing for SharePoint and OneDrive. You probably want authenticated guests, so change from Anyone to New and existing guests or even more restrictive if required. The Anyone option means anyone you send the link to can forward the link to whomever they choose.

You have more external sharing settings as well.

Tenant level default sharing link

The default sharing link settings determine the default link option shown to users when they share a file or folder. This setting affects all SharePoint sites and Microsoft Teams.

As you can see in the image above, Anyone with the link is greyed out because we disabled Anyone earlier. I have selected Only people in your organization, which is perfect for reducing the risk of accidentally sharing with guests. If users need to share externally, they can still change the link type to Specific people when they share, which allows for sharing with internal users and authenticated guests.

SharePoint Site External Sharing and Default sharing link

You can manage sharing settings for specific sites either manually, via the UI, or automatically via a Sensitivity Label. This involves both external sharing and default sharing link.

In the SharePoint admin center, select a site under Active sites, click on Sharing (you may find it hidden in the ellipsis), and pick the external sharing level you want.

If you want to change the default sharing link type or permissions, clear the Same as organization-level setting checkboxes and set the values you want to use.

Who can share the SharePoint site?

As you might know, a Microsoft Teams team has an associated SharePoint team site in the backend. The SharePoint site has the regular Visitors, Members, and Owners groups, with different SharePoint-specific permissions.

In SharePoint, Team owners (Microsoft 365 group owners) are added to the Owners group and receive Full Control in SharePoint. Team members are added to the Members group with Edit permissions.

The challenge

Since we have this connection between Microsoft Teams and SharePoint, you should always add new members directly in Microsoft Teams. By default, team owners and members can share the SharePoint site according to sharing settings, leading to potentially unwanted people accessing the site’s content.

The solution

Configure that only owners can share the site, which simplifies permissions management and helps prevent access by people without a team owner’s knowledge. You can set this via Sensitivity Labels (preview) or via the UI.

Microsofts reasoning: sharing-the-sharepoint-site

Navigate to the SharePoint site, click the cogwheel and click Site permissions. In the Site permissions pane, click Change how members can share under Site sharing. As you can see in the picture, choose Site owners and members, and people with Edit permissions can share files and folders, but only site owners can share the site. If you have more sensitive sites, you might want to limit everything to site owners and also turn off access requests.

Summary

• Manage permissions exclusively through the team. The exception to this rule will be if you have stakeholders who only need to view team files. Then add them to the SharePoint site Visitor group, that gives them Read permissions.

• Set the highest allowed settings at the tenant level. Adjust at site level based on requirements.

• Set team owners as responsible for sharing the SharePoint site, because it aligns better with how it works in Microsoft 365 groups and Microsoft Teams. Make sure to educate the owners and communicate the responsibility.

In the next post we will look at how to automate some of these options with the help of sensitivity labels. Labels are a great way to enforce the required settings in an automated fashion, based on Team classification. More on this later.

Thank you for reading
/Simon