
How to Manage External Sharing Settings in SharePoint and OneDrive at Scale

by Jarod Habana, IT Technical Writer

Some business tasks require sharing files with people outside the organization using SharePoint and OneDrive. This can offer better convenience and productivity, but it can also turn into a security risk when access permissions are not monitored regularly. Therefore, it becomes a crucial responsibility for IT administrators, Managed Service Providers (MSPs), and sysadmins to balance functional collaboration and security compliance.

Keep reading to learn various steps for managing OneDrive and SharePoint external sharing settings, from using the Microsoft 365 admin center for setting global defaults to using command-line tools for verification and troubleshooting.

How to regulate SharePoint and OneDrive external sharing settings at scale

Managing external sharing settings in platforms like SharePoint and OneDrive requires a multi-layer approach. This will ensure you are always aligned with your organization’s collaboration goals and security needs. Below are some methods you can use to improve your existing management processes.

📌 Prerequisites:

  • Microsoft 365 tenant with SharePoint and OneDrive enabled
  • Administrator role/s (Global Admin, SharePoint Admin, or Compliance Admin)

💡 Tip: Check "Things to look out for" before proceeding.

📌 Recommended deployment strategies:


Method 1: Configure default external sharing settings via Microsoft 365 admin center
Method 2: Configure site-level sharing policies via PowerShell
Method 3: Automate sharing policy audits with Microsoft Graph
Method 4: Use Group Policy to disable file sync with unauthorized accounts
Method 5: Use Registry Editor to support policy enforcement
Method 6: Use CMD for compliance checks and sync client visibility

Method 1: Configure default external sharing settings via Microsoft 365 admin center

This method sets tenant-wide baseline policies for external file and folder sharing in SharePoint and OneDrive. Admins will get better control over anonymous access and link expiration.

📌 Use Cases:

  • Onboarding new Microsoft 365 tenants
  • Enforcing organization-wide collaboration policies

📌 Prerequisite: Access to the Microsoft 365 admin center

  1. Go to Sharing in SharePoint admin center.
  2. Sign in using an account with admin permissions for your organization.
  3. Under External sharing, choose from the four available sharing levels:
    • Anyone (most permissive)
    • New and existing guests
    • Existing guests 
    • Only people in your organization

💡 Note: Site-specific settings can override the tenant-level default.

  4. Set default link settings:
    • View
    • Edit
  5. Set link expiration durations for anonymous links.
  6. Repeat these steps under OneDrive > Sharing.
  7. Save the changes to apply globally.

Method 2: Configure site-level sharing policies via PowerShell

This PowerShell method applies or restricts external sharing settings at the site level, especially when site-specific sensitivity requires stricter policies. It offers granular control for sensitive sites, and the same cmdlets can be run against many sites at once when a site needs a setting other than the tenant default.

📌 Use Cases:

  • Managing access to sensitive project or legal sites
  • Regulating sharing on sites serving external contractors or clients

📌 Prerequisites:

  1. After installing and importing the SharePoint Online PowerShell Module, connect to SharePoint Online from an elevated PowerShell session:

Connect-SPOService -Url https://yourtenant-admin.sharepoint.com

  2. View the current sharing settings to audit existing policies before making changes:

Get-SPOSite -Identity https://yourtenant.sharepoint.com/sites/marketing | Select-Object SharingCapability

  3. Set your desired external sharing policy:

Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/marketing -SharingCapability ExternalUserSharingOnly

💡 Note: Available -SharingCapability options are as follows:

    • Disabled
    • ExternalUserSharingOnly
    • ExternalUserAndGuestSharing
    • ExistingExternalUserSharingOnly

  4. Apply the policy across all sites:

# Sets every site to the same value, including sites that are currently Disabled.
Get-SPOSite -Limit All | ForEach-Object {
    Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly
}
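
The loop in step 4 writes one value to every site, which also loosens any site that is currently set to Disabled. The following is an added example, not part of the original article or of any NinjaOne or Microsoft tooling: it reports drift against a baseline first and only ever tightens. Get-SharingDrift, $SharingRank and the sample site URLs are hypothetical names chosen for illustration.

```powershell
# Added example: report-first drift check that only tightens, never loosens.
# Rank of each -SharingCapability value, from least to most permissive.
$SharingRank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

function Get-SharingDrift {
    # Hypothetical helper: compares each site's SharingCapability to a baseline.
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Site,
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'ExistingExternalUserSharingOnly',
                     'ExternalUserSharingOnly', 'ExternalUserAndGuestSharing')]
        [string] $Baseline
    )
    process {
        $current = "$($Site.SharingCapability)"
        if (-not $SharingRank.ContainsKey($current)) { $action = 'Review' }   # unknown value
        elseif ($SharingRank[$current] -gt $SharingRank[$Baseline]) { $action = 'Tighten' }
        else { $action = 'Keep' }                                             # at or below baseline
        [pscustomobject]@{ Url = $Site.Url; Current = $current; Baseline = $Baseline; Action = $action }
    }
}

# Constructed sample standing in for Get-SPOSite output, so the logic runs offline.
$sample = @(
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/legal';     SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/marketing'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/projects';  SharingCapability = 'ExternalUserSharingOnly' }
)
$sample | Get-SharingDrift -Baseline ExternalUserSharingOnly | Format-Table -AutoSize

# Live use after Connect-SPOService: export the report, review it, then enforce.
# $drift = Get-SPOSite -Limit All | Get-SharingDrift -Baseline ExternalUserSharingOnly
# $drift | Export-Csv .\sharing-drift.csv -NoTypeInformation
# $drift | Where-Object Action -eq 'Tighten' | ForEach-Object {
#     Set-SPOSite -Identity $_.Url -SharingCapability $_.Baseline
# }
```

With the constructed sample, only the marketing site is marked Tighten; the legal site stays Disabled.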

Method 3: Automate sharing policy audits with Microsoft Graph

This method lets admins audit and monitor who is sharing what, with whom, and when, across SharePoint and OneDrive using Microsoft Graph PowerShell. This enables MSPs to generate compliance reports, detect over-sharing, and audit external access at scale.

📌 Use Cases:

  • Creating monthly external sharing reports
  • Investigating suspected data leaks
  • Ensuring proactive compliance enforcement

📌 Prerequisites:

  1. After installing the Microsoft Graph PowerShell SDK, connect to Microsoft Graph from an elevated PowerShell session so you can pull site and sharing metadata:

Connect-MgGraph -Scopes "Sites.Read.All" 

⚠️ Important: If you use app-based (non-interactive) authentication, you must register an app in Azure AD and grant API permissions.

  2. Get a list of all SharePoint sites:

Get-MgSite -All -Property Id,WebUrl,DisplayName

Each site object should include metadata, such as site ID, web URL, and display name. SharingCapability is not a property of the Microsoft Graph site resource; read it per site with Get-SPOSite, as in Method 2.

  3. Optional: Export results to CSV to create reports on who shared what, with whom, and when.
  4. Automate script execution using scheduled tasks or NinjaOne RMM scripting.
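
To report on who a file is shared with, the permissions on each drive item have to be read and classified. The following is an added example, not part of the original article: it classifies Microsoft Graph permission objects in their raw JSON shape and flags anonymous links and external recipients. Get-SharingRisk, the yourtenant.com domain, the file name and the sample JSON are assumptions made for illustration.

```powershell
function Get-SharingRisk {
    # Hypothetical helper: classifies one Graph "permission" object (raw JSON shape).
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Permission,
        [Parameter(Mandatory)] [string] $ItemName,
        [string[]] $InternalDomains = @('yourtenant.com')   # assumption: your verified domains
    )
    process {
        # Recipients of a direct grant or of a "specific people" link.
        $recipients = @($Permission.grantedToIdentitiesV2) + @($Permission.grantedToV2) |
            Where-Object { $_ -and $_.user.email } | ForEach-Object { $_.user.email }
        $external = @($recipients | Where-Object { ($_ -split '@')[-1] -notin $InternalDomains })

        $risk = 'Internal'
        if ($Permission.link.scope -eq 'anonymous') {
            $risk = if ($Permission.expirationDateTime) { 'AnonymousLink' } else { 'AnonymousLinkNoExpiry' }
        } elseif ($external.Count -gt 0) { $risk = 'ExternalRecipient' }

        [pscustomobject]@{
            Item     = $ItemName
            Risk     = $risk
            Roles    = $Permission.roles -join ','
            SharedTo = $external -join ';'
            Expires  = $Permission.expirationDateTime
        }
    }
}

# Constructed sample permissions (not real data), so the classifier runs offline.
$json = @'
[
 {"roles":["write"],"link":{"scope":"anonymous","type":"edit"}},
 {"roles":["read"],"link":{"scope":"users","type":"view"},"expirationDateTime":"2030-01-01T00:00:00Z",
  "grantedToIdentitiesV2":[{"user":{"email":"partner@example.org","displayName":"Partner"}}]},
 {"roles":["read"],"grantedToV2":{"user":{"email":"alex@yourtenant.com","displayName":"Alex"}}}
]
'@
# Parentheses make Windows PowerShell 5.1 enumerate the parsed array.
($json | ConvertFrom-Json) | Get-SharingRisk -ItemName 'Q3-forecast.xlsx' | Format-Table -AutoSize

# Live use after Connect-MgGraph; $driveId and $item come from your own drive enumeration.
# $r = Invoke-MgGraphRequest -Method GET `
#        -Uri "https://graph.microsoft.com/v1.0/drives/$driveId/items/$($item.id)/permissions"
# $r.value | Get-SharingRisk -ItemName $item.name |
#     Export-Csv .\sharing-report.csv -Append -NoTypeInformation
```

The three sample permissions classify as AnonymousLinkNoExpiry, ExternalRecipient and Internal, in that order.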

Method 4: Use Group Policy to disable file sync with unauthorized accounts

This method prevents users from syncing personal or unmanaged OneDrive accounts on corporate endpoints. It ensures only organizational accounts are used and prevents data leakage through personal accounts.

📌 Use Cases:

  • Managing settings on corporate-owned laptops and desktops
  • Regulating sharing in highly regulated industries, such as finance, healthcare, and legal

📌 Prerequisites:

  1. Open the Group Policy Management Console (GPMC).
  2. Navigate to:

Computer Configuration > Administrative Templates > OneDrive

  3. Enable the following settings:
    • Prevent users from syncing personal OneDrive accounts (Blocks all sync activity from personal Microsoft accounts)
    • Silently sign in users to the OneDrive sync app with their Windows credentials (Automatically signs users into the OneDrive sync client using their domain or Azure AD account, so their OneDrive is set up without manual sign-in)
  4. Run gpupdate /force on target machines to apply the changes.

Method 5: Use Registry Editor to support policy enforcement

This method implements hard controls by modifying the Windows Registry to restrict OneDrive behavior on endpoints. The change locks down endpoints in non-domain or BYOD environments by adding another enforcement layer beyond GPO. This is particularly useful for RMM automation.

📌 Use Case: Managing sharing on devices not joined to AD and for temporary contractors’ or consultants’ machines

📌 Prerequisites:

  • Admin rights on the endpoint
  • Registry access
  1. Open the Registry Editor as Administrator. Press Windows key + R, type “regedit,” and press Ctrl + Shift + Enter.
  2. On the left pane, follow this path:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\OneDrive

  3. Create or update the following DWORD values:
    • DisablePersonalSync = 1
    • SilentAccountConfig = 1 
    • BlockExternalSync = 1

These keys restrict sync behavior and external upload destinations. They are useful in locked-down environments.

Method 6: Use CMD for compliance checks and sync client visibility

This method uses command-line tools to verify sync client status, test policy application, and force configuration updates. It can help admins troubleshoot sync or policy issues during post-deployment validation.

📌 Use Cases:

  • Verifying GPO or registry success
  • Diagnosing sync failures

📌 Prerequisites:

  1. Open Command Prompt. Press Windows key + R, type “cmd,” and press Enter.
  2. Check OneDrive sync status:

%localappdata%\Microsoft\OneDrive\OneDrive.exe /status

This will confirm whether OneDrive is running, active, and in sync with Microsoft 365.

  3. List current folders being synced to help detect non-compliant personal account usage on the device:

dir %userprofile%\OneDrive* /a /s

  4. Force a OneDrive policy refresh to make GPO changes take effect immediately:

gpupdate /force

Use these commands to verify GPO or registry changes and to troubleshoot sharing sync issues.
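
For post-deployment validation across many endpoints, the registry values from Method 5 can be checked by script instead of by hand. The following is an added example, not part of the original article: it reads the three values from the HKLM path given in Method 5 and, as an assumption beyond the page, from the same subkey under HKCU, since OneDrive policy values can also be set per user. Test-OneDrivePolicy is a hypothetical helper name.

```powershell
function Test-OneDrivePolicy {
    # Hypothetical helper: reports each expected OneDrive policy value per hive.
    param(
        [hashtable] $Expected = @{ DisablePersonalSync = 1; SilentAccountConfig = 1; BlockExternalSync = 1 },
        [string[]]  $Hives    = @('HKLM:', 'HKCU:')   # HKCU is an addition to the page's HKLM path
    )
    foreach ($name in $Expected.Keys | Sort-Object) {
        # Collect the value from every hive where it exists.
        $found = foreach ($hive in $Hives) {
            $key  = "$hive\SOFTWARE\Policies\Microsoft\OneDrive"
            $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
            if ($null -ne $item) { [pscustomobject]@{ Hive = $hive; Value = $item.$name } }
        }
        $ok = @($found | Where-Object { $_.Value -eq $Expected[$name] })
        [pscustomobject]@{
            Name     = $name
            Expected = $Expected[$name]
            Found    = ($found | ForEach-Object { "$($_.Hive)=$($_.Value)" }) -join ', '
            Status   = if ($ok.Count) { 'Compliant' } elseif ($found) { 'WrongValue' } else { 'Missing' }
        }
    }
}

$report = Test-OneDrivePolicy
$report | Format-Table -AutoSize

# In an RMM or scheduled-task script, exit non-zero when anything is not compliant:
# if ($report.Status -ne 'Compliant') { exit 1 }
```

A value is reported as Compliant when at least one hive holds the expected number; the Found column shows every hive where it was set, so conflicting per-user and per-machine values are visible.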

⚠️ Things to look out for

Risk: Oversharing sensitive or regulated data

Potential consequences:
  • Unauthorized access to financials, customer data, or protected health information
  • Compliance violations
  • Data breaches
  • Legal liability

Reversals:
  • Immediately revoke shared links using Microsoft 365 admin tools or PowerShell
  • Conduct a retrospective audit using Microsoft Graph and export sharing metadata to identify at-risk files
  • Enable audit logging and alerts in Microsoft Purview for future risk detection

Risk: Guest user sprawl and orphaned access

Potential consequences:
  • Inactive or forgotten guest accounts accumulate over time
  • Unmonitored access to live resources

Reversals:
  • Run access reviews using Microsoft Entra ID Governance to detect and revoke unused guest permissions
  • Script periodic guest user evaluations using Microsoft Graph
  • Apply automatic expiration policies for guest accounts via Entra ID

Risk: Inconsistent sharing controls across sites

Potential consequences:
  • Policy blind spots
  • Audit failures
  • Internal confusion

Reversals:
  • Use PowerShell to query and normalize sharing capabilities across all sites
  • Deploy a baseline automation script via NinjaOne or Task Scheduler to detect and correct deviations weekly
  • Maintain a master policy report and dashboard to track site-level sharing settings over time

Why manage external sharing at scale?

There are many reasons to manage SharePoint and OneDrive external sharing settings, such as the following:

  • Preventing sensitive or regulated data leakage from uncontrolled sharing, anonymous linking, and broad guest access
  • Ensuring consistent security policies across sites and users to reduce gaps, minimize misconfigurations, and enforce organization-wide rules for data protection
  • Improving visibility and auditability by tracking and recording who shared what, with whom, and when
  • Ensuring compliance with frameworks like GDPR, HIPAA, and CMMC
  • Reducing operational overhead for IT and MSPs managing hundreds of users or sites

Quick-Start Guide

NinjaOne can provide insights about managing external sharing settings in SharePoint and OneDrive with NinjaOne SaaS Backup:

– NinjaOne offers AutoDiscover functionality for SharePoint and OneDrive
– Users can selectively back up and manage SharePoint sites and OneDrive data
– Provides flexibility in excluding specific sites or drives from backup

SharePoint Backup Details:

– Runs three times per day
– Backs up: Communication Sites, Team Sites, Documents, Files, Text-based content, Images, Videos, Notebooks, Site Pages, Lists, File permissions

OneDrive Backup Features:

– Enabled by default
– Can be excluded from backup if needed
– Supports:

  • Restoring entire OneDrive
  • Restoring specific folders/files
  • Point-in-time restoration
  • Flexible destination options (same or different user drive)

External Sharing Management:

While the documentation doesn’t explicitly detail external sharing settings, NinjaOne provides granular control through:
– AutoDiscover toggle
– Site/drive exclusion options
– Selective backup capabilities

Additional considerations when adjusting OneDrive and SharePoint external sharing settings

If you want long-term success in managing external sharing policies, you must be aware of additional strategies for detecting gaps, enforcing behavior, and aligning with regulatory frameworks.

  • Auditing and alerts: Consider enabling audit logging via Purview and Microsoft 365 Compliance Center, then set up alert policies for anonymous sharing. This should enhance real-time threat detection and support investigations and incident response.
  • Link expiration policies: It is good practice to limit the time externally shared links remain active to reduce the risk of lingering external access.
  • Terms of use for external users: To provide legal coverage for shared data, require guest users to accept terms and conditions, such as disclaimers and confidentiality clauses, before accessing shared content.
  • Access reviews: Periodically review and confirm whether external users still need access using Microsoft Entra ID Governance to schedule automated access reviews or Microsoft Graph PowerShell to script access evaluations.

Troubleshooting common issues

Users are still able to share externally despite restrictions

This is usually because site-level sharing settings are less restrictive than the expected policy. Check your site-level settings or group-level permissions, such as those granted via Microsoft 365 Groups or Teams, and modify as needed.

Sync client bypasses restrictions on personal accounts

First, confirm that local GPO or registry edits are applied, as there may be a delay in policy propagation, an error in the registry modifications, or a pending reboot. Re-push the policy with Intune, NinjaOne, or a script if needed.

External guests are not prompted for MFA

Enforce Conditional Access policies at the tenant level under Microsoft Entra Admin Center > Security. Here, you can create a policy targeting specific users or apps. After making changes, make sure to test the guest sign-in experience with a disposable external account.

Graph API calls are denied

This may be because the application registration lacks the required permissions (Sites.Read.All and Files.Read.All). Ensure the PowerShell app has the correct permissions via Azure AD > App Registrations. Here, you can assign the required Graph API permissions and select Grant Admin Consent.

NinjaOne services that can help with scalable external sharing management

It’s crucial for MSPs and IT teams to manage external sharing policies across Microsoft 365 environments. However, this can be a complex and time-consuming task, especially for larger organizations. NinjaOne offers various capabilities that can help improve automation, control, and monitoring.

NinjaOne capability: Automation and scripting
  • Purpose: Deploy PowerShell or audit scripts across devices and tenants
  • Use cases and benefits: Enforce or remediate sharing settings at scale (e.g., Set-SPOSite, Graph audits), which is ideal for MSPs managing many clients

NinjaOne capability: Endpoint policy enforcement
  • Purpose: Apply GPOs and registry keys remotely
  • Use cases and benefits: Block personal OneDrive sync, control file save behavior, and enforce sharing restrictions on unmanaged endpoints

NinjaOne capability: Compliance monitoring
  • Purpose: Alert on policy violations or sync misbehavior
  • Use cases and benefits: Detect unauthorized account syncs, missing registry keys, or unconfigured devices to ensure compliance across environments

NinjaOne capability: Multi-tenant visibility
  • Purpose: Centralized dashboards across all clients
  • Use cases and benefits: Quickly identify which tenants, sites, or devices are compliant or need remediation; ideal for large-scale MSP visibility

NinjaOne capability: Audit trail integration
  • Purpose: Tie alerts to tickets or incident workflows
  • Use cases and benefits: Link external sharing changes (such as an anonymous link created) to audit logs or service desk tickets for faster response

Taking steps toward safer collaboration

When managing external sharing in SharePoint and OneDrive for businesses, approach it with layered and scalable methods to succeed. From setting global defaults to auditing access, you must carefully follow some steps to minimize risk and ensure consistency while still enabling collaboration. If you execute this task properly, you can balance security with usability when working with parties outside your organization.
