Microsoft 365 external sharing design considerations


The purpose of this article is to present Microsoft 365 external sharing design considerations. When designing your Microsoft 365 tenant, you need to consider a number of factors for allowing or prohibiting access to your Microsoft 365 applications and data to a number of internal and external users. This article discusses the following design considerations by taking into account the relevant Microsoft best practices.

External sharing design considerations

The following external sharing design considerations should be made.

  • Collaborate on documents - Learn how to configure Microsoft 365 to allow sharing and collaboration with people outside your organization (both guests and unauthenticated users) on files and folders.
  • Collaborate in a site - Learn how to configure Microsoft 365 to enable sharing SharePoint sites with guests.
  • Collaborate as a team - Learn how to configure Microsoft 365 to enable guest collaboration in Teams.
  • Collaborate with external participants in a channel for collaborating with people outside the organization in a shared channel.
  • Best practices for sharing files and folders with unauthenticated users - Learn about best practices for sharing with unauthenticated users.
  • Limit accidental exposure - Learn how to reduce the chances of accidentally sharing sensitive content with people outside your organization.
  • Create a secure guest sharing environment - Learn about the tools provided in Microsoft 365 to help ensure that sharing with people outside your organization is done in a safe and secure manner and meets your governance requirements.
  • Limit sharing for guests. When you're working on a large project that involves guests from another organization, consider shared channels. Because shared channels do not use guest accounts, the users in the other organization can access the shared channel directly without having to log into your organization separately. If you have an ongoing vendor relationship in which guests are often changing, you can use entitlement management in Azure Active Directory to simplify guest management and allow the partner company to share in that responsibility. See Create a B2B extranet with managed guests for details.
  • If some of the sharing features in Microsoft 365 conflict with your governance policies, see Limit sharing in Microsoft 365 to learn about options for limiting sharing.

Additional external access settings

The following settings should also be configured appropriately, as per your organization's requirements.

Allow or deny guest user creation by everyone

The below setting is a general Microsoft 365 tenant setting, which can be configured from the main Microsoft 365 admin center portal.

Manage external sharing settings for Sharepoint Online sites

The below setting can be configured from the Sharepoint Online admin portal and can also be overwritten by each individual Sharepoint Online site.


Manage Azure AD guest invite settings

Use the Azure AD portal to configure guest invite settings, as shown below.

Microsoft Teams external and guest access settings

Microsoft teams features external and guest access, as explained below.

  • External access - A feature that allows users to find, call, and chat with people who have Microsoft identities, including those from other organizations. This corresponds to federated users for Teams, the same way that tenant federation worked in Skype for Business Server. For external access with other Microsoft 365 organizations you allow all domains (the default) or you can restrict external access by allowing or blocking specific domains, by blocking all domains (which turns external access off) or by limiting which users can use external access. You can also allow external access (federation) with Skype identities and Skype for Business identities.
  • Guest access - A feature that allows you to invite people from outside your organization to join a team. Guests can also call, chat, and meet with people in your organization and you can share files and folders with them. Invited people get an Azure AD B2B collaboration guest account in your directory. Guests are added to your organization's Azure Active Directory as B2B collaboration users. They must sign in to Teams using their guest account. If the normally use Teams with another Microsoft 365 organization, they need to switch organizations in Teams to interact with your organization.

The Microsoft Teams admin portal provides the following settings for external access settings.

The Microsoft Teams admin portal provides the following settings for guest access settings.