How to control the time period of shared content for external users in SharePoint Online and OneDrive

Microsoft SharePoint’s external sharing features enable users within your organization to share content with people outside the organization such as partners, vendors, clients, or customers. If your organization has more than one Microsoft 365 subscription, you can also use external sharing to share between licensed users on different subscriptions.

A tenant can define a policy that governs how long a sharing link remains active after a user shares content with an Azure AD guest account that is created automatically when sharing with an external user. The expiring access policy is not enabled by default. In the Sharing section of the SharePoint Online admin center, a tenant or SharePoint administrator must enable it and define the sharing period from 30 to 730 days.

How the external sharing settings work

External sharing options are available in SharePoint at both the organization and site levels. External sharing must be enabled at the organization level before it can be enabled on any site; individual sites can then be restricted further. If the site-level and organization-level sharing options do not match, the more restrictive value is always applied. Whichever option you select at either level, the more restrictive functionality also remains available. For example, if you enable unauthenticated sharing via “Anyone” links, users can still share with guests who sign in and with internal users.

If we have confidential information that should never be shared externally, we recommend storing it on a site that does not allow external sharing and creating separate sites for external sharing as needed. This helps us manage security risk by preventing unauthorized access to sensitive information.

The expiring access policy does not apply to guest accounts that access content through their Microsoft 365 group membership (teams). Instead of a sharing link, the guest’s ability to work with content in SharePoint Online is controlled by their membership.

Guest Expiration Policy

Guest membership applies at the Microsoft 365 group level: guests with permission to view a SharePoint site or use a sharing link may also have access to a Microsoft Teams team or a security group. As a result, even if access to a SharePoint site or sharing link expires, some guest users may still have access through a Team or security group elsewhere. Once enabled, the guest expiration policy applies only to guests who use sharing links or have direct permissions to a SharePoint site. It does not apply to guest users who already had permissions or gained access via a sharing link before the guest expiration policy took effect.

How to implement guest expiration for SharePoint Online sites

The guest expiration policy is a tenant-wide setting that can be overridden on a site-by-site basis, as is typical for SharePoint Online settings. To create the tenant-wide policy, we will navigate to the Policies section of the SharePoint Online admin center, then to Sharing, and finally to More external sharing settings. There we will see the option “Guest access to a site or OneDrive will expire automatically after this many days”. We set the checkbox and choose an expiration period between 30 and 730 days to enable the policy.

In our example, we set the guest expiration policy to 90 days.

There is also a PowerShell command that we may use:

# Run in the SharePoint Online Management Shell after connecting with Connect-SPOService
Set-SPOTenant -ExternalUserExpireInDays 90 -ExternalUserExpirationRequired $True
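An added PowerShell script (not from the original post) that reports the current tenant setting, optionally enforces the 90-day value while checking the 30 to 730 day range the admin center accepts, and lists sites that override the tenant policy with a longer period. The admin URL is a placeholder, and the site-level property names OverrideTenantExternalUserExpirationPolicy and ExternalUserExpirationInDays are assumed from the Get-SPOSite/Set-SPOSite cmdlets rather than taken from this page.

```powershell
# Added example: audit (and optionally enforce) the guest expiration policy.
# Assumes the SharePoint Online Management Shell module is installed and the
# caller holds the SharePoint administrator role.
param(
    [string]$AdminUrl = "https://<tenant>-admin.sharepoint.com",  # placeholder
    [int]$ExpireInDays = 90,   # the period used in this post
    [switch]$Enforce           # without this switch the script only reports
)

Import-Module Microsoft.Online.SharePoint.PowerShell -ErrorAction Stop
Connect-SPOService -Url $AdminUrl

# The admin center only accepts 30 to 730 days; reject anything else up front.
if ($ExpireInDays -lt 30 -or $ExpireInDays -gt 730) {
    throw "ExpireInDays must be between 30 and 730 (got $ExpireInDays)."
}

# Report the tenant-wide policy as it stands.
$tenant = Get-SPOTenant
Write-Host ("Tenant policy: required={0}, days={1}" -f `
    $tenant.ExternalUserExpirationRequired, $tenant.ExternalUserExpireInDays)

$drifted = (-not $tenant.ExternalUserExpirationRequired) -or
           ($tenant.ExternalUserExpireInDays -ne $ExpireInDays)
if ($drifted -and $Enforce) {
    Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays $ExpireInDays
    Write-Host "Tenant policy set to $ExpireInDays days."
} elseif ($drifted) {
    Write-Warning "Tenant policy differs from the expected $ExpireInDays days (use -Enforce to fix)."
}

# Sites may override the tenant policy; flag those that allow a longer period,
# since they weaken the tenant-wide control. (Assumed property names; read with
# -Detailed because the listing view does not populate every site property.)
$overrides = foreach ($s in Get-SPOSite -Limit All) {
    $site = Get-SPOSite -Identity $s.Url -Detailed
    if ($site.OverrideTenantExternalUserExpirationPolicy -and
        $site.ExternalUserExpirationInDays -gt $ExpireInDays) {
        [pscustomobject]@{ Url = $site.Url; Days = $site.ExternalUserExpirationInDays }
    }
}
if ($overrides) {
    Write-Warning "Sites overriding the tenant policy with a longer period:"
    $overrides | Format-Table -AutoSize
} else {
    Write-Host "No site overrides exceed the tenant period."
}
```

Run it without -Enforce first to see the drift report; the tenant change is only applied when -Enforce is passed.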

More info:

https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off

https://support.microsoft.com/en-us/office/manage-guest-expiration-for-a-site-25bee24f-42ad-4ee8-8402-4186eed74dea
