Microsoft 365 guest sharing settings reference

This article provides a reference for the various settings that can affect guest sharing for the Microsoft 365 workloads: Teams, Office 365 Groups, SharePoint, and OneDrive. These settings are located in the Azure Active Directory, Microsoft 365, Teams, and SharePoint admin centers.

Azure Active Directory

Admin role: Global administrator

Azure Active Directory is the directory service used by Microsoft 365. The Azure Active Directory Organizational relationships settings directly affect sharing in Teams, Office 365 Groups, SharePoint, and OneDrive.

Note

These settings only affect SharePoint when SharePoint and OneDrive integration with Azure AD B2B (Preview) has been configured. The table below assumes that this has been configured.

Organizational relationships settings

Navigation: Azure Active Directory admin center > Azure Active Directory > Organizational relationships > Settings

Screenshot of Azure Active Directory Organizational Relationships Settings page

| Setting | Default | Description |
| --- | --- | --- |
| Guest users permissions are limited | Yes | This setting affects the directory tasks that a guest can perform. |
| Admins and users in the guest inviter role can invite | Yes | When set to Yes, admins can invite guests via Azure AD and via Microsoft 365 sharing experiences such as Teams and SharePoint; when set to No, they cannot. |
| Members can invite | Yes | When set to Yes, Azure AD members can invite guests via Azure AD; when set to No, they cannot. When set to Yes, Office 365 Group members can invite guests with owner approval; when set to No, Office 365 Group members can invite guests with owner approval but owners must be global administrators to approve. Note that Members can invite refers to members in Azure AD (as opposed to guests) and not to site or group members in Microsoft 365. This is identical to the Let users add new guests to the organization setting in Microsoft 365 Security & privacy. |
| Guests can invite | Yes | When set to Yes, guests in the directory can invite other guests to collaborate on Azure AD resources and on files and folders in SharePoint and OneDrive; when set to No, they cannot. Note that Allow external users to find user accounts in the directory by typing in exact email address matches must be turned on in the SharePoint admin center for guests to share files and folders with other guests. |
| Enable Email One-Time Passcode for guests (Preview) | No | When set to Yes, guests without an MSA or a work or school account can authenticate with Azure AD using a one-time passcode; when set to No, users will need to create a Microsoft account in order to authenticate. This setting must be set to Yes for SharePoint and OneDrive integration with Azure AD B2B (Preview) to work. |
| Collaboration restrictions | Allow invitations to be sent to any domain | This setting allows you to specify a list of allowed or blocked domains for sharing. When allowed domains are specified, then sharing invitations can only be sent to those domains. When denied domains are specified, then sharing invitations cannot be sent to those domains. This setting affects Microsoft 365 sharing experiences such as Teams and SharePoint. You can allow or block domains at a more granular level by using domain filtering in SharePoint or Teams. |

These settings affect how users are invited to the directory. They do not affect sharing with guests who are already in the directory.

Microsoft 365

Admin role: Global administrator

The Microsoft 365 admin center has organization-level settings for sharing and for Office 365 Groups.

Sharing

Navigation: Microsoft 365 admin center > Settings > Security & privacy > Sharing

Screenshot of the security and privacy guest sharing setting in the Microsoft 365 admin center

| Setting | Default | Description |
| --- | --- | --- |
| Let users add new guests to the organization | On | When set to Yes, Azure AD members can invite guests via Azure AD; when set to No, they cannot. When set to Yes, Office 365 Group members can invite guests with owner approval; when set to No, Office 365 Group members can invite guests with owner approval but owners must be global administrators to approve. Note that Members can invite refers to members in Azure AD (as opposed to guests) and not to site or group members in Microsoft 365. This is identical to the Members can invite setting in Azure Active Directory Organizational relationships settings. |

Office 365 Groups

Navigation: Microsoft 365 admin center > Settings > Services & add-ins > Office 365 Groups

Screenshot of Office 365 Groups guest settings in Microsoft 365 admin center

| Setting | Default | Description |
| --- | --- | --- |
| Let group members outside your organization access group content | On | When set to On, guests can access group content; when set to Off, they can't. This setting should be On for any scenario where guest users are interacting with Office 365 Groups or Teams. |
| Let group owners add people outside your organization to groups | On | When On, owners of Office 365 Groups or Teams can invite new guests to the group. When Off, owners can only invite guests who are already in the directory. |

These settings are at the organization level. See Create settings for a specific group for information about how to change these settings at the group level by using PowerShell.

Teams

The Teams master guest access switch, Allow guest access in Teams, must be On for the other guest settings to be available.

Admin role: Teams service administrator

Guest access

Navigation: Teams admin center > Org-wide settings > Guest access

Screenshot of Teams guest access toggle

| Setting | Default | Description |
| --- | --- | --- |
| Allow guest access in Teams | Off | Turns guest access on or off for Teams overall. This setting can take 24 hours to take effect once changed. |

Guest calling

Navigation: Teams admin center > Org-wide settings > Guest access

Screenshot of Teams guest calling options

| Setting | Default | Description |
| --- | --- | --- |
| Make private calls | On | When On, guests can make peer-to-peer calls in Teams; when Off, they can't. |

Guest meeting

Navigation: Teams admin center > Org-wide settings > Guest access

Screenshot of Teams guest meeting settings

| Setting | Default | Description |
| --- | --- | --- |
| Allow IP video | On | When On, guests can use video in their calls and meetings; when Off, they can't. |
| Screen sharing mode | Entire screen | When Disabled, guests can't share their screens in Teams. When set to Single application, guests can only share a single application on their screen. When set to Entire screen, guests can choose to share an application or their entire screen. |
| Allow Meet Now | On | When On, guests can use the Meet Now feature in Teams; when Off, they can't. |

Guest messaging

Navigation: Teams admin center > Org-wide settings > Guest access

Screenshot of Teams guest messaging settings

| Setting | Default | Description |
| --- | --- | --- |
| Edit sent messages | On | When On, guests can edit messages they previously sent; when Off, they can't. |
| Delete sent messages | On | When On, guests can delete messages they previously sent; when Off, they can't. |
| Chat | On | When On, guests can use chat in Teams; when Off, they can't. |
| Use Giphys in conversations | On | When On, guests can use Giphys in conversations; when Off, they can't. |
| Giphy content rating | Moderate | When set to Allow all content, guests can insert all Giphys in chats, regardless of the content rating. When set to Moderate, guests can insert Giphys in chats, but will be moderately restricted from adult content. When set to Strict, guests can insert Giphys in chats, but will be restricted from inserting adult content. |
| Use Memes in conversations | On | When On, guests can use memes in conversations; when Off, they can't. |
| Use stickers in conversations | On | When On, guests can use stickers in conversations; when Off, they can't. |
| Allow immersive reader for viewing messages | On | When On, guests can view messages in Immersive Reader; when Off, they can't. |

SharePoint and OneDrive (organization-level)

Admin role: SharePoint administrator

These settings affect all of the sites in the organization. They do not affect Office 365 Groups or Teams directly; however, we recommend that you align these settings with the settings for Office 365 Groups and Teams to avoid user experience issues. (For example, if guest sharing is allowed in Teams but not SharePoint, then guests in Teams will not have access to the Files tab because Teams files are stored in SharePoint.)

SharePoint and OneDrive sharing settings

Because OneDrive is a hierarchy of sites within SharePoint, the organization-level sharing settings directly affect OneDrive just as they do other SharePoint sites.

Navigation: SharePoint admin center > Sharing

Screenshot of SharePoint organization-level sharing settings

| Setting | Default | Description |
| --- | --- | --- |
| SharePoint | Anyone | Specifies the most permissive sharing permissions allowed for SharePoint sites. |
| OneDrive | Anyone | Specifies the most permissive sharing permissions allowed for OneDrive sites. This setting cannot be more permissive than the SharePoint setting. |

SharePoint and OneDrive advanced sharing settings

Navigation: SharePoint admin center > Sharing

Screenshot of SharePoint organization-level additional sharing settings

| Setting | Default | Description |
| --- | --- | --- |
| Limit external sharing by domain | Off | This setting allows you to specify a list of allowed or blocked domains for sharing. When allowed domains are specified, then sharing invitations can only be sent to those domains. When denied domains are specified, then sharing invitations cannot be sent to those domains. This setting affects all SharePoint and OneDrive sites in the organization. |
| Guests must sign in using the same account to which sharing invitations are sent | Off | Prevents guests from redeeming site sharing invitations using a different email address than the invitation was sent to. SharePoint and OneDrive integration with Azure AD B2B (Preview) does not use this setting because all guests are added to the directory based on the email address that the invitation was sent to. Alternate email addresses cannot be used to access the site. |
| Allow guests to share items they don't own | On | When On, guests can share items that they don't own with other users or guests; when Off they cannot. Guests can always share items for which they have full control. |

When files and folders are shared in SharePoint and OneDrive, sharing recipients are sent a link with permissions to the file or folder rather than being granted direct access to the file or folder themselves. Several types of links are available, and you can choose the default link type presented to users when they share a file or folder. You can also set permissions and expiration options for Anyone links.

Navigation: SharePoint admin center > Sharing

Screenshot of SharePoint organization-level files and folders sharing settings

| Setting | Default | Description |
| --- | --- | --- |
| File and folder links | Anyone with the link | Specifies which sharing link is shown by default when a user shares a file or folder. Users can change the option before sharing if they want. If the default is set to Anyone with the link and Anyone sharing is not allowed for a given site, then Only people in your organization will be shown as the default for that site. |
| These links must expire within this many days | Off (no expiration) | Specifies the number of days after an Anyone link is created that it expires. Expired links cannot be renewed. Create a new link if you need to continue sharing past the expiration. |
| File permissions | View and edit | Specifies the file permission levels available to users when creating an Anyone link. If View is selected, then users can only create Anyone file links with view permissions. If View and edit is selected, then users can choose between view and view and edit permissions when they create the link. |
| Folder permissions | View, edit, and upload | Specifies the folder permission levels available to users when creating an Anyone link. If View is selected, then users can only create Anyone folder links with view permissions. If View, edit, and upload is selected, then users can choose between view and view, edit, and upload permissions when they create the link. |

SharePoint and OneDrive security group settings

If you want to limit who can share with guests in SharePoint and OneDrive, you can do so by limiting sharing to people in specified security groups. These settings do not affect sharing via Office 365 Groups or Teams. Guests invited via a group or team would also have access to the associated site, though document and folder sharing could only be done by people in the specified security groups.

Navigation: SharePoint admin center > Sharing > Limit external sharing to specific security groups

Screenshot of SharePoint organization-level sharing security group settings

| Setting | Default | Description |
| --- | --- | --- |
| Let only users in selected security groups share with authenticated external users | Off | When On, only the people in the specified security groups can share with external users. Only Specific people links are available. Anyone sharing is effectively disabled unless Let only users in selected security groups share with authenticated external users and using anonymous links is also On. |
| Let only users in selected security groups share with authenticated external users and using anonymous links | Off | When On, only the people in the specified security groups can share with guests. Both Anyone and Specific people links are available. |

Both of these settings can be used at the same time. If a user is in security groups specified for both settings, then the greater permission level prevails (Anyone plus Specific user).

SharePoint (site level)

Admin role: SharePoint administrator

Site sharing

You can set guest sharing permissions for each site in SharePoint. This setting applies to both site sharing and file and folder sharing. (Anyone sharing is not available for site sharing. If you choose Anyone, users will be able to share files and folders by using Anyone links, and the site itself with new and existing guests.)

Navigation: SharePoint admin center > Active sites > select the site > Sharing

Screenshot of SharePoint site external sharing settings

| Setting | Default | Description |
| --- | --- | --- |
| Site content can be shared with | Varies by site type (see the table below) | Indicates the type of external sharing allowed for this site. Options available here are subject to the organization-level sharing settings for SharePoint. |

Because these settings are subject to the organization-wide settings for SharePoint, the effective sharing setting for the site may change if the organization-level setting changes. If you choose a setting here and the organization-level is later set to a more restrictive value, then this site will operate at that more restrictive value. For example, if you choose Anyone and the organization-level setting is later set to New and existing guests, then this site will only allow new and existing guests. If the organization-level setting is then set back to Anyone, this site would again allow Anyone links.

The table below shows the default sharing setting for each site type.

| Site type | Default sharing setting |
| --- | --- |
| Classic | Only people in your organization |
| OneDrive | Anyone |
| Group-connected sites (including Teams) | New and existing guests if the Office 365 Groups setting Let group owners add people outside the organization to groups is On; otherwise Existing guests only |
| Communication | Only people in your organization |
| Modern sites with no group (#STS3 TeamSite) | Only people in your organization |
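
Added example (not part of the original article and not a Microsoft API): a small Python model of how the organization-level and site-level sharing settings described above combine, run over a constructed settings snapshot to flag sites worth reviewing. The dictionary keys, site names, site-type labels and finding texts are assumptions made for illustration.

```python
from enum import IntEnum

class Sharing(IntEnum):
    """The page's sharing options, ordered least to most permissive."""
    ORG_ONLY = 0          # Only people in your organization
    EXISTING_GUESTS = 1   # Existing guests only
    NEW_AND_EXISTING = 2  # New and existing guests
    ANYONE = 3            # Anyone

def effective(org_level, site_choice):
    """A site runs at the more restrictive of the org level and its own choice."""
    return min(org_level, site_choice)

def default_link(org_default, site_effective):
    """An 'Anyone with the link' default falls back where Anyone is not allowed."""
    if org_default == "Anyone with the link" and site_effective < Sharing.ANYONE:
        return "Only people in your organization"
    return org_default

def audit(org, sites):
    """Return (site, finding) pairs for a constructed settings snapshot."""
    findings = []
    # The OneDrive setting cannot be more permissive than the SharePoint setting.
    od_level = min(org["sharepoint"], org["onedrive"])
    for name, kind, choice in sites:
        ceiling = od_level if kind == "onedrive" else org["sharepoint"]
        level = effective(ceiling, choice)
        if level == Sharing.ANYONE and org["anyone_link_expiry_days"] is None:
            findings.append((name, "Anyone links allowed with no expiration"))
        if kind == "group" and org["teams_guest_access"] and level == Sharing.ORG_ONLY:
            findings.append((name, "Teams guests allowed but site blocks guests (no Files tab)"))
    return findings

# Constructed snapshot: hypothetical keys and site names. Teams guest access is
# set to On here (the page's default is Off) to show the alignment check.
ORG = {"sharepoint": Sharing.ANYONE, "onedrive": Sharing.ANYONE,
       "anyone_link_expiry_days": None, "teams_guest_access": True}
SITES = [("hr-classic", "classic", Sharing.ORG_ONLY),
         ("alice-onedrive", "onedrive", Sharing.ANYONE),
         ("project-team", "group", Sharing.ORG_ONLY)]  # site tightened by an admin

if __name__ == "__main__":
    for site, finding in audit(ORG, SITES):
        print(f"{site}: {finding}")
```
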

See also

SharePoint and OneDrive external sharing overview

Guest access in Microsoft Teams

Adding guests to Office 365 Groups