External Sharing in SharePoint Online is a fantastic collaboration tool. Working with external parties on projects through SharePoint using features such as co-authoring and version control is invaluable when it comes to increasing productivity through Office 365. One topic that is constantly brought up in the planning phase is governance around what external parties we allow our users to share with.
We can control this at a tenancy level quite easily using the options in the SharePoint Online Admin Center. On the Sharing page of the SharePoint Online Admin Center we can select the option to ‘Limit external sharing using domains’.
From here we can select our top level domain restrictions.
This can be quite effective for smaller companies which deal with a few external parties. But what about when we have a large number of Site Collections with different types of data subject to different restrictions? For example, Vendor ‘A’ may need access to Site Collection ‘A’, but we need to ensure they cannot access Site Collection ‘B’, even if a member of staff attempts to share with them.
To implement Site Collection specific restrictions, we first need to allow all domains at the top level, as below. Be careful doing this and consider how it will impact existing data restrictions.
Now that the top level restriction is removed, create a new site collection or choose an existing Site Collection to restrict.
We need to use the SharePoint Online Management Shell to configure Site Collection Specific Allow or Block Lists. If you do not have the module you can download the latest version here.
Using the SharePoint Online Management Shell, connect to SharePoint Online using the ‘Connect-SPOService’ commandlet. This will prompt you for your administrator credentials.
Once connected, verify you can get your SPO Site details using the ‘Get-SPOSite’ commandlet with the ‘-Identity’ Parameter as in the below screenshot. For the Identity parameter, provide the URL of your Site Collection.
Once you have confirmed you are connected and can access the site, use the below commandlet to configure the sharing settings for the Site Collection.
To configure a list of allowed domains (most restrictive):
Set-SPOSite -Identity <Site Collection URL> -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "<Space delimited list of allowed Domains>"
To configure a list of blocked domains (least restrictive):
Set-SPOSite -Identity <Site Collection URL> -SharingDomainRestrictionMode BlockList -SharingBlockedDomainList "<Space delimited list of blocked Domains>"
Then verify the settings using the ‘Get-SPOSite’ commandlet again.
Now to test our settings, create a folder in a Document Library of the Site Collection you just restricted.
Attempt to share the folder with someone on the allow list you created and you should see the below, no issues sharing.
Now attempt to share with somebody not on your allowed list for the Site Collection and you should see the below message, preventing sharing.
If the above steps are built into your Site Collection provisioning and governance process we can add an extra layer of security around external sharing through SharePoint Online.
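One way to build these steps into a provisioning or governance script, as an added example that is not part of the original post: it applies an allow list per Site Collection with the commandlets shown above, then re-reads each site to confirm the setting and report drift. The admin URL, site URLs and domains are constructed placeholders.

```powershell
# Added example. All URLs and domains below are placeholders (assumptions).
$AdminUrl = 'https://contoso-admin.sharepoint.com'

# Desired state: Site Collection URL -> domains staff may share with.
$AllowLists = @{
    'https://contoso.sharepoint.com/sites/ProjectA' = @('vendora.example')
    'https://contoso.sharepoint.com/sites/ProjectB' = @('vendorb.example', 'auditor.example')
}

Connect-SPOService -Url $AdminUrl   # prompts for administrator credentials

$report = foreach ($url in $AllowLists.Keys) {
    # Normalise the wanted list so comparison ignores case and ordering.
    $wanted = @($AllowLists[$url] | ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique) -join ' '

    # Read the current setting; the allow list comes back space delimited.
    $site    = Get-SPOSite -Identity $url
    $current = @("$($site.SharingAllowedDomainList)" -split '\s+' |
        Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() } |
        Sort-Object -Unique) -join ' '

    $drift = ("$($site.SharingDomainRestrictionMode)" -ne 'AllowList') -or
             ($current -ne $wanted)

    if ($drift) {
        Set-SPOSite -Identity $url -SharingDomainRestrictionMode AllowList `
            -SharingAllowedDomainList $wanted
        $site = Get-SPOSite -Identity $url   # re-read to verify the change
    }

    [pscustomobject]@{
        Site              = $url
        Corrected         = $drift
        Mode              = "$($site.SharingDomainRestrictionMode)"
        AllowedDomains    = "$($site.SharingAllowedDomainList)"
        SharingCapability = "$($site.SharingCapability)"
    }
}

# Rows with Corrected = True had drifted from the desired allow list.
$report | Format-Table -AutoSize
```

The SharingCapability column shows whether external sharing is enabled on the site at all, which is worth checking alongside the domain list.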