Aug 01
Granular External Sharing Controls in SharePoint Online

A Long Time Coming

One of SharePoint Online's greatest strengths has always been its ability to easily share with users external to your organization. Yet this ease often brings with it concerns about excessive sharing. SharePoint Online has historically addressed this by allowing companies to turn off sharing either at the tenant level, or by placing restrictions at the site collection level.

In addition to totally enabling or disabling sharing, companies have also had the ability to add organizations to either a tenant level Allowed or Denied list by specifying their email domains. Until now, however, this capability has not applied at the site collection level.

Microsoft has just started rolling out site collection level allowed/denied lists. If this has been enabled in your tenant, you will now see a much richer experience when you configure sharing options for your site collections. To see this new experience, go into your Office 365 administration portal, and select SharePoint Administration:

This will usually default to your site collection list. Highlight a site collection, and click the Sharing icon on the ribbon:

Note that this option will not light up until you select a site collection.

Once you click the button, the enhanced sharing dialog will appear. Clicking one of the Allow options, as shown below, will then display the checkbox that lets you limit sharing by domain. Checking that box then lets you choose to set the list of domains that are enabled or blocked.

This gives your SharePoint Online admin tremendous flexibility.

One thing to keep in mind: as with most other SharePoint security settings, tenant-wide policies always trump less restrictive site collection policies, but your site collection settings can be more restrictive. For example:

  • If your tenant is mute on allowed/blocked domains, you can configure anything you want at the site collection level.
  • If you have a tenant-wide Allowed list, then you can only create a site collection Allowed list. In addition, any domains selected at the site collection level must also be members of the tenant Allowed list (that is, the site collection list must be a subset of the tenant list).
  • If you have a tenant-wide Denied list, you can configure either an allowed or blocked list, but you cannot "allow" at the site collection something that is "blocked" at the tenant.
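
The three rules above can be turned into an audit check that flags site collections whose domain lists conflict with the tenant policy. The following is an added example, not code from this post or from Microsoft; it assumes objects carrying the SharingDomainRestrictionMode, SharingAllowedDomainList and SharingBlockedDomainList properties that the SharePoint Online Management Shell exposes through Get-SPOTenant and Get-SPOSite, and the function names, domains and site URLs are hypothetical.

```powershell
# Added example. Domain lists are space-separated strings; compare case-insensitively.
function ConvertTo-DomainSet([string]$List) {
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($d in ($List -split '[\s,]+')) { if ($d) { [void]$set.Add($d) } }
    return ,$set
}

function Test-SiteSharingDomainPolicy {
    param([Parameter(Mandatory)] $Tenant, [Parameter(Mandatory)] $Site)
    $findings    = @()
    $siteMode    = [string]$Site.SharingDomainRestrictionMode
    $siteAllowed = ConvertTo-DomainSet $Site.SharingAllowedDomainList
    switch ([string]$Tenant.SharingDomainRestrictionMode) {
        'AllowList' {
            # Rule 2: only an Allowed list, and it must be a subset of the tenant's.
            $tenantAllowed = ConvertTo-DomainSet $Tenant.SharingAllowedDomainList
            if ($siteMode -eq 'BlockList') {
                $findings += 'Tenant uses an Allowed list; the site collection may only use an Allowed list.'
            } elseif ($siteMode -eq 'AllowList') {
                foreach ($d in $siteAllowed) {
                    if (-not $tenantAllowed.Contains($d)) { $findings += "'$d' is not on the tenant Allowed list." }
                }
            }
        }
        'BlockList' {
            # Rule 3: either list type is fine, but nothing blocked at the tenant may be allowed here.
            $tenantBlocked = ConvertTo-DomainSet $Tenant.SharingBlockedDomainList
            if ($siteMode -eq 'AllowList') {
                foreach ($d in $siteAllowed) {
                    if ($tenantBlocked.Contains($d)) { $findings += "'$d' is blocked at the tenant." }
                }
            }
        }
        default { }  # Rule 1: tenant is silent, so any site collection setting is acceptable.
    }
    [pscustomobject]@{ Url = $Site.Url; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample data: hypothetical tenant and site collections.
$tenant = [pscustomobject]@{
    SharingDomainRestrictionMode = 'AllowList'
    SharingAllowedDomainList     = 'contoso.com fabrikam.com'
}
$sites = @(
    [pscustomobject]@{ Url = '/sites/finance'; SharingDomainRestrictionMode = 'AllowList'; SharingAllowedDomainList = 'contoso.com' }
    [pscustomobject]@{ Url = '/sites/vendors'; SharingDomainRestrictionMode = 'AllowList'; SharingAllowedDomainList = 'contoso.com northwind.example' }
    [pscustomobject]@{ Url = '/sites/legacy';  SharingDomainRestrictionMode = 'BlockList'; SharingBlockedDomainList = 'northwind.example' }
)
$sites | ForEach-Object { Test-SiteSharingDomainPolicy -Tenant $tenant -Site $_ }
```

With the sample data, the first site collection is reported as compliant, the second is flagged for a domain outside the tenant Allowed list, and the third is flagged for using a blocked list under a tenant Allowed list.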

Overall, this is a great addition to Office 365's governance capabilities.