Administrators can govern how sharing will be configured for the organization, under the following categories:
- Anyone: Users can create links to files that can be shared with people without requiring any type of authentication.
- New and existing external users: Users can invite existing external users as well as new external users who aren't enrolled in their organization directory.
- Existing external users: Users can only invite external users who have already accepted an invitation.
- Only people in your organization: Users can invite internal users only. This means files can't be shared with external users.
OneDrive, SharePoint site administrators, and Team owners can invite internal and external users (if the overall tenant settings are configured to allow it).
However, if needed, organizations can leverage a Guest Inviter role, granting non-administrators the ability to invite guests.
While many settings can be configured globally, exceptions can still be made for groups of individuals. Sharing controls can be set to different levels of permissiveness for SharePoint (which also governs Teams) and OneDrive, though the OneDrive setting can never be more permissive than the overall SharePoint setting, as shown in the following screenshot:
Several best practices can help protect the organization while still allowing guests to collaborate. Among them are the following:
- Defining group and team classifications (such as Internal Only, Confidential, and so on) and limiting which groups are eligible for guest access
- Defining authentication requirements for guests, such as multi-factor authentication
- Forcing guests to accept terms of use
- Frequently reviewing guest access to ensure that only allowed users are guests (such as with Access Reviews)
- Defining client access requirements for guests
- Frequently reviewing activities in the audit log search
Security, compliance, and governance conversations should include a strategy for guest access.
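The four sharing levels and the rule that OneDrive can't be more permissive than SharePoint can also be reviewed from the SharePoint Online Management Shell. The following script is an added example, not part of the original text. The admin URL (a placeholder tenant) and the baseline level are assumptions, and the ranking table is this example's own construct.

```powershell
# Added example: audit tenant and site sharing levels against a chosen baseline.
# Requires the Microsoft.Online.SharePoint.PowerShell module and SharePoint admin rights.
$AdminUrl = 'https://contoso-admin.sharepoint.com'   # placeholder tenant (assumption)
$Baseline = 'ExistingExternalUserSharingOnly'         # assumed policy ceiling

# Admin-center sharing categories mapped to SharingCapability values,
# ranked from least (0) to most (3) permissive.
$Rank = @{
    'Disabled'                        = 0  # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1  # Existing external users
    'ExternalUserSharingOnly'         = 2  # New and existing external users
    'ExternalUserAndGuestSharing'     = 3  # Anyone
}

Connect-SPOService -Url $AdminUrl

# Tenant-wide settings: SharePoint (also governs Teams) and OneDrive
$tenant = Get-SPOTenant
$spo = [string]$tenant.SharingCapability
$od  = [string]$tenant.OneDriveSharingCapability
"Tenant SharePoint: $spo; OneDrive: $od"

# Sanity check: OneDrive should never rank above SharePoint
if ($Rank[$od] -gt $Rank[$spo]) {
    Write-Warning "OneDrive ($od) is more permissive than SharePoint ($spo)."
}
if ($Rank[$spo] -gt $Rank[$Baseline]) {
    Write-Warning "Tenant SharePoint sharing ($spo) exceeds baseline ($Baseline)."
}

# Sites (including OneDrive personal sites) configured above the baseline.
# Effective sharing for a site is the more restrictive of its own setting
# and the tenant setting, so these are the sites to review first.
Get-SPOSite -Limit All -IncludePersonalSite $true |
    Where-Object { $Rank[[string]$_.SharingCapability] -gt $Rank[$Baseline] } |
    Sort-Object { $Rank[[string]$_.SharingCapability] } -Descending |
    Select-Object Url, SharingCapability, Owner
```

The site list this produces is a natural input to the periodic guest access reviews listed above.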