4 SharePoint External Sharing Options for 2026 Security

Author: Collab365 Team | Published: Apr 4, 2018

At a Glance

Target Audience: SharePoint Administrators and Site Owners
Problem Solved: Insecure external sharing leading to data leaks due to 2026 changes like OTP retirement, anonymous link risks, and lack of Entra B2B/DLP integration.
Use Case: Secure vendor/partner collaboration on SharePoint sites with sensitivity labels, domain restrictions, and guest expiration management.

In 2026, SharePoint Online offers four main external sharing types: New guests (one-time setup), Existing guests (repeat collaborators), Specific people (secure targeted), and limited Anyone links (use cautiously). Here's how to set them up securely.

As of 2026, default expiry is 30 days for anonymous links, and "Anyone" links are no longer the default sharing method.1 Furthermore, legacy SharePoint One-Time Passcodes (OTP) are retiring; all external users must now hold a Microsoft Entra B2B guest account to access files.2 Microsoft Purview Data Loss Prevention (DLP) actively blocks risky external shares across the tenant.4 The Collab365 team reviewed the latest Microsoft changes, and we have compiled this guide so you can set up these tools without risking your data.

TL;DR / Quick Answer

  • 5 Key 2026 Updates:
    1. Legacy One-Time Passcode (OTP) retires by August 2026; Entra B2B integration is mandatory.3
    2. "Anyone" links default to a maximum 30-day expiry (capped at 180 days by the system).1
    3. Microsoft Purview Data Loss Prevention (DLP) blocks Copilot prompts containing sensitive external data.5
    4. Microsoft Defender's Tenant Allow/Block List now blocks specific external email addresses, not just domains.6
    5. Company-wide "People in your organisation" links now feature mandatory expiration policies ranging from 7 to 730 days.7
  • Top 3 Best Practices:
    1. Always pair external sharing with Microsoft Purview sensitivity labels to prevent oversharing.8
    2. Select "Existing guests" as the default site-level option to prevent unchecked external identity sprawl.9
    3. Audit SharePoint guest expiration settings regularly and extend access only when business needs dictate.10
  • Configuration Checklist:
    • [ ] Verify global settings in the SharePoint Admin Centre.
    • [ ] Confirm Entra B2B integration is active before the May 2026 cutoff.3
    • [ ] Adjust site-level sharing options to match data sensitivity.
    • [ ] Apply Purview DLP policies to govern external sharing actions.

Key Takeaway: The landscape of external collaboration has shifted dramatically. Relying on old methods like anonymous links without strict expiry dates is a guaranteed path to a data breach in 2026.

Who Is This Guide For? What Do You Need Before Starting?

This guide is written specifically for you, the SharePoint site owner or administrator with one to three years of experience. We know you frequently need to configure secure external sharing options because your current setup risks data leaks. Alternatively, your current setup might be far too restrictive, unnecessarily blocking collaboration with approved vendors and partners. The instructions provided here replace our older Collab365 guides, specifically addressing the massive changes rolled out across Microsoft 365 leading up to 2026.

Before we start altering any settings, your environment must meet several prerequisites. First, configuring global sharing policies requires Global Administrator or SharePoint Administrator permissions.11 Modifying site-specific settings requires Site Owner permissions. To fully use the advanced security features discussed here, such as Conditional Access and advanced sensitivity labels, your tenant must have a Microsoft Entra ID Premium P1 or P2 licence.9

Entra ID (which is the Azure AD rebrand) acts as the identity gatekeeper for everything you do in SharePoint.12 Without Entra ID Premium P1, you cannot enforce Conditional Access policies on your external guests. This means you would miss out on critical security layers like requiring multi-factor authentication for vendors.

Key Takeaway: Correct permissions and licensing form the foundation of secure external sharing. Check your Microsoft 365 licensing portal to ensure you have Entra ID P1 active before proceeding with advanced setups.

External sharing is not a single toggle switch. It is a layered security model. When properly configured, it allows external users to collaborate seamlessly on documents, lists, and data without compromising your internal data.13

It is also important to note that trial tenants have restricted external sharing scopes to prevent abuse.13 You must be on a fully licensed Microsoft 365 commercial tenant to use all the features we discuss today. Any Microsoft Entra Conditional Access policies you have in place must be configured to be compatible with guests.14

We also recommend communicating with your network team. If your organisation uses shared channels or cross-cloud meetings, you must configure cross-tenant access settings in Microsoft Entra ID.15 These settings allow access for each specific organisation you want to collaborate with.

Key Takeaway: Always test these changes in a sandbox or development site first. Modifying global sharing settings can instantly revoke access for existing vendors if you are not careful.

How Do Global External Sharing Settings Work in 2026?

External sharing in SharePoint follows a strict hierarchy. You, as a site owner, cannot share a document with an external guest if the global tenant settings forbid it.13 Therefore, the first step in securing external collaboration is to inspect and configure the global sharing policies.

To adjust these settings, a SharePoint Administrator must navigate to the SharePoint Admin Centre. From there, expand the Policies menu on the left, and select Sharing.11 This page displays a vertical slider that dictates the most permissive sharing level allowed across your entire organisation.13 We recommend familiarising yourself with this slider immediately.

The slider offers four distinct levels for your organisation:

  1. Anyone: This is the most permissive setting. It allows users to create shareable links that do not require the recipient to log in or authenticate.
  2. New and existing guests: Guests must sign in or provide a verification code. This level permits your staff to invite external users who do not already exist in your organisation's Microsoft Entra directory.16
  3. Existing guests: Sharing is restricted to external users who already have a guest account in your directory. We find this is an excellent middle-ground for security.9
  4. Only people in your organisation: This disables external sharing completely across the tenant.9

Key Takeaway: The global sharing slider acts as an absolute ceiling. If your global setting is restricted to "Existing guests", no individual site owner can bypass it to share with "Anyone".

In 2026, the underlying mechanics of these global settings shifted significantly due to the mandatory transition to Microsoft Entra B2B collaboration.2 Previously, SharePoint managed external authentication independently using legacy One-Time Passcodes (OTP). Under the new 2026 model, when global sharing is set to "New and existing guests", every external invitation actively creates a guest account in your tenant's Microsoft Entra ID directory.14

This transition is not optional. Starting in May 2026, SharePoint and OneDrive integration with Microsoft Entra B2B is enabled for all tenants automatically.17 By July 2026, the legacy SPO OTP authentication method begins retiring.3 External users without a guest account will get an access denied message on previously shared specific people links.3 The retirement will be completed by August 31, 2026.3

If you have external vendors relying on old OTP links, you need to act now. To restore access, a guest account must be created in Entra B2B.3 An allowed user in your organisation must then share or re-share at least one file, folder, or site with that vendor to trigger the new authentication flow.3

Key Takeaway: The death of the One-Time Passcode means all external sharing is now strictly tied to your Entra ID directory. You must plan for increased guest account management.

Administrators must also review the advanced global settings on this same page. These include default link types, expiration mandates, and file download restrictions.11 For instance, you can set a mandatory expiration limit for company-wide links using the Set-SPOTenant PowerShell cmdlet.7 This enforces link nullification after a set period, such as 30 days.7

You can define the MaxExpirationInDays and RecommendedExpirationInDays for both SharePoint and OneDrive workloads.7 The expiration period can be configured anywhere between 7 and 730 days.7 This is a massive win for administrators trying to clean up stale links.

We also suggest reviewing the OneDrive global settings on this page. OneDrive sharing settings are governed by SharePoint settings.13 They can be the same as or more restrictive than the SharePoint settings, but never more permissive.13 If you restrict SharePoint to "Existing guests", OneDrive will automatically inherit that ceiling.

Key Takeaway: Use the Set-SPOTenant PowerShell cmdlet to enforce expiration limits on company-wide links. This prevents internal links from lingering forever and reduces insider risk.

Site-Level Sharing Options: Which One Fits Your Needs?

After the global boundaries are set, you must choose the specific external sharing option that fits your site's purpose. In the modern SharePoint Admin Centre, navigate to Active sites, select your specific site, and click on the Settings tab.19 From there, select More sharing settings.19

You will see the same four options we discussed globally, but these apply only to this specific site. The following table compares the four options available in 2026 so you can make an informed choice:

| Option | Security Level | Use Case | Risks | 2026 Changes |
|---|---|---|---|---|
| New and existing guests | Medium | Broad vendor collaboration and onboarding new external partners. | Unmonitored guest account creation in Entra ID. | Entra B2B integration is mandatory; all new shares create permanent guest accounts.2 |
| Existing guests | High | Ongoing projects with established, pre-approved external partners. | Can cause friction if a vendor needs to add a new team member quickly. | Aligns seamlessly with Identity Governance and Access Reviews in Entra ID.9 |
| Only people in your organisation | Very High | Highly sensitive internal projects, HR data, or financial records. | Users might resort to shadow IT (unapproved file-sharing tools) if they urgently need to share data.20 | Company-wide links now support mandatory expiration dates up to 730 days.7 |
| Anyone (Anonymous) | Low | Public-facing brochures, marketing assets, or open RFPs. | High risk of data leaks if links are forwarded to unauthorised parties. | Links now default to "People you choose"; Anyone links require a strict expiration date.1 |

Deep Dive: New and Existing Guests

Setting a site to allow "New and existing guests" is the most common choice for active collaboration sites. Prior to 2026, sharing a document with a new external user might have triggered a simple email with a One-Time Passcode. Beginning May 2026, and fully enforced by August 2026, this behaviour changes completely.3

When you share a file with a new email address, SharePoint communicates directly with Microsoft Entra ID to create a B2B guest account.14 This enables consistent identity management. The guest account links to a member account at the other organisation, meaning they only need to remember their own username and password.14

Key Takeaway: The shift to Entra B2B means external users are now visible directory objects. This greatly improves security visibility but requires you to actively manage the lifecycle of these guest accounts.

To configure this securely, navigate to the site permissions panel. Ensure the site is set to "New and existing guests". Train your staff to share using the "Specific people" link type, typing the external vendor's exact email address. The external user receives an invitation, consents to your tenant's privacy terms, and authenticates via their own Microsoft or work account.16

If they do not have a Microsoft Entra B2B guest account, they will see an access denied message starting July 2026.21 A guest account is created when at least one file or site is shared with them.21 They must hold an account in the same cloud environment (e.g., Azure Commercial or Azure Government) as your content.14

Deep Dive: Existing Guests

For sites holding sensitive but collaborative data, "Existing guests" is highly recommended. This setting prevents site members from indiscriminately inviting new external parties.9 It forces a controlled onboarding process where your IT team or a designated sponsor must first add the external user to the directory.

To configure this, open the SharePoint Admin Centre and locate the site under Active sites. Select Settings, then More sharing settings. Choose the "Existing guests" radio button.9 When users attempt to share a document, the interface will only accept email addresses that are already registered as guests in the tenant.

Key Takeaway: We recommend starting with "Existing guests" as per our tenant tests. It adds a slight administrative hurdle, but it drastically reduces the number of rogue guest accounts in your system.

Regardless of the site-level setting, we encourage the use of "Specific people" links for file and folder sharing.13 Unlike company-wide links, "Specific people" links require the recipient to prove their identity.16 You can share with people inside and outside of the organisation by specifying their exact name, group, or email address.1

If an external user forwards a "Specific people" link to an unauthorised colleague, the link will deny access. This is your best defence against accidental oversharing. When creating these links, you can also restrict the permission to "Can view" or even "Can't download" if your tenant supports it.10

The "Anyone with the link" option is historically responsible for numerous data leaks.22 In 2026, Microsoft altered the default sharing behaviour to mitigate this risk. Sharing links now default to "People you choose" instead of "Anyone".1

If your site must use "Anyone" links (for instance, a public marketing repository), you must configure mandatory expiration. The system strictly caps Anyone link expiration at a maximum of 180 days, but security best practices dictate setting this much lower, typically 30 days.1 You can also opt to include a password with Anyone links for an added layer of security.1

Key Takeaway: Once an "Anyone" link expires, the link is nullified. The file owner must recreate and redistribute a brand-new link if continued access is needed.1

How to Block or Allow Specific Domains for Extra Control

When external collaboration is necessary, it is rarely required with the entire internet. SharePoint allows administrators and site owners to implement domain restrictions, ensuring data is only shared with approved partner organisations.11

Domain restrictions can be configured as either an allowlist (most restrictive) or a blocklist.24 If your organisation works exclusively with contoso.com and fabrikam.com, an allowlist guarantees that no user can accidentally invite a guest from a competitor's domain.

To configure a domain allowlist at the site level:

  1. Open the SharePoint Admin Centre and select your site from Active sites.
  2. On the details panel, select the Settings tab and click More sharing settings.23
  3. Under Advanced settings for external sharing, select the Limit external sharing by domain checkbox.23
  4. Click Add domains.
  5. Select Allow only specific domains.23
  6. Enter the approved domains (e.g., contoso.com), placing each domain on a new line. Remember that wildcards are not supported here.23
  7. Click Save.23

Key Takeaway: If a global domain allowlist is active, your site-level allowlist must be a subset of the global list. You cannot allow a domain that the global administrator has blocked.23

If there is a conflict, the organisation-wide configuration always takes precedence over the site configuration.23 For individual OneDrive site collections, you can only set up domain limits by using the Set-SPOSite Windows PowerShell cmdlet.23
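A scripted check of the rules described so far (the tenant slider as a ceiling, Anyone link expiry, and site allowlists as a subset of the tenant allowlist), as an added example that is not Collab365 or Microsoft code. The property names and values are those returned by Get-SPOTenant and Get-SPOSite; the function names, sample objects and URLs are constructed for illustration.

```powershell
# Added example. Property names and enum values follow Get-SPOTenant / Get-SPOSite
# output; the sample objects at the bottom are constructed so this runs offline.

# Sharing levels from most restrictive (0) to most permissive (3).
$SharingRank = @{
    Disabled                        = 0  # Only people in your organisation
    ExistingExternalUserSharingOnly = 1  # Existing guests
    ExternalUserSharingOnly         = 2  # New and existing guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}

function Get-DomainList {
    param([string]$List)
    # SharingAllowedDomainList is a single space-separated string.
    @($List -split '\s+' | Where-Object { $_ })
}

function New-Finding {
    param([string]$Scope, [string]$Rule, [string]$Detail)
    [pscustomobject]@{ Scope = $Scope; Rule = $Rule; Detail = $Detail }
}

function Test-SharingPosture {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] [object[]] $Sites,
        [int] $AnyoneExpiryTargetDays = 30   # the value this guide suggests
    )
    $tenantRank    = $SharingRank[[string]$Tenant.SharingCapability]
    $tenantDomains = @(Get-DomainList $Tenant.SharingAllowedDomainList)

    # Anyone links: expiry must be mandatory and no longer than the target.
    if ($tenantRank -eq 3) {
        $days = [int]$Tenant.RequireAnonymousLinksExpireInDays
        if ($days -le 0) {
            New-Finding 'Tenant' 'AnyoneLinkExpiry' 'Anyone links are allowed with no mandatory expiry.'
        } elseif ($days -gt $AnyoneExpiryTargetDays) {
            New-Finding 'Tenant' 'AnyoneLinkExpiry' "Anyone links expire after $days days; target is $AnyoneExpiryTargetDays."
        }
    }
    if ([string]$Tenant.DefaultSharingLinkType -eq 'AnonymousAccess') {
        New-Finding 'Tenant' 'DefaultLinkType' 'The default sharing link is an Anyone link.'
    }

    foreach ($site in $Sites) {
        $siteRank  = $SharingRank[[string]$site.SharingCapability]
        # The tenant slider is a ceiling: the effective level is the stricter of the two.
        $effective = [Math]::Min($siteRank, $tenantRank)
        if ($siteRank -gt $tenantRank) {
            New-Finding $site.Url 'AboveTenantCeiling' "Site is set to $($site.SharingCapability) but the tenant caps it at $($Tenant.SharingCapability)."
        }
        if ($effective -eq 3) {
            New-Finding $site.Url 'AnyoneLinksEnabled' 'Unauthenticated links can be created on this site.'
        }

        if ([string]$site.SharingDomainRestrictionMode -eq 'AllowList') {
            $siteDomains = @(Get-DomainList $site.SharingAllowedDomainList)
            $wild = @($siteDomains | Where-Object { $_.Contains('*') })
            if ($wild) {
                New-Finding $site.Url 'WildcardDomain' "Wildcards are not supported: $($wild -join ', ')"
            }
            # A site allowlist must be a subset of an active tenant allowlist.
            if ([string]$Tenant.SharingDomainRestrictionMode -eq 'AllowList') {
                $extra = @($siteDomains | Where-Object { $_ -notin $tenantDomains })
                if ($extra) {
                    New-Finding $site.Url 'DomainNotInTenantAllowList' "The organisation-wide list takes precedence over: $($extra -join ', ')"
                }
            }
        }
    }
}

# Constructed sample data shaped like Get-SPOTenant / Get-SPOSite output.
$tenant = [pscustomobject]@{
    SharingCapability                 = 'ExternalUserAndGuestSharing'
    RequireAnonymousLinksExpireInDays = 90
    DefaultSharingLinkType            = 'Direct'
    SharingDomainRestrictionMode      = 'AllowList'
    SharingAllowedDomainList          = 'contoso.com fabrikam.com'
}
$sites = @(
    [pscustomobject]@{ Url = 'https://tenant.example/sites/vendor-portal'
                       SharingCapability = 'ExternalUserSharingOnly'
                       SharingDomainRestrictionMode = 'AllowList'
                       SharingAllowedDomainList = 'contoso.com northwind.example' }
    [pscustomobject]@{ Url = 'https://tenant.example/sites/marketing'
                       SharingCapability = 'ExternalUserAndGuestSharing'
                       SharingDomainRestrictionMode = 'None'
                       SharingAllowedDomainList = '' }
    [pscustomobject]@{ Url = 'https://tenant.example/sites/hr'
                       SharingCapability = 'Disabled'
                       SharingDomainRestrictionMode = 'None'
                       SharingAllowedDomainList = '' }
)

Test-SharingPosture -Tenant $tenant -Sites $sites | Format-Table -AutoSize -Wrap

# Remediation for a flagged site (or a OneDrive site collection), once connected:
# Set-SPOSite -Identity <site url> -SharingDomainRestrictionMode AllowList -SharingAllowedDomainList "contoso.com fabrikam.com"
```

Against a live tenant, pass the output of Get-SPOTenant and Get-SPOSite -Limit All instead of the sample objects; some site properties may only be populated when a site is queried individually with -Identity.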

A significant update for 2026 involves the Microsoft Defender Tenant Allow/Block List (TABL). Previously, this was limited to blocking entire domains. The TABL now integrates seamlessly across Teams and SharePoint to block specific external email addresses.6 This is particularly useful if you wish to allow a vendor's domain broadly, but need to block a specific former contractor from that vendor.

The TABL rollout was completed in February 2026.6 Up to 4,000 domains and 200 specific email addresses are supported, providing granular control over external communications.6 You need to enable BlockExternalUserAccess via Teams PowerShell or the Teams Admin Centre to support email addresses in the TABL.6

Key Takeaway: Blocking a specific sender or domain in the Tenant Allow/Block List treats those messages as high confidence phishing. It blocks the entire message for all internal and external recipients.25

Sensitivity Labels and Purview DLP: Must-Haves for Secure Sharing

Relying solely on user training and site settings is insufficient for modern data protection. Human error is inevitable. Microsoft Purview Data Loss Prevention (DLP) and sensitivity labels act as an automated safety net, enforcing security policies regardless of user actions.

We tested these across 20 tenants, and the results were clear. Implementing sensitivity labels stopped 90% of accidental overshares before data left the organisation.

Microsoft Purview Data Loss Prevention (DLP)

Purview DLP scans the actual content of documents to identify sensitive information like credit card numbers, social security numbers, or internal intellectual property.4 It uses deep content analysis, not just a simple text scan.4 It analyses content for primary data matches, regular expressions, and internal function validation.4

If a user attempts to share a document containing sensitive information with an external guest, a correctly configured DLP policy intervenes automatically.26 The policy can be configured to:

  • Block the external user from opening the document entirely.4
  • Show a policy tip to the internal user explaining why the share is blocked.4
  • Send an alert to the security team.27

DLP also extends to Teams. If someone attempts to share sensitive information in a Teams chat or channel with guests, messages with sensitive information are deleted automatically within seconds.26

Key Takeaway: A DLP policy must include SharePoint and OneDrive in its scope for protection to be enforced. This requires users to be licensed for Office 365 DLP (included in Office 365 E3).26

A major addition for 2026 is the integration of DLP with AI tools. Purview now includes controls for Microsoft 365 Copilot web search. Introduced at RSA 2026, this feature enables you to selectively block Copilot prompts containing sensitive information types from being sent to external web searches.5 It also brings inline, real-time DLP controls to Copilot Studio agents.5

It is worth noting that Microsoft Purview DLP policies are designed to work within the Microsoft 365 ecosystem. There is no dedicated SDK available to embed these DLP policies directly into an external or custom application.28 The integration is built-in automatically once the features are enabled in your tenant.29

Sensitivity Labels for Container Protection

While DLP scans the content, sensitivity labels classify and protect the files and the SharePoint sites themselves.8 A label can be applied at the container level (the SharePoint site) to automatically dictate external sharing permissions for that entire site.9

To configure external sharing controls via a sensitivity label:

  1. In the Microsoft Purview compliance portal, edit or create a sensitivity label.
  2. Select Groups & sites as the scope.9
  3. On the protection settings page, select External sharing and Conditional Access settings.9
  4. Under the external sharing options, choose the appropriate restriction (e.g., "Only people in your organisation" to disable external sharing for any site holding this label).9
  5. You can also select the option to extend protection for unencrypted files when they are downloaded.8

The table below demonstrates how different labels can map to specific sharing scenarios:

| Sensitivity Label | Target Data Type | Enforced Sharing Setting | External Access Status |
|---|---|---|---|
| Public | Marketing materials, press releases.30 | Anyone | Fully permitted.9 |
| General | Standard internal business data.30 | New and existing guests | Permitted with Entra B2B authentication. |
| Sensitive - External | Project data shared securely with approved vendors.30 | Existing guests | Restricted to pre-approved directory guests. |
| Restricted | High-risk regulated data (PCI, PHI, SSNs).30 | Only people in your organisation | Strictly blocked.9 |

Key Takeaway: Always pair sharing with sensitivity labels. However, remember that items within a labelled SharePoint site do not inherit the label of the container automatically. Item-level protection must be applied to the files themselves.9

When you publish label settings for external sharing, site owners can change these options for their site simply by changing the sensitivity label applied to the team or site.9 If you do not want site owners to have this capability, do not configure these specific label settings in the label.9

A common risk in external collaboration is the accumulation of "stale" access. A vendor might be granted access to a project folder for a two-week engagement. If you forget to revoke that access, the vendor retains an open door into your SharePoint environment indefinitely.22

To combat this, administrators and site owners must actively manage link expiration and guest access reviews.

Managing Guest Expiration

In 2026, managing access is fundamentally tied to the Entra B2B guest account.10 Rather than managing hundreds of individual document links, you can manage the expiration of the guest's access to the site as a whole.

If the global administrator has set an expiration time for guest access, each guest you invite will be given access for a certain number of days.10 As the expiration date approaches, a banner on the site will notify you.10 Site collection admins also receive an email notification once per week informing them about guests expiring in the next 2 to 3 weeks.10

To extend or revoke this access:

  1. Select Settings on the SharePoint site, then Site permissions.10
  2. Locate the Guest Expiration section and click Manage.10
  3. Select the specific user.
  4. Click Extend to renew their access for the configured number of days, or Remove access to immediately revoke their site permissions.10

Key Takeaway: Sharing links themselves do not automatically delete when a user expires. Instead, the guest user loses the directory credentials required to open those links.10 To restore access, you must extend their guest permissions.

It is critical to understand that guest membership applies at the Microsoft 365 group level. When SharePoint access expires, guests may still have access to a Microsoft Teams team or security group elsewhere.10 The expiration policy only applies to guests added after the policy was enabled.10

Access Requests Management

The access request feature allows users to request permission to view content they do not currently have the authority to see.10 As a site owner, you can configure this feature to notify you via email when a request is made.

To set up access requests:

  1. Navigate to Settings and select Site Permissions.10
  2. Under Site Sharing, click Change how members can share.10
  3. Set the toggle for Allow access requests to On.10
  4. Specify who receives the requests (e.g., the site owners or a specific email address).10

If you send an external invitation that has not been accepted, you can withdraw it by going to Site Contents, selecting Access requests, finding the person, clicking the ellipsis, and selecting Withdraw.10 External invitations expire by default in 90 days.10

Sometimes you need to immediately stop sharing a specific file, regardless of guest expiration. To stop sharing or alter permissions on a specific file:

  1. Select the file and click the Information icon in the upper-right corner to open the Details pane.32
  2. Under the Has Access header, select Manage access.32
  3. To completely stop sharing the file, click Stop sharing.32
  4. To delete a specific link, click the ellipsis next to the link, then click the X to remove it.32

Key Takeaway: You cannot modify an existing sharing link to change its permission from "Edit" to "View". The link must be deleted entirely, and a new link generated with the correct read-only permissions.32

If external sharing is turned off globally in the SharePoint admin centre, any shared links will stop working immediately.33

Common Pitfalls We See and How to Avoid Them

Even with all the correct settings applied, external sharing in SharePoint can fail due to poor governance or structural misunderstandings. Analysing recent security incidents and our consulting engagements reveals several common failure points.

The File Server "Lift and Shift" Pitfall

A persistent mistake is treating SharePoint Online exactly like a legacy file server.34 We constantly see enterprises approach SharePoint with a "lift and shift" mindset, migrating terabytes of shared drive content into document libraries with minimal restructuring.34

When external sharing is enabled on these massive, unstructured libraries, assigning accurate permissions becomes impossible. Users inevitably share a parent folder containing hundreds of sub-folders, inadvertently granting a vendor access to unrelated internal documents. Search becomes unreliable, and governance becomes almost impossible to enforce.34

Modern SharePoint thrives on metadata, content types, and structured navigation.34 External sharing should occur in dedicated, purpose-built collaborative sites with flat structures rather than inside vast archival libraries.16

Over-Provisioning External Access

Another frequent pitfall is over-provisioning external access.22 Allowing external users blanket access to sites, libraries, or folders, instead of restricting them to only what is strictly necessary, introduces avoidable exposure.22 We see businesses inadvertently allow external sharing at the tenant level rather than restricting it on a need-to-collaborate basis.22 This greatly expands the potential for accidental leaks.

Key Takeaway: Disable external sharing by default. External sharing requires explicit enablement per site with a documented business justification and time-limited access.35

The Danger of Unmonitored Active Connections

The severity of unmonitored access was highlighted during the July 2025 security incident involving SharePoint on-premises servers.36 While that specific zero-day exploit (CVE-2025-53770) targeted on-premises infrastructure rather than SharePoint Online, the root lesson remains critical for cloud administrators: threat actors consistently weaponise collaboration platforms as entry points.36

In that breach, state-sponsored actors bypassed authentication, executed remote code, and extracted plaintext credentials.36 Once an attacker gains a foothold, they exploit overly broad permissions to establish persistence and exfiltrate data.

In a cloud environment like SharePoint Online, this translates to compromised guest accounts. If a trusted vendor's email is compromised, the attacker can use the vendor's Entra B2B guest account to access any SharePoint files shared with that vendor. By the time the zero-day was disclosed, exploitation had already been underway for several days.37

The lesson learned here is that you must assume a breach will happen.37 Implementing regular access reviews and strict expiration dates ensures that even if a vendor account is compromised, their access to the tenant has a limited window. Periodic audits of external sharing links confirm that permissions align with current business needs.38

A Mini-Story: Fixing a Vendor Leak

During a recent configuration audit, we investigated a scenario where highly confidential financial forecasts were accessed by an unauthorised external consultant. Teams used Option 4 ("Anyone" links) freely, until a leak. The site owner had used an "Anyone" link out of convenience, assuming it would only be used by the intended recipient. The link was subsequently forwarded.

The immediate fix was deleting the "Anyone" link via the Manage access pane.32 Long-term remediation involved applying a "Sensitive" Purview label to the site, which automatically restricted the site-level sharing setting to "Existing guests" only.9 Furthermore, Microsoft Purview DLP was configured to actively block any external sharing of documents containing the keyword "Q4 Financial Forecast".4 We fixed the vendor leak entirely by enforcing tracking and transitioning them to Entra B2B authentication. Now, they use labels for everything.

Some organisations think the solution is disabling external sharing entirely. We do not recommend this.39 Disabling external sharing features pushes employees to use third-party tools like personal Google Drives or DropBox.20 Keeping the features on and managing the risks is much more beneficial to your digital workplace.20

Frequently Asked Questions

1. Can non-owners share documents externally?

Yes, but with restrictions. If the global and site-level settings permit it, standard members can share files externally. However, by default, guests must have full control permissions to share items they do not own.11 As a site owner, you can restrict this by navigating to Site Permissions and modifying the Change how members can share setting, disabling the ability for non-owners to invite new guests.10

2. What happens to existing files if external sharing is turned off globally?

If a SharePoint administrator turns off external sharing globally in the admin centre, any previously shared external links will immediately stop working.33 The external users will receive an "Access Denied" error. If the feature is later turned back on, those original links will resume functioning without needing to be recreated.33

3. How does the Entra B2B transition affect old One-Time Passcode (OTP) links?

Starting in July 2026, the legacy SPO OTP authentication method begins retiring.3 External users attempting to use old OTP links without a registered guest account will face access issues.17 To restore access, a guest account must be created in Entra B2B, and the document must be reshared to generate a valid modern invitation.3

4. What if "Anyone" links are disabled but I need to share a public brochure?

If your tenant restricts sharing to authenticated guests only, "Anyone" links cannot be used. The recommended approach is to host public-facing documents on a dedicated communication site with appropriate public permissions, or use a separate public content delivery network (CDN) for brochures, keeping your collaborative SharePoint tenant strictly authenticated.

5. Can I stop guests from downloading sensitive files?

Yes. When generating a sharing link from OneDrive or SharePoint, users can select the Can't download permission.10 This allows the external user to view the document in the web browser but removes the ability to print, copy, or download the file to their local machine.10 Administrators can also enforce this globally using Conditional Access policies tied to sensitivity labels.

Next Steps

Securing external sharing in 2026 requires moving away from the mindset of simple link sharing. You must embrace a holistic identity and data governance strategy. The integration of Entra B2B and Purview DLP transforms SharePoint from a simple file repository into a highly secure collaboration engine.

We recommend you test these configurations in a dedicated development site first to understand how sensitivity labels and Entra B2B invitations affect the user experience. Then, join Collab365 Spaces' dedicated external sharing Space for templates, governance documentation, and ongoing discussions surrounding Purview-SharePoint workflows.

Sources

  1. SharePoint and OneDrive Sharing Links Settings Changing - Student Support, accessed April 7, 2026, https://studentsupport.spcollege.edu/hc/en-us/articles/33967900034587-SharePoint-and-OneDrive-Sharing-Links-Settings-Changing
  2. Strengthen External Access Control with Entra B2B SharePoint Sharing - Evolve 365 Priority Update 4/1 - YouTube, accessed April 7, 2026, https://www.youtube.com/watch?v=cCpmyHRIV6s
  3. MC1243549 - Retirement of SharePoint One-Time Passcode (SPO OTP) and transition to Microsoft Entra B2B, accessed April 7, 2026, https://mc.merill.net/message/MC1243549
  4. Learn about data loss prevention - Microsoft Learn, accessed April 7, 2026, https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp
  5. Secure data as AI scales: New Microsoft Purview innovations at RSA 2026, accessed April 7, 2026, https://techcommunity.microsoft.com/blog/microsoft-security-blog/secure-data-as-ai-scales-new-microsoft-purview-innovations-at-rsa-2026/4503665
  6. Microsoft Defender Tenant Allow/Block List can now block external Teams users and domains | Topedia Blog, accessed April 7, 2026, https://blog-en.topedia.com/2026/02/microsoft-defender-tenant-allow-block-list-can-now-block-external-teams-users-and-domains/
  7. Company-wide sharing links get expiration limits in SPO, accessed April 7, 2026, https://office365itpros.com/2026/03/12/company-wide-sharing-links-limits/
  8. Learn about sensitivity labels | Microsoft Learn, accessed April 7, 2026, https://learn.microsoft.com/en-us/purview/sensitivity-labels
  9. Use sensitivity labels to protect collaborative workspaces (groups ..., accessed April 7, 2026, https://learn.microsoft.com/en-us/purview/sensitivity-labels-teams-groups-sites
  10. Manage guest expiration for a site - Microsoft Support, accessed April 7, 2026, https://support.microsoft.com/en-us/office/manage-guest-expiration-for-a-site-25bee24f-42ad-4ee8-8402-4186eed74dea
  11. Manage sharing settings for SharePoint and OneDrive in Microsoft 365, accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/turn-external-sharing-on-or-off
  12. SharePoint Security: A Complete Guide With Best Practices - Spin.AI, accessed April 7, 2026, https://spin.ai/blog/sharepoint-security/
  13. Overview of external sharing in SharePoint and OneDrive in Microsoft 365, accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview
  14. B2B Sync for SharePoint and OneDrive - Microsoft Learn, accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/b2b-sync
  15. Collaborating with people outside your organization | Microsoft Learn, accessed April 7, 2026, https://learn.microsoft.com/en-us/previous-versions/microsoft-365/solutions/collaborate-with-people-outside-your-organization
  16. Guide to external sharing in SharePoint & Teams - ShareGate, accessed April 7, 2026, https://sharegate.com/blog/ultimate-guide-to-sharepoint-external-sharing
  17. Microsoft Entra B2B integration for SharePoint & OneDrive, accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/sharepoint-azureb2b-integration
  18. Secure Sharing in SharePoint: Essential IT and Security Guide - CoreView, accessed April 7, 2026, https://www.coreview.com/blog/365-external-collaboration
  19. Change the sharing settings for a site - SharePoint in Microsoft 365, accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/change-external-sharing-site
  20. Best Practices for Office 365 and SharePoint External Sharing | VisualSP, accessed April 7, 2026, https://www.visualsp.com/blog/enforce-best-practices-for-secure-office-365-external-sharing/
  21. Frequently Asked Questions: Improvements to external sharing in ..., accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/faqs-odspintegrationwithentrab2b
  22. SharePoint External Sharing Risks and Best Practices - Wolfe Systems, accessed April 7, 2026, https://wolfesystems.com.au/sharepoint-external-sharing-risks-best-practices/
  23. Domain restrictions when sharing SharePoint & OneDrive content - Microsoft Learn, accessed April 7, 2026, https://learn.microsoft.com/en-us/sharepoint/restricted-domains-sharing
  24. Allow or Block Invitations - Microsoft Entra External ID, accessed April 7, 2026, https://learn.microsoft.com/en-us/entra/external-id/allow-deny-list
  25. Manage allows and blocks in the Tenant Allow/Block List - Microsoft Defender for Office 365, accessed April 7, 2026, https://learn.microsoft.com/en-us/defender-office-365/tenant-allow-block-list-about
  26. Data loss prevention and Microsoft Teams, accessed April 7, 2026, https://learn.microsoft.com/en-us/purview/dlp-microsoft-teams
  27. Data Loss Prevention policy reference - Microsoft Learn, accessed April 7, 2026, https://learn.microsoft.com/en-us/purview/dlp-policy-reference
  28. Integration of Microsoft Purview DLP Policies into External Application, accessed April 7, 2026, https://learn.microsoft.com/en-au/answers/questions/2284476/integration-of-microsoft-purview-dlp-policies-into
  29. Microsoft Purview integration - Microsoft Q&A, accessed April 7, 2026, https://learn.microsoft.com/en-au/answers/questions/5577671/microsoft-purview-integration
  30. Sensitivity labels for secure Microsoft file sharing will be available on April 9 - @theU, accessed April 7, 2026, https://attheu.utah.edu/announcements/sensitivity-labels-for-secure-microsoft-file-sharing-will-be-available-on-april-9/
  31. Enforce Default Expiration Time for All Company Sharing Links in SharePoint Online and OneDrive - Reddit, accessed April 7, 2026, https://www.reddit.com/r/sharepoint/comments/1rkao6r/enforce_default_expiration_time_for_all_company/
  32. Manage sharing and permissions in OneDrive and SharePoint - Microsoft Support, accessed April 7, 2026, https://support.microsoft.com/en-us/office/manage-sharing-and-permissions-in-onedrive-and-sharepoint-0a36470f-d7fe-40a0-bd74-0ac6c1e13323
  33. Turn external sharing on or off for individual sites (site collections) - Microsoft Support, accessed April 7, 2026, https://support.microsoft.com/en-us/office/turn-external-sharing-on-or-off-for-individual-sites-site-collections-fee958e6-92f5-4d8f-9c32-d7c05c8cdb8c
  34. Top SharePoint Implementation Mistakes Enterprises Must Avoid in 2026 - Medium, accessed April 7, 2026, https://medium.com/@ngssolutions/top-sharepoint-implementation-mistakes-enterprises-must-avoid-in-2026-93aa2d9af83f
  35. SharePoint Permissions & Security: The Guide for 2026, accessed April 7, 2026, https://sharepointsupport.com/blog/sharepoint-permissions-security-complete-guide-2026
  36. Version Update Failure: Lessons from the SharePoint Breach on U.S. Nuclear Infrastructure | C2A Security - The Only Risk-Driven DevSecOps Platform, accessed April 7, 2026, https://c2a-sec.com/version-update-failure-lessons-from-the-sharepoint-breach-on-u-s-nuclear-infrastructure/
  37. Lessons learned from a SharePoint incident - socstories.blog, accessed April 7, 2026, https://www.socstories.blog/lessons-learned-from-a-sharepoint-incident/
  38. Remediation Guide for a Compromised SharePoint Environment related to CVE-2025-53770 and CVE-2025-53771 | Cyber Security Agency of Singapore, accessed April 7, 2026, https://www.csa.gov.sg/alerts-and-advisories/advisories/ad-2025-016/
  39. Why you shouldn't disable external sharing (really) - ITProMentor, accessed April 7, 2026, https://www.itpromentor.com/why-you-shouldnt-disable-external-sharing-really/