In today’s interconnected business landscape, collaboration often extends beyond the boundaries of an organization. SharePoint Online and OneDrive for Business, both integral parts of Microsoft 365, provide powerful tools for sharing and collaborating on documents, files, and resources.
While these tools offer numerous benefits, security and data governance remain top priorities. One essential feature for maintaining control over shared content is the ability to configure external user access expiration.
This feature ensures that shared resources are only accessible for the intended duration, enhancing data security and compliance. In this article, we will delve into configuring external user access expiration in SharePoint Online and OneDrive.
External users (or guest users) are individuals who do not belong to your organization but must collaborate on specific projects, documents, or resources. SharePoint Online and OneDrive allow sharing of content with these external users by generating shareable links.
While sharing is crucial for collaboration, it’s equally important to have mechanisms in place to revoke access when it’s no longer needed.
External user access expiration is a vital security feature that allows administrators to set an expiration date for shared content. This means that external users’ access to the shared resources will be automatically revoked after a predefined period.
This feature is handy when collaborating with contractors, clients, or partners for a limited time. Once the collaboration is complete, access is terminated without manual intervention, reducing the risk of unauthorized data exposure.
What are the benefits?
- Enhanced Security: By automatically revoking access after a set period, the risk of unauthorized access is significantly reduced.
- Data Compliance: In regulated industries, the ability to enforce access expiration contributes to data compliance efforts.
- Simplified Management: Administrators don’t need to manually monitor access periods and revoke permissions, leading to more efficient resource allocation.
- User-Friendly Collaboration: External users appreciate transparency, knowing upfront when their access will end.
Note. Changes to the OneDrive and SharePoint guest access expiration settings are not retroactive. The new expiration settings only apply to newly added guests to the site or OneDrive. The previously added guests’ access will retain the old expiration settings.
You can configure both OneDrive and SharePoint guest access expiration in the SharePoint admin center.
- Log in to your tenant’s SharePoint admin center. The URL is https://<tenant>-admin.sharepoint.com.
- Once logged in, navigate to Policies → Sharing.
- Under External sharing, expand the “More external sharing settings” section.
- Check the “Guest access to a site or OneDrive will expire automatically after this many days” box and enter the number of days after which external user access should expire. The default is 60 days.
- Scroll to the bottom of the page and click Save.
As a SharePoint administrator, you can override the tenant-level SharePoint guest access expiration per site. Follow these steps.
- Navigate to Sites → Active Sites in the SharePoint admin center and click the site name.
- Under the site’s Settings tab, click the “More sharing settings” link.
- Expand the “Advanced settings for external sharing” section.
- Uncheck the “Same as organization-level setting” box.
- Select the “Guest access expires automatically after this many days” option.
- Enter the number of days.
- Click Save.
A site owner can also extend the SharePoint guest access expiration individually. But note that this method only extends the external user access by one day.
- Open the SharePoint Online site as the site owner.
- Click the gear icon (Settings) → Site permissions.
- Under the “Guest Expiration” section, click the “Manage” link.
- Select one, several, or all external users and click Extend.
- On the confirmation prompt, click “Yes, extend.”
- The SharePoint guest access for the selected external users is extended by one more day. Close the Access Expiration flyout page.
Site-Level OneDrive External Sharing Access Expiration (OneDrive User)
Like a SharePoint site owner, users can extend external user access to their OneDrive.
- Open your OneDrive site in the web browser. The URL is https://<tenant>-my.sharepoint.com.
- Click the gear icon (Settings) → OneDrive settings.
- Click More Settings → Manage guest expiration.
- Select one, several, or all external users and click Extend.
- On the confirmation prompt, click “Yes, extend.”
- The OneDrive external sharing access for the selected external users is extended by one more day. Close the Access Expiration flyout page.
Administrators can configure the external user access expiration in PowerShell using the SharePoint Online Management Shell or PnP PowerShell. We’ll cover both methods in the following sections.
Assuming both modules are installed, you can run the following commands to connect to SharePoint Online.
```powershell
# Connect to SharePoint Online Management Shell
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url https://<tenant>-admin.sharepoint.com

# Connect to PnP PowerShell
Import-Module PnP.PowerShell
Connect-PnPOnline -Url https://<tenant>-admin.sharepoint.com
```
Once you’ve connected, let’s confirm the following properties on the tenant:
- ExternalUserExpirationRequired – This property indicates whether the external user access expiration is enabled on the tenant.
- ExternalUserExpireInDays – This property indicates the number of days after which external user access expires.
```powershell
# Using SharePoint Online Management Shell
Get-SPOTenant | Format-List ExternalUserExpirationRequired, ExternalUserExpireInDays

# Using PnP PowerShell
Get-PnPTenant | Format-List ExternalUserExpirationRequired, ExternalUserExpireInDays
```
For reference, these are the values behind the settings in the SharePoint admin center.
The following commands use the Set-SPOTenant and Set-PnPTenant cmdlets to configure the external user access expiration. In this example, the expiration is set to 90 days.
```powershell
# Using SharePoint Online Management Shell
Set-SPOTenant -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90

# Using PnP PowerShell
Set-PnPTenant -ExternalUserExpirationRequired:$true -ExternalUserExpireInDays 90
```
Administrators can override the organization-level external user access expiration settings per site and OneDrive. This method uses the Set-SPOSite and Set-PnPTenantSite cmdlets.
```powershell
# Define the SharePoint and/or OneDrive URL
$spoSiteUrl = 'https://lazyexch.sharepoint.com/sites/DataAnalyticsLab'
$odbSiteUrl = 'https://lazyexch-my.sharepoint.com/personal/june_lazyexchangeadmin_cyou'

# Using SharePoint Online Management Shell
Set-SPOSite -Identity $spoSiteUrl -OverrideTenantExternalUserExpirationPolicy:$true -ExternalUserExpirationInDays 90
Set-SPOSite -Identity $odbSiteUrl -OverrideTenantExternalUserExpirationPolicy:$true -ExternalUserExpirationInDays 90

# Using PnP PowerShell
Set-PnPTenantSite -Identity $spoSiteUrl -OverrideTenantExternalUserExpirationPolicy:$true -ExternalUserExpirationInDays 90
Set-PnPTenantSite -Identity $odbSiteUrl -OverrideTenantExternalUserExpirationPolicy:$true -ExternalUserExpirationInDays 90
```
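Because per-site overrides can diverge from the tenant baseline, it helps to audit which expiration actually applies to each site. The following is an added example, not part of the original article: it resolves the effective policy per site and flags sites where guest access never expires or outlives the tenant value. The function name, the sample data, and the assumption that site objects expose properties named like the Set-SPOSite parameters above are illustrative.

```powershell
# Added example: resolve the guest-expiration policy that applies to each site.
function Get-EffectiveGuestExpiration {
    param(
        [Parameter(Mandatory)] $Tenant,  # object shaped like Get-SPOTenant output
        [Parameter(Mandatory)] $Sites    # objects shaped like Get-SPOSite output (assumed property names)
    )
    # Tenant baseline: $null means guest access never expires.
    $tenantDays = $null
    if ($Tenant.ExternalUserExpirationRequired) { $tenantDays = [int]$Tenant.ExternalUserExpireInDays }

    foreach ($site in $Sites) {
        if ($site.OverrideTenantExternalUserExpirationPolicy) {
            $source = 'SiteOverride'
            # Assumption: 0 days on an overriding site means "no expiration".
            $days = $null
            if ($site.ExternalUserExpirationInDays -gt 0) { $days = [int]$site.ExternalUserExpirationInDays }
        } else {
            $source = 'Tenant'
            $days = $tenantDays
        }

        if ($null -eq $days) { $finding = 'NoExpiration' }
        elseif ($null -ne $tenantDays -and $days -gt $tenantDays) { $finding = 'LongerThanTenant' }
        else { $finding = 'OK' }

        [pscustomobject]@{
            Url           = $site.Url
            Source        = $source
            EffectiveDays = $days
            Finding       = $finding
        }
    }
}

# Constructed sample data (not real tenant output).
$tenant = [pscustomobject]@{ ExternalUserExpirationRequired = $true; ExternalUserExpireInDays = 60 }
$sites = @(
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/ProjectA'; OverrideTenantExternalUserExpirationPolicy = $false; ExternalUserExpirationInDays = 0 }
    [pscustomobject]@{ Url = 'https://contoso.sharepoint.com/sites/Vendors'; OverrideTenantExternalUserExpirationPolicy = $true; ExternalUserExpirationInDays = 180 }
    [pscustomobject]@{ Url = 'https://contoso-my.sharepoint.com/personal/user_contoso_com'; OverrideTenantExternalUserExpirationPolicy = $true; ExternalUserExpirationInDays = 0 }
)
Get-EffectiveGuestExpiration -Tenant $tenant -Sites $sites | Format-Table -AutoSize

# Live use after Connect-SPOService (per-site lookup so all properties are populated):
# $live = Get-SPOSite -Limit All -IncludePersonalSite $true | ForEach-Object { Get-SPOSite -Identity $_.Url }
# Get-EffectiveGuestExpiration -Tenant (Get-SPOTenant) -Sites $live | Where-Object Finding -ne 'OK'
```

This reports policy only; since expiration changes are not retroactive, guests added before a change keep the expiration they were given at the time.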
Conclusion
In an era where collaborative endeavors often transcend organizational boundaries, the significance of secure and controlled data sharing cannot be overstated. SharePoint Online and OneDrive for Business equip businesses with robust tools for seamless cooperation on files and resources. But, alongside these conveniences, the critical matters of data security and governance must remain at the forefront of any organization’s priorities.
The capability to configure external user access expiration stands as a pivotal feature in maintaining meticulous control over shared content. This article has delved comprehensively into the process of implementing external user access expiration in SharePoint Online and OneDrive, underscoring its indispensable role in bolstering data security and compliance.
Organizations achieve a dual benefit by setting predefined expiration dates for external users’ access to shared resources: fortifying data security against potential breaches and adhering to regulatory standards, particularly pertinent in industries that mandate strict compliance measures. The advantages extend beyond mere security, leading to streamlined administrative management. This efficiency frees administrators from the need for manual monitoring and permissions revocation and translates into optimal resource allocation across the organization.
For users interacting with shared content, the transparency inherent in knowing the exact duration of their access lends an air of user-friendliness and predictability to the collaboration experience.
It is important to note that while implementing access expiration settings is a forward-looking process, the enhancements do not apply retroactively. Therefore, existing external user access settings for SharePoint Online and OneDrive will remain under their original expiration periods.
Lastly, configuring external user access expiration in SharePoint Online and OneDrive transcends being a mere technical procedure; it is a strategic move that embodies an organization’s commitment to safeguarding its data assets and nurturing a culture of responsible collaboration. As businesses navigate the intricate landscape of modern collaboration, integrating these security measures is a cornerstone of a comprehensive approach to information governance and risk management.