Office Consumer is reader-supported. We may earn an affiliate commission from qualified links on our site.

How to Share OneDrive for Business Folder with External Users (w/Examples) + FAQs

Yes, you can share a OneDrive for Business folder with external users, and Microsoft 365 gives you several secure, compliant ways to do it without emailing attachments or spinning up a third-party file transfer tool. The fastest path is to right-click the folder in OneDrive, choose Share, set the link type to Specific people, add the external recipient’s email, and click Send. That creates a tracked, revocable, permissioned link that works for clients, vendors, contractors, auditors, and partners anywhere in the world.

External sharing in OneDrive is controlled by a stack of settings that reaches from the Microsoft 365 admin centers down to the individual folder. The Sharing page in the SharePoint admin center sets the ceiling for what is allowed tenant-wide; the OneDrive setting on that same page, per-site (per-user) settings, and sensitivity labels can only tighten it. Misconfiguring any layer can cause data leaks and failed audits under HIPAA, SOX, GLBA, FERPA, CMMC 2.0, and ITAR, and in regulated industries it can trigger civil penalties that run into the millions.

The 2024 Verizon Data Breach Investigations Report found that the human element was involved in roughly 68% of breaches, and misconfiguration remains one of the recurring error types behind data exposure. That figure is why every admin, owner, and end user in a U.S. organization needs to know how external OneDrive sharing really works.

Here is what you will learn in this guide:

  • 🔐 How tenant, site, and folder-level controls stack to govern every external share
  • 🧭 The step-by-step click paths for admins and end users in the 2026 admin UI
  • 📨 The difference between Anyone links, Specific people links, and Guest access via Microsoft Entra B2B
  • ⚖️ How HIPAA, SOX, FERPA, CMMC, ITAR, and state privacy laws shape your sharing choices
  • 🚫 The seven most common mistakes that trigger data leaks, audit findings, and lost clients

Why External Sharing in OneDrive for Business Matters

OneDrive for Business is the personal file library that ships with every licensed Microsoft 365 Business and Enterprise seat, and it sits on top of the same SharePoint Online service that powers Teams and SharePoint sites. When you share a folder with someone outside your company, you are not emailing a copy of the file. You are granting that person a revocable, optionally time-limited permission to reach into your tenant and open the live document.

That distinction is the entire reason external sharing exists. Emailing a 40 MB PDF to a client creates an uncontrolled copy the moment it leaves your outbox, and you lose the ability to revoke, audit, or update it. A shared OneDrive link keeps the file in your tenant, logs every open in the unified audit log, and lets you pull access back with one click.

Federal regulators treat this difference as meaningful. The HHS Office for Civil Rights guidance on cloud computing expects covered entities to control access to electronic protected health information, and uncontrolled email attachments rarely meet that bar. For SEC registrants, SOX Section 404 internal control expectations push the same way: auditable, revocable access beats emailed copies every time.

A practical example brings this to life. Jordan, a compliance manager at a Chicago broker-dealer, needs to send quarterly trade blotters to outside counsel. If Jordan emails the spreadsheet, the firm loses control the instant the message sends. If Jordan shares a OneDrive folder with a Specific people link, and the tenant's guest access expiration policy is set to 30 days, the firm keeps custody, logs every open, and can revoke access the moment the engagement ends.

External sharing also drives revenue. A Forrester Total Economic Impact study of Microsoft 365 found that organizations using modern collaboration tools closed deals faster because customers and partners could co-edit proposals in real time. That speed only works if external sharing is turned on, configured correctly, and used by staff who understand the rules.


The Governing Rules Behind External Sharing

Every external share in OneDrive for Business is governed by a layered set of controls, and you have to understand the layers before you change a setting. The tenant-level control is the ceiling, the site-level control is the wall, and the item-level control is the door. No one can open a door that a wall forbids, and no wall can reach above the ceiling.

Tenant-Level Controls in the SharePoint Admin Center

The SharePoint admin center Sharing page has one slider with four positions: Anyone, New and existing guests, Existing guests, and Only people in your organization. The position you choose is the most permissive option available anywhere in the tenant. If you choose Existing guests, no user in the company can send an Anyone link, no matter how hard they try.

The consequence of leaving this slider on Anyone is that any employee can publish a link that works for the entire internet, with no sign-in required. The consequence of setting it to Only people in your organization is that external collaboration stops cold, which breaks client workflows and pushes staff to use shadow tools like personal Gmail or Dropbox.

A common misconception is that OneDrive has its own independent slider. It has its own slider, but that slider can only be equal to or more restrictive than the SharePoint slider, never more permissive, as documented in the Microsoft Learn article on OneDrive sharing settings.

Site-Level and User-Level Controls

Each user’s OneDrive is a SharePoint site behind the scenes (a personal site under the tenant’s -my.sharepoint.com host), and admins can set per-user sharing limits with the Set-SPOSite PowerShell cmdlet. That means a general counsel’s OneDrive can be locked to Only people in your organization while the marketing team’s OneDrives stay open to Anyone, if the tenant slider allows it.

The consequence of skipping this layer is that a single careless share from a sensitive account can leak privileged material. A plausible scenario: Priya, a paralegal, drops a settlement draft into her OneDrive and shares it with opposing counsel using an Anyone link. Without a per-user cap, nothing stops her. With her OneDrive capped at New and existing guests, the Anyone option disappears from the share dialog and the link cannot be created.
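As an added example (not code from the original article), here is how an admin applies that per-user cap with the SharePoint Online Management Shell and then sweeps every OneDrive for a setting looser than the policy for personal files. The tenant name contoso and the user gc@contoso.com are placeholders, and the derivation of the OneDrive URL from the UPN is the usual one but should be confirmed with Get-SPOSite.

```powershell
# Added example, not from the original article. Requires the
# Microsoft.Online.SharePoint.PowerShell module and a SharePoint Administrator.
# "contoso" and gc@contoso.com are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# A OneDrive is a personal site under the -my host. Its URL is normally the
# UPN with '.' and '@' replaced by '_' (assumption: confirm with Get-SPOSite).
$upn         = 'gc@contoso.com'
$oneDriveUrl = 'https://contoso-my.sharepoint.com/personal/' + ($upn -replace '[.@]', '_')

# Lock the general counsel's OneDrive to "Only people in your organization".
# Valid values, most to least restrictive: Disabled,
# ExistingExternalUserSharingOnly (Existing guests),
# ExternalUserSharingOnly (New and existing guests),
# ExternalUserAndGuestSharing (Anyone).
Set-SPOSite -Identity $oneDriveUrl -SharingCapability Disabled

# Rank the four positions so they can be compared numerically.
$rank = @{
    Disabled                        = 0
    ExistingExternalUserSharingOnly = 1
    ExternalUserSharingOnly         = 2
    ExternalUserAndGuestSharing     = 3
}

# Policy for personal files in this tenant: no Anyone links.
$oneDrivePolicy = 'ExternalUserSharingOnly'

# Sweep every OneDrive and report the ones configured looser than the policy.
# The effective setting is always capped by the tenant slider, but a site
# value above policy goes live the moment someone loosens the tenant.
$looseOneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
    Where-Object { $rank[[string]$_.SharingCapability] -gt $rank[$oneDrivePolicy] } |
    Select-Object Url, Owner, SharingCapability

$looseOneDrives | Format-Table -AutoSize

# Optional remediation: pull every offender down to policy.
# foreach ($site in $looseOneDrives) {
#     Set-SPOSite -Identity $site.Url -SharingCapability $oneDrivePolicy
# }
```

The sweep matters more than the single Set-SPOSite call: site-level values persist independently of the tenant slider, so a OneDrive that was set to Anyone years ago silently becomes an Anyone-capable OneDrive again the day the tenant ceiling is raised.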

Item-Level Controls and Sensitivity Labels

At the folder and file level, Microsoft Purview sensitivity labels can apply encryption that limits who can open a file, and a Purview data loss prevention policy that uses the label as a condition can block external sharing outright or require a business justification before the share goes through. A label called Confidential – Internal Only can therefore make a folder’s contents un-shareable no matter what the tenant slider says.

The consequence of ignoring labels is that your tenant-wide policy becomes the only line of defense, and tenant policies are blunt instruments. Labels let the Highly Confidential folder behave one way and the General folder behave another, inside the same OneDrive.

A common misconception is that labels are only for Enterprise E5 tenants. Microsoft 365 Business Premium now includes Purview Information Protection labeling, which means small and midsize firms can use the same control stack that the Fortune 500 uses.


Step-by-Step: How an Admin Turns On External Sharing

Before any end user can share a folder with an outsider, an admin must confirm the tenant allows it. The process takes about ten minutes and lives in two admin centers. Skipping a step is the single most common reason a Share button is missing or greyed out.

Step 1: Set the SharePoint Tenant Slider

Open the SharePoint admin center sharing page and move the external sharing slider to the most permissive setting your policy allows. Most U.S. professional services firms land on New and existing guests, which forces every external recipient to verify their identity with a one-time code or a sign-in.

The consequence of picking Anyone is that links become unauthenticated and forwardable. The consequence of picking Existing guests is that new clients cannot be onboarded without an admin first creating a guest account.

Step 2: Set the OneDrive Slider

On the same page, set the OneDrive slider to match or tighten the SharePoint choice. A common pattern is SharePoint set to Anyone for marketing sites and OneDrive set to New and existing guests for personal files, because personal files tend to hold sensitive drafts.

Step 3: Configure Link Defaults

Under File and folder links, set the default link type to Specific people and the default permission to View. Set a mandatory expiration for Anyone links (These links must expire within this many days, often 30 or 90) and, on the same Sharing page, turn on guest access expiration so that access granted through Specific people links ends automatically. The Microsoft Learn link settings article explains how each choice behaves.

The consequence of leaving the default on Anyone with the link is that every share is one click away from being a public link. Well-governed tenants set the default to Specific people.

Step 4: Restrict Domains

Use the Limit external sharing by domain feature to create an allow-list of client domains or a block-list of known competitor or consumer domains like gmail.com, yahoo.com, and proton.me. The mode is either an allow-list or a block-list, never both at once. This feature is documented in the Microsoft Learn domain restrictions guide.

Step 5: Configure Entra External ID

In the Microsoft Entra admin center, External Identities > External collaboration settings controls who may invite guests and which domains they may come from, while Conditional Access policies targeted at guest users enforce multi-factor authentication and terms-of-use acceptance. A guest who refuses MFA cannot sign in, and therefore cannot open a Specific people link. Note that none of these identity controls touch Anyone links, which require no sign-in at all.

Step 6: Enable Auditing and Alerts

The unified audit log is enabled by default in current tenants; confirm it in the Microsoft Purview portal rather than assuming. Then create Microsoft Defender for Cloud Apps file and activity policies that alert on mass external shares, sharing to a domain not seen before, or sharing of labeled content. Without alerts, a runaway share can sit undetected for months.
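As an added example (not code from the original article), the following script applies Steps 1 through 4 in one pass with the SharePoint Online Management Shell and then reads the settings back. It uses the pattern described in Step 2, SharePoint at Anyone for marketing sites and OneDrive one notch tighter. Step 5 lives in Microsoft Entra and Step 6 in Purview and Defender, so they are not scripted here. The tenant name contoso and the two partner domains are placeholders.

```powershell
# Added example, not from the original article. Applies Steps 1 through 4 with
# the SharePoint Online Management Shell. "contoso" and the two partner
# domains are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$sharing = @{
    # Step 1: SharePoint slider. Anyone is allowed tenant-wide here because
    # marketing sites publish public links.
    SharingCapability                          = 'ExternalUserAndGuestSharing'

    # Step 2: OneDrive slider, one notch tighter. A value looser than
    # SharingCapability is refused by the service; OneDrive never exceeds the ceiling.
    OneDriveSharingCapability                  = 'ExternalUserSharingOnly'

    # Step 3: link defaults. Direct = "Specific people", Internal = "People in
    # your organization", AnonymousAccess = "Anyone with the link".
    DefaultSharingLinkType                     = 'Direct'
    DefaultLinkPermission                      = 'View'

    # Anyone links (where still allowed) must expire and default to view-only.
    RequireAnonymousLinksExpireInDays          = 30
    FileAnonymousLinkType                      = 'View'
    FolderAnonymousLinkType                    = 'View'

    # Access granted through Specific people links is time-boxed by the
    # guest access expiration policy.
    ExternalUserExpirationRequired             = $true
    ExternalUserExpireInDays                   = 60

    # The invited address must be the one that accepts; guests cannot reshare.
    RequireAcceptingAccountMatchInvitedAccount = $true
    PreventExternalUsersFromResharing          = $true

    # Step 4: domain allow-list (space-separated). Mode is AllowList or
    # BlockList, never both.
    SharingDomainRestrictionMode               = 'AllowList'
    SharingAllowedDomainList                   = 'outsidecounsel.example auditfirm.example'
}

Set-SPOTenant @sharing

# Verify what actually took effect rather than trusting that the call succeeded.
Get-SPOTenant | Select-Object SharingCapability, OneDriveSharingCapability,
    DefaultSharingLinkType, DefaultLinkPermission, RequireAnonymousLinksExpireInDays,
    ExternalUserExpirationRequired, ExternalUserExpireInDays,
    SharingDomainRestrictionMode, SharingAllowedDomainList
```

Keep the hashtable in source control: it is the tenant's sharing policy as code, and diffing it against a fresh Get-SPOTenant dump is the quickest way to catch drift after someone changes a setting in the portal.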


Step-by-Step: How an End User Shares a Folder

Once the tenant is configured, end users have three main paths to share a folder, and the right choice depends on who the recipient is and how sensitive the content is.

Path 1: Share Through the OneDrive Web App

Sign in to OneDrive through the Microsoft 365 portal (or your tenant’s -my.sharepoint.com address), right-click the folder, and choose Share. In the Send link dialog, click the Settings gear to pick the link type, choose view or edit, and, where the link type allows it, set an expiration date, add a password (Anyone links only), or block download. Add the external email, type a short message, and click Send.

The recipient receives an email from no-reply@sharepointonline.com, clicks the link, verifies with a one-time code sent to that address or signs in with a work or school account, and lands inside the folder. They see only what the link grants, with no access to anything else in the user’s OneDrive.

Path 2: Share Through File Explorer on Windows

If the OneDrive sync client is installed, right-click the synced folder in File Explorer and choose Share (the entry carries the OneDrive cloud icon). The dialog is almost identical to the web dialog, and because it never opens a browser it speeds up repeat sharing for busy users. The same tenant rules apply, so this path is no less governed.

Path 3: Share Through Microsoft Teams

Drop the folder link into a Teams chat with the external guest. If the tenant has guest access turned on and the recipient is already a guest in your tenant, they can open the folder inside Teams without leaving the conversation. External access, the federation that lets you chat with users in other tenants, does not itself grant file access; the recipient still needs a link or permission that works for their identity. This path is popular for long-running client engagements because the folder lives beside the chat history.
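The Specific people share from Path 1 can also be driven through Microsoft Graph, which is how you script it or audit it. The block below is an added example, not code from the original article: it grants a view-only, sign-in-required permission on a folder, lists every permission on that folder (the same data the Manage access panel shows), and then revokes the grant it made. It assumes the Microsoft.Graph PowerShell module; the folder path Clients/Acme and the address jordan@outsidecounsel.example are placeholders.

```powershell
# Added example, not from the original article. Requires the Microsoft.Graph
# module. Clients/Acme and jordan@outsidecounsel.example are placeholders.
Connect-MgGraph -Scopes 'Files.ReadWrite'

$folder = 'Clients/Acme'
$base   = "https://graph.microsoft.com/v1.0/me/drive/root:/$folder"

# driveItem: invite. requireSignIn = $true is what makes this a Specific
# people grant: the recipient must prove control of that address (one-time
# code) or sign in. roles 'read' is Can view; use 'write' for Can edit.
$invite = @{
    recipients     = @(@{ email = 'jordan@outsidecounsel.example' })
    message        = 'Q3 trade blotters for review. Access is view-only.'
    requireSignIn  = $true
    sendInvitation = $true
    roles          = @('read')
}
$granted = Invoke-MgGraphRequest -Method POST -Uri "${base}:/invite" -Body $invite

# Each returned element is one permission, bound to the invited address.
foreach ($p in $granted.value) {
    '{0}  roles={1}  invited={2}  signInRequired={3}' -f $p.id, ($p.roles -join ','),
        $p.invitation.email, $p.invitation.signInRequired
}

# Review everything currently granted on the folder (what Manage access shows).
# Link-based grants carry a link.scope of anonymous, organization or users;
# direct grants carry grantedToV2.
$perms = Invoke-MgGraphRequest -Method GET -Uri "${base}:/permissions"
foreach ($p in $perms.value) {
    $who = if ($p.link) { 'link:' + $p.link.scope }
           elseif ($p.grantedToV2.user.email) { $p.grantedToV2.user.email }
           else { $p.grantedToV2.user.displayName }
    '{0}  {1}  {2}' -f $p.id, ($p.roles -join ','), $who
}

# Revoke: delete the specific permission, not the whole folder's sharing.
foreach ($p in $granted.value) {
    Invoke-MgGraphRequest -Method DELETE -Uri "${base}:/permissions/$($p.id)"
}
```

The permissions listing is the piece worth keeping: any entry whose link scope is anonymous is an Anyone link, and a quick loop over a user's important folders finds them faster than clicking through Manage access one folder at a time.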

Example Scenarios

Sharing Situation | What Actually Happens
Marcus, a CPA, sends a client tax return using a Specific people link, with the tenant’s guest access expiration set to 14 days | The client verifies with a one-time code, downloads the return, and the access ends on day 15
Ava, a project manager, shares a folder with a vendor using Anyone with the link and no expiration | Anyone who receives a forwarded email can open the folder, and the share shows up in the next security review
Chen, an HR director, shares an offer letter using a view-only Specific people link with Block download turned on | The candidate verifies with a one-time code, reads the letter in the browser, signs it in a linked e-sign tool, and Chen removes the link in Manage access once the signature lands

How the Three Main External Link Types Compare

The choice between link types is the single most consequential decision in any external share. Each type has a different security posture, a different audit trail, and a different failure mode.

Link Type | Best Use and Risk Profile
Specific people link | Locked to named email addresses, requires one-time code or sign-in, audited by identity, safest choice for regulated data under HIPAA and GLBA
Anyone with the link | No sign-in required, forwardable, fastest to send, highest leak risk, banned in most regulated industries, tracked only by link, not by person
Guest access via Entra B2B | A guest account in your directory plus a Specific people link or direct permission; requires guest access to be enabled, works best with cross-tenant access settings for an approved partner tenant, ideal for ongoing partnerships with law firms or auditors

The Specific people link is the default for a reason. It binds access to an identity, which is what a defensible audit trail under NIST SP 800-53 access control families AC-3 (Access Enforcement) and AC-6 (Least Privilege) requires.

The Anyone link is the fastest to create and the easiest to leak. A single forwarded email can expose the folder to the entire internet. The Verizon DBIR repeatedly lists misconfiguration among the error actions behind confirmed data disclosure.

Guest access via Entra B2B is ideal when two companies collaborate for months and have set up cross-tenant access settings between their tenants. Trusting the partner tenant’s MFA and device claims cuts out redundant prompts, and the guest identity, rather than a pile of per-file links, is what keeps the experience smooth for long-running engagements.


Guest Access Through Microsoft Entra B2B

When an external user needs more than a link, such as membership in a Teams channel or long-term access to a document library, the right answer is to add them as a guest in Microsoft Entra ID. A guest has a real identity in your tenant, appears in the directory with a user principal name containing #EXT#, and can be placed in groups, granted rights in encrypted labels, and targeted by Conditional Access policies.

The consequence of skipping guest accounts for long-term collaboration is that you end up with dozens of ad-hoc links, each with its own expiration, and no central place to review who has access to what. Guest accounts consolidate that sprawl into a single identity you can disable in one click.

A practical example: Ravi, a general counsel, works with outside counsel at a large firm for six months on a merger. Ravi invites the five outside lawyers as guests, adds them to a Teams channel, and applies a Highly Confidential – Deal Team sensitivity label. When the deal closes, Ravi disables the five guest accounts; new sign-ins stop immediately, existing sessions end once their tokens expire (within about an hour, or faster where continuous access evaluation applies), and every file and channel they touched becomes inaccessible.

Guest access also plays well with Conditional Access. You can require guests to use MFA, to accept a terms-of-use statement, or, where cross-tenant access settings trust the partner tenant’s device claims, to be on a compliant device before they can open any shared resource. That lifts external collaboration from link-level security to identity-level security.

The common misconception is that guest access is expensive. Microsoft’s Entra External ID monthly active user billing gives you 50,000 free monthly active guests per tenant, which covers almost every SMB and midmarket scenario.


Compliance Considerations for U.S. Organizations

External sharing sits on top of U.S. federal and state privacy law, and the rules matter before the clicks do. The following frameworks drive most sharing decisions in American companies.

HIPAA and Protected Health Information

The HIPAA Security Rule at 45 CFR Part 164 requires access controls, audit controls, and transmission security for electronic protected health information. A signed Microsoft Business Associate Agreement covers the platform, but the covered entity still has to configure sharing correctly.

The consequence of a misconfigured share is a reportable breach under the HHS Breach Notification Rule, with civil penalties whose statutory annual cap of 1.5 million dollars per violation category is adjusted upward for inflation. A plausible scenario: a small clinic shares patient charts with a billing company using an Anyone link. The link is forwarded, the exposure is reported, and the clinic pays six figures.

SOX and Financial Reporting

Sarbanes-Oxley Section 404 requires public companies to document and test internal controls over financial reporting. External sharing of audit workpapers, close calendars, and consolidation files must produce an audit trail your external auditor can read.

The consequence of sloppy sharing is a material weakness finding, which is expensive to remediate and damaging to the company’s standing with investors. The unified audit log captures every share, open, download, and permission change, which is often enough to satisfy auditors.

FERPA for Schools and Universities

The Family Educational Rights and Privacy Act restricts the disclosure of student education records. A faculty member who shares a grade book with a parent outside the approved process creates a FERPA violation.

The consequence of a FERPA violation is the potential loss of federal funding. Schools usually set OneDrive to Existing guests only and require department-level approval for new guest invitations.

CMMC 2.0 and Defense Contractors

The Cybersecurity Maturity Model Certification 2.0 Level 2 framework mandates controls based on NIST SP 800-171. Controlled Unclassified Information has to stay within a boundary that meets those controls; Microsoft points defense contractors at GCC or GCC High, and GCC High is required when the CUI is also export-controlled under ITAR.

The consequence of sharing CUI from a commercial tenant is contract loss, debarment, and in severe cases, False Claims Act exposure.

ITAR and Export Controls

The International Traffic in Arms Regulations forbids releasing technical data to foreign persons without a license. External sharing to a non-U.S. email address can constitute an unlicensed export, even if no file crosses a physical border.

The consequence is criminal penalties of up to 1 million dollars per violation and twenty years in prison. ITAR-regulated companies typically block external sharing outright and route collaboration through a licensed GCC High tenant.

State Privacy Laws

State laws like the California Consumer Privacy Act, the Colorado Privacy Act, and the Texas Data Privacy and Security Act add data minimization and deletion duties. Sharing customer data with a vendor without a data processing agreement can trigger enforcement.


Mistakes to Avoid

External sharing fails the same way over and over. The following mistakes drive most leaks, audit findings, and lost clients.

  • Using Anyone with the link as the default link type, which turns every share into a public link that anyone with the URL can open.
  • Skipping link expiration dates and the guest access expiration policy, which leaves access live long after the engagement ends and leaves orphaned shares that nobody owns.
  • Failing to block download on highly sensitive folders, which lets the recipient keep a local copy forever even after you revoke the link (Block download is available on view-only links).
  • Inviting consumer email addresses like gmail.com or yahoo.com to regulated content, which bypasses the recipient company’s own security stack and breaks most chain-of-custody requirements.
  • Ignoring sensitivity labels, which leaves your tenant slider as the only defense and forces a one-size-fits-all policy across every folder.
  • Over-relying on passwords on links, which get shared in the same email as the link itself and provide almost zero real security.
  • Forgetting to review the Manage access panel quarterly, which lets stale shares accumulate until a former contractor still has access to live client files.

Do’s and Don’ts for External Sharing

Do

  • Default every external link to Specific people, because identity-bound access is what NIST SP 800-53 access enforcement expects.
  • Time-box every share, with an expiration date on any Anyone link you must create and the tenant guest access expiration policy (30 to 90 days is typical) for Specific people links, because time-boxed access dramatically limits leak windows.
  • Apply a sensitivity label before sharing, because a label that applies encryption travels with the file and enforces rules even after download.
  • Review the OneDrive Manage access panel every quarter, because stale shares are silent risks.
  • Log and alert on every new external domain, because first-time recipients are the highest-risk population for phishing and misdirection.

Don’t

  • Do not paste Anyone links into Teams channels or group chats, because the link will be copied, screenshotted, and forwarded.
  • Do not share from a mapped network drive or a file server copy, because permissions there have nothing to do with the OneDrive permissions you think you are granting.
  • Do not rely on link passwords as a primary control, because they apply only to Anyone links and end up in the same email as the link.
  • Do not exempt external guests from MFA, because Microsoft’s own telemetry, reported in the Microsoft Digital Defense Report, shows MFA blocks more than 99% of account compromise attacks.
  • Do not keep former contractors as guests after an engagement ends, because abandoned guest accounts are a favorite target for attackers.
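The quarterly review in the Do list and the last Don’t above are the same job: find every external identity that still has a foothold and decide whether it should. The script below is an added example, not code from the original article. It walks every OneDrive with the SharePoint Online Management Shell, collects the external users on each, and flags the two stale patterns the page warns about, consumer mailboxes and guests older than a cut-off. The tenant name contoso, the 365-day cut-off, and the consumer-domain list are placeholders.

```powershell
# Added example, not from the original article. Requires the
# Microsoft.Online.SharePoint.PowerShell module. "contoso", the cut-off and
# the consumer-domain list are placeholders.
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

$cutoff          = (Get-Date).AddDays(-365)
$consumerDomains = 'gmail.com', 'yahoo.com', 'outlook.com', 'proton.me'

$oneDrives = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"

$externalUsers = foreach ($site in $oneDrives) {
    # Get-SPOExternalUser returns at most 50 per call; walk every page.
    $position = 0
    do {
        $page = @(Get-SPOExternalUser -SiteUrl $site.Url -Position $position -PageSize 50)
        foreach ($u in $page) {
            [pscustomobject]@{
                OneDrive    = $site.Url
                Owner       = $site.Owner
                Email       = $u.Email
                Domain      = ($u.Email -split '@')[-1].ToLower()
                InvitedBy   = $u.InvitedBy
                WhenCreated = $u.WhenCreated
                UniqueId    = $u.UniqueId
            }
        }
        $position += $page.Count
    } while ($page.Count -eq 50)
}

# Flag consumer mailboxes and anything invited before the cut-off.
$flagged = $externalUsers | Where-Object {
    $_.Domain -in $consumerDomains -or $_.WhenCreated -lt $cutoff
}

$flagged | Sort-Object WhenCreated |
    Format-Table OneDrive, Email, InvitedBy, WhenCreated -AutoSize

# Removal is tenant-wide: Remove-SPOExternalUser strips the account from every
# site it was ever granted, so confirm with the OneDrive owners first.
# $flagged | ForEach-Object { Remove-SPOExternalUser -UniqueIDs $_.UniqueId }
```

Send the flagged list to each OneDrive owner rather than deleting in bulk; the owner knows whether the contractor from two years ago is really gone, and the audit trail of that confirmation is what an examiner will ask for.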

Pros and Cons of OneDrive External Sharing

Pros

  • Keeps a single source of truth, because the file never leaves your tenant and every edit is version-controlled in the OneDrive version history.
  • Produces a complete audit trail through the unified audit log, which is often enough to satisfy SOX, HIPAA, and FTC Safeguards Rule auditors.
  • Supports real-time co-authoring in Word, Excel, and PowerPoint, which speeds proposals, contracts, and financial models.
  • Scales to 50,000 free monthly active guests per tenant under Entra External ID billing, which covers nearly every SMB scenario.
  • Integrates with Microsoft Purview Data Loss Prevention so that the platform can block shares of credit card numbers, Social Security numbers, and patient records automatically.

Cons

  • Requires careful admin configuration, because defaults out of the box may be more permissive than your policy allows.
  • Can confuse end users who are used to emailing attachments, which drives short-term adoption friction.
  • Guest experience depends on the recipient’s own IT setup, and some corporate tenants block cross-tenant access entirely.
  • Sensitivity label enforcement requires a license tier that smaller firms may not yet hold, though Business Premium now covers most needs.
  • External sharing logs can be noisy, which means your SIEM needs tuning to separate routine shares from real incidents.

Recap of Relevant Enforcement and Precedent

Enforcement actions involving cloud file sharing are now common, and they shape how U.S. organizations configure OneDrive. The HHS OCR resolution agreements page lists multiple settlements involving misdirected or over-permissive sharing of ePHI.

The FTC enforcement action against Drizly highlighted the agency’s willingness to hold a named executive personally accountable for security failures. The SEC cybersecurity disclosure rules require public companies to disclose a cyber incident on Form 8-K within four business days of determining it is material, which includes breaches that start with a cloud sharing misconfiguration.

In the state arena, the New York Department of Financial Services cybersecurity regulation 23 NYCRR Part 500 requires covered financial institutions to control third-party access, and cloud file-sharing controls are a routine examination topic.


Frequently Asked Questions

Can I share a OneDrive for Business folder with someone who does not have a Microsoft account?

Yes. A Specific people link sends the recipient a one-time code to their email, letting them verify their identity and open the folder without ever creating a Microsoft account.

Can my admin block me from sharing externally?

Yes. Admins can disable external sharing at the tenant, site, or individual OneDrive level, and they can restrict it to specific domains using the domain restrictions feature.

Can I set an expiration date on an external share?

Partly. Anyone links accept a per-link expiration date in Link settings, and admins can force a maximum through the SharePoint sharing policy (These links must expire within this many days). Specific people links and direct guest permissions are not given a per-link date; they are time-boxed by the tenant’s guest access expiration policy, which an admin sets on the same Sharing page.

Can external users edit files or only view them?

Yes. In the Send link dialog you choose Can edit or Can view before you click Send (Can review, which limits edits to tracked changes, is offered for Word documents). Edit rights on a folder let the recipient add, change, and delete files inside it, so grant View unless editing is the point.

Can I revoke a shared link after sending it?

Yes. Right-click the folder, choose Manage access, and delete the link or remove the specific person, which cuts access immediately and logs the change in the audit log.

Can external sharing meet HIPAA requirements?

Yes. A signed Microsoft Business Associate Agreement plus Specific people links, sensitivity labels, audit logging, and MFA produce a HIPAA-aligned sharing workflow.

Can I require a password on an external share?

Only on Anyone links. The password field in Link settings applies to Anyone links; Specific people links have no password because the one-time code or sign-in already ties the link to an identity. Treat a link password as a secondary control, never as the only defense on sensitive folders.

Can external users download files I share with them?

Yes. Downloads are the default, but you can toggle Block download on a view-only link, which forces the recipient to view files in the browser or Office web apps. It removes the Download button; it does not stop screenshots or retyping.

Can I track who has opened or downloaded my shared folder?

Yes. The unified audit log in Microsoft Purview records events such as FileAccessed, FileDownloaded, SharingSet, AnonymousLinkCreated, and SharingInvitationAccepted, retained for 180 days with Audit (Standard) and for a year or longer with Audit (Premium) and a retention policy.
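Reading those events programmatically is how the alerts in Step 6 get built and how this FAQ is answered for a whole tenant rather than one folder. The block below is an added example, not code from the original article. It pulls a week of sharing events through Search-UnifiedAuditLog, unpacks the JSON detail each record carries, and surfaces two findings: every Anyone link created, and every guest share to a domain outside an allow-list. It assumes the ExchangeOnlineManagement module (the cmdlet lives there) and an account with audit-log reading rights; admin@contoso.com and the allow-list are placeholders.

```powershell
# Added example, not from the original article. Requires the
# ExchangeOnlineManagement module. admin@contoso.com and the allow-list are
# placeholders.
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

$allowedDomains = 'outsidecounsel.example', 'auditfirm.example'
$operations     = 'AnonymousLinkCreated', 'SecureLinkCreated', 'AddedToSecureLink',
                  'SharingSet', 'SharingInvitationCreated', 'SharingInvitationAccepted'

# ResultSize tops out at 5000 per call; narrow the window or page with
# -SessionId/-SessionCommand in a busy tenant.
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) `
    -RecordType SharePointSharingOperation -Operations $operations -ResultSize 5000

# Every record carries its detail as a JSON blob in AuditData.
$shares = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        When       = $e.CreationDate
        Operation  = $d.Operation
        Actor      = $d.UserId
        Item       = $d.ObjectId
        Target     = $d.TargetUserOrGroupName
        TargetType = $d.TargetUserOrGroupType   # Guest, Member, SecurityGroup, SharePointGroup ...
    }
}

# Finding 1: in a regulated tenant, any Anyone link at all is worth a look.
$anyoneLinks = $shares | Where-Object Operation -eq 'AnonymousLinkCreated'

# Finding 2: a guest target whose mail domain is not on the allow-list.
# TargetUserOrGroupName is an address for guest targets; other target types
# carry group names or claims strings, which the '@' test skips.
$offDomain = $shares | Where-Object {
    $_.TargetType -eq 'Guest' -and $_.Target -match '@' -and
    (($_.Target -split '@')[-1].ToLower() -notin $allowedDomains)
}

$anyoneLinks | Format-Table When, Actor, Item -AutoSize
$offDomain   | Sort-Object When -Descending | Format-Table When, Actor, Target, Item -AutoSize
```

Run this on a schedule and forward the two result sets to your SIEM; it is the same logic a Defender for Cloud Apps activity policy implements, but in a form you can read, test, and keep in source control. Microsoft has signalled that Search-UnifiedAuditLog will eventually be superseded by the Graph audit log query API, so check its current status before building anything long-lived on it.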

Can ITAR-regulated files be shared externally from a commercial OneDrive?

No. ITAR-controlled technical data must stay within a GCC High tenant, and sharing from a commercial tenant risks criminal penalties under 22 CFR 120-130.

Can I share a folder with an entire external company at once?

Yes. Invite the partner’s users as guests (cross-tenant access settings govern which partner tenants can be invited and whether their home MFA is trusted), put those guest accounts in a security group, and share the folder with the group. New partner staff then get access by joining the group, and the whole engagement ends by removing the group from the folder.

Can guests access my other OneDrive folders after I share one folder?

No. External guests see only the specific folder or file you share, and OneDrive enforces a strict item-level permission model that hides everything else in your library.