SharePoint External Sharing Problems

Resolution Checklist

  • 1 Understand SharePoint External Sharing Problems
  • 2 Diagnose Tenant and Site-Level Sharing Policies
  • 3 Resolve Guest Account and Link Mismatches
  • 4 Admin PowerShell Commands for Sharing Config
  • 5 Summary Checklist for External Sharing

When sharing files or folders with external partners, users often encounter errors such as “Your organization’s policy doesn’t allow sharing with these users”, or external guests are prompted to request access despite having a direct sharing link.

This guide covers the root causes of SharePoint Online external sharing failures, walks you through browser-based fixes for guests, and provides PowerShell admin commands (compatible with Windows and macOS) to resolve policy restrictions.


1. Understand SharePoint External Sharing Problems

External sharing failures usually trace back to tenant policies, site permissions, or guest authentication conflicts:

  • Tenant-Level Block: The global Microsoft 365 sharing settings may be configured to block guest access entirely, or restrict sharing to specified domain whitelists.
  • Site-Level Restriction: Site-level sharing settings cannot be more permissive than tenant-level settings. If the tenant allows “Anyone” sharing but the site is locked to “Only people in your organization,” external links will fail.
  • Account Collision: Guests who receive sharing links on their corporate email (e.g., partner@company.com) may be logged into a personal Microsoft account (e.g., partner@outlook.com) in their active browser session. SharePoint rejects the token due to this mismatch.
  • Guest Access Expiration: Security policies may automatically expire guest access after a set period (e.g., 30, 90, or 730 days), requiring the link to be regenerated or the guest re-verified.
  • Entra ID B2B Restrictions: Global Azure Active Directory (Microsoft Entra ID) external collaboration settings may prevent sending invitations to external domains.

2. Diagnose Tenant and Site-Level Sharing Policies

Before modifying local caches, administrators must ensure sharing is enabled at the site collection level.

Step 1: Verify Site Sharing Status in SharePoint Admin Center

  1. Log in to the SharePoint Admin Center (https://<tenant>-admin.sharepoint.com) as a Global or SharePoint Admin.
  2. Go to Sites → Active sites.
  3. Select the target site and click Sharing in the top menu.
  4. Verify the sharing level:
    • Anyone: Files/folders can be shared using links that do not require sign-in.
    • New and existing guests: Guests must sign in or provide a verification code.
    • Existing guests: Only guests already in your organization’s directory.
    • Only people in your organization: External sharing is disabled.
  5. If the option you need is greyed out, it is blocked by your tenant-level sharing policy (configurable under Policies → Sharing in the Admin Center).

3. Resolve Guest Account and Link Mismatches

If sharing is allowed by policy but the guest still cannot access the files, the issue is client-side authentication.

Step 1: Force Session Separation (Guest Action)

Have the external guest bypass cookie caching:

  1. Copy the sharing link received via email.
  2. Open a private/incognito browser window.
    • Windows/macOS (Chrome): Ctrl + Shift + N / Cmd + Shift + N
    • Windows/macOS (Edge): Ctrl + Shift + N / Cmd + Shift + N
  3. Paste the URL.
  4. If prompted, request a one-time passcode. Enter the code sent to the email address where the invitation was originally delivered.

Step 2: Clear Browser DNS and Cache

On the client machine (Windows or macOS), flush the DNS resolver cache if redirects are failing:

For Windows Users: Open Command Prompt (Admin) and flush the resolver cache:

ipconfig /flushdns

For macOS Users: Open Terminal and run:

sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder

4. Admin PowerShell Commands for Sharing Config

Administrators can use PowerShell to audit and adjust external sharing settings. These commands can be executed on Windows or macOS using PowerShell Core.

Step 1: Install the SharePoint Online PowerShell Module

If you are running PowerShell on Windows or macOS:

# Install the official Microsoft SharePoint Online Management Shell module
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope CurrentUser -Force

Step 2: Connect and Modify Site Sharing Settings

Replace yourtenant and site-name with your actual details:

# Connect to your SharePoint Admin center
Connect-SPOService -Url "https://yourtenant-admin.sharepoint.com"

# Check the current sharing capability of a specific site
Get-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/site-name" | Select Url, SharingCapability

# Enable external sharing (New and Existing Guests) for the site
Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/site-name" -SharingCapability ExternalUserSharingOnly

# Alternatively, enable "Anyone" sharing (anonymous links) for the site
Set-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/site-name" -SharingCapability ExternalUserAndGuestSharing
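
Because a site can never be more permissive than the tenant, the level a guest actually gets is the lower of the two settings. The following added example (not part of the original guide) maps each SharingCapability value to its Admin Center label and reports the effective level per site. The helper name Get-EffectiveSharing and the sample site URLs are assumptions, and the sample data is constructed so the script runs without a tenant connection.

```powershell
# SharingCapability values ordered from least to most permissive,
# each with the label shown in the Admin Center "Sharing" panel.
$SharingLevels = [ordered]@{
    Disabled                        = 'Only people in your organization'
    ExistingExternalUserSharingOnly = 'Existing guests'
    ExternalUserSharingOnly         = 'New and existing guests'
    ExternalUserAndGuestSharing     = 'Anyone'
}

function Get-EffectiveSharing {
    # Hypothetical helper: effective level = less permissive of tenant and site.
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory, ValueFromPipeline)]$Site
    )
    begin {
        $rank = @($SharingLevels.Keys)
        $tenantRank = [array]::IndexOf($rank, $TenantCapability)
        if ($tenantRank -lt 0) { throw "Unknown tenant capability '$TenantCapability'" }
    }
    process {
        $siteCap  = [string]$Site.SharingCapability
        $siteRank = [array]::IndexOf($rank, $siteCap)
        if ($siteRank -lt 0) { Write-Warning "Unknown value '$siteCap' on $($Site.Url)"; return }
        $effective = $rank[[Math]::Min($tenantRank, $siteRank)]
        [pscustomobject]@{
            Url            = $Site.Url
            SiteSetting    = $SharingLevels[$siteCap]
            Effective      = $SharingLevels[$effective]
            CappedByTenant = $siteRank -gt $tenantRank   # site asks for more than tenant allows
            AnonymousLinks = $effective -eq 'ExternalUserAndGuestSharing'
        }
    }
}

# Constructed sample data. With a live connection, use instead:
#   Get-SPOSite -Limit All |
#       Get-EffectiveSharing -TenantCapability (Get-SPOTenant).SharingCapability
$sampleSites = @(
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/partners'
                       SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://yourtenant.sharepoint.com/sites/finance'
                       SharingCapability = 'Disabled' }
)
$sampleSites |
    Get-EffectiveSharing -TenantCapability 'ExternalUserSharingOnly' |
    Format-Table -AutoSize
```

Rows with AnonymousLinks set to True are the sites where unauthenticated "Anyone" links can be created, so review those first when auditing.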

Step 3: Remove Expired Guest Users from Site Collection

If a guest account is corrupted or stuck in an access-denied loop, purge their guest profile from the site collection to force a fresh invite:

# Remove a specific user from the site collection permissions cache
Remove-SPOUser -Site "https://yourtenant.sharepoint.com/sites/site-name" -LoginName "partner_company.com#EXT#@yourtenant.onmicrosoft.com"

5. Summary Checklist for External Sharing

| Diagnosed Area | Required Action | Intended Outcome |
|---|---|---|
| Global Policies | Admin Center → Policies → Sharing | Ensures global tenant settings allow guest invitations. |
| Site-Level Policies | Set-SPOSite -SharingCapability ... | Unlocks sharing limitations for specific site libraries. |
| Guest Authentication | Use Incognito / Private Browser | Prevents personal Microsoft Accounts from hijacking corporate invites. |
| DNS/Routing Cache | ipconfig /flushdns (Win) / dscacheutil (Mac) | Resolves redirect failures to authentication endpoints. |
| Corrupted Guest Profile | Remove-SPOUser via PowerShell | Clears bad site-level guest cache records to allow re-invitation. |