External sharing in SharePoint

When sharing a document with external users (or internal users for that matter), the default settings in SharePoint will often break permission inheritance on the document.

The main problem with this is that if the permissions for the document library are changed later, the changes will not propagate to the documents with broken inheritance.

There is no way to prevent users with Owner/Full Control permissions from breaking inheritance if they really want to.

There are, however, steps that can be taken to prevent other users from breaking inheritance and to make it more difficult for owners to break inheritance.

Changing Access Request Settings

When sharing a document, the sharing box looks like this:

image-20240516-100522.png

The user is able to change the way the document is shared:

image-20240516-100601.png

When sharing in this manner, the inheritance will break.

You can prevent users with Member permissions from breaking inheritance by doing the following:

Go to Site Settings -> Site Permissions -> Access Request Settings

image-20240516-100712.png

By removing the checkmark for “Allow members to share the site and individual files and folders”, ordinary users will be prevented from breaking inheritance anywhere on the site.

image-20240516-100804.png

The sharing box will look like this:

image-20240516-100835.png

If the user tries to manually add an email address of an external user, the following error page appears:

image-20240516-100935.png

Changing default settings for sharing

If the default setting for sharing is changed to “People with existing access”, it will make it more difficult for users with Owner/Full Control to break inheritance.

The setting is changed in the SharePoint admin center and can only be accessed by a SharePoint Admin user.

In SharePoint Admin Center choose Sites -> Active sites -> The site to change -> Settings -> More sharing settings

image-20240516-101044.png

Default sharing link type is usually set to “Anyone with the link”.

Remove the checkmark and choose “People with existing access” and Save.

image-20240516-101208.png

With this setting, the inheritance will not break, because the sharing will be with users that already have access and no change in permissions is necessary.
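
The two settings above can also be applied from PowerShell, and the same session can list the documents whose inheritance is already broken. This is an added example, not part of the original page; it assumes the SharePoint Online Management Shell and PnP.PowerShell modules are installed, and the tenant URL, site URL and library name are placeholders.

```powershell
# Added example. The three values below are placeholders (assumptions); replace them.
$AdminUrl = 'https://contoso-admin.sharepoint.com'          # tenant admin URL
$SiteUrl  = 'https://contoso.sharepoint.com/sites/Project'  # site to harden
$Library  = 'Documents'                                     # library title to audit

# 1. Default sharing link = "People with existing access" (requires SharePoint Admin).
Connect-SPOService -Url $AdminUrl
Set-SPOSite -Identity $SiteUrl -DefaultLinkToExistingAccess $true
Get-SPOSite -Identity $SiteUrl |
    Select-Object Url, DefaultLinkToExistingAccess, DefaultSharingLinkType

# 2. Clear "Allow members to share the site and individual files and folders".
#    Newer PnP.PowerShell releases also need -ClientId for your own app registration.
Connect-PnPOnline -Url $SiteUrl -Interactive
Set-PnPWeb -MembersCanShare:$false

# 3. Report items that already have unique permissions (broken inheritance).
#    Later permission changes on the library will not reach these items.
$broken = foreach ($item in Get-PnPListItem -List $Library -PageSize 500) {
    $unique = Get-PnPProperty -ClientObject $item -Property HasUniqueRoleAssignments
    if ($unique) {
        [pscustomobject]@{
            Id   = $item.Id
            Path = $item.FieldValues['FileRef']
        }
    }
}
$broken | Sort-Object Path | Format-Table -AutoSize
"{0} item(s) in '{1}' have unique permissions" -f @($broken).Count, $Library
```

The report in step 3 queries each item separately, so it can take a while on large libraries.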