How to make external file sharing in SharePoint secure
How to securely share with external users in SharePoint without complex setup or links. Lock use to devices and locations, prevent copying & unauthorized sharing.
Many business users and admins will be intimately familiar with using SharePoint in their internal workflow. The SharePoint document library provides a secure place to store and share files with co-workers. However, as soon as SharePoint files need to be shared with external parties, things get a bit confusing. Questions often arise surrounding how to achieve SharePoint external sharing securely and whether doing so is either achievable or scalable.
Here we cover SharePoint file sharing and how to securely share with external users in SharePoint without complex setup or insecure links. We also cover how to lock use to devices and locations, prevent copying and unauthorized sharing, and block printing.
How to share SharePoint sites with external users
SharePoint has external sharing settings at both the organization level and the site level. To share files from a site, the site owner must enable external sharing at the organization level. They can then disable it on the individual site or sites they want to keep internal.
Overall, then, not too difficult, but this warning from Microsoft throws a spanner in the works:
“If you have confidential information that should never be shared externally, we recommend storing the information in a site that has external sharing turned off. Create additional sites as needed to use for external sharing. This helps you to manage security risk by preventing external access to sensitive information.”
In other words, Microsoft does not have much confidence that its security controls will hold up when users outside your internal SharePoint environment can access them. This is not particularly surprising, since even internal documents can be copied from, printed, and edited offline regardless of whether they have been assigned “view only” permissions – we cover this in SharePoint security. Additionally, though it sounds simple, choosing the correct permission level across various sites and documents can be challenging and mistakes are often made.
Fundamentally, then, the struggle of businesses is less about how to achieve SharePoint security and more about how to share files in SharePoint securely.
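To check that the organization-level and site-level settings described above match Microsoft's recommendation, the following added example (not part of the original article) audits every site with the SharePoint Online Management Shell. The admin URL, the site URLs and the `$apply` switch are assumed placeholders.

```powershell
# Added example: audit site-level external sharing against the tenant setting.
# Requires the SharePoint Online Management Shell and a SharePoint admin account.
# The admin URL and site URLs below are constructed placeholders.
Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url 'https://contoso-admin.sharepoint.com'

# Sites holding confidential data that must never be shared externally.
$confidentialSites = @(
    'https://contoso.sharepoint.com/sites/finance',
    'https://contoso.sharepoint.com/sites/legal'
)

# Set to $true to change settings; $false only reports (hypothetical switch).
$apply = $false

# Organization-level setting: the upper limit for every site.
$tenant = Get-SPOTenant
Write-Output "Tenant SharingCapability: $($tenant.SharingCapability)"

# Site-level settings: list every site that still allows external sharing.
$sites = Get-SPOSite -Limit All
$sites |
    Where-Object { $_.SharingCapability -ne 'Disabled' } |
    Sort-Object Url |
    Select-Object Url, SharingCapability |
    Format-Table -AutoSize

# Flag confidential sites that are missing or still externally shareable.
foreach ($url in $confidentialSites) {
    $site = $sites | Where-Object { $_.Url -eq $url }
    if (-not $site) {
        Write-Warning "Site not found: $url"
        continue
    }
    if ($site.SharingCapability -ne 'Disabled') {
        Write-Warning "$url allows external sharing ($($site.SharingCapability))"
        if ($apply) {
            # Turn external sharing off for this site only.
            Set-SPOSite -Identity $url -SharingCapability Disabled
        }
    }
}
```

A site can only be as permissive as the tenant, so a tenant value of `Disabled` means no site shares externally regardless of its own setting.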
How to share SharePoint files with external users securely
SharePoint does have some built-in ways to share files with third parties more securely. You can, for example, add a user to your directory and let them sign into the site through a user account. It is also possible to send a link to a specific file or folder and require a password for them to access it.
Both of these methods are unfortunately flawed from a security point of view.
The user can share either their user account or the link and password with others to grant them access. As mentioned before, they can then copy and paste from the document to extract information, print, or edit offline.
In theory, when using links for sharing, you can block downloads and printing. However, there are ways to bypass this – see SharePoint security & blocking SharePoint downloads.
Due to these limitations, you will have to look to third-party DRM (Digital Rights Management) or IRM (Information Rights Management) solutions to protect your files before you upload them to your document library or team site.
Secure SharePoint external sharing with Locklizard
A DRM solution can be used to protect a document before you upload it, encrypting its contents and ensuring that only those on authorized devices can open the file. Additionally, users who are allowed to view the file will only be able to do so on your terms. Unlike SharePoint, an effective DRM solution can stop editing, screenshots, printing, and copying, enforce an expiration date or time period, and allow admins to choose which controls they do and do not want to enforce.
A good document DRM solution will enable this regardless of where the document is stored or who is using it. It won’t require the document to be inside of an enterprise network or for the admin to have control over the end user’s PC. This is because protection is locked into the document itself. Most DRM solutions also support document expiry, manual revocation, tracking, etc.
With the right DRM solution, SharePoint file sharing security can be achieved quickly and easily for external users. You can grant third parties access to your SharePoint documents without having to set up additional sites or compromise your security. Existing guests can be granted access to individual or groups of documents regardless of where they are stored in your SharePoint site or library.
How to securely share a SharePoint site with external users
Locklizard Safeguard is a DRM solution that allows you to quickly prevent the sharing, printing, screenshotting, editing and copying of PDF files. Unlike SharePoint, the process to protect documents is quick and intuitive. Here’s how to publish a PDF securely using the Safeguard Writer application:
- Right-click on the PDF and choose “make secure PDF”.
- Protect the document from unauthorized use by ticking the relevant controls. We recommend that you add a watermark to identify users. Safeguard creates permanent dynamic watermarks that cannot be removed using PDF editing software.
- Locklizard will automatically protect a PDF from copying, but you may want to take additional steps to protect from screen capture. Without screen capture protection, a user can screengrab your document and import it into an OCR tool to make the text editable. To prevent this, open the “Environment Controls” tab and tick “Disallow screen capture”.
- Press the Publish button at the bottom of the window.
Your protected file will output to its source folder in the .pdc format and you can safely share it knowing that nobody can access it without a valid license.
- Add a user account and send them their license via the Safeguard admin portal.
See how to add a new user and grant them document access.
- Send the external user a link to the document via SharePoint.
You don’t have to worry about the security implications of link sharing anymore since even if the recipient sends the link to others they won’t be able to open the document.
How to disable or limit printing in SharePoint
There are several options to control printing built into Locklizard Safeguard. You can:
- Disable printing entirely
- Limit printing to a number of copies
- Allow printing only in black and white or greyscale
- Automatically revoke access to the document after a specific print limit
Let’s take a quick look at how this can be achieved:
- In the Printing & Viewing tab, check or uncheck the ‘Allow Printing’ box.
- If you want to allow a specific number of prints, check the option ‘Limit number of copies to’ and enter a number. Tick “No access after print copies depleted” if you want to revoke access to the document after these are used up.
- Optionally, select the OS that users can print on, enforce degraded printing (black & white or greyscale), and log print requests.
- Press the Publish button.
How to prevent copying in SharePoint documents
Preventing copying in SharePoint requires more than simply disabling copy and paste. If users can screenshot, print, or even take a picture of their screen, they can still copy. You must prevent or deter all of these methods if you want to stop sensitive documents from being shared outside of the enterprise or prevent external users sharing unauthorized copies with others.
To achieve this with Locklizard Safeguard, you should:
- Select ‘Disallow screen capture’ and ‘Add screen mask’ in the Environment Controls tab of Safeguard Writer.
- In the View Watermarks tab, add a dynamic watermark that displays the user’s name and email address.
- Disable printing or add a dynamic, identifying print watermark.
- Publish your document and grant access only to trusted users.
On publication, Safeguard Writer will output your PDF in the .PDC format, which can only be opened in the Safeguard Viewer app or Secure Web Viewer, and can’t be copied and pasted from or edited.
Can you prevent SharePoint downloading?
Some of the security issues in SharePoint stem from users’ ability to download documents and take them outside the SharePoint browser environment. You can turn off the download option by toggling “block download” when you share a document via a link.
SharePoint also allows you to turn off downloads using the “Restricted View” privilege on each site.
However, there are several things to keep in mind when blocking SharePoint downloads:
- Content is displayed in the browser and just like secure data rooms, it does not prevent copying and pasting of text. Users can highlight text and copy it in the browser’s development mode.
- Users can still screenshot documents and create a downloaded copy that way. Scripts are available online that automate this process.
- Preventing downloads may cause productivity issues for recipients who travel.
We cover all of the points above in our blog on SharePoint security. Rather than trying to prevent downloads, it’s better to ensure the files that are downloaded have proper protection. This is where a PDF DRM solution can help again.
Protecting SharePoint downloads with Locklizard
Protecting your documents with Locklizard ensures that when users download your PDF files from SharePoint, they cannot copy and paste, screenshot, print, or otherwise share them (unless you decide otherwise). Documents are locked to the devices of authorized users and even screen photos can be deterred through the use of dynamic watermarks.
To prevent the misuse of downloaded documents, select the following options in the Safeguard Writer application:
- Untick ‘Allow Printing’ in the Printing & Viewing tab (this is disabled by default).
- Tick ‘Disallow screen capture’ in the Environment Controls tab.
- Tick ‘Add Text Watermark’ in the ‘View Watermarks’ tab and make sure the %UserName% variable is included in the watermark text.
Once you publish your document, editing and copy-pasting will be automatically disabled. You can then add the users or user groups you want to have access to your document in your Safeguard admin portal. Locklizard-protected files can be downloaded and used offline since they have the same degree of protection as online ones.
The best way to protect SharePoint files
Though Locklizard Safeguard cannot make up for Microsoft’s failings with its own document formats, it does provide a significant security upgrade for PDF files on SharePoint sites. By protecting PDF files with Safeguard before upload, you ensure that they cannot be copied, edited, screenshotted, printed, or shared and that they only remain accessible for the period you define. All of this can be achieved without time-consuming policy configuration.
With the additional ability to restrict documents to locations and IP addresses, add dynamic watermarks and track document opens and prints, Safeguard represents the best choice for SharePoint security when you want to share with external users.
Does external sharing in SharePoint put files at risk?
Yes. The users you share sensitive files with via SharePoint have numerous routes to share them with others. This can lead to confidential and sensitive information becoming accessible to unauthorized persons or even the public.
To minimize the risk when sharing externally with SharePoint, protect your files with a DRM solution before uploading them. For PDF files, you can use Safeguard PDF DRM.
Can external users you share documents with from SharePoint open files in Word?
Yes, by default, external users can open SharePoint files in Word Online or download the file and use it in Word desktop. You can disable the download option, but a better option is to encrypt the file with a DRM solution before upload.
How do I turn off external sharing in SharePoint?
You can turn off SharePoint external sharing by logging in to your SharePoint admin center and changing “Sharing” in the “Policies” section to “Only people in your organization”.
Is SharePoint Online more secure than SharePoint?
Not especially. SharePoint Online simply refers to the cloud version of SharePoint, rather than an on-premises solution. You could argue that Microsoft is more likely to have the expertise to keep its servers secure than other businesses, but this may be balanced by the fact that you’re uploading files to third-party servers that you do not have visibility over.
Is OneDrive more secure than SharePoint external sharing?
No. OneDrive offers less security than SharePoint external sharing due to SharePoint’s customizable permissions and built-in auditing tools. However, neither solution is enough to protect your confidential documents when sharing them with outside parties.
Is Azure Rights Management / Azure AD better for external sharing than SharePoint?
Perhaps, but not by much. As explained in our Azure Rights Management blog, users who are allowed to view a document can strip its editing and copying protection using a publicly available program.
Does Microsoft Teams have better external sharing tools than SharePoint?
No. Files that you upload to a channel are stored in your team’s SharePoint folder. They have broadly the same protection as other Microsoft 365 services.
Do external SharePoint users need a Microsoft account or subscription?
External parties need a Microsoft account to access SharePoint sites. When you share individual documents, it depends on the link settings you choose when you share the file:
- If you choose “Anyone with the link,” then external parties will be able to access it without any verification.
- If you choose “Specific people”, external users can access the document by entering a one-time verification code sent to their specified email (this does not have to be opened in Outlook, it can be any email system).
Does Locklizard support external collaboration?
Locklizard has several collaborative tools, including the ability to highlight and comment on PDFs. However, it does not support collaboration through the direct editing of protected files, as this would compromise security.
Does Locklizard provide document management?
Locklizard is not a document management system – you have to use SharePoint for this. Alternatively, you can send protected files via email or upload them to a web site or to a different document management system or communication site. It does not matter where they are stored since only an authenticated external user (or an internal user) can access them.
Does Locklizard use policies and sharing levels?
No. There is no concept of a sharing level and we don’t use complex policy controls. Individual users are given direct access to documents. You don’t have to worry about best practices for link sharing since only those authorized in the Safeguard Admin system will be able to access your protected files.