What is SharePoint External Sharing?
The SharePoint External Sharing feature allows users to be able to share (give access to) users outside of your organization. The External User(s) maybe suppliers or customers that you wish to share content with. In practice this is a great feature as it means external users that you work with will be able to access content such as a site, list, document without you having to constantly email attachments to them which of course become out-of-date.
Who can Share Content Externally?
By default user who is within the Members group can Share the Site, Lists/Library, Folder/Document. A request is made to share the content externally, which must be approved by the Site Owner. Note that by default, It is the members group that can Share Externally and not the Edit permission. If a user is granted the Edit permissions explicitly, but is not within the members group, they will not be able to share externally.
The users who can share externally can be changed from within the SharePoint admin center under ‘sharing’. This option allows you to restrict external sharing to specific security groups which would affect all site collections.
At Site Collection Level, you can also specify whether it is just ‘Site Owners’ who are allowed to Share Externally.
How Do I know What External Users Can See?
By default, users that has been granted permissions through external sharing will receive ‘Edit’ permissions. They will be added to the members group which by default gives them ‘Edit’ permissions to anything that members groups is permissioned against. Therefore if you shared a site with an external user, it is likely that they will have edit permissions to the site, also some subsites, as well as documents, lists, libraries etc. They will also be able to delete lists due to the ‘Edit’ permission level having ‘Manage Lists’ permission. Note that this external user, would also have the permission to share externally themselves.
It is therefore imperative that you have a good handle on your SharePoint permissions and especially permissions granted via SharePoint External Sharing.
Using SharePoint Natively, you can navigate to Site Settings, Access Requests and Invitations to view Pending Requests and External User Invitations. The report will show you who approved the access request as well as the permission granted.
What the report does not show you, is what else the external user has access to.
How Does DeliverPoint Help?
DeliverPoint for SharePoint Online allows Site Collection Administrators to report on SharePoint External Users.
The Discover All Permissions report can then be produced and filtered by the External User. This then shows all content that the user has permissions to:
A Unique Permissions report also allows you to focus on the individuals account, but display only those objects that the user has actually been granted permissions to. You then have the option to remove all or some of the permissions if you wish to stop sharing.
You can download a trial of DeliverPoint for your Office 365 tenant from: https://lightningtools.com/products/sharepoint-online-permissions-management-tool/