Requirement: Configure external user expiration policy for SharePoint Online and OneDrive for Business.
How to configure expiration for External users?
The guest access expiration settings in SharePoint Online help prevent external users from having indefinite access to your SharePoint and OneDrive sites. Once an external user reaches the configured expiration date, they lose access to the site. If needed, you can extend the guest user’s access or re-invite the external user.
Follow these steps to set external user expiry for SharePoint Online and OneDrive for Business:
- Log in to the SharePoint Admin Center at: https://YOURTENANT-admin.sharepoint.com
- Click “Policies” and then the “Sharing” link in the left navigation.
- On the Sharing page, expand “More external sharing settings”, enable the checkbox “Guest access to a site or OneDrive will expire automatically after this many days”, and then set the number of days, for example 60 in my case. By default, this setting is disabled.
Please note that this change may take up to 24 hours to take effect and applies to both SharePoint Online and OneDrive. It applies only to guest users who were added after you turned on this setting. The Microsoft documentation says:
“The guest expiration policy only applies to guests who use sharing links or guests who have direct permissions to a SharePoint site after the guest policy is enabled. The guest policy does not apply to guest users that have pre-existing permissions or access through a sharing link before the guest expiration policy is applied.” (Manage guest expiration for a site)
Set Guest User Expiry at the tenant level using PowerShell
Here is the PowerShell script to set the guest user expiry date at the tenant level.
```powershell
#Connect to Tenant Admin
Connect-SPOService -Url "https://crescent-admin.sharepoint.com"

#Set External User Expiration Settings
Set-SPOTenant -ExternalUserExpirationRequired $True -ExternalUserExpireInDays 120
```
It’s also possible to override the tenant-level external user expiration settings at the site collection level.
- Log in to the SharePoint Admin Center >> Click on Sites >> Active Sites
- Select the site collection from the list >> Click on “Sharing” from the toolbar.
- Now, expand the “Advanced settings for external sharing” and you can override the guest user expiration settings under “Expiration of guest access”.
The PowerShell script for the above action would be:
```powershell
#Parameters
$AdminCenterURL = "https://Crescent-admin.sharepoint.com"
$SiteURL = "https://Crescent.sharepoint.com/sites/marketing"

#Connect to Tenant Admin
Connect-SPOService -Url $AdminCenterURL

#Set External User Expiration Settings for the site
Set-SPOSite -Identity $SiteURL -OverrideTenantExternalUserExpirationPolicy $True -ExternalUserExpirationInDays 730
```
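Because a site-level override can be longer than the tenant setting (730 days against 120 in the scripts above), it helps to review which sites deviate. The function below is an added example, not part of the original scripts: the function name, the sample objects and the /sites/legal and /sites/hr URLs are constructed, and it assumes Get-SPOTenant and Get-SPOSite return properties named like the Set-SPOTenant and Set-SPOSite parameters used above.

```powershell
# Added example: classify each site's guest expiration against the tenant policy.
# Assumption: input objects carry the same property names as the Set-* parameters.
function Get-GuestExpirationFinding {
    param(
        [Parameter(Mandatory)] $Tenant,            # shaped like Get-SPOTenant output
        [Parameter(Mandatory)] [object[]] $Sites   # shaped like Get-SPOSite output
    )
    # $null means the tenant does not enforce guest expiration at all
    $TenantDays = if ($Tenant.ExternalUserExpirationRequired) { [int]$Tenant.ExternalUserExpireInDays } else { $null }

    foreach ($Site in $Sites) {
        $Override = [bool]$Site.OverrideTenantExternalUserExpirationPolicy
        $Days     = [int]$Site.ExternalUserExpirationInDays
        $SiteDays = if ($Override) { $Days } else { $null }

        $Finding = if (-not $Override) {
            if ($null -eq $TenantDays) { "No expiration (tenant policy disabled)" } else { "Inherits tenant policy" }
        } elseif ($Days -le 0) {
            # Assumption: an override without a positive day count needs a manual look
            "Override with no day count: review manually"
        } elseif ($null -eq $TenantDays -or $Days -le $TenantDays) {
            "Override, same or stricter than tenant"
        } else {
            "Override, longer than tenant"
        }

        [PSCustomObject]@{ Url = $Site.Url; TenantDays = $TenantDays; SiteDays = $SiteDays; Finding = $Finding }
    }
}

# Constructed sample data so the function runs without a tenant connection
$Tenant = [PSCustomObject]@{ ExternalUserExpirationRequired = $true; ExternalUserExpireInDays = 120 }
$Sites  = @(
    [PSCustomObject]@{ Url = "https://Crescent.sharepoint.com/sites/marketing"; OverrideTenantExternalUserExpirationPolicy = $true;  ExternalUserExpirationInDays = 730 }
    [PSCustomObject]@{ Url = "https://Crescent.sharepoint.com/sites/legal";     OverrideTenantExternalUserExpirationPolicy = $true;  ExternalUserExpirationInDays = 30 }
    [PSCustomObject]@{ Url = "https://Crescent.sharepoint.com/sites/hr";        OverrideTenantExternalUserExpirationPolicy = $false; ExternalUserExpirationInDays = 0 }
)

# Against a live tenant (after Connect-SPOService), replace the sample data with:
#   $Tenant = Get-SPOTenant
#   $Sites  = Get-SPOSite -Limit All
Get-GuestExpirationFinding -Tenant $Tenant -Sites $Sites | Format-Table -AutoSize
```

If the override properties come back empty from the bulk Get-SPOSite call, query the site individually with Get-SPOSite -Identity before trusting the result.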
Find All Guest Users whose Access is going to Expire
Once you have invited and collaborated with external users, you may want to find the expiration date of their access. You can find the expiring external user access as follows:
- On the OneDrive site, click on the Settings gear >> choose “OneDrive Settings”.
- Click on “More Settings” >> Click on “Manage guest Expiration”. This gives a list of external users whose access is going to expire, along with the expiration date.
Similarly, if you enabled sharing with “Anyone”, the sharing link expiration is controlled by the “These links must expire within this many days” setting under “Choose expiration and permission options for anyone links” on the same page. Again, this applies to both SharePoint Online and OneDrive for Business.
Here is more info on link expiration settings: How to Set OneDrive for Business link expiration shared with Anyone?