I wanted to set up external sharing in my Office 365 tenant for SharePoint & OneDrive so that only members of a specific group were allowed to share with external users.

This seemed relatively straightforward, in that the SharePoint Admin center -> sharing area had a setting called: “Who can share outside your organization” -> “Let only users in selected security groups share with authenticated external users” which seemed like exactly what I needed:

 

I used an existing Office 365 group that I had already created, which I found from the address book/people picker. Yet, I still received the following message whenever I tried sharing as a user in that existing group:

“Your organization’s policies don’t allow you to share with these users. Go to External Sharing in the Office 365 admin center to enable it.”

I checked all the normal sharing settings that should be enabled and they were all fine:

1.  The Office 365 Admin center -> Settings -> Services & add-ins -> Sites section:

2. The SharePoint Admin center -> sharing section:

3. The OneDrive Admin center -> sharing section:

 

4. The sharing settings for each of my site collections in the SharePoint Admin center:

 

 

These settings all seemed to be fine but I was still getting the same error.

Solution

It turns out that you can’t select any group (i.e. an existing Office 365 group) from the directory search/people picker to enable this “Who can share outside your organization” -> “Let only users in selected security groups share with authenticated external users” setting; it needs to be a mail-enabled security group. These groups can be created and configured, and members added, under the Groups section of the Office 365 Admin center. I have already left feedback for Microsoft to update their user interface to make sure this is clear to users.
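A way to confirm a group's type before picking it in that setting, as an added example that is not part of the original post: the function below classifies a group from the Microsoft Graph group properties MailEnabled, SecurityEnabled and GroupTypes. The function names and the sample groups are made up for illustration, and the rule that only a mail-enabled security group works is the one described above.

```powershell
# Added example. Property names follow the Microsoft Graph group resource;
# function names are hypothetical and the sample groups are constructed.

function Get-GroupKind {
    param([Parameter(Mandatory)] $Group)

    $types = @($Group.GroupTypes)
    # Microsoft 365 (Office 365) groups carry 'Unified' in GroupTypes,
    # whatever their MailEnabled / SecurityEnabled flags say.
    if ($types -contains 'Unified')                     { return 'Microsoft 365 group' }
    if ($Group.MailEnabled -and $Group.SecurityEnabled) { return 'Mail-enabled security group' }
    if ($Group.SecurityEnabled)                         { return 'Security group' }
    if ($Group.MailEnabled)                             { return 'Distribution group' }
    return 'Unknown'
}

function Test-SharingGroupCandidate {
    param([Parameter(Mandatory)] $Group)

    $kind = Get-GroupKind -Group $Group
    [pscustomobject]@{
        DisplayName = $Group.DisplayName
        Kind        = $kind
        # Per the post: only a mail-enabled security group works in the setting.
        Usable      = ($kind -eq 'Mail-enabled security group')
    }
}

# Constructed sample groups, one per type, so the script runs offline.
$sampleGroups = @(
    [pscustomobject]@{ DisplayName = 'Ext Sharers (M365)';   MailEnabled = $true;  SecurityEnabled = $false; GroupTypes = @('Unified') }
    [pscustomobject]@{ DisplayName = 'Ext Sharers (MESG)';   MailEnabled = $true;  SecurityEnabled = $true;  GroupTypes = @() }
    [pscustomobject]@{ DisplayName = 'Ext Sharers (SecGrp)'; MailEnabled = $false; SecurityEnabled = $true;  GroupTypes = @() }
    [pscustomobject]@{ DisplayName = 'Ext Sharers (DL)';     MailEnabled = $true;  SecurityEnabled = $false; GroupTypes = @() }
)

$sampleGroups |
    ForEach-Object { Test-SharingGroupCandidate -Group $_ } |
    Format-Table -AutoSize

# Against a live tenant (needs the Microsoft.Graph.Groups module and
# Connect-MgGraph -Scopes 'Group.Read.All'); the display name is a placeholder:
# Get-MgGroup -Filter "displayName eq '<group name>'" `
#     -Property DisplayName,MailEnabled,SecurityEnabled,GroupTypes |
#     ForEach-Object { Test-SharingGroupCandidate -Group $_ }
```

Only the second sample group comes back with Usable set to True; the Microsoft 365 group is reported as unusable, which matches the behaviour described above.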

 

 
