
Control 2.12: External Sharing and Guest Access Governance

Control ID: 2.12 Pillar: Security & Protection Regulatory Reference: GLBA 501(b), SEC Reg S-P Last Verified: 2026-02-17 Governance Levels: Baseline / Recommended / Regulated


Objective

Govern external sharing and guest access settings across Microsoft 365 to control what content Copilot can surface to external guests and what externally shared content Copilot can reference for internal users. External sharing configurations directly impact Copilot's behavior: guests with access to shared sites can use Copilot to query that content, and internal users' Copilot responses may include content from sites shared with external parties. This control supports compliance with GLBA customer information safeguards and SEC Reg S-P privacy requirements.


Why This Matters for FSI

  • GLBA 501(b) requires safeguards to protect customer information from unauthorized disclosure — external sharing configurations determine whether Copilot could expose customer data to guests, contractors, or third parties
  • SEC Reg S-P (Rule 248.30) requires financial institutions to protect customer nonpublic personal information (NPI) — guest access to Copilot-accessible content must be governed to prevent NPI disclosure
  • SEC Reg S-P (Rule 248.14-15) provides customers with opt-out rights for certain information sharing — Copilot must not circumvent these privacy choices by surfacing shared content to external parties
  • FINRA Rule 3110 (Supervision) requires supervision of external communications — Copilot-generated content shared with external parties requires supervisory oversight
  • OCC Third-Party Risk Management Guidance expects controls over third-party access to customer information — guest access to M365 represents third-party access that must be governed
  • State privacy laws may restrict sharing of consumer financial information with third parties

Control Description

External sharing in Microsoft 365 determines how content can be shared with people outside the organization. These settings directly affect Copilot because:

  1. Guest users with Copilot licenses can use Copilot to query content they have access to
  2. Internal users' Copilot responses may include content from externally shared sites
  3. Copilot Pages and Loop components can potentially be shared externally

External Sharing Impact on Copilot

                External Sharing Configuration
            ┌────────────┴────────────┐
            │                         │
     Guest Access                Internal User
     to Copilot                  Copilot Behavior
            │                         │
     ┌──────┴──────┐          ┌──────┴──────┐
     │             │          │             │
  Guest has    Guest has   Content from  Content from
  Copilot      no Copilot  shared sites  shared sites
  license      license     included in   excluded from
     │             │        responses     responses
     │             │          │             │
  Can query    Cannot use  May expose    Reduced
  shared       Copilot     sensitive     grounding
  content      (no AI      data context  scope
               access)

Sharing Levels in SharePoint/OneDrive

| Sharing Level | Description | Copilot Impact | FSI Recommendation |
|---|---|---|---|
| Disabled | No external sharing | No guest Copilot access to this content | Use for highest-sensitivity sites |
| Existing guests only | Only guests already in directory | Limited, controlled guest population | Recommended minimum for most FSI sites |
| New and existing guests | Guests can be invited and added | Expanding guest population with Copilot access | Use only where business need is documented |
| Anyone | Anonymous access via link | Anonymous users could access content referenced by Copilot | Never appropriate for FSI — disable org-wide |

Guest Access Governance Framework

| Governance Area | Control | Configuration |
|---|---|---|
| Guest invitation | Who can invite guests | Restrict to admins and guest inviter role |
| Guest Copilot access | Whether guests can use Copilot | Copilot license assignment controls |
| Guest site access | Which sites guests can access | Site-level sharing settings |
| Guest access review | Periodic review of guest permissions | Entra ID Access Reviews |
| Guest expiration | Automatic guest account expiration | Entra ID guest lifecycle |
| Guest MFA | MFA requirement for guest access | Conditional Access policies |
| B2B collaboration | Cross-tenant access settings | Entra ID Cross-Tenant Access |

External Sharing Configuration Matrix for FSI

| Content Type | Sharing Setting | Guest Copilot | Justification |
|---|---|---|---|
| Client data sites | Disabled | No | Customer NPI must not be accessible to guests |
| Regulatory/compliance sites | Disabled | No | Examination and regulatory content is internal only |
| M&A deal rooms | Existing guests only | No | Deal counterparties may need limited access |
| Vendor collaboration sites | Existing guests only | No | Vendor access to specific project content |
| Marketing/public content | New and existing guests | No | External collaboration on public materials |
| Intranet sites | Disabled | No | Internal communications only |
| Executive sites | Disabled | No | Strategic content is internal only |

Copilot Surface Coverage

| M365 Application | Guest Copilot Access | Sharing Controls | External Sharing Governance | Notes |
|---|---|---|---|---|
| Microsoft 365 Copilot Chat | Controlled | Yes | Yes | Guest Copilot Chat limited to accessible content |
| Word | Controlled | Yes | Yes | Co-authoring with guests governed |
| Excel | Controlled | Yes | Yes | Shared workbooks governed |
| PowerPoint | Controlled | Yes | Yes | Shared presentations governed |
| Outlook | N/A | Yes | Yes | Email sharing is separate from file sharing |
| Teams | Controlled | Yes | Yes | Guest access in Teams channels |
| OneNote | Controlled | Yes | Yes | Shared notebooks governed |
| Loop | Controlled | Yes | Yes | External Loop sharing governed |
| Copilot Pages | Controlled | Yes | Yes | Pages sharing with externals governed |
| SharePoint (Agents) | Controlled | Yes | Yes | Agent access for guests governed |

Governance Levels

| Level | Requirement | Rationale |
|---|---|---|
| Baseline | Set org-wide external sharing to "Existing guests only" maximum; disable "Anyone" links org-wide; disable external sharing for sites containing customer data; restrict guest invitations to admins; do not assign Copilot licenses to guest accounts; quarterly guest access review | Restricts the external sharing surface — prevents uncontrolled guest access to Copilot-accessible content |
| Recommended | All Baseline requirements plus: implement Entra ID Access Reviews for guest accounts (quarterly); configure cross-tenant access policies for B2B collaboration; site-level sharing overrides with business justification required; guest access expiration (90 days, renewable); guest MFA via Conditional Access; external sharing audit report monthly; DLP policies for externally shared content | Comprehensive external sharing governance with lifecycle management — suitable for firms that need external collaboration capabilities |
| Regulated | All Recommended requirements plus: external sharing requires compliance approval; all guest access logged and monitored; guest access reviews monthly; no Copilot access for any guest users; external sharing disabled by default (opt-in per site with documented approval); annual external sharing audit by compliance; guest access included in regulatory examination packages | Maximum restriction on external sharing — designed for firms where external access to any Copilot-accessible content is unacceptable without explicit approval |

Setup & Configuration

Step 1: Configure Org-Wide Sharing Settings

Portal: SharePoint Admin Center > Policies > Sharing

# Connect to SharePoint Online (Microsoft.Online.SharePoint.PowerShell module)
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Set org-wide external sharing level to "Existing guests only"
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# "Anyone" links exist only at the ExternalUserAndGuestSharing level, so the setting
# above already disables them org-wide (RequireAnonymousLinksExpireInDays only controls
# link expiry and does not disable them). Confirm the effective level:
Get-SPOTenant | Select-Object SharingCapability

# Set default sharing link type to "Specific people"
Set-SPOTenant -DefaultSharingLinkType Direct

# Restrict sharing invitations to an allow list of approved partner domains (space-separated)
Set-SPOTenant -SharingDomainRestrictionMode AllowList `
  -SharingAllowedDomainList "partner1.com partner2.com"

Step 2: Configure Site-Level Sharing Overrides

# Disable external sharing for sensitive sites
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/ClientData" `
  -SharingCapability Disabled

Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Compliance" `
  -SharingCapability Disabled

Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/Executive" `
  -SharingCapability Disabled

# Allow limited sharing for collaboration sites
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/VendorProject" `
  -SharingCapability ExistingExternalUserSharingOnly

Step 3: Configure Guest Invitation Restrictions

Portal: Microsoft Entra Admin Center > External Identities > External collaboration settings

  1. Set "Guest invite restrictions" to "Only users assigned to specific admin roles can invite guest users"
  2. Configure collaboration restrictions to allow specific domains only
  3. Enable email one-time passcode authentication for guests

Step 4: Configure Entra ID Access Reviews

Portal: Microsoft Entra Admin Center > Identity Governance > Access reviews

  1. Create access review for all guest users
  2. Frequency: Quarterly (Recommended) or Monthly (Regulated)
  3. Reviewers: Site owners or designated business sponsors
  4. Auto-apply results: Remove access for guests not confirmed

Step 5: Configure Guest Account Lifecycle

Portal: Microsoft Entra Admin Center > External Identities > External collaboration settings

  1. Set guest account expiration (90 days recommended)
  2. Configure notification to sponsors before expiration
  3. Require re-invitation for expired guest accounts

Step 6: Copilot License Governance for Guests

  1. Verify that Microsoft 365 Copilot licenses are NOT assigned to guest accounts
  2. Create a license assignment policy that excludes guest user types
  3. Monitor license assignments to detect accidental guest licensing

# Check for guest users with Copilot licenses (Microsoft.Graph.Users module)
Connect-MgGraph -Scopes "User.Read.All"

Get-MgUser -Filter "userType eq 'Guest'" -All |
  ForEach-Object {
    $licenses = Get-MgUserLicenseDetail -UserId $_.Id
    # SkuPartNumber of the Microsoft 365 Copilot SKU is "Microsoft_365_Copilot"
    if ($licenses.SkuPartNumber -contains "Microsoft_365_Copilot") {
      Write-Output "WARNING: Guest $($_.DisplayName) has Copilot license"
    }
  }

Financial Sector Considerations

  • Client Data Protection: Customer NPI must never be accessible to guest users via Copilot. This means sites containing client data must have external sharing disabled entirely, not just restricted. A guest user with Copilot access to a client data site could use AI to rapidly aggregate and extract client information.
  • Vendor Access Management: Financial firms frequently collaborate with external vendors (auditors, consultants, technology providers). Vendor access should be scoped to specific project sites with external sharing enabled only for those sites, and vendor guest accounts should never have Copilot licenses.
  • M&A Transaction Access: During M&A transactions, deal counterparties may need access to data rooms. These sites should have external sharing configured to "Existing guests only" with specific named guests, and must be excluded from Copilot grounding scope (see Control 2.5).
  • Regulatory Examination Access: Regulators (FINRA, SEC, OCC, state regulators) may request access to firm systems during examinations. Provide examination access through controlled, temporary guest accounts with explicit site-level access — never through Copilot.
  • B2B Collaboration with Other Financial Institutions: Cross-institutional collaboration (e.g., syndicated lending, joint ventures) requires careful sharing governance. Use Entra ID cross-tenant access policies to control B2B collaboration boundaries.
  • Guest Access Audit Trail: Maintain comprehensive logs of guest account creation, access patterns, and account removal. This audit trail supports GLBA safeguard monitoring and provides examination evidence.
  • Annual Sharing Policy Review: Review the organization's external sharing policy annually in the context of Copilot capabilities. As Copilot features expand, the risk profile of external sharing may change.
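The audit trail bullet above can be operationalised from the Unified Audit Log. The script below is an added example, not part of this control's text; it assumes the ExchangeOnlineManagement module, an account with audit-log read rights, and "contoso.com" as the tenant's own domain.

```powershell
# Added example for Control 2.12, not part of the original control text. Pulls the last
# 7 days of SharePoint/OneDrive sharing events from the Unified Audit Log and keeps the
# ones that extend access outside the tenant. Assumes the ExchangeOnlineManagement module,
# an account with audit-log read rights, and "contoso.com" as the tenant's own domain.
Connect-ExchangeOnline

# SharePoint audit operations that create or extend access (names as recorded in the log)
$sharingOps = @(
    "SharingSet",                # permission granted directly to a user or group
    "SharingInvitationCreated",  # sharing invitation sent to an external address
    "AnonymousLinkCreated",      # "Anyone" link created; a Baseline violation if it ever appears
    "SecureLinkCreated",         # "Specific people" link created
    "AddedToSecureLink"          # a recipient added to a "Specific people" link
)

$end       = Get-Date
$start     = $end.AddDays(-7)
$sessionId = "Control212-$($start.ToString('yyyyMMdd'))"
$findings  = [System.Collections.Generic.List[object]]::new()

# ReturnLargeSet pages 5,000 records per call under the same SessionId until nothing is left
do {
    $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end -Operations $sharingOps `
        -RecordType SharePointSharingOperation -ResultSize 5000 `
        -SessionId $sessionId -SessionCommand ReturnLargeSet
    foreach ($record in $batch) {
        $data = $record.AuditData | ConvertFrom-Json
        # External if it is an anonymous link, a guest target, or a non-tenant address
        $isExternal = ($data.Operation -eq "AnonymousLinkCreated") -or
                      ($data.TargetUserOrGroupType -eq "Guest") -or
                      ($data.TargetUserOrGroupName -and $data.TargetUserOrGroupName -notlike "*@contoso.com")
        if ($isExternal) {
            $findings.Add([pscustomobject]@{
                When      = $data.CreationTime
                Operation = $data.Operation
                Actor     = $data.UserId
                Target    = $data.TargetUserOrGroupName
                Site      = $data.SiteUrl
                Item      = $data.ObjectId
            })
        }
    }
} while ($batch)

# "Anyone" links should be impossible once Baseline is applied; surface them immediately
$findings | Where-Object Operation -eq "AnonymousLinkCreated" |
    ForEach-Object { Write-Warning "ANYONE link created on $($_.Site) by $($_.Actor)" }

# Everything else feeds the monthly external sharing audit report (Recommended level)
$findings | Sort-Object When |
    Export-Csv -Path ".\ExternalSharing-$($start.ToString('yyyyMMdd')).csv" -NoTypeInformation
```

The CSV doubles as examination evidence for the GLBA safeguard monitoring the bullet describes.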

Verification Criteria

  1. Org-Wide Sharing Level: Verify the org-wide external sharing level is set to "Existing guests only" or more restrictive
  2. Anonymous Links Disabled: Confirm "Anyone" links are disabled org-wide
  3. Sensitive Site Sharing: Verify that sites containing client data, regulatory content, and executive materials have sharing set to "Disabled"
  4. Guest Copilot Licensing: Confirm no guest accounts have Microsoft 365 Copilot licenses assigned
  5. Guest Invitation Restriction: Attempt to invite a guest as a standard user — verify the invitation is blocked
  6. Access Reviews Active: Confirm Entra ID Access Reviews for guest accounts are configured and running on schedule
  7. Guest Account Expiration: Verify guest account expiration is configured and functioning
  8. Domain Restrictions: Verify that allowed domain lists are configured and only approved domains can receive sharing invitations
  9. Audit Logging: Confirm external sharing events appear in the Unified Audit Log and are monitored
  10. Policy Documentation: Verify that external sharing policies are documented, approved by compliance, and reviewed annually
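Criteria 1 to 4 and 8 can be checked against the live tenant in one pass. The script below is an added example, not part of this control's text; it assumes the Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Users modules, and its site list is constructed from the configuration matrix above.

```powershell
# Added example for Control 2.12, not part of the original control text. Checks Verification
# Criteria 1-4 and 8 against the live tenant and reports PASS/FAIL per check. Assumes the
# Microsoft.Online.SharePoint.PowerShell and Microsoft.Graph.Users modules; the site list
# below is constructed from the configuration matrix above (replace with your own URLs).
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"
Connect-MgGraph -Scopes "User.Read.All"

# Rank the levels so "at or below" comparisons work. ExternalUserSharingOnly = "New and existing
# guests"; ExternalUserAndGuestSharing = "Anyone" (the only level that permits anonymous links).
$rank = @{ Disabled = 0; ExistingExternalUserSharingOnly = 1; ExternalUserSharingOnly = 2; ExternalUserAndGuestSharing = 3 }
$maxAllowed = @{
    "https://contoso.sharepoint.com/sites/ClientData"    = "Disabled"
    "https://contoso.sharepoint.com/sites/Compliance"    = "Disabled"
    "https://contoso.sharepoint.com/sites/Executive"     = "Disabled"
    "https://contoso.sharepoint.com/sites/VendorProject" = "ExistingExternalUserSharingOnly"
}
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Result = $(if ($Pass) { "PASS" } else { "FAIL" }); Detail = $Detail })
}

$tenant   = Get-SPOTenant
$orgLevel = [string]$tenant.SharingCapability
# Criteria 1 and 2: an org-wide level of at most "Existing guests only" also rules out "Anyone" links
Add-Check "1/2 Org-wide sharing level" ($rank[$orgLevel] -le 1) $orgLevel
# Criterion 8: a domain allow list is in force
Add-Check "8 Domain restriction" ($tenant.SharingDomainRestrictionMode -eq "AllowList" -and [bool]$tenant.SharingAllowedDomainList) `
    "$($tenant.SharingDomainRestrictionMode): $($tenant.SharingAllowedDomainList)"
# Criterion 3: matrix sites at or below their permitted level; any other site must not exceed the org-wide level
$violations = foreach ($site in Get-SPOSite -Limit All) {
    $cap   = [string]$site.SharingCapability
    $limit = if ($maxAllowed.ContainsKey($site.Url)) { $maxAllowed[$site.Url] } else { $orgLevel }
    if ($rank[$cap] -gt $rank[$limit]) { "$($site.Url) is $cap (limit $limit)" }
}
Add-Check "3 Site-level sharing" (-not $violations) ($violations -join "; ")
# Criterion 4: no guest account holds a Microsoft 365 Copilot license
$licensedGuests = Get-MgUser -Filter "userType eq 'Guest'" -All -Property Id,UserPrincipalName | Where-Object {
    (Get-MgUserLicenseDetail -UserId $_.Id).SkuPartNumber -contains "Microsoft_365_Copilot"
}
Add-Check "4 Guest Copilot licenses" (-not $licensedGuests) (@($licensedGuests.UserPrincipalName) -join ", ")

$results | Format-Table -AutoSize
```

Any FAIL row is a finding against the Baseline level; the remaining criteria (5, 6, 7, 9, 10) are procedural and are verified in the respective portals.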

Additional Resources