In SharePoint Online, external sharing allows organizations to collaborate securely with users outside their tenant. PnP PowerShell provides an efficient way to grant external users access to a SharePoint site.
This guide covers:
✔️ Enabling external sharing on a site
✔️ Adding external users to a SharePoint group
✔️ Assigning permissions to external users
Prerequisites
Before proceeding, ensure:
PnP PowerShell is installed
You have SharePoint Admin or Global Admin rights
The external sharing feature is enabled on the site
Step 1: Install and Import PnP PowerShell
If you haven’t installed PnP PowerShell, run:
Install-Module -Name PnP.PowerShell -Scope CurrentUser -AllowClobber -Force
Then, import the module:
Import-Module PnP.PowerShell
PnP PowerShell is ready!
Step 2: Connect to SharePoint Online
Use the following command to connect to your SharePoint Online site:
Connect-PnPOnline -Url "https://yourtenant.sharepoint.com/sites/yoursite" -Interactive
🔹 Replace "yourtenant" with your SharePoint tenant name
🔹 Replace "yoursite" with your actual site name
Connected successfully!
Step 3: Enable External Sharing on the Site
Before granting external users access, ensure external sharing is enabled:
Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/yoursite" -SharingCapability ExternalUserSharingOnly
🔹 Available options for SharingCapability:
Disabled→ No external sharingExistingExternalUserSharingOnly→ Only previously invited external usersExternalUserSharingOnly→ Any external users with an invitation (Recommended)ExternalUserAndGuestSharing→ Anyone with a sharing link
External sharing is now enabled!
Step 4: Invite an External User
To invite an external user, use:
# Define variables
$externalUserEmail = "externaluser@gmail.com"
$siteUrl = "https://yourtenant.sharepoint.com/sites/yoursite"
$role = "Read" # Options: Full Control, Edit, Read
# Invite the external user
New-PnPUser -LoginName $externalUserEmail -Email $externalUserEmail -Role $role -Site $siteUrl
External user invited!
Step 5: Add External User to a SharePoint Group
Instead of assigning individual permissions, it’s best practice to add users to a group:
# Define variables
$externalUserEmail = "externaluser@gmail.com"
$groupName = "Visitors" # Example: "Members", "Owners", "Visitors"
# Add user to the group
Add-PnPUserToGroup -LoginName $externalUserEmail -Group $groupName
External user added to the group!
Step 6: Verify External User Access
To check if the external user has access:
# Check if the external user has access
Get-PnPUser -Identity "externaluser@gmail.com"
If the user appears in the results, access is successfully granted!
Access verified!
Step 7: Remove External User (If Needed)
To remove an external user from the site:
# Define variables
$externalUserEmail = "externaluser@gmail.com"
# Remove user from the site
Remove-PnPUser -LoginName $externalUserEmail
🔹 If you want to remove the user from a specific group, use:
Remove-PnPUserFromGroup -LoginName $externalUserEmail -Group "Visitors"
External user removed successfully!
Common Errors & Solutions
| Error | Cause | Solution |
|---|---|---|
Access Denied | Insufficient admin rights | Ensure you are a SharePoint Admin |
User not found | Incorrect email or user doesn’t exist | Verify the email address |
Cannot add external user | External sharing disabled | Run Set-PnPTenantSite -SharingCapability ExternalUserSharingOnly |
Permission denied | User lacks correct permissions | Assign the correct role or group membership |