How to Share Files Securely with Clients Using Microsoft Teams

Microsoft Teams lets you share files and collaborate with people outside your organization without giving them access to your internal systems. Setting up external sharing correctly ensures clients get what they need while your internal data stays protected. This guide walks through each method, the admin settings that control it, and the security practices that keep your business safe.

What You Need

• Microsoft 365 admin access to configure external sharing policies
• Understanding of your organization's current external access settings
• A clear picture of what you need to share and with whom

Understanding External Access vs. Guest Access

Microsoft Teams has two separate mechanisms for working with people outside your organization. Picking the right one avoids confusion and security mistakes.

External access allows chat and calls with people in other Microsoft 365 organizations. They stay in their own tenant and use their own Teams app. They cannot see your channels, files, or internal conversations. Use this for quick one-on-one communication where you do not need to share files or collaborate on documents.

Guest access invites an external person into a specific Team or channel within your tenant. They can see the files, conversations, and shared resources within that specific channel. They cannot see other channels or Teams unless you explicitly add them. Use this for ongoing project collaboration where you need to share files, track conversations, and work together in a shared space.

Neither option gives external users access to your entire tenant. Both are scoped to what you explicitly grant.

Step 1: Check Your Tenant's External Sharing Settings

Before inviting any external users, verify that your admin settings allow the type of sharing you need. There are two admin centers to check.

Teams Admin Center

1. Go to admin.teams.microsoft.com
2. In the left sidebar, click Users > External access
3. Review the settings. The default allows communication with all external Microsoft 365 organizations. You can restrict this to specific domains if you only work with known partners.
4. Next, click Users > Guest access
5. Verify that Allow guest access in Teams is set to On
6. Review the individual permissions for guests: calling, meeting, and messaging capabilities

SharePoint Admin Center

File sharing through Teams relies on SharePoint's external sharing settings. If SharePoint sharing is restricted, Teams file sharing will be blocked too.

1. Go to admin.microsoft.com > Admin centers > SharePoint
2. Click Policies > Sharing
3. Set the SharePoint external sharing level. For most businesses, New and existing guests provides the right balance of accessibility and control. Avoid Anyone (anonymous links) for business files.
4. Under More external sharing settings, enable Guests must sign in using the same account to which sharing invitations are sent for added security

Step 2: Create a Dedicated Channel for Client Collaboration

The safest way to share files with a client is to create a channel specifically for that collaboration. This keeps client-facing work isolated from your internal conversations and files.

1. Open Microsoft Teams and go to the Team that handles client work (e.g., "Operations" or "Client Projects")
2. Click the three dots next to the Team name and select Add channel
3. Name the channel clearly (e.g., "Client - Smith Law Firm" or "Project - Website Redesign")
4. Set the privacy to Standard (visible to all Team members) or Private (visible only to selected members)
5. Click Add

Adding the Client as a Guest

1. Click the three dots next to the Team name and select Add member
2. Enter the client's email address
3. Teams will recognize it as an external address and label them as a Guest
4. Click Add

The client will receive an email invitation. Once they accept and sign in, they can see only the channels you have added them to. They cannot see your other channels, other Teams, or any internal conversations.

Sharing Files in the Channel

1. Go to the channel's Files tab
2. Click Upload to add files, or drag and drop files directly into the tab
3. Both your team and the client can now access, view, and edit the files in this channel
4. All activity is logged, so you have an audit trail of who uploaded, edited, or downloaded each file

This is better than emailing files back and forth for several reasons: everyone works on the same version, you have a complete conversation history alongside the files, and you can revoke access at any time by removing the guest from the Team.

Step 3: Use SharePoint Sharing Links for One-Off Files

When you need to share a single file without adding someone as a guest to your entire Team, SharePoint sharing links give you precise control.

1. In Teams, navigate to the file you want to share
2. Right-click the file and select Share or click the Share button
3. Click People you specify (do not use "Anyone with the link" for business files)
4. Enter the client's email address
5. Set permissions: Can edit or Can view
6. Optionally, set an expiration date on the link. This is recommended for sensitive files so the link stops working after the project is complete.
7. Optionally, set a password on the link for an additional layer of protection
8. Click Send

The client receives an email with the link. They sign in with their email address to access the file. If they do not have a Microsoft account, they will be prompted to verify their identity through a one-time passcode sent to their email.

Avoid using "Anyone with the link" sharing for business files. These links can be forwarded to anyone and are impossible to audit. "People you specify" ensures only the intended recipient can access the file.

Step 4: Apply Sensitivity Labels to Control What Recipients Can Do

If your organization uses Microsoft 365 Business Premium, you have access to sensitivity labels that control what recipients can do with your files after you share them. This is important for legal documents, financial data, or confidential project materials.

Sensitivity labels can:

• Prevent recipients from downloading or printing the file (view-only in the browser)
• Prevent forwarding or copying content
• Add watermarks to documents
• Encrypt the file so only authorized recipients can open it
• Automatically expire access after a set period

To apply a sensitivity label:

1. Open the file in Word, Excel, PowerPoint, or the Teams Files tab
2. Click Sensitivity in the toolbar (or the shield icon)
3. Select the appropriate label (e.g., "Confidential - External Sharing Allowed" or "Highly Confidential - View Only")
4. Save the file

Your admin configures the available sensitivity labels in the Microsoft Purview compliance portal. Athencia deploys Microsoft 365 Business Premium for all managed clients, which includes the licensing for sensitivity labels. Business Basic and Business Standard do not include this capability.

Step 5: Set Up Guest Access Policies with Conditional Access

For organizations on Microsoft 365 Business Premium, Conditional Access policies in Entra ID can enforce security requirements for guest users, not just your internal team.

Useful policies for guest access include:

• Require MFA for all guest sign-ins: Guests must verify their identity with a second factor every time they access your resources. This prevents a compromised client email account from accessing your files.
• Block guest access from specific countries: If your clients are all domestic, block guest sign-ins from countries where you have no business relationships.
• Require terms of use acceptance: Present guests with a terms-of-use agreement before they can access shared resources.

To create a guest-specific Conditional Access policy:

1. Go to entra.microsoft.com > Protection > Conditional Access > Policies
2. Click + New policy
3. Under Users, select Guest or external users
4. Under Target resources, select All cloud apps
5. Under Grant, select Require multifactor authentication
6. Set the policy to Report-only first to test, then switch to On after reviewing the results
7. Click Create

Security Best Practices for External Sharing

Review guest access quarterly. Go to entra.microsoft.com > Identity > Users > All users and filter by user type "Guest." Remove any guests who no longer need access. Stale guest accounts are a common security blind spot.

Set expiration policies for guest accounts. Configure automatic expiration so guests lose access after 90 days of inactivity. Go to Identity > External Identities > External collaboration settings to configure this.

Disable guest access for internal-only Teams. If a Team contains purely internal information, go to the Team settings and disable guest permissions for that specific Team.

Never share files through personal OneDrive or consumer cloud services. Files shared outside the company should go through SharePoint or Teams, where your organization retains control, visibility, and audit trails.

Monitor external sharing activity. The SharePoint admin center includes an external sharing report under Reports > Sharing. Review this monthly to catch unexpected sharing or overly broad permissions.

Common Issues

Need Help?

Setting up secure external sharing involves coordinating settings across Teams, SharePoint, and Entra ID. If you want help configuring external sharing policies or reviewing your current setup for security gaps, contact Athencia. We configure these settings as part of every Microsoft 365 deployment.