OneDrive sharing permissions explained (without the IT jargon)

You click Share in OneDrive. A dialog appears with several toggles and a tiny "Anyone with the link can edit" headline at the top. Most people click Send without thinking — and end up either sharing a sensitive file with the entire internet, or sending a link that 90% of recipients can't open.

OneDrive sharing has six combinations of access type and permission, plus three optional restrictions. This guide breaks down what each option does, the right default for everyday work, and the gotchas around external recipients and link expiry.

The four "who can access" levels

When you click Share, the top of the dialog shows the current scope. Click it to switch:

1. Anyone with the link

The most permissive option. Anyone, anywhere, can open the file by clicking the link — including people the recipient forwards it to. No sign-in required. The link works for everyone until you revoke it.

Use only for genuinely public content (marketing flyers, public reports, recruiter take-home tests). Never for sensitive data.

2. People in [your organisation]

Only people with a sign-in to your Microsoft 365 tenant can open the link. If a colleague forwards the link to an external recipient, that external person hits a sign-in wall they can't pass.

This is the safe default for internal sharing. The link is unique to your tenant.

3. People with existing access

Doesn't grant any new permissions. The link is convenient for sharing with people who already have access via folder-level permissions or because they're in the same Teams channel. Failed sharing attempts (the recipient sees "Access denied") suggest you should have picked a more permissive option.

4. Specific people

You explicitly list email addresses; only those addresses can open the link. If a recipient forwards the link, the new recipient hits a sign-in wall.

Most secure mode. Use for sensitive documents, contracts, and personal data.

Permission level: Can edit vs Can view vs Can review

Independent of access scope, you set what people can do with the file:

• Can edit: full edit rights. They can change, save, share, and download.
• Can view: read-only. They can open the file in the browser; they cannot save changes back.
• Can review (Word documents only): they can add comments and tracked changes, not free edits.

For most external sharing, Can view is the right default. Switch to Can edit only when collaboration is genuinely required.

There's also a Block download option (hidden under more settings on some clients): the recipient can read in the browser but cannot save the file locally. Useful for confidential PDFs.

Quick steps to share a OneDrive file safely

1. Right-click the file in File Explorer → Share (or open it in OneDrive web → Share button).
2. At the top of the dialog, click the access scope (default is usually "People in [your org]").
3. Switch to Specific people if it's sensitive, or People in [your org] if internal.
4. Below, set the permission: Can view unless you really need edit access.
5. Optionally set an Expiration date (for time-limited access).
6. Optionally set a Password (recipient enters it once to open).
7. Type the recipient's email or name. For internal recipients, the name autocompletes. For external, type the full email.
8. Optionally add a message. Click Send.

The recipient gets an email with a link button. They click, sign in if required, and see the file.

External recipients: what to know

When you share with an email outside your tenant:

• The first time they receive a OneDrive share, they get a verification code via email. They have to enter it before reading the file.
• If they have a Microsoft account (personal or work), they can sign in with that — no code needed.
• External access is logged in your tenant's compliance centre. An admin can see every external share.
• Your admin may have a policy that disables external sharing for specific folders or for the whole tenant. If so, your share will be auto-restricted to internal only.

For repeated external collaboration, suggest the external person sign up for a free Microsoft account — they'll then get one-click access to all your shares.

Expiration dates and passwords

Two strong restrictions you should use more often:

• Expiration: the link works only until a date you set. After that, the recipient sees an error. Useful for time-limited proposals, contracts, or job interview material.
• Password: a passcode the recipient must enter to open the file. Useful for genuinely sensitive sharing; communicate the password via a separate channel (Signal, phone) so a forwarded link alone isn't enough.

Both are set in the same Share dialog before clicking Send. Once set, you can edit or remove them from Manage access (right-click the file → Manage access).

Manage access after the fact

To see who has access to a file or revoke a share:

1. Right-click the file → Manage access.
2. The pane on the right lists every link and every person who has access.
3. To stop a link from working, click the three dots next to it → Stop sharing.
4. To change a specific person's permission level, click their name → adjust → save.

This is how you handle "I sent them View access but they need to edit", or "we sent the link three months ago and I should revoke it now".

OneDrive vs Teams channel sharing

If the file you want to share is in a Teams channel, the file actually lives in SharePoint, and sharing permissions are governed by the team/channel settings — not by the OneDrive sharing dialog.

In a Teams channel:

• Everyone in the team has Edit access to the channel's files by default.
• For private channels, only invited people see the files.
• Sharing externally from a channel file uses the same Share dialog but the access scope defaults to the channel's permission set.

If you want a more restrictive share for a specific file in a channel, use Specific people and re-share — but realise that everyone in the team can still see and access the file via the channel's Files tab.

Common mistakes

• "Anyone with the link can edit" as the default share. Switch the scope and lock to View unless you genuinely need otherwise.
• Sharing a folder when you meant to share one file. A folder share gives access to every file in it, now and in the future. Share the specific file instead.
• Not revoking access when a contractor leaves. Set an expiration date when you create the share — the access cleans itself up.
• Sending the password in the same email as the link. Defeats the purpose. Send via a separate channel.

TL;DR

OneDrive's Share dialog has four access scopes (Anyone, People in your org, Existing access, Specific people) and three permissions (Edit, View, Review). The safe defaults: Specific people, Can view, and an expiration date unless you have a reason to be more permissive. Use Manage access to audit and revoke shares after the fact. For genuinely sensitive files, add a password and a short expiry.