Managing External Sharing in Google Workspace: An Admin's Guide
How to control external sharing in Google Workspace—the admin settings, the gaps they leave, and how to audit who outside your organization can see your files.

In Google Workspace, external sharing is controlled by admins in the Admin console under Drive and Docs sharing settings, where you can turn external sharing on or off, limit it to trusted domains, add warnings, and block "anyone with the link." But policy settings only govern new shares—they don't clean up the external access that already exists, which is where most real risk lives.
For an admin, this is the gap that matters. You can set a perfect sharing policy today and still have hundreds of files quietly shared with former clients, personal Gmail addresses, and partner domains from years of activity. Managing external sharing well means doing two things: setting sane policies going forward, and auditing what's already out there.
What "External Sharing" Actually Means
External sharing is any access granted to someone outside your organization's domain—a client's email, a contractor's personal Gmail, a partner company, or a public "anyone with the link" setting. It's not inherently bad; most organizations need to share with people outside the company. The risk comes from external access that's broader than intended, granted to the wrong people, or simply forgotten long after it was needed.
The job isn't to eliminate external sharing. It's to make sure every external share is intentional, scoped correctly, and reviewed over time.
The Admin Controls You Have
Google Workspace gives admins several levers in the Admin console, under Apps → Google Workspace → Drive and Docs → Sharing settings. These apply to organizational units or groups, so you can set different rules for different teams.
On or off. You can allow external sharing, turn it off entirely, or restrict it. Turning it off completely is rare outside high-security environments, but it's available.
Allowlisted (trusted) domains. Instead of all-or-nothing, you can limit external sharing to a list of specific trusted domains—say, your key partners and clients—and block everything else. This is one of the most useful middle-ground settings.
Target audiences. You can define groups that appear as recommended sharing options, nudging users toward "everyone in the company" rather than reflexively choosing "anyone with the link."
Warnings. You can have Drive warn users when they're about to share outside the organization, which catches accidental external shares at the moment they happen.
Link-sharing limits. You can restrict or disable "anyone with the link," so files can't be made broadly public, and control whether shared files can be downloaded, printed, or copied.
Together these shape what users can do going forward. What they don't do is reach back and fix existing shares—and that's the part that needs attention.
The Gap: Policy Doesn't Clean Up the Past
Here's the trap. An admin tightens the sharing policy, feels the problem is solved, and moves on. But every file shared before the policy change keeps its existing access. The "anyone with the link" document from two years ago is still public. The folder shared with a contractor who left is still shared. The policy governs new behavior; it has no effect on the accumulated access already in place.
This is why external-sharing incidents so often involve old files, not new ones. The exposure was created long ago and never reviewed. Auditing existing external access is the only way to close it.
How to Audit Existing External Sharing
Here are your options for finding what's already shared outside your organization.
Option 1: Scan With Overdrive
Finding every externally shared file by hand is slow and easy to get wrong, because the access is scattered across thousands of files and several sharing types. Overdrive scans your Drive and surfaces external shares in one place—files shared with outside domains, "anyone with the link" files, and forgotten shares with people who no longer need access—so you can review and revoke them in bulk instead of opening files one at a time. The initial scan is read-only, which matters when you're auditing rather than changing things.
Option 2: Audit Manually
For a smaller scope, you can work with Google's native tools. Use Drive search operators to surface shared files: the to: operator finds files shared with a specific email address, and you can also look for files set to public or external sharing. Admins can also run sharing reports in the Admin console and review the audit logs for external-sharing events. It's thorough but labor-intensive, and it scales poorly across a large organization with years of history.
Whichever route you take, the workflow is the same: list everything shared externally, categorize each share (current partner, finished project, unknown), and revoke what's no longer needed. We walk through the full process in the Google Drive security audit checklist.
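The list-and-categorize step of that workflow, sketched as an added example (not code from the original page or from any tool it mentions). It assumes file records shaped like the Drive API v3 file resource, with each permission carrying type, role, emailAddress or domain; the organization domain, trusted-domain list, and sample files are constructed.

```python
# Added example (not from the original page): classify Drive API v3 permission entries
# for an external-sharing audit. Domains and SAMPLE_FILES are constructed for illustration.
ORG_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"partner.example"}
CONSUMER_DOMAINS = {"gmail.com", "googlemail.com"}
PRIORITY = ["public_link", "personal_email", "external", "trusted_domain"]  # review order

def classify_permission(perm):
    """Map one permission entry to an audit category."""
    if perm.get("type") == "anyone":
        return "public_link"
    if perm.get("type") == "domain":
        domain = perm.get("domain", "")
    else:  # "user" or "group": take the domain part of the address
        domain = perm.get("emailAddress", "").rpartition("@")[2]
    domain = domain.lower()
    if domain == ORG_DOMAIN:
        return "internal"
    if domain in TRUSTED_DOMAINS:
        return "trusted_domain"
    if domain in CONSUMER_DOMAINS:
        return "personal_email"
    return "external"  # unknown or missing domain is queued for review, not ignored

def audit(files):
    """Return non-internal shares as (category, file, grantee, role), broadest first."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            category = classify_permission(perm)
            if category == "internal":
                continue
            grantee = perm.get("emailAddress") or perm.get("domain") or perm["type"]
            findings.append((category, f["name"], grantee, perm.get("role")))
    return sorted(findings, key=lambda row: PRIORITY.index(row[0]))

SAMPLE_FILES = [  # constructed sample data
    {"id": "f1", "name": "Q3 pricing", "permissions": [
        {"type": "user", "role": "owner", "emailAddress": "alice@example.com"},
        {"type": "anyone", "role": "reader"}]},
    {"id": "f2", "name": "Contractor handoff", "permissions": [
        {"type": "user", "role": "writer", "emailAddress": "Bob@Gmail.com"},
        {"type": "user", "role": "reader", "emailAddress": "carol@partner.example"}]},
    {"id": "f3", "name": "Roadmap", "permissions": [
        {"type": "domain", "role": "reader", "domain": "example.com"},
        {"type": "user", "role": "commenter", "emailAddress": "dave@oldclient.example"}]},
]
if __name__ == "__main__":
    print(*audit(SAMPLE_FILES), sep="\n")
```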
Building a Sustainable External-Sharing Policy
Settings and audits work best as a cycle, not a one-time project. A practical approach for most organizations looks like this. Set external sharing to trusted domains plus warnings, so routine collaboration is easy but accidental public shares get flagged. Disable or restrict "anyone with the link" for sensitive organizational units. Then schedule a recurring external-sharing audit—quarterly is reasonable for most teams—to catch shares that outlived their purpose.
Pair that with good offboarding. When someone leaves or a project ends, removing their access should be a checklist item, not an afterthought. A surprising share of external exposure traces back to people who simply were never removed. Our guide to revoking access for former employees covers the offboarding side in detail.
Think of it as two complementary motions working together: the policy settings act as a gate that controls what flows out from now on, and the recurring audit acts as a drain that clears what has already pooled. A gate without a drain leaves old exposure in place; a drain without a gate means you're forever cleaning up the same mess. Run both, on a schedule, and external sharing stays a managed, intentional part of how your organization works rather than a quiet source of risk.
Common External-Sharing Risks to Watch For
When you run your first audit, a handful of patterns show up again and again. Knowing them in advance tells you what to look for. Personal email shares are near the top—a contractor or employee shared a file to their personal Gmail for convenience, and it's still live long after they've gone. "Anyone with the link" on sensitive files is the classic exposure: a document set to link-sharing for a quick send, never changed back, now reachable by anyone who ever received the URL. Stale partner-domain access accumulates when collaborations end but access doesn't. And individually shared files inside otherwise-restricted folders create access paths that don't show up in folder or drive membership.
None of these are exotic; they're the natural residue of normal work. The point of an audit is to surface them so you can decide which to keep and which to revoke, rather than discovering them after an incident.
Communicating the Policy to Your Team
Technical controls work best alongside a little education. When you tighten sharing settings, tell people why and what changed—otherwise the warnings feel like friction and users look for workarounds. A short note explaining that external shares are now flagged, that "anyone with the link" is limited, and how to request an exception goes a long way. The goal is to make the secure path the easy, obvious one. Users rarely share externally out of carelessness; they do it because it's the fastest way to get their work done. Give them an equally fast sanctioned option and most accidental exposure disappears on its own.
It's also worth being clear about who owns the ongoing review. External access is not a set-and-forget task; it accumulates the moment you stop watching. Assigning a specific person or role to run the quarterly audit—and giving them a tool that surfaces external shares quickly—turns external-sharing hygiene from a good intention into something that actually happens on a schedule.
Frequently Asked Questions
Where do I control external sharing in Google Workspace?
In the Admin console under Apps → Google Workspace → Drive and Docs → Sharing settings. You can apply different rules to different organizational units or groups.
Can I allow sharing with some outside domains but not others?
Yes. Use allowlisted (trusted) domains to permit external sharing only with specific domains and block the rest.
Do sharing policy changes fix files that are already shared?
No. Policy settings only affect new shares. Files shared before the change keep their existing access, so you need to audit and clean those up separately.
How do I find files already shared outside my organization?
Use Drive search operators and Admin console sharing reports, or scan your Drive with a tool that surfaces external and link shares in one place so you can revoke them in bulk.
Should I turn off external sharing entirely?
Rarely. Most organizations need some external sharing. Restricting it to trusted domains with warnings is usually a better balance than a full block.