
Jon Barclay · 8 min read

That SharePoint guest visibility setting everyone keeps asking about

Every semester, someone in my class asks why guest users don’t show up in SharePoint’s People Picker. And every time a sysadmin friend calls me about it, the conversation goes the same way: “I turned on external sharing but guests still don’t appear in search.” Then I ask if they’ve checked SharingCapability and there’s a long pause.

The setting they’re looking for is ShowPeoplePickerSuggestionsForGuestUsers. It’s off by default, and Microsoft had good reasons for that.


Why it’s off by default

Privacy, mostly. When you flip this on, every internal user who opens the People Picker can browse your entire guest roster. Every vendor, every contractor, every external client — your tenant’s guest directory, searchable by anyone who knows how to click “Share.” In a regulated environment, that’s a real problem. Even outside regulated industries, most orgs don’t want their whole contractor list visible to every employee.

There’s also an architectural reason. SharePoint has never treated external users the same as internal directory members. Guests come in through invitation flows, not general directory search. The default preserves that separation.


Check SharingCapability first (seriously)

This is where most people trip up. The People Picker setting and actual sharing permissions are two separate controls. Enabling guest suggestions in the People Picker does not grant sharing rights. If a site’s SharingCapability is set to Disabled or ExistingExternalUserSharingOnly, users will see the guest in search and SharePoint will still block the share. You’ll get a support ticket instead of a thank-you.

Check what the site can actually do before touching anything else.

Single site:

Get-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" |
    Select-Object SharingCapability

The four values:

| Value | What it means |
|---|---|
| Disabled | No external sharing at all |
| ExistingExternalUserSharingOnly | Only guests already in your directory (default for M365 Group sites) |
| ExternalUserSharingOnly | New and existing guests, sign-in required |
| ExternalUserAndGuestSharing | Anyone, including anonymous links |

Audit all sites at once:

Get-SPOSite -Limit ALL |
    Select-Object Title, Url, SharingCapability |
    Sort-Object SharingCapability |
    Export-Csv -Path "C:\Reports\SharingSummary.csv" -NoTypeInformation

If you need to invite new guests and the site is locked to Disabled or ExistingExternalUserSharingOnly, fix that first:

Set-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" `
    -SharingCapability ExternalUserSharingOnly

Enabling People Picker suggestions on top of a restrictive sharing policy just creates confusion.


The PowerShell

Once you’ve confirmed the sharing capability makes sense, here’s how to manage the People Picker setting.

Connect first:

# Install the module if needed
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

# Connect to your admin center
Connect-SPOService -Url "https://<yourtenant>-admin.sharepoint.com"

Per-site (do this)

Scope the change to one site collection. This limits directory exposure to the specific collaboration space that needs it.

Check current status:

Get-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" |
    Select-Object ShowPeoplePickerSuggestionsForGuestUsers

Enable:

Set-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" `
    -ShowPeoplePickerSuggestionsForGuestUsers $true

Tenant-wide (think twice)

This changes the default for all new site collections. It does not retroactively affect existing sites, which surprises a lot of people. For any org with compliance obligations, it’s hard to justify.

Check:

Get-SPOTenant | Select-Object ShowPeoplePickerSuggestionsForGuestUsers

Enable globally (I’d push back on this):

Set-SPOTenant -ShowPeoplePickerSuggestionsForGuestUsers $true
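
To see how the two controls line up across existing sites, the following added example (not from the original post) classifies each site by SharingCapability and ShowPeoplePickerSuggestionsForGuestUsers. The function name Get-GuestPickerFinding, the finding labels and the sample rows are assumptions made for illustration; the commented live pipeline re-reads each site with -Identity, as the single-site commands above do.

```powershell
# Added example: classify each site by the two independent controls from the post.
function Get-GuestPickerFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Site
    )
    process {
        $picker  = [bool]$Site.ShowPeoplePickerSuggestionsForGuestUsers
        $sharing = [string]$Site.SharingCapability
        # The two values the post names as too restrictive for inviting new guests.
        $restrictive = $sharing -in 'Disabled', 'ExistingExternalUserSharingOnly'

        $finding = if ($picker -and $restrictive) {
            'Review: guest suggestions on top of a restrictive sharing policy'
        } elseif ($picker) {
            'Exposed: guest roster is searchable from this site; confirm it is intended'
        } else {
            'OK: guest suggestions off (the default)'
        }

        [pscustomobject]@{
            Url               = $Site.Url
            SharingCapability = $sharing
            GuestSuggestions  = $picker
            Finding           = $finding
        }
    }
}

# Constructed sample rows (placeholder URLs, not real tenant data) so this runs offline.
$sample = @(
    [pscustomobject]@{ Url = 'https://<yourtenant>.sharepoint.com/sites/vendors'
        SharingCapability = 'ExternalUserSharingOnly'; ShowPeoplePickerSuggestionsForGuestUsers = $true }
    [pscustomobject]@{ Url = 'https://<yourtenant>.sharepoint.com/sites/hr'
        SharingCapability = 'Disabled'; ShowPeoplePickerSuggestionsForGuestUsers = $true }
    [pscustomobject]@{ Url = 'https://<yourtenant>.sharepoint.com/sites/finance'
        SharingCapability = 'ExistingExternalUserSharingOnly'; ShowPeoplePickerSuggestionsForGuestUsers = $false }
)
$sample | Get-GuestPickerFinding | Format-Table -AutoSize

# Live tenant, after Connect-SPOService. Each site is re-read by -Identity so the
# per-site property is taken from the same call the post uses for a single site.
# Get-SPOSite -Limit All | ForEach-Object { Get-SPOSite -Identity $_.Url } |
#     Get-GuestPickerFinding | Where-Object Finding -notlike 'OK*'
```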

You probably don’t need to change it at all

Honestly, most of the time when someone asks me about this setting, the real answer is they shouldn’t touch it. Here’s what I usually suggest instead.

Just type the email address. Keep the setting disabled and have users type the full email of the person they’re sharing with. Yes, it’s slower. That’s the point. Files go to the person you intended, not to a similarly named contractor you picked from autocomplete.

Use Teams for ongoing external collaboration. When you add a guest to a specific Team, their visibility is scoped to that group’s members. They don’t show up tenant-wide, which is usually what people actually want.

Look into Entra ID Access Packages if you need something more structured. Entitlement Management lets external users request access through an approval workflow, provisions them into the right groups automatically, and gives you an audit trail. Sidesteps the whole People Picker question.


The short version

ShowPeoplePickerSuggestionsForGuestUsers is off because guest users aren’t meant to be browsable by your whole org. Before changing it, check the site’s SharingCapability — turning on guest search for a site that can’t actually share externally helps nobody. If you do need it, scope it to the specific site, not the tenant. And consider whether typing an email address or using Teams would solve the problem without exposing your guest directory.
