Jon Barclay · 8 min read
Managing Guest Visibility in SharePoint: The ShowPeoplePickerSuggestionsForGuestUsers Setting
If you manage external sharing in SharePoint Online, you may have noticed that guest users do not automatically appear in the People Picker when your users try to share a file or site. This is not a bug. It is a deliberate default, controlled by the ShowPeoplePickerSuggestionsForGuestUsers setting, and understanding why it exists matters before you consider changing it.
Why Is It Disabled by Default?
Microsoft disables this feature globally for two reasons.
Privacy and directory exposure. When enabled, any internal user can start typing in the People Picker and see a list of every guest user in your Microsoft Entra ID tenant (formerly Azure AD). That means your entire roster of vendors, contractors, and external clients is visible to anyone in the organization who knows how to use the share dialog. This is a meaningful data privacy risk, particularly in regulated environments.
Historical architecture. SharePoint has never treated external users the same as internal directory members. The default off-state preserves that expected separation. Guests are provisioned into your tenant through specific invitation flows, not discovered through a general-purpose search interface.
Before You Change Anything: Check SharingCapability First
This is a step many administrators skip, and it creates significant confusion. The People Picker setting and the actual sharing permissions on a site are two separate controls. Enabling guest suggestions in the People Picker does not grant sharing rights. If a site’s SharingCapability is set to Disabled or ExistingExternalUserSharingOnly, users can search for a guest all day long and SharePoint will still block the share.
Before touching the People Picker setting, verify what the site is actually allowed to do.
Check a single site:
```powershell
Get-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" |
    Select-Object SharingCapability
```
The four possible values are:
| Value | Description |
|---|---|
| Disabled | No external sharing of any kind |
| ExistingExternalUserSharingOnly | Only guests already in your directory (default for M365 Group sites) |
| ExternalUserSharingOnly | New and existing guests; sign-in required |
| ExternalUserAndGuestSharing | Anyone, including anonymous links |
Audit across all sites:
```powershell
Get-SPOSite -Limit ALL |
    Select-Object Title, Url, SharingCapability |
    Sort-Object SharingCapability |
    Export-Csv -Path "C:\Reports\SharingSummary.csv" -NoTypeInformation
```
If the site is set to Disabled or ExistingExternalUserSharingOnly and the business need is to invite new guests, the SharingCapability needs to be addressed first. Enabling People Picker suggestions on top of a restrictive sharing policy achieves nothing except user frustration.
To update the sharing capability on a site before enabling People Picker suggestions:
```powershell
Set-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" `
    -SharingCapability ExternalUserSharingOnly
```
Managing ShowPeoplePickerSuggestionsForGuestUsers with PowerShell
Once you have confirmed the underlying sharing capability is appropriate, you can evaluate whether enabling People Picker suggestions makes sense. All of this is managed through the SharePoint Online Management Shell.
Prerequisites:
```powershell
# Install the module if needed
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Force

# Connect to your admin center
Connect-SPOService -Url "https://<yourtenant>-admin.sharepoint.com"
```
The Recommended Path: Site Collection Level
Scoping this change to a single site collection limits directory exposure to only those collaboration spaces where it is specifically warranted. This is the correct approach for the vast majority of use cases.
Check the current status:
```powershell
Get-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" |
    Select-Object ShowPeoplePickerSuggestionsForGuestUsers
```
Enable for a specific site:
```powershell
Set-SPOSite -Identity "https://<yourtenant>.sharepoint.com/sites/<yoursite>" `
    -ShowPeoplePickerSuggestionsForGuestUsers $true
```
The Unadvised Path: Tenant Level
Applying this at the tenant level changes the default behavior for all site collections across your organization. It also does not retroactively affect sites that were already provisioned; it only changes the default for new sites going forward. For any organization with compliance obligations or strict data governance requirements, this path is difficult to justify.
Check tenant status:
```powershell
Get-SPOTenant | Select-Object ShowPeoplePickerSuggestionsForGuestUsers
```
Enable globally (not recommended):
```powershell
Set-SPOTenant -ShowPeoplePickerSuggestionsForGuestUsers $true
```
Better Alternatives to Consider
Changing the People Picker behavior is often the path of least resistance, but it is rarely the right one. Before enabling directory enumeration for guests, consider whether any of the following approaches address the actual business need more cleanly.
Enforce exact email entry. Keep the setting disabled and require internal users to type the full, exact email address of the person they are sharing with. This is intentional friction that reduces accidental exposure and ensures files only go to explicitly known recipients. Most sharing workflows do not require type-ahead suggestions.
Use Microsoft 365 Groups and Teams. When external users are added as guests to a specific Team, their visibility is scoped to the members of that group rather than exposed tenant-wide. This is a significantly better containment model for ongoing project-based collaboration.
Implement Entra ID Access Packages. For organizations with mature governance requirements, Entitlement Management is the right answer. Access Packages let external users request access to specific resources through an approval workflow, automatically provisioning them into the correct groups without any manual People Picker interaction. This approach eliminates the directory visibility problem entirely and produces a clean audit trail.
Summary
The ShowPeoplePickerSuggestionsForGuestUsers setting is off by default because Microsoft Entra guest users are not meant to be broadly discoverable by your internal population. Before considering any change to this setting, verify the site’s SharingCapability first; enabling People Picker suggestions on a site that cannot actually share externally solves nothing. When a change is warranted, scope it to the specific site collection rather than the tenant, and document the business justification clearly. In most cases, the alternatives above, particularly exact email enforcement or Entitlement Management, address the underlying need without any increase in directory exposure.
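To review both controls together, the following added example (not code from the original article) classifies each site by how its People Picker guest setting interacts with its SharingCapability. The function name `Get-GuestPickerFinding`, the finding labels, and the sample rows are hypothetical and constructed for illustration; re-reading each site with `-Identity` in the live-tenant line is an assumption that mirrors how the article reads the property.

```powershell
# Added example: cross-check the People Picker guest setting against
# SharingCapability. Function name and finding labels are illustrative and
# are not part of the SharePoint Online module.
function Get-GuestPickerFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Site,
        # Values the article treats as too restrictive to invite new guests.
        [string[]]$Restrictive = @('Disabled', 'ExistingExternalUserSharingOnly')
    )
    process {
        $picker  = [bool]$Site.ShowPeoplePickerSuggestionsForGuestUsers
        $sharing = [string]$Site.SharingCapability   # enum name on live objects
        $finding = if ($picker -and ($sharing -in $Restrictive)) {
            'PickerOnButSharingRestricted'   # directory exposure, no sharing benefit
        } elseif ($picker) {
            'GuestsDiscoverable'             # confirm a documented justification exists
        } else {
            'OK'                             # default state: guests not suggested
        }
        [pscustomobject]@{
            Url               = $Site.Url
            SharingCapability = $sharing
            PickerSuggestions = $picker
            Finding           = $finding
        }
    }
}

# Constructed sample rows standing in for Get-SPOSite output (placeholder URLs).
$sample = @(
    [pscustomobject]@{ Url = 'https://<yourtenant>.sharepoint.com/sites/vendors'
        SharingCapability = 'ExternalUserSharingOnly'
        ShowPeoplePickerSuggestionsForGuestUsers = $true }
    [pscustomobject]@{ Url = 'https://<yourtenant>.sharepoint.com/sites/hr'
        SharingCapability = 'Disabled'
        ShowPeoplePickerSuggestionsForGuestUsers = $true }
    [pscustomobject]@{ Url = 'https://<yourtenant>.sharepoint.com/sites/finance'
        SharingCapability = 'ExistingExternalUserSharingOnly'
        ShowPeoplePickerSuggestionsForGuestUsers = $false }
)
$sample | Get-GuestPickerFinding | Where-Object Finding -ne 'OK' | Format-Table -AutoSize

# Live tenant, after Connect-SPOService (assumption: re-read each site by identity):
# Get-SPOSite -Limit ALL | ForEach-Object { Get-SPOSite -Identity $_.Url } | Get-GuestPickerFinding
```

Sites reported as `PickerOnButSharingRestricted` are candidates for turning the setting back off, since the picker exposes the guest directory there without enabling any new sharing.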