As you know, external sharing can be controlled at the site collection level to allow or disallow sharing with external users. However, until now, if you allow sharing, it is by default with the entire world. The sharing invitation is sent to the e-mail address of the person you're sharing the site/document with. When that person clicks on the invite, she is invited to log in with either a Microsoft Account or an Organizational Account which is created in Azure Active Directory (AAD). Afterwards, the user is added to the group or assigned direct permissions.