Data Protection - ISO 27001 A.5.14

External Sharing Governance: Five Controls That Prevent Regulatory Breach in SharePoint

SharePoint's default sharing settings are permissive by design, and uncontrolled external sharing is a recurring finding in regulatory examinations and data breach investigations. These five controls - implementable in under two hours - represent the minimum viable sharing governance for any regulated firm, addressing the exposure that auditors, the ICO, and management liability insurers will assess.

INSIGHTS OF 2026
Practitioner Insight

The Sharing Problem

SharePoint Online's default sharing settings are permissive by design. Microsoft optimises for collaboration, not for regulatory compliance. Out of the box, any user can generate an "Anyone" link that requires no authentication and never expires, and then share it with the entire internet. For a regulated firm - financial services, legal, healthcare - this is an unacceptable posture.

Audits regularly reveal tenants where more than 40% of externally shared links were "Anyone" links with no expiration. In one case, a link to a due diligence folder had been indexed by Google because a user had pasted it into a public Trello board. The client discovered this during a regulatory examination.

Here are five controls that should be standard on every engagement. None of them are optional.

Control 1: Tenant-Level Sharing Restriction

The first action is to restrict the tenant-level sharing setting. Navigate to SharePoint admin center > Policies > Sharing. The slider offers four positions:

  1. Anyone - Anonymous links, no authentication required
  2. New and existing guests - Requires sign-in, but any external email can be invited
  3. Existing guests - Only external users already in your Entra ID directory
  4. Only people in your organization - No external sharing at all

For most regulated firms, the recommended tenant default is Existing guests only. This means external sharing is possible but only with pre-approved external identities that have been added to Entra ID through a governed process.

# Connect to SharePoint Online
Connect-SPOService -Url "https://contoso-admin.sharepoint.com"

# Set tenant sharing to "Existing guests only"
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# Verify
Get-SPOTenant | Select-Object SharingCapability
# Expected output: ExistingExternalUserSharingOnly

Control 2: Site-Level Overrides

The tenant setting is the ceiling, but individual sites can be more restrictive. For highly sensitive sites (board documents, M&A workstreams, legal matter files), external sharing should be disabled entirely at the site level.

# Disable external sharing on a specific site
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/board-docs" -SharingCapability Disabled

# For a site that needs controlled external sharing (e.g., client collaboration)
Set-SPOSite -Identity "https://contoso.sharepoint.com/sites/client-project-alpha" -SharingCapability ExistingExternalUserSharingOnly

# Audit all site sharing settings across the tenant
Get-SPOSite -Limit All | Select-Object Url, SharingCapability, Owner | Export-Csv -Path "C:\Audit\site-sharing-settings.csv" -NoTypeInformation

The critical point: site-level settings can only be equal to or more restrictive than the tenant setting. If the tenant is set to "Existing guests," no individual site can be set to "Anyone." This is by design and it is the right architecture.
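The CSV export above tells you what each site is set to; the question an auditor actually asks is whether any site is more open than it has been approved to be. As an added example (not code from the original article), the following script ranks each site's sharing capability against the tenant ceiling and against an allow-list of sites approved for external sharing, and reports drift. The sample sites, owners and the allow-list are constructed; the commented lines at the end run the same check against a connected tenant.

```powershell
# Added example: rank site sharing settings against the tenant ceiling and an
# allow-list of sites approved for external sharing, and report drift.
# Runs offline against the constructed sample below.

# Ordinal ranking of the four SharingCapability values, least to most permissive
$script:SharingRank = @{
    'Disabled'                        = 0   # Only people in your organization
    'ExistingExternalUserSharingOnly' = 1   # Existing guests
    'ExternalUserSharingOnly'         = 2   # New and existing guests
    'ExternalUserAndGuestSharing'     = 3   # Anyone
}

function Test-SiteSharingPosture {
    param(
        [Parameter(Mandatory)] [object[]] $Sites,            # objects with Url, SharingCapability, Owner
        [Parameter(Mandatory)] [string]   $TenantCapability,  # (Get-SPOTenant).SharingCapability
        [string[]] $ExternalSharingAllowList = @()           # site URLs approved for external sharing
    )
    $tenantRank = $script:SharingRank[$TenantCapability]
    foreach ($site in $Sites) {
        $rank    = $script:SharingRank[[string]$site.SharingCapability]
        $finding = $null
        if ($rank -gt $tenantRank) {
            # The tenant value caps the effective setting, so this should not occur
            # while the cap is in force; report it anyway rather than trust it.
            $finding = 'ExceedsTenantCeiling'
        } elseif ($rank -gt 0 -and $site.Url -notin $ExternalSharingAllowList) {
            $finding = 'ExternalSharingNotApproved'
        } elseif ($rank -eq 0 -and $site.Url -in $ExternalSharingAllowList) {
            $finding = 'ApprovedButDisabled'     # not a risk, but the allow-list is stale
        }
        if ($finding) {
            [PSCustomObject]@{
                Url               = $site.Url
                SharingCapability = $site.SharingCapability
                Owner             = $site.Owner
                Finding           = $finding
            }
        }
    }
}

# Constructed sample data for a hypothetical tenant
$sampleSites = @(
    [PSCustomObject]@{ Url = 'https://contoso.sharepoint.com/sites/board-docs';           SharingCapability = 'Disabled';                        Owner = 'cfo@contoso.com' }
    [PSCustomObject]@{ Url = 'https://contoso.sharepoint.com/sites/client-project-alpha'; SharingCapability = 'ExistingExternalUserSharingOnly'; Owner = 'pm@contoso.com' }
    [PSCustomObject]@{ Url = 'https://contoso.sharepoint.com/sites/hr';                   SharingCapability = 'ExistingExternalUserSharingOnly'; Owner = 'hr@contoso.com' }
)
$allowList = @('https://contoso.sharepoint.com/sites/client-project-alpha')

Test-SiteSharingPosture -Sites $sampleSites -TenantCapability 'ExistingExternalUserSharingOnly' -ExternalSharingAllowList $allowList |
    Format-Table -AutoSize
# Only /sites/hr is reported, as ExternalSharingNotApproved

# Live equivalent (after Connect-SPOService):
# $tenantCap = [string](Get-SPOTenant).SharingCapability
# Test-SiteSharingPosture -Sites (Get-SPOSite -Limit All) -TenantCapability $tenantCap -ExternalSharingAllowList $allowList |
#     Export-Csv -Path "C:\Audit\site-sharing-findings.csv" -NoTypeInformation
```

Keep the allow-list under change control alongside the site provisioning process; the ApprovedButDisabled finding exists precisely so the list is corrected when a site is locked down and never reopened.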

Control 3: Link Expiration

Both sharing links and guest access must expire, and two separate settings govern them. The first, -RequireAnonymousLinksExpireInDays, applies only to "Anyone" links: 30 days is a sensible default, 7 days for highly regulated environments, and once Control 4 removes Anyone links it remains as a backstop should they ever be re-enabled. The second, -ExternalUserExpirationRequired with -ExternalUserExpireInDays, expires the guest access to a site or OneDrive that was granted through sharing unless a site owner renews it. It does not remove the guest account from Entra ID, which is why it must be paired with the guest access reviews described under Scenario 2 below.

Navigate to SharePoint admin center > Policies > Sharing and expand More external sharing settings. The Anyone-link expiry sits under the expiration and permissions options for Anyone links; the guest setting is Guest access to a site or OneDrive will expire automatically after this many days.

# Require "Anyone" links to expire after 30 days (only relevant while such links are enabled)
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30

# Expire guest access granted through sharing after 30 days unless the site owner renews it
Set-SPOTenant -ExternalUserExpirationRequired $true
Set-SPOTenant -ExternalUserExpireInDays 30

# Verify both
Get-SPOTenant | Select-Object RequireAnonymousLinksExpireInDays, ExternalUserExpirationRequired, ExternalUserExpireInDays

Without expiration, shared links accumulate indefinitely. Audits regularly uncover tenants with sharing links dating back to 2018 - to projects that completed years ago, with recipients who have long since left the external organisation. Each one is a latent data breach.

Control 4: Eliminate "Anyone" Links

"Anyone" links are the single biggest sharing risk in SharePoint Online. They require no authentication, cannot be audited to a specific recipient, and can be forwarded without restriction.

Set the default link type to "Specific people" and disable "Anyone" links entirely:

# Disable "Anyone" links tenant-wide. This is the same setting as Control 1: any value
# below ExternalUserAndGuestSharing removes the "Anyone" option from the sharing dialog.
Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

# Set default link type to "Specific people"
Set-SPOTenant -DefaultSharingLinkType Direct

# Set default link permission to "View" (not Edit)
Set-SPOTenant -DefaultLinkPermission View

Navigate to SharePoint admin center > Policies > Sharing and under "File and folder links," select Specific people (only the people the user specifies). This ensures that even when a user clicks "Share," the default is the most restrictive option.

Finding Existing "Anyone" Links

Before tightening controls, audit what is already shared:

# The unified audit log is queried through Exchange Online, not the SPO module:
# requires the ExchangeOnlineManagement module
Connect-ExchangeOnline

# Search for anonymous sharing link creation events in the audit log
# (a single call returns at most 5000 records)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -Operations "AnonymousLinkCreated" -ResultSize 5000 | ForEach-Object {
    $data = $_.AuditData | ConvertFrom-Json
    [PSCustomObject]@{
        Date    = $_.CreationDate
        User    = $_.UserIds
        File    = $data.ObjectId
        SiteUrl = $data.SiteUrl
    }
} | Export-Csv -Path "C:\Audit\anonymous-links.csv" -NoTypeInformation

Review this report with the data owner of each site. In practice, at least 60% of "Anyone" links are created by accident: the user did not understand the sharing dialog and accepted the default, which in an unconfigured tenant is "Anyone with the link".
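The query above lists creation events, but the audit log is a record of events, not an inventory of the links that are live today: a link created and then removed still appears, and a tenant with more than 5000 events in the window is silently truncated. As an added example (not code from the original article), this script pages past the cap with a session and reconciles AnonymousLinkCreated against AnonymousLinkRemoved for each file, so only links that were never removed are reported. The three sample events are constructed; the operation and field names are those the unified audit log emits for SharePoint sharing.

```powershell
# Added example: page the unified audit log past 5000 records and reconcile
# anonymous link creation against removal. Runs offline against the sample below.

function Get-AnonymousLinkEvents {
    # Live fetch (requires Connect-ExchangeOnline). ReturnLargeSet pages in
    # batches of 5000 under one session id and may return duplicates.
    param([int] $Days = 90)
    $start = (Get-Date).AddDays(-$Days)
    $end   = Get-Date
    $sessionId = [guid]::NewGuid().ToString()
    $all = @()
    do {
        $batch = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
            -Operations 'AnonymousLinkCreated', 'AnonymousLinkRemoved' `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        $all += $batch
    } while ($batch -and @($batch).Count -eq 5000)
    $all | Sort-Object Identity -Unique      # de-duplicate on the record id
}

function Get-ActiveAnonymousLinks {
    # Replays create/remove events in time order per file; whatever state a file
    # is left in is its current state. Keying on ObjectId means a file with two
    # distinct anonymous links is reported once, which is acceptable for triage.
    param([Parameter(Mandatory)] [object[]] $Events)   # Search-UnifiedAuditLog result objects
    $byObject = @{}
    foreach ($e in ($Events | Sort-Object CreationDate)) {
        $d = $e.AuditData | ConvertFrom-Json
        switch ($d.Operation) {
            'AnonymousLinkCreated' {
                $byObject[$d.ObjectId] = [PSCustomObject]@{
                    File      = $d.ObjectId
                    SiteUrl   = $d.SiteUrl
                    CreatedBy = $d.UserId
                    Created   = $e.CreationDate
                }
            }
            'AnonymousLinkRemoved' { $byObject[$d.ObjectId] = $null }
        }
    }
    $byObject.Values | Where-Object { $_ }
}

# Constructed sample events (hypothetical tenant, AuditData as the log stores it)
$sampleEvents = @(
    [PSCustomObject]@{ CreationDate = [datetime]'2026-01-10T09:00:00Z'; UserIds = 'alice@contoso.com'; AuditData = '{"Operation":"AnonymousLinkCreated","UserId":"alice@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/deals/Shared Documents/DD-pack.xlsx","SiteUrl":"https://contoso.sharepoint.com/sites/deals/"}' }
    [PSCustomObject]@{ CreationDate = [datetime]'2026-01-11T10:00:00Z'; UserIds = 'bob@contoso.com';   AuditData = '{"Operation":"AnonymousLinkCreated","UserId":"bob@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx","SiteUrl":"https://contoso.sharepoint.com/sites/hr/"}' }
    [PSCustomObject]@{ CreationDate = [datetime]'2026-01-12T11:00:00Z'; UserIds = 'bob@contoso.com';   AuditData = '{"Operation":"AnonymousLinkRemoved","UserId":"bob@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/hr/Shared Documents/salaries.xlsx","SiteUrl":"https://contoso.sharepoint.com/sites/hr/"}' }
)

Get-ActiveAnonymousLinks -Events $sampleEvents | Format-Table -AutoSize
# Only DD-pack.xlsx is reported; the salaries.xlsx link was removed the next day

# Live: Get-ActiveAnonymousLinks -Events (Get-AnonymousLinkEvents -Days 90) |
#           Export-Csv -Path "C:\Audit\active-anonymous-links.csv" -NoTypeInformation
```

The audit log is still only a window: links created before the retention period will not appear at all, so treat this as a triage list and confirm it against a point-in-time sharing report from the SharePoint admin center before signing off.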

Control 5: Conditional Access for External Users

Even with sharing restricted to existing guests, you need to control the conditions under which external users access your data. Create a Conditional Access policy in Microsoft Entra admin center > Protection > Conditional Access > Policies:

Policy: External User Access Controls

  • Users: Guest or external users > B2B collaboration guest users
  • Target resources: Office 365 SharePoint Online
  • Conditions: None (apply to all access)
  • Grant: Require multifactor authentication. Keep this as the only grant control, or select "Require all the selected controls" if you add others: with "Require one of the selected controls", a guest who passes the compliant-device or approved-app check skips MFA. A guest's device is managed by their home tenant, so "Require compliant device" only succeeds for guests if your inbound cross-tenant access settings trust the partner tenant's compliant-device claims; otherwise it simply blocks them.
  • Session: Set sign-in frequency to 4 hours, disable persistent browser sessions

This ensures that external users authenticate with MFA at least every four hours and cannot keep a persistent browser session: closing the browser ends the session and they must sign in again. If you would rather honour MFA performed in the guest's home tenant than have every guest register a second factor in yours, enable "Trust multifactor authentication from Microsoft Entra tenants" in inbound cross-tenant access settings.

For highly sensitive sites, add an additional Conditional Access policy that blocks external access from non-UK locations:

Policy: Block External Access from Outside UK
Users: Guest or external users
Target resources: Office 365 SharePoint Online
Conditions: Locations > Include Any location, Exclude the UK named location (create it first under Protection > Conditional Access > Named locations as a countries/regions location containing United Kingdom; country is derived from the client IP, so a guest whose VPN egresses outside the UK will be blocked)
Grant: Block access
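Both policies, created through the Microsoft Graph PowerShell SDK rather than the portal, as an added example that is not part of the original article. Policy names, the named-location name and the choice to create everything in report-only mode are assumptions; the SharePoint Online application ID is the fixed first-party value. The guest scope is B2B collaboration guests for both policies; extend guestOrExternalUserTypes if you also want to cover B2B direct connect or other external user types.

```powershell
# Added example: create the two guest Conditional Access policies in report-only
# mode with the Microsoft Graph PowerShell SDK (module Microsoft.Graph.Identity.SignIns).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$sharePointAppId = '00000003-0000-0ff1-ce00-000000000000'   # Office 365 SharePoint Online (first-party app id)

# Scope: B2B collaboration guests from any external tenant
$guestScope = @{
    guestOrExternalUserTypes = 'b2bCollaborationGuest'
    externalTenants          = @{
        '@odata.type'  = '#microsoft.graph.conditionalAccessAllExternalTenants'
        membershipKind = 'all'
    }
}

# Policy 1: MFA required (operator AND, so it cannot be bypassed), 4-hour
# sign-in frequency, no persistent browser session.
$guestAccessPolicy = @{
    displayName   = 'External User Access Controls'                 # assumed name
    state         = 'enabledForReportingButNotEnforced'             # report-only first
    conditions    = @{
        users        = @{ includeGuestsOrExternalUsers = $guestScope }
        applications = @{ includeApplications = @($sharePointAppId) }
    }
    grantControls = @{ operator = 'AND'; builtInControls = @('mfa') }
    sessionControls = @{
        signInFrequency   = @{ value = 4; type = 'hours'; isEnabled = $true }
        persistentBrowser = @{ mode = 'never'; isEnabled = $true }
    }
}
$p1 = New-MgIdentityConditionalAccessPolicy -BodyParameter $guestAccessPolicy

# Named location for the UK (countries/regions, ISO code GB), created if absent
$ukLocation = Get-MgIdentityConditionalAccessNamedLocation -All |
    Where-Object { $_.DisplayName -eq 'United Kingdom' }             # assumed name
if (-not $ukLocation) {
    $ukLocation = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
        '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
        displayName                       = 'United Kingdom'
        countriesAndRegions               = @('GB')
        includeUnknownCountriesAndRegions = $false   # unresolvable IPs are treated as outside the UK
    }
}

# Policy 2: block guests reaching SharePoint from anywhere except the UK location
$geoBlockPolicy = @{
    displayName   = 'Block External Access from Outside UK'          # assumed name
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeGuestsOrExternalUsers = $guestScope }
        applications = @{ includeApplications = @($sharePointAppId) }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($ukLocation.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
$p2 = New-MgIdentityConditionalAccessPolicy -BodyParameter $geoBlockPolicy

"$($p1.DisplayName): $($p1.Id)"
"$($p2.DisplayName): $($p2.Id)"

# After reviewing the report-only results in the sign-in logs, enforce with:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $p2.Id -BodyParameter @{ state = 'enabled' }
```

Leave both policies in report-only mode for at least one business cycle and review the "Report-only" tab of the Entra sign-in logs for guests the block policy would have caught; a legitimate partner working from a non-UK office shows up there before you have cut them off.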

Real-World Breach Scenarios

Scenario 1: The Forwarded Link

A solicitor shared an "Anyone" link to a property transaction folder with the opposing party's solicitor. That solicitor forwarded the link to their client, who forwarded it to a mortgage broker, who forwarded it to an administrator. The original folder contained draft contracts, financial due diligence, and personal identity documents for all parties. None of those downstream recipients were authorised.

Fix: "Specific people" links with 7-day expiration. The link only works for the named recipient.

Scenario 2: The Departed Employee's Guest Account

An external consultant's Entra guest account remained active for 14 months after their engagement ended. During that time, they retained access to 23 SharePoint sites. The organisation only discovered this during an ISO 27001 A.9 access review.

Fix: External user expiration policy (ExternalUserExpirationRequired) combined with quarterly access reviews via Entra ID Governance.

Scenario 3: The Google-Indexed Folder

As mentioned in the introduction, a user pasted an "Anyone" link on a public-facing project management tool. Google indexed the link. The folder contained client financial data.

Fix: Eliminate "Anyone" links entirely. No anonymous link means no indexable URL.

Auditing Your Current Sharing State

Before implementing any of these controls, run a comprehensive sharing audit:

# Get a sharing report for all sites
# (add -IncludePersonalSite $true to Get-SPOSite to bring OneDrive into scope)
Get-SPOSite -Limit All | ForEach-Object {
    $site = $_
    # Get-SPOExternalUser returns at most 50 users per call, so page with -Position;
    # a single call silently caps the count at 50
    $externalUsers = @()
    $position = 0
    do {
        $page = Get-SPOExternalUser -SiteUrl $site.Url -PageSize 50 -Position $position -ErrorAction SilentlyContinue
        $externalUsers += $page
        $position += 50
    } while ($page -and @($page).Count -eq 50)
    [PSCustomObject]@{
        SiteUrl           = $site.Url
        SharingCapability = $site.SharingCapability
        ExternalUserCount = ($externalUsers | Measure-Object).Count
        Owner             = $site.Owner
    }
} | Export-Csv -Path "C:\Audit\sharing-audit.csv" -NoTypeInformation

Present this report to your information security committee before making changes. The conversation is always easier when you can show the board that 340 external users have access to SharePoint and nobody can explain who 180 of them are.
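The per-site count tells the board how many guests there are; it does not tell them which ones nobody can explain. To answer that from data rather than memory, and to catch the departed consultant of Scenario 2, the following added example (not code from the original article) reports Entra ID guests that have not signed in for a configurable number of days, or never, grouped by the domain they came from. The sample guests are constructed; the live fetch at the end assumes the User.Read.All and AuditLog.Read.All scopes and the Microsoft Entra ID P1/P2 licence that sign-in activity reporting requires.

```powershell
# Added example: report stale guest accounts from Entra ID sign-in activity.
# Runs offline against the constructed sample below.

function Get-StaleGuests {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,    # objects with DisplayName, Mail, CreatedDateTime, LastSignIn (may be $null)
        [int]      $StaleAfterDays = 90,
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($g in $Guests) {
        # A guest who never signed in is measured from the invitation date instead
        $last = if ($g.LastSignIn) { [datetime]$g.LastSignIn } else { [datetime]$g.CreatedDateTime }
        $idle = [int]($AsOf - $last).TotalDays
        if ($idle -ge $StaleAfterDays) {
            $lastShown = if ($g.LastSignIn) { $g.LastSignIn } else { 'never' }
            [PSCustomObject]@{
                DisplayName = $g.DisplayName
                Mail        = $g.Mail
                Domain      = ($g.Mail -split '@')[-1]   # helps the owner recognise the partner
                LastSignIn  = $lastShown
                IdleDays    = $idle
            }
        }
    }
}

# Constructed sample guests (hypothetical tenant)
$sampleGuests = @(
    [PSCustomObject]@{ DisplayName = 'Consultant A'; Mail = 'a@partner.example'; CreatedDateTime = '2024-09-01T00:00:00Z'; LastSignIn = '2024-11-15T08:00:00Z' }
    [PSCustomObject]@{ DisplayName = 'Auditor B';    Mail = 'b@audit.example';   CreatedDateTime = '2025-12-01T00:00:00Z'; LastSignIn = '2026-01-20T09:00:00Z' }
    [PSCustomObject]@{ DisplayName = 'Invite C';     Mail = 'c@unknown.example'; CreatedDateTime = '2025-06-01T00:00:00Z'; LastSignIn = $null }
)

Get-StaleGuests -Guests $sampleGuests -StaleAfterDays 90 -AsOf ([datetime]'2026-02-01') |
    Sort-Object IdleDays -Descending | Format-Table -AutoSize
# Consultant A (idle about 443 days) and Invite C (never signed in, about 245 days) are reported;
# Auditor B signed in 12 days ago and is not

# Live equivalent (sign-in activity needs AuditLog.Read.All and an Entra ID P1/P2 licence):
# Connect-MgGraph -Scopes 'User.Read.All', 'AuditLog.Read.All'
# $liveGuests = Get-MgUser -All -Property Id, DisplayName, Mail, UserType, CreatedDateTime, SignInActivity |
#     Where-Object { $_.UserType -eq 'Guest' } |
#     ForEach-Object {
#         [PSCustomObject]@{
#             DisplayName     = $_.DisplayName
#             Mail            = $_.Mail
#             CreatedDateTime = $_.CreatedDateTime
#             LastSignIn      = $_.SignInActivity.LastSignInDateTime
#         }
#     }
# Get-StaleGuests -Guests $liveGuests -StaleAfterDays 90 | Export-Csv -Path "C:\Audit\stale-guests.csv" -NoTypeInformation
```

Take this list to the same information security committee: a guest with no sign-in in 90 days and a domain nobody recognises has no business being an "existing guest" that Control 1 still permits sharing with, and the quarterly access review in Entra ID Governance should remove them rather than renew them by default.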

Summary

These five controls - tenant restriction, site-level overrides, link expiration, "Anyone" link elimination, and Conditional Access for guests - form the minimum viable external sharing posture for any regulated organisation. They take approximately two hours to implement and fundamentally change your risk exposure. There is no reason to delay.