Is Your SharePoint Set Up to Overshare?
Microsoft SharePoint's design makes oversharing content exceptionally easy, and the result can be a significant data security compromise! Coupled with Copilot’s powerful content surfacing capabilities, it is critical to understand and address the root causes of the problem.
Oversharing is defined as granting a recipient access to information beyond what is strictly necessary.
It is an obvious risk to share sensitive or confidential content with unintended internal or external users. But what is not obvious to most users is that Microsoft SharePoint is an environment with abundant opportunities for oversharing.
Why is it so easy to overshare?
Three main reasons contribute to oversharing of content:
1. Default SharePoint Settings
The default settings in SharePoint for “Copy Link” and “Share” are configured so that the recipients have the least-restrictive level of access: ANYONE – internal or external – can EDIT!
2. New Links Are Easy to Create but Cause Big Problems
Most untrained users default to using the “Copy Link” or “Share” features. And why not? They are conveniently accessed, and seem to achieve their goal of sharing. However, there are unseen but substantial impacts.
Each time a user clicks “Copy Link” or “Share,” a NEW UNIQUE LINK is created, even if the end user already has access to the content! This “explicit link” overrides the site settings for the file! In other words, the new duplicate link has created unique permissions that are independent of any other file, folder, library, or site. If a user’s access to the file, folder, library, or site is removed—but they have an explicit link—they still have access to the content!
Three of the four types of “sharing” links generate unique permissions! Unique item-level permissions are harder to manage and more prone to access problems.
- The only type of sharing link that does not override site permissions is “People with existing access.”
In this image, “Contoso” is the name of the organization.
Explicit access can also be granted through indirect sharing. For example:
- Sharing links forwarded in Outlook emails will grant recipients explicit access to target files.
- Sharing links sent by other means will grant recipients explicit access to target files once clicked.
Even files shared in MS Teams can be another source of oversharing, as selecting “copy link” will give anyone access by default. (MS Teams runs on SharePoint, after all!)
3. Copilot AI Reveals All
The powerful search capacity of AI tools such as Microsoft Copilot can magnify this issue. While Copilot does not change existing permissions, it can surface content that users didn’t know they had the ability to access. If this content is sensitive or confidential, real problems can emerge.
Oversharing: What Could Possibly Go Wrong?
Ever hear that line in a movie, “What could possibly go wrong?” Immediately, you know the characters are in for a rough ride. Well, here we go…
Put yourself in the shoes of a CIO in any industry. (To get your mind going, how about: government, financial services, healthcare, legal, technology, or education.)
Firing up your computer Monday morning, you discover that—due to default sharing settings—confidential information has been overshared within your organization, and also with your contracted vendors!
Your mind starts racing with all the ricocheting impacts.
How soon will this hit the press? Then what?
Financial Impact to Your Organization:
– Regulatory fines and penalties.
– Stock price decline and shareholder value loss.
– Financial losses and missed opportunities.
Legal Consequences:
– Legal action and costly litigation fees.
– Regulatory violations and fines.
– Lawsuits and settlements.
Operational Disruption:
– Extended downtime and disruption to business operations.
– Internal investigations and resource consumption.
Reputational Damage:
– Diminished public perception and loss of brand trust.
– Negative publicity and media scrutiny.
– Damage to relationships with stakeholders.
Talent and Recruitment Drain:
– Loss of employee trust and loyalty.
– Difficulty attracting top talent.
Competitive Impact:
– Loss of competitive advantage.
– Poaching of customers by competitors.
Relationship Impacts:
– Loss of client trust and business relationships.
– Severance of ties with partners and vendors.
– Damage to relationships with regulatory bodies and industry associations.
And the list goes on…
Best Practices and Solutions
It is clearly in your best interest to avoid oversharing content! So where to start?
Starting Clean with Best Practices
The following recommendations and settings can enable successful content sharing and minimize the increased risk of oversharing.
General users:
- Take notice of your organization’s SharePoint settings for collaborative content.
- Be mindful when sharing content and copying links – SharePoint will tell you what type of sharing link you are creating, and you can change the default option.
- Talk to your IT department if you have not received SharePoint training.
- Talk to your IT department if sharing links default to something other than “People with existing access.”
IT Admin:
For best results, we recommend training your users on the preferred method of sharing content. Additionally, we recommend that the Microsoft SharePoint settings be configured as follows.
It is important to note that changing the Microsoft SharePoint settings will only impact content going forward. It will not change the sharing links of existing content.
The default settings set by your organization’s IT team are important. Default sharing settings should not elevate access or change permissions – users can change the default type of sharing link if that is their intention!
There are 4 types of Sharing Links
- Anyone
  - Anyone with the link can access the content, inside or outside of the organization.
  - This type of sharing link will create unique permissions on the shared item.
  - Potential for oversharing content!
- Organization sharing links (will display as “People in ”)
  - Anyone in the organization with the link can access the content, regardless of site permissions.
  - This type of sharing link will create unique permissions on the shared item.
  - Potential for oversharing content!
- People with existing access
  - This link works for anyone who already has access to the content.
  - This type of link will not create unique permissions on the shared item.
- Specific people/People you choose (same type of link known by two names)
  - This link only works for the people whose name you enter when sharing.
  - This type of sharing link will create unique permissions on the shared item.
  - Potential for oversharing content!
Tenant Settings
Settings below are located at SharePoint Admin center > Policies > Sharing
- External sharing
  - Set to the lowest level acceptable for your organization. Do you need “Anyone” links?
- Default Sharing Link type
  - We recommend “Specific People” as the other two options both encourage oversharing. (The Tenant level does not offer “People with existing access.”)
- Default link permission
  - We recommend “View” access – users can set to Edit on shared links as needed.
- Set guest access expiration (see site gear icon > permissions > guest expiration)
Per-Site Settings
Per-site settings are set through the UI (User Interface) at these locations:
- Admin center > sites > site settings > external file sharing
- Admin center > sites > site settings > external file sharing > more sharing settings > Advanced settings for external sharing
External Sharing
- We recommend restricting external sharing (from the tenant default) where possible. Disable on all sites except where needed.
- If sharing externally, limit sharing to specific domains for each site.
- Default Sharing Link type – we recommend “people with existing access.”
- Default link permission – we recommend “view” (can leave as “inheriting from tenant” if you set that to View already).
PowerShell for configuring these same options:
- Set-SPOSite or Set-PnPTenantSite -Url "Site_URL" -SharingCapability "Sharing_Capability"
  - SharingDomainRestrictionMode [None, AllowList, BlockList]
  - SharingAllowedDomainList
  - DefaultLinkToExistingAccess [$true, $false]
- Sharing_Capability Options
  - Disabled
  - ExistingExternalUserSharingOnly
  - ExternalUserSharingOnly
  - ExternalUserAndGuestSharing
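The tenant and per-site recommendations above can be checked and applied in one pass. The script below is an added example, not Rego's or Microsoft's own code: it reports every site whose sharing settings drift from those recommendations and, only when $Apply is set to $true, changes them. The admin URL, site list, allowed domains, the 30-day guest expiry and the choice of ExternalUserSharingOnly for sites that need external sharing are assumptions to replace with your own values.

```powershell
# Added example. Requires the Microsoft.Online.SharePoint.PowerShell module.
# Every URL, domain and the 30-day expiry below is a placeholder/assumption.
$AdminUrl       = 'https://contoso-admin.sharepoint.com'
$ExternalSites  = @('https://contoso.sharepoint.com/sites/Vendors')  # sites that need external sharing
$AllowedDomains = 'fabrikam.com partner.example'                      # space-separated allow list
$Apply          = $false   # $false: report only; $true: also change settings

Connect-SPOService -Url $AdminUrl

if ($Apply) {
    # Tenant defaults: "Specific people" links (Direct), View permission, expiring guest access
    Set-SPOTenant -DefaultSharingLinkType Direct -DefaultLinkPermission View `
        -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 30
}

$report = foreach ($s in Get-SPOSite -Limit All) {
    $site     = Get-SPOSite -Identity $s.Url    # per-site lookup returns the full sharing properties
    $external = $ExternalSites -contains $site.Url
    $wanted   = if ($external) { 'ExternalUserSharingOnly' } else { 'Disabled' }
    $drift    = ("$($site.SharingCapability)" -ne $wanted) -or
                (-not $site.DefaultLinkToExistingAccess) -or
                ("$($site.DefaultLinkPermission)" -ne 'View')

    if ($drift -and $Apply) {
        $params = @{
            Identity                    = $site.Url
            SharingCapability           = $wanted
            DefaultLinkToExistingAccess = $true
            DefaultLinkPermission       = 'View'
        }
        if ($external) {   # limit guests to the approved domains on externally shared sites
            $params.SharingDomainRestrictionMode = 'AllowList'
            $params.SharingAllowedDomainList     = $AllowedDomains
        }
        Set-SPOSite @params
    }

    [pscustomobject]@{
        Url                   = $site.Url
        Sharing               = $site.SharingCapability
        Wanted                = $wanted
        ExistingAccessDefault = $site.DefaultLinkToExistingAccess
        LinkPermission        = $site.DefaultLinkPermission
        Drift                 = $drift
    }
}
$report | Where-Object Drift | Format-Table -AutoSize
```

Run it first with $Apply left at $false and review the drift table with site owners. As noted above, these settings affect only links created from now on.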
Cleaning Up Overshared Content
How can you fix the existing overshared content problem? Unfortunately, it’s not simple or easy to unravel the current spaghetti-like tangle of links to shared content.
What to Identify?
- Content shared with “Everyone” or “Everyone except external users.”
- Existing sharing links (“Anyone” links, “organization” links).
- External user access.
How to Identify?
- Default usage reports show # sharing links per site
  - Need to fix report with script: https://learn.microsoft.com/en-US/microsoft-365/admin/activity-reports/resolve-site-urls?view=o365-worldwide
- Data Access Governance Reports (E5 or Advanced Management license)
  - Sharing link reports for top 100 (UI) or 10,000 (CSV) sites: https://learn.microsoft.com/en-US/SharePoint/data-access-governance-reports?WT.mc_id=365AdminCSH_inproduct#sharing-links-reports
  - New EEEU (Everyone except external users) report forthcoming
- Compliance center audit log to see links that have been used recently
  - https://compliance.microsoft.com/auditlogsearch
  - Activities – operation names: companylinkused, anonymouslinkused, securelinkused (max 90-day history)
- Per-site external user report
  - site contents > site usage > shared with external users
- ShareGate
  - permissions matrix report, external access review
- PowerShell scripts
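For the audit log item in the list above, the following added example (not from the original article or from Microsoft) summarizes link-usage records per file and link type, so the most exposed files can be reviewed first. The sample records are constructed for illustration. The function name Get-LinkUsageSummary is hypothetical, and the AuditData field names used (Operation, UserId, ObjectId, CreationTime) are those of the SharePoint audit schema.

```powershell
# Constructed sample in the shape returned by Search-UnifiedAuditLog:
# each record carries a JSON string in AuditData. Users, files and times are made up.
$sample = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-06T09:12:00","Operation":"AnonymousLinkUsed","UserId":"urn:spo:anon#constructed","ObjectId":"https://contoso.sharepoint.com/sites/HR/Shared Documents/salaries.xlsx"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-07T14:40:00","Operation":"AnonymousLinkUsed","UserId":"urn:spo:anon#constructed","ObjectId":"https://contoso.sharepoint.com/sites/HR/Shared Documents/salaries.xlsx"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-07T08:03:00","Operation":"CompanyLinkUsed","UserId":"alex@contoso.com","ObjectId":"https://contoso.sharepoint.com/sites/Legal/Shared Documents/contract.docx"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-08T11:27:00","Operation":"SecureLinkUsed","UserId":"guest@fabrikam.com","ObjectId":"https://contoso.sharepoint.com/sites/Vendors/Shared Documents/pricing.pdf"}' }
)

function Get-LinkUsageSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    # Ordered from broadest to narrowest link type
    $wanted = 'AnonymousLinkUsed', 'CompanyLinkUsed', 'SecureLinkUsed'
    $Records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $wanted -contains $_.Operation } |
        Group-Object ObjectId, Operation |
        ForEach-Object {
            [pscustomobject]@{
                File     = $_.Group[0].ObjectId
                LinkType = $_.Group[0].Operation
                Uses     = $_.Count
                Users    = ($_.Group.UserId | Sort-Object -Unique) -join ', '
                LastUsed = $_.Group.CreationTime | Sort-Object | Select-Object -Last 1
            }
        } |
        Sort-Object @{ Expression = { [array]::IndexOf($wanted, $_.LinkType) } },
                    @{ Expression = 'Uses'; Descending = $true }
}

Get-LinkUsageSummary -Records $sample | Format-Table -AutoSize

# Live data (requires Connect-ExchangeOnline and audit log access):
# $live = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) `
#     -Operations AnonymousLinkUsed,CompanyLinkUsed,SecureLinkUsed -ResultSize 5000
# Get-LinkUsageSummary -Records $live
```

Files that appear under AnonymousLinkUsed are the ones reached through “Anyone” links and are the first candidates for link removal.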
Additional information, including step by step guides and a demo, can be found in Rego’s free webinar, “Optimizing Data Security for Microsoft Sharing and Collaboration.”
Still have questions or concerns? Reach out to Rego Consulting for a no-pressure conversation about how we can assist you.
In Summary:
The default settings of Microsoft SharePoint are configured for the broadest ability to share content. Most users are unaware of the additional complications they create when sharing content. Changing default sharing settings is a big step in the right direction! The unchecked sharing of content can result in critically compromised content. Rego is here to help!