How to Avoid Risky Oversharing in Microsoft SharePoint, with image of hikers on steep rocks

Is Your SharePoint Set Up to Overshare?

Due to its design, oversharing content in Microsoft SharePoint is exceptionally easy and can result in significant data security compromises! Coupled with Copilot’s powerful content surfacing capabilities, it is critical to understand and address the root causes of the problem.

Oversharing is defined as granting a recipient access to information, beyond what is strictly necessary.

It is an obvious risk to share sensitive or confidential content with unintended internal or external users. But what is not obvious to most users is that Microsoft SharePoint is an environment with abundant opportunities for oversharing.

Why is it so easy to overshare?

Three main reasons contribute to oversharing of content:

1. Default SharePoint Settings

The default settings in SharePoint for “Copy Link” and “Share” are configured so that the recipients have the least-restrictive level of access: ANYONE – internal or external – can EDIT!

SharePoint pop up, reading: Link Copied. Anyone with Link can edit. Gear icon, and words: Settings

2. New Links Are Easy to Create but Cause Big Problems

Most untrained users default to using the “Copy Link” or “Share” features. And why not? They are conveniently accessed, and seem to achieve their goal of sharing. However, there are unseen but substantial impacts.

Each time a user clicks “Copy Link” or “Share,” a NEW UNIQUE LINK is created, even if the end user already has access to the content! This “explicit link” overrides the site settings for the file! In other words, the new duplicate link has created unique permissions that are independent of any other file, folder, library, or site. If a user’s access to the file, folder, library, or site is removed—but they have an explicit link—they still have access to the content!

Image of computer screen showing SharePOint menu of many items, titled: Exceptions Documents.

 Three of the four types of “sharing” links generate unique permissions! Unique item-level permissions are harder to manage and more prone to access problems.

  • The only type of sharing link that does not override site permissions is “People with existing access.”
Image of SharePoint pop up. Title is Link Settings. Four options include: Share link with 1) Anyone. 2) People in Organization - in this case, sample organization is Contosso. 3) People with existing access. 4) People you choose. Option #3, People with Existing Access is selected.

In this image, “Contoso” is the name of the organization.

Explicit access can also be granted through indirect sharing. For example:

 Sharing links forwarded in Outlook emails will grant recipients explicit access to target files.
 Sharing links sent by other means will grant recipients explicit access to target files once clicked.
 Even files shared in MS Teams can be another source of oversharing, as selecting “copy link” will give anyone access by default. (MS Teams runs on SharePoint, after all!)

3. Copilot AI Reveals All

The powerful search capacity of AI tools such as Microsoft Copilot can magnify this issue. While Copilot does not change existing permissions, it can surface content that users didn’t know they had the ability to access. If this content is sensitive or confidential, real problems can emerge.

Oversharing: What Could Possibly Go Wrong?

Ever hear that line in a movie, “What could possibly go wrong?” Immediately, you know the characters are in for a rough ride. Well, here we go…

Put yourself in the shoes of a CIO in any industry. (To get your mind going, how about: government, financial services, healthcare, legal, technology, or education.)

Firing up your computer Monday morning, you discover that—due to default sharing settings—confidential information has been overshared within your organization, and also with your contracted vendors!

Your mind starts racing with all the ricocheting impacts.

How soon will this hit the press? Then what?

Financial Impact to Your Organization:  
– Regulatory fines and penalties.
– Stock price decline and shareholder value loss.
– Financial losses and missed opportunities.

Legal Consequences:
– Legal action and costly litigation fees.
– Regulatory violations and fines.
– Lawsuits and settlements.

Operational Disruption:
– Extended downtime and disruption to business operations.
– Internal investigations and resource consumption.

Reputational Damage:
– Diminished public perception and loss of brand trust.
– Negative publicity and media scrutiny.
– Damage to relationships with stakeholders.

Talent and Recruitment Drain:
– Loss of employee trust and loyalty.
– Difficulty attracting top talent.

Competitive Impact:
– Loss of competitive advantage.
– Poaching of customers by competitors.

Relationship Impacts:
– Loss of client trust and business relationships.
– Severance of ties with partners and vendors.
– Damage to relationships with regulatory bodies and industry associations.

And the list goes on…

Best Practices and Solutions

It is clearly in your best interest to avoid oversharing content! So where to start?

Starting Clean with Best Practices

The following recommendations and settings can enable successful content sharing and minimize the increased risk of oversharing.

General users:

  • Take notice of your organization’s SharePoint settings for collaborative content.
  • Be mindful when sharing content and copying links – SharePoint will tell you what type of sharing link you are creating, and you can change the default option.
  • Talk to your IT department if you have not received SharePoint training.
  • Talk to your IT department if sharing links default to something other than “People with existing access.”

IT Admin:

For best results, we recommend training your users on the preferred method of sharing content. Additionally, we recommend that the Microsoft SharePoint settings be configured as follows.

It is important to note that changing the Microsoft SharePoint settings will only impact content going forward. It will not change the sharing links of existing content.

The default settings set by your organization’s IT team are important. Default sharing settings should not elevate access or change permissions – users can change the default type of sharing link if that is their intention!

There are 4 types of Sharing Links

  • Anyone
      • Anyone with the link can access the content, inside or outside of the organization.
      • This type of sharing link will create unique permissions on the shared item.

    Potential for oversharing content!

  • Organization sharing links (will display as “People in ”)
      • Anyone in the organization with the link can access the content, regardless of site permissions.
      • This type of sharing link will create unique permissions on the shared item.

    Potential for oversharing content!

  • People with existing access
      • This link works for anyone who already has access to the content.

    This type of link will not create unique permissions on the shared item.

  • Specific people/People you choose (same type of link known by two names)
      • This link only works for the people whose name you enter when sharing.
      • This type of sharing link will create unique permissions on the shared item.

    Potential for oversharing content!

Tenant Settings

Settings below are located at SharePoint Admin center > Policies > Sharing

  • External sharing
    • Set to the lowest level acceptable for your organization. Do you need “Anyone” links?
  • Default Sharing Link type
    • We recommend “Specific People” as the other two options both encourage oversharing. (The Tenant level does not offer “People with existing access.)
  • Default link permission
    • We recommend “View” access – users can set to Edit on shared links as needed.
  • Set guest access expiration (see site gear icon > permissions > guest expiration)

Per-Site Settings

Per-site settings are set through the UI (User Interface) at these locations:

  • Admin center > sites > site settings > external file sharing
  • Admin center > sites > site settings > external file sharing > more sharing settings > Advanced settings for external sharing

External Sharing

  • We recommend restricting external sharing (from the tenant default) where possible. Disable on all sites except where needed.
  • If sharing externally, limit sharing to specific domains for each site.
  • Default Sharing Link type – we recommend “people with existing access.”Default link permission – we recommend “view” (can leave as “inheriting from tenant” if you set that to View already).

️PowerShell for configuring these same options:

  • Set-SPOSite or Set-PnPTenantSite -Url “Site_URL” -SharingCapability “Sharing_Capability”
  • SharingDomainRestrictionMode[None,AllowList,BlockList]
  • SharingAllowedDomainList
  • DefaultLinkToExistingAccess[$true,$false]
  • Sharing_Capability Options
    • Disabled
    • ExistingExternalUserSharingOnly
    • ExternalUserSharingOnly
    • ExternalUserAndGuestSharing

Cleaning Up Overshared Content

How can you fix the existing overshared content problem? Unfortunately, it’s not simple or easy to unravel the current spaghetti-like tangle of links to shared content.

What to Identify?

  • Content shared with “Everyone” or “Everyone except external users.”
  • Existing sharing links (“Anyone” links, “organization” links).
  • External user access.

How to Identify?

Additional information, including step by step guides and a demo, can be found in Rego’s free webinar, Optimizing Data Security for Microsoft Sharing and Collaboration.”

Still have questions or concerns? Reach out to Rego Consulting for a no-pressure conversation about how we can assist you.

In Summary:

The default settings of Microsoft SharePoint are configured for the broadest ability to share content. Most users are unaware of the additional complications they create when sharing content. Changing default sharing settings is a big step in the right direction! The unchecked sharing of content can result in critically compromised content. Rego is here to help!

About the Author: Rego Consulting

As the leading Strategic Portfolio Management (SPM), Project Portfolio Management (PPM), Technology Business Management (TBM), Agile and expert services provider, Rego Consulting has helped hundreds of organizations achieve a higher return on their software investment, including 60% of Fortune 100 and 70% of Fortune 20 companies.

Share This Story, Choose Your Platform!

Stay up-to-date. Join our newsletter!