SharePoint Online security: external sharing risks

SharePoint Online is where most of a Microsoft 365 tenant's corporate documents live, and its sharing model is designed to make sharing as easy as possible. That ease is also its main risk: "anyone with the link" links and inherited permissions no one reviews end up exposing sensitive information outside the organization.

"Anyone with the link": the most common leak

The most permissive sharing option in SharePoint and OneDrive generates a link that grants access to the file or folder to anyone who has it, with no sign-in and no organization membership required. It's convenient, which is why most users default to it when sharing a document with someone external. The problem is that the link can be forwarded, accidentally indexed, or stay active indefinitely long after the need to share it has disappeared, with no one in security aware of it.

Permission inheritance and "broken" folder-level sites

SharePoint applies permissions by inheritance from the site down to folders and documents, but it's common to break that inheritance to grant one-off access to a specific folder — typically to collaborate with an external party. Every inheritance break creates an independent permission set that no longer follows changes to the parent site: if access is later revoked at the site level, those folders with "broken" permissions keep their own access, invisible in a surface-level review. Across hundreds of sites, this produces a permission map no one fully understands.

External sharing settings at organization and site level

External sharing is controlled at two levels that must stay consistent: the tenant policy (the maximum sharing level allowed globally) and each individual site's policy (which can be more restrictive, but never more permissive than the tenant's). A frequent mistake is configuring the tenant restrictively and assuming all sites inherit that restriction, without verifying that sites created before the policy change — or team sites auto-created by Teams — still use a looser configuration.

How to audit sharing in SharePoint Online

An audit covers: (1) inventorying all active "anyone with the link" links and their age, prioritizing sites with sensitive data; (2) reviewing the external sharing policy at the tenant and individual site level, looking for inconsistencies; (3) identifying folders with broken permission inheritance and validating access is still needed; (4) enabling automatic expiration for external links and requiring mandatory expiration on "anyone" links; (5) reviewing team sites auto-created by Teams and Planner, which inherit default settings not always aligned with corporate policy.

FAQ

Is it ever safe to use "anyone with the link" links?

Only for genuinely public content, with expiration configured. For any document with business information, sharing with specific people or groups (authenticated) is preferable, since it leaves a clear record of who has access and allows granular revocation.

How do I know if a site has "broken" permissions?

The SharePoint admin center and tools like the file access report let you identify items with unique permissions (broken relative to the site). It's one of the first checks in any SharePoint audit, because it often reveals access no one remembers granting.