Netwrix Corporation

23/08/2024 | News release | Distributed by Public on 23/08/2024 23:10

Managing the Use of Access Links in SharePoint Online

SharePoint makes collaboration and sharing exceedingly easy - which can put sensitive and regulated content at risk. Accordingly, administrators need to put guardrails in place that facilitate appropriate sharing and prevent data leakage.

In SharePoint Online, the primary way for a user to grant access to resources is to share an access link with other people. When they create a link, they use a dialog like the one below to specify important settings, including who the link will work for and whether those users can edit and download the content:

Figure 1. Settings available for users as they create sharing links in SharePoint Online

As an administrator, you have a great deal of control over which options are available on this dialog. For example, in the screenshot above, the option to allow Anyone with the link to view the content is grayed out.

This control over access links can be exercised at both the tenant level and the site level. This article explains the options and how they work, and also offers guidance for how to enable legitimate sharing to maximize the value of SharePoint while avoiding data leakage.

Tenant-wide Sharing Settings

From the Microsoft 365 admin center, you can specify broad sharing settings for all SharePoint Online sites in your tenant. These settings determine what access options are available for your SharePoint site owners and SharePoint admins.

Limiting the Scope of Sharing

One key decision is how freely business users should be able to share content. To set the tenant-wide limit, navigate to the Settings blade, choose Org settings and scroll to the SharePoint section.

Note that selecting the Anyone option, as shown below, simply allows your SharePoint admins to choose to allow anonymous sharing on their sites; it does not push that setting to all sites.

Figure 2. Controlling which sharing options are available to site owners and SharePoint admins

Alternatively, you can navigate to the Policies blade, expand it to expose the Sharing option, and use the slider to adjust the sharing restrictions for access links across all SharePoint sites and OneDrive.

Figure 3. Controlling access link permissions across all sites and OneDrive using the slider option

Whichever method you choose, you have 4 options, which are described below. When deciding which setting is best for your organization, keep in mind that the stricter you are with access links, the harder it will be for your users to collaborate with others - and the more likely it will be that they use alternative methods to share what they want to share. Accordingly, I recommend choosing a more permissive setting at this level in order to allow collaboration in areas where it is warranted.

  • Anyone - This option allows the creation of anonymous access links, which do not require authentication to access. While these links expose your organization to the risk of data exfiltration, they do have legitimate purposes, such as for advertising and marketing sites. If you choose to allow anonymous links, consider investing in a tool like Netwrix Enterprise Auditor that empowers you to keep a close eye on where anonymous links are being created and what they are giving access to.
  • New and existing guests - This option is designed for site collections that have external collaborators. It provides the flexibility to share content with registered external users as well as to invite new guest users.
  • Existing guests - This option is similar to the preceding one but does not allow creation of new guests.
  • Only people in your organization - This permission level does not allow any external access to SharePoint or OneDrive.

Additional External Sharing Settings

If you scroll down the page from the sliders, you will find some additional settings for controlling external sharing across your entire SharePoint Online/OneDrive tenant:

Figure 4. Additional external sharing settings across all sites and OneDrive

There are also options for controlling the default settings, expiration and permissions of access links. For example, you can ensure that people using anonymous links can view - but not edit - shared files or folders.

Figure 5. Additional ways of limiting access links across all sites and OneDrive

Site-wide Sharing Settings

Now let's explore the settings for controlling the availability of access links across a SharePoint site. Similar to tenant-wide settings, site-wide settings are not automatically applied to all sites; rather, they limit the options available to site owners. Accordingly, choose settings that provide reasonable flexibility for your site owners to restrict access when necessary and allow it when appropriate for legitimate user collaboration.

To control external sharing for a site, navigate to the Resources blade of the Microsoft 365 admin center, click on the site, click Edit under the Sharing Status section, and select the desired settings under External sharing:

Figure 6. Controlling external sharing for a particular SharePoint site

To access settings that restrict who is allowed to create access links to a site or its content, from a given SharePoint site, select Settings and choose Change how members can share.

Figure 7. Controlling who is allowed to create access links to a given SharePoint site

Tenant-wide Settings Override Site-wide Settings

Remember that the sharing settings at the tenant level trump those at the site level. For example, suppose a site owner allows anonymous links but they are blocked at the tenant level. In that case, when a user creates an access link for site content, the option to share with Anyone with the link will be greyed out, as shown here:

Figure 8. If an option is disallowed at the tenant level, it will be greyed out for users regardless of the site-level setting.
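
The override rule above, as an added example (not from the original article or from Netwrix): a PowerShell function that computes each site's effective sharing level as the stricter of the tenant and site settings and flags sites where anonymous links remain possible. The function name, sample URLs and sample values are constructed; the level names are the `SharingCapability` values reported by `Get-SPOTenant` and `Get-SPOSite` in the SharePoint Online Management Shell.

```powershell
# Added example; function name and sample data are constructed.
# Sharing levels ranked from least to most permissive, keyed by the
# SharingCapability value names, with the article's option names as comments.
$Rank = @{
    Disabled                        = 0  # Only people in your organization
    ExistingExternalUserSharingOnly = 1  # Existing guests
    ExternalUserSharingOnly         = 2  # New and existing guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}

function Get-EffectiveSharing {
    param(
        [Parameter(Mandatory)][string]$TenantCapability,
        [Parameter(Mandatory)][object[]]$Sites
    )
    if (-not $Rank.ContainsKey($TenantCapability)) {
        throw "Unknown tenant sharing value: $TenantCapability"
    }
    foreach ($site in $Sites) {
        $siteCap = [string]$site.SharingCapability
        if (-not $Rank.ContainsKey($siteCap)) {
            Write-Warning "Skipping $($site.Url): unknown value '$siteCap'"
            continue
        }
        # The tenant setting caps the site setting: the stricter one wins.
        $effective = if ($Rank[$siteCap] -gt $Rank[$TenantCapability]) {
            $TenantCapability
        } else { $siteCap }
        [pscustomobject]@{
            Url            = $site.Url
            SiteSetting    = $siteCap
            Effective      = $effective
            CappedByTenant = ($effective -ne $siteCap)
            AnonymousLinks = ($effective -eq 'ExternalUserAndGuestSharing')
        }
    }
}

# Constructed sample input. On a live tenant, after Connect-SPOService:
#   $tenant = [string](Get-SPOTenant).SharingCapability
#   $sites  = Get-SPOSite -Limit All | Select-Object Url, SharingCapability
$tenant = 'ExternalUserSharingOnly'   # "New and existing guests"
$sites  = @(
    [pscustomobject]@{ Url = 'https://contoso.example/sites/marketing'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/finance';   SharingCapability = 'Disabled' }
    [pscustomobject]@{ Url = 'https://contoso.example/sites/partners';  SharingCapability = 'ExistingExternalUserSharingOnly' }
)
Get-EffectiveSharing -TenantCapability $tenant -Sites $sites | Format-Table -AutoSize
```

Rows with `CappedByTenant` set to true are sites whose own setting is more permissive than the tenant allows, which is the situation in which users see the option greyed out.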

Conclusion

Don't be afraid of access links. Understand how they work and set up a permission structure that works for your organization. Disallowing external access really limits the ability of business users to get full value from SharePoint, and they will figure out ways to share things externally if they need to.

Instead, carefully choose settings at each level that facilitate collaboration while keeping your data safe. In addition, closely monitor external sharing settings and activity using a security solution like Netwrix Enterprise Auditor.

Christopher Nieves is a Solutions Engineer at Netwrix, with nearly 8 years of experience in technical roles. He has excelled in successful large-scale product implementations, managing key accounts, and leading engineering teams to success. Chris's background includes roles such as Technical Product Manager and Solutions Engineer where he specialized in data access governance software with a specialty in SharePoint and O365 related data collection and reporting.