SharePoint Security Best Practices: Stop Oversharing Before It Costs You

March 03, 2026 · 4 min read

SharePoint Oversharing Is the Risk Nobody Talks About

Ask any MSP what keeps them up at night and they will say ransomware, phishing, or compromised credentials. But there is a quieter risk lurking in almost every Microsoft 365 tenant: SharePoint oversharing.

When a single employee creates an “Anyone with the link” sharing link to a document containing client data, that file is now accessible to anyone on the internet who has that URL. No authentication is required, and although the audit log records that an anonymous link was used, it cannot tell you who used it or how far the URL has been forwarded. This happens every day in organizations that have not locked down their SharePoint sharing settings.

The Default Settings Are Too Permissive

Out of the box, SharePoint Online allows users to share content externally with minimal restrictions. Microsoft designs defaults for collaboration, not security. Here is what you need to change:

Organization-level sharing settings:

  • In the SharePoint admin center, under Policies > Sharing, review the organization-level setting. The four levels, from most to least permissive, are “Anyone” (unauthenticated links), “New and existing guests”, “Existing guests”, and “Only people in your organization”.
  • For most organizations, set the level to “New and existing guests”: every external recipient has to authenticate, and external collaboration still works.
  • Disable “Anyone” links entirely unless there is a documented business need. If you must keep them, force expiration (7 days at most) and set their permission to View, so an “Anyone” link can never grant edit rights.
  • While you are there, set the default link type to “Specific people” and the default permission to “View”; the default is what users get when they click Share without thinking.

Site-level sharing controls:

  • Individual SharePoint sites can have sharing settings that are more restrictive than the org default, but never less restrictive.
  • Sensitive sites (HR, finance, legal, client data) should be set to “Only people in your organization” or “Existing guests.”
  • Create a site classification system (public, internal, confidential) with corresponding sharing policies.
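The org-level and site-level steps above as one script, added here as an example rather than code from the original post. It uses the Microsoft.Online.SharePoint.PowerShell module; the tenant admin URL, the three site URLs and the 7-day and 90-day values are assumptions for illustration. Run the drift report first, then the Set-SPOTenant call applies the baseline in one pass and the loop pins the sensitive sites below it.

```powershell
# Added example: report drift from a sharing baseline, apply it, and lock down sensitive sites.
# Requires the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator.
# The admin URL, site URLs and the 7/90-day values are assumptions, not the post's settings.
Import-Module Microsoft.Online.SharePoint.PowerShell

$tenantAdminUrl = "https://contoso-admin.sharepoint.com"     # assumed tenant
Connect-SPOService -Url $tenantAdminUrl

# Recommended org-level baseline: Get-SPOTenant property name -> expected value.
$baseline = @{
    SharingCapability                 = "ExternalUserSharingOnly"   # "New and existing guests"
    RequireAnonymousLinksExpireInDays = 7                           # only matters while Anyone links exist
    FileAnonymousLinkType             = "View"                      # Anyone links never grant edit
    FolderAnonymousLinkType           = "View"
    DefaultSharingLinkType            = "Direct"                    # default link = "Specific people"
    DefaultLinkPermission             = "View"
    ExternalUserExpirationRequired    = $true                       # guest access expires ...
    ExternalUserExpireInDays          = 90                          # ... after 90 days
}

# 1. Drift report: compare the live tenant against the baseline before changing anything.
$tenant = Get-SPOTenant
$drift = foreach ($key in $baseline.Keys) {
    $current = $tenant.$key
    if ("$current" -ne "$($baseline[$key])") {
        [pscustomobject]@{ Setting = $key; Current = $current; Recommended = $baseline[$key] }
    }
}
$drift | Format-Table -AutoSize

# 2. Apply the baseline in one call. With SharingCapability below "Anyone", no new Anyone
#    links can be created; the expiry and View settings cover any that remain.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -RequireAnonymousLinksExpireInDays 7 `
              -FileAnonymousLinkType View -FolderAnonymousLinkType View `
              -DefaultSharingLinkType Direct -DefaultLinkPermission View `
              -ExternalUserExpirationRequired $true -ExternalUserExpireInDays 90

# 3. Sensitive sites go stricter than the org default (a site can only be more restrictive).
$sensitiveSites = @(                                                  # assumed URLs
    "https://contoso.sharepoint.com/sites/HR",
    "https://contoso.sharepoint.com/sites/Finance",
    "https://contoso.sharepoint.com/sites/Legal"
)
foreach ($url in $sensitiveSites) {
    Set-SPOSite -Identity $url -SharingCapability Disabled          # "Only people in your organization"
}

# 4. Verify: any sensitive site that is not fully internal shows up here.
Get-SPOSite -Limit All |
    Where-Object { $_.Url -in $sensitiveSites -and $_.SharingCapability -ne "Disabled" } |
    Select-Object Url, SharingCapability
```

The drift step is worth keeping as a scheduled job on its own: an admin can relax any of these settings from the portal in two clicks, and the comparison catches that the next time it runs.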

Audit Existing Sharing Links

Before you tighten settings, you need to understand what is already shared. This is where most admins get a nasty surprise.

What to look for:

  • Anonymous “Anyone” links that are still active (some may have been created years ago)
  • External sharing to personal email addresses (gmail.com, yahoo.com) rather than business domains
  • Files, folders or sites shared with “Everyone except external users”: this grants access to every licensed user in the tenant, which is almost never intentional
  • OneDrive folders shared broadly (users often share their entire OneDrive root folder by accident, which also exposes everything they add later)

How to audit:

  • Use the Data access governance reports in the SharePoint admin center (the “Anyone” links and sensitivity label reports; some require a SharePoint Advanced Management license)
  • Search the unified audit log for sharing events (AnonymousLinkCreated, SharingSet, SharingInvitationCreated) and review the SharePoint activity report in the Microsoft 365 admin center
  • Use PowerShell (Get-SPOSite for each site’s sharing capability, Get-SPOExternalUser for guests) for detailed enumeration
  • Or use an automated assessment tool that checks all of this across the entire tenant
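An audit pass over sites and guests, as an added example (not the post’s own tooling). The two functions take the objects Get-SPOSite and Get-SPOExternalUser return, so they can be pointed at a live tenant; the records at the bottom are constructed stand-ins so the logic can be tried without one. The tenant, site and user names are assumptions.

```powershell
# Added example: flag sites that still allow Anyone links, OneDrives open to new guests,
# and guests from consumer mail domains. Tenant, site and user names are assumptions; the
# records at the bottom are constructed stand-ins for Get-SPOSite / Get-SPOExternalUser output.

$consumerDomains = "gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com"

function Find-OversharedSites {
    param([Parameter(Mandatory)] [object[]] $Sites)
    foreach ($site in $Sites) {
        $isOneDrive = $site.Url -match "-my\.sharepoint\.com/personal/"
        $finding = switch ($site.SharingCapability) {
            "ExternalUserAndGuestSharing" { "Anyone links allowed" }                      # the "Anyone" level
            "ExternalUserSharingOnly"     { if ($isOneDrive) { "OneDrive open to new guests" } }
        }
        if ($finding) {
            [pscustomobject]@{ Url = $site.Url; Sharing = $site.SharingCapability; Finding = $finding }
        }
    }
}

function Find-ConsumerGuests {
    param([Parameter(Mandatory)] [object[]] $ExternalUsers, [string[]] $Domains = $consumerDomains)
    foreach ($u in $ExternalUsers) {
        $domain = ($u.Email -split "@")[-1].ToLowerInvariant()
        if ($domain -in $Domains) {
            [pscustomobject]@{ Email = $u.Email; AcceptedAs = $u.AcceptedAs; GuestSince = $u.WhenCreated }
        }
    }
}

# Live usage after Connect-SPOService -Url https://contoso-admin.sharepoint.com (assumed URL):
#   $sites = Get-SPOSite -Limit All -IncludePersonalSite $true
#   $pos = 0; $guests = @()
#   do { $page = @(Get-SPOExternalUser -PageSize 50 -Position $pos); $guests += $page; $pos += 50 } while ($page.Count -eq 50)
# Get-SPOExternalUser returns at most 50 users per call, hence the -Position loop.

# Constructed sample records (not real tenant data):
$sites = @(
    [pscustomobject]@{ Url = "https://contoso.sharepoint.com/sites/Marketing"; SharingCapability = "ExternalUserAndGuestSharing" }
    [pscustomobject]@{ Url = "https://contoso.sharepoint.com/sites/Finance";   SharingCapability = "Disabled" }
    [pscustomobject]@{ Url = "https://contoso-my.sharepoint.com/personal/alice_contoso_com"; SharingCapability = "ExternalUserSharingOnly" }
)
$guests = @(
    [pscustomobject]@{ Email = "partner@fabrikam.com"; AcceptedAs = "partner@fabrikam.com"; WhenCreated = [datetime]"2023-04-01" }
    [pscustomobject]@{ Email = "someone@gmail.com";    AcceptedAs = "someone@gmail.com";    WhenCreated = [datetime]"2021-11-15" }
)

Find-OversharedSites -Sites $sites          | Format-Table -AutoSize   # Marketing and Alice's OneDrive
Find-ConsumerGuests  -ExternalUsers $guests | Format-Table -AutoSize   # someone@gmail.com
```

The consumer-domain list is deliberately short; extend it with whatever your own guest population shows. Note what this pass does not cover: “Everyone except external users” grants live in site permissions, not in site sharing capability, so they need a permission walk (PnP PowerShell or the site permissions page) rather than these cmdlets.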

Implement Sensitivity Labels

Microsoft Purview Information Protection sensitivity labels (formerly Microsoft Information Protection) are one of the most underutilized security features in M365. They let you classify and protect content based on its sensitivity level.

Setting up a basic label scheme:

  • Public — no restrictions, for content intended for external audiences
  • Internal — default label for general business content; paired with a DLP condition, it lets you block “Anyone” links on anything that carries it
  • Confidential — encrypted, restricted to specific groups, requires justification to downgrade
  • Highly Confidential — encrypted, no external sharing, audit all access, watermarked

Label policies:

  • Set a default label (Internal) so all new documents are automatically classified
  • Require justification when users downgrade a label
  • Enable auto-labeling for content containing sensitive data types (SSN, credit card numbers, health records)
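The four-tier scheme and the two policy settings above, scripted in Security & Compliance PowerShell (ExchangeOnlineManagement module, Connect-IPPSSession). This is an added example, not the post’s configuration; the group addresses, the rights granted to each group and the policy name are assumptions. Auto-labeling policies are set up separately and are not shown here.

```powershell
# Added example: create Public / Internal / Confidential / Highly Confidential labels and a
# policy that defaults to Internal and requires a justification for downgrades.
# Group addresses, rights and names are assumptions for illustration.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

New-Label -Name "Public"   -DisplayName "Public"   -Tooltip "Intended for external audiences"
New-Label -Name "Internal" -DisplayName "Internal" -Tooltip "General business content; never share with Anyone links"

# Confidential: encrypted, readable and editable only by named groups, offline access capped.
New-Label -Name "Confidential" -DisplayName "Confidential" `
    -Tooltip "Restricted to specific groups" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "AllStaff@contoso.com:VIEW,VIEWRIGHTSDATA,DOCEDIT,EDIT,PRINT;Legal@contoso.com:OWNER" `
    -EncryptionOfflineAccessDays 7 -EncryptionContentExpiredOnDateInDaysOrNever Never

# Highly Confidential: view-only for one group, watermarked, no rights for anyone else,
# so a file that leaks stays unreadable outside the tenant.
New-Label -Name "Highly Confidential" -DisplayName "Highly Confidential" `
    -Tooltip "Encrypted; no external sharing" `
    -EncryptionEnabled $true -EncryptionProtectionType Template `
    -EncryptionRightsDefinitions "Executives@contoso.com:VIEW,VIEWRIGHTSDATA;Legal@contoso.com:OWNER" `
    -EncryptionOfflineAccessDays 0 -EncryptionContentExpiredOnDateInDaysOrNever Never `
    -ApplyWaterMarkingEnabled $true -ApplyWaterMarkingText "Highly Confidential" `
    -ApplyWaterMarkingFontSize 30 -ApplyWaterMarkingLayout Diagonal

# Policy: publish all four labels to everyone, default new content to Internal,
# and require a justification when a user lowers a label.
$internalId = (Get-Label -Identity "Internal").ImmutableId
New-LabelPolicy -Name "Org-wide labels" `
    -Labels "Public", "Internal", "Confidential", "Highly Confidential" `
    -ExchangeLocation All `
    -AdvancedSettings @{ DefaultLabelId = $internalId; RequireDowngradeJustification = "true" }
```

Encryption is what makes the top two tiers hold up against oversharing: even if someone does create a link to an encrypted file, the recipient still needs a rights grant to open it. Audit-only labels (Public, Internal) protect nothing by themselves and need DLP behind them.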

Configure Data Loss Prevention (DLP) Policies

DLP policies prevent sensitive information from being shared outside the organization, even accidentally.

Priority DLP policies to create:

  • Block external sharing of documents containing credit card numbers
  • Warn users when sharing documents containing personally identifiable information (PII)
  • Block external sharing from confidential SharePoint sites
  • Alert admins on bulk downloads from sensitive sites (this one is an alert policy rather than a DLP rule, but it belongs in the same review)
  • Create policies specific to your client’s regulatory requirements (HIPAA, PCI-DSS, SOC 2)
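The first three policies from the list above as Security & Compliance PowerShell, added here as an example and not taken from the post. The confidential site URLs, the set of PII classifiers and the policy-tip text are assumptions; the sensitive information type names are Microsoft’s built-in ones.

```powershell
# Added example: three DLP policies for SharePoint and OneDrive. Site URLs, the PII
# classifier set and the policy-tip wording are assumptions.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# 1. Block external sharing of anything holding a credit card number, tenant-wide.
New-DlpCompliancePolicy -Name "PCI - block external sharing" -Mode Enable `
    -SharePointLocation All -OneDriveLocation All
New-DlpComplianceRule -Name "PCI - block external" -Policy "PCI - block external sharing" `
    -ContentContainsSensitiveInformation @{ Name = "Credit Card Number"; minCount = "1" } `
    -AccessScope NotInOrganization `
    -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner, LastModifier `
    -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# 2. Warn (policy tip plus owner notification) when PII is shared externally; no block yet.
New-DlpCompliancePolicy -Name "PII - warn on external sharing" -Mode Enable `
    -SharePointLocation All -OneDriveLocation All
New-DlpComplianceRule -Name "PII - warn" -Policy "PII - warn on external sharing" `
    -ContentContainsSensitiveInformation @(
        @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" },
        @{ Name = "U.S. / U.K. Passport Number";       minCount = "1" }
    ) `
    -AccessScope NotInOrganization `
    -NotifyUser Owner, LastModifier `
    -NotifyPolicyTipCustomText "This file contains personal data. External sharing is logged and reviewed." `
    -ReportSeverityLevel Medium

# 3. Block all external sharing from the confidential sites, whatever the content.
$confidentialSites = "https://contoso.sharepoint.com/sites/Legal",     # assumed URLs
                     "https://contoso.sharepoint.com/sites/HR"
New-DlpCompliancePolicy -Name "Confidential sites - no external sharing" -Mode Enable `
    -SharePointLocation $confidentialSites
New-DlpComplianceRule -Name "Confidential sites - block external" `
    -Policy "Confidential sites - no external sharing" `
    -AccessScope NotInOrganization -BlockAccess $true -BlockAccessScope All `
    -NotifyUser Owner -GenerateIncidentReport SiteAdmin -ReportSeverityLevel High

# Pilot a blocking policy in test mode first, then switch it to Enable:
#   Set-DlpCompliancePolicy -Identity "PCI - block external sharing" -Mode TestWithNotifications
```

Order matters in practice: run the blocking policies in TestWithNotifications for a couple of weeks so the incident reports show you which legitimate workflows would break, then enable them.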

Guest Access Management

External collaboration is a business requirement, but it needs guardrails.

Guest access best practices:

  • Set guest access expiration (90 days is a good default)
  • Require guests to re-authenticate periodically
  • Review guest accounts quarterly and remove stale ones
  • Restrict what guests can do (view-only for most scenarios)
  • Use Microsoft Entra ID (formerly Azure AD) access reviews to automate guest account lifecycle management
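The quarterly review step as code, added here as an example (not part of the post). Find-StaleGuests takes objects shaped like Get-MgUser output and flags guests who never accepted their invitation or have not signed in for the idle window; the records at the bottom are constructed so it runs offline. Live use needs the Microsoft.Graph module with User.Read.All and AuditLog.Read.All, and sign-in activity requires an Entra ID P1 license. The 90-day window and the names are assumptions.

```powershell
# Added example: identify guests for removal in a quarterly review. Works on Get-MgUser
# objects; the sample records are constructed. Window and names are assumptions.
function Find-StaleGuests {
    param(
        [Parameter(Mandatory)] [object[]] $Guests,
        [int] $MaxIdleDays = 90,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$MaxIdleDays)
    foreach ($g in $Guests) {
        $lastSignIn = $g.SignInActivity.LastSignInDateTime      # $null when never signed in
        $reason = if ($g.ExternalUserState -eq "PendingAcceptance" -and $g.CreatedDateTime -lt $cutoff) {
            "invitation never accepted"
        } elseif (-not $lastSignIn -and $g.CreatedDateTime -lt $cutoff) {
            "accepted but never signed in"
        } elseif ($lastSignIn -and $lastSignIn -lt $cutoff) {
            "idle for $([int]($Now - $lastSignIn).TotalDays) days"
        }
        if ($reason) {
            [pscustomobject]@{ Id = $g.Id; Mail = $g.Mail; Reason = $reason }
        }
    }
}

# Live usage:
#   Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"
#   $guests = Get-MgUser -Filter "userType eq 'Guest'" -All `
#                -Property Id,Mail,ExternalUserState,CreatedDateTime,SignInActivity
#   Find-StaleGuests -Guests $guests | Format-Table
#   # Only after the list has been signed off:
#   Find-StaleGuests -Guests $guests | ForEach-Object { Remove-MgUser -UserId $_.Id }

# Constructed sample guests (not real directory data):
$now = [datetime]"2026-03-03"
$sample = @(
    [pscustomobject]@{ Id = "g1"; Mail = "active@fabrikam.com"; ExternalUserState = "Accepted"
                       CreatedDateTime = $now.AddDays(-400); SignInActivity = @{ LastSignInDateTime = $now.AddDays(-5) } }
    [pscustomobject]@{ Id = "g2"; Mail = "idle@fabrikam.com";   ExternalUserState = "Accepted"
                       CreatedDateTime = $now.AddDays(-400); SignInActivity = @{ LastSignInDateTime = $now.AddDays(-200) } }
    [pscustomobject]@{ Id = "g3"; Mail = "never@gmail.com";     ExternalUserState = "PendingAcceptance"
                       CreatedDateTime = $now.AddDays(-120); SignInActivity = $null }
)
Find-StaleGuests -Guests $sample -Now $now | Format-Table -AutoSize   # g2 (idle 200 days) and g3
```

Pending invitations are the easy win: an invitation that was never accepted is a standing credential-free entry point if the recipient’s mailbox is ever compromised, and nobody will miss it when it goes.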

Monitor and Alert on Sharing Activity

Setting up policies is only half the battle. You need ongoing monitoring to catch policy violations and suspicious activity.

Key alerts to configure:

  • New “Anyone” sharing links created (if you allow them at all)
  • External sharing to new domains
  • Bulk file downloads by a single user
  • Sharing activity from accounts flagged as risky
  • Changes to site-level sharing settings
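Detection logic for the five alerts above, run over a handful of constructed unified audit log records. This is an added example, not the post’s own monitoring. Operation names and field names (Operation, UserId, SiteUrl, ObjectId, TargetUserOrGroupName, TargetUserOrGroupType) follow the SharePoint sharing and file events in the Microsoft 365 unified audit log; the sample events, the trusted-domain allowlist, the risky-user list and the download threshold are constructed assumptions.

```powershell
# Added example: turn unified audit log sharing events into alerts. Event records, the
# domain allowlist, the risky-user list and the threshold below are constructed.
function Find-SharingAlerts {
    param(
        [Parameter(Mandatory)] [object[]] $Events,        # parsed AuditData objects
        [string[]] $KnownExternalDomains = @(),           # partner domains you already trust
        [string[]] $RiskyUsers = @(),                     # UPNs flagged by Entra ID Protection
        [int] $DownloadThreshold = 50                     # FileDownloaded events per user per window
    )
    $sharingOps = "AnonymousLinkCreated", "SharingSet", "SharingInvitationCreated",
                  "AddedToSecureLink", "SecureLinkCreated", "CompanyLinkCreated"
    $alerts = [System.Collections.Generic.List[object]]::new()
    function New-Alert($Severity, $Rule, $User, $Detail) {
        $alerts.Add([pscustomobject]@{ Severity = $Severity; Rule = $Rule; User = $User; Detail = $Detail })
    }

    foreach ($e in $Events) {
        switch ($e.Operation) {
            "AnonymousLinkCreated" { New-Alert "High" "Anyone link created" $e.UserId $e.ObjectId }
            "SharingPolicyChanged" { New-Alert "High" "Site sharing settings changed" $e.UserId $e.SiteUrl }
            { $_ -in "SharingSet", "SharingInvitationCreated", "AddedToSecureLink" } {
                if ($e.TargetUserOrGroupType -eq "Guest") {
                    $domain = ($e.TargetUserOrGroupName -split "@")[-1].ToLowerInvariant()
                    if ($domain -notin $KnownExternalDomains) {
                        New-Alert "Medium" "External share to new domain" $e.UserId "$($e.TargetUserOrGroupName) <- $($e.ObjectId)"
                    }
                }
            }
        }
        if ($e.Operation -in $sharingOps -and $e.UserId -in $RiskyUsers) {
            New-Alert "High" "Sharing by risky account" $e.UserId $e.Operation
        }
    }
    # Bulk download: count FileDownloaded per user over the whole window.
    $Events | Where-Object Operation -eq "FileDownloaded" | Group-Object UserId |
        Where-Object Count -ge $DownloadThreshold |
        ForEach-Object { New-Alert "High" "Bulk download" $_.Name "$($_.Count) files" }
    return $alerts
}

# Live usage (ExchangeOnlineManagement module): pull the last 24 hours and parse AuditData.
#   Connect-ExchangeOnline
#   $raw = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) `
#            -RecordType SharePointSharingOperation, SharePointFileOperation -ResultSize 5000
#   $events = $raw.AuditData | ConvertFrom-Json

# Constructed records, trimmed to the fields used (not real audit data):
$auditData = @'
[
 {"Operation":"AnonymousLinkCreated","UserId":"bob@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/Sales/","ObjectId":"https://contoso.sharepoint.com/sites/Sales/Shared Documents/pricing.xlsx"},
 {"Operation":"SharingSet","UserId":"alice@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/Legal/","ObjectId":"https://contoso.sharepoint.com/sites/Legal/Shared Documents/nda.docx","TargetUserOrGroupName":"x@gmail.com","TargetUserOrGroupType":"Guest"},
 {"Operation":"SharingSet","UserId":"alice@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/Legal/","ObjectId":"https://contoso.sharepoint.com/sites/Legal/Shared Documents/msa.docx","TargetUserOrGroupName":"partner@fabrikam.com","TargetUserOrGroupType":"Guest"},
 {"Operation":"SharingPolicyChanged","UserId":"carol@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/HR/","ObjectId":"https://contoso.sharepoint.com/sites/HR/"},
 {"Operation":"FileDownloaded","UserId":"dave@contoso.com","SiteUrl":"https://contoso.sharepoint.com/sites/Finance/","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/q1.xlsx"}
]
'@
$events = @($auditData | ConvertFrom-Json)
# Add 60 more downloads by dave so the bulk-download rule fires (61 total).
$events += @(1..60 | ForEach-Object {
    [pscustomobject]@{ Operation = "FileDownloaded"; UserId = "dave@contoso.com"
                       SiteUrl = "https://contoso.sharepoint.com/sites/Finance/"; ObjectId = "file$_.xlsx" }
})

Find-SharingAlerts -Events $events -KnownExternalDomains "fabrikam.com" -RiskyUsers "bob@contoso.com" |
    Sort-Object Severity | Format-Table -AutoSize
# Fires: Anyone link (bob), sharing by risky account (bob), external share to gmail.com (alice),
# site sharing settings changed (carol), bulk download (dave, 61 files). The fabrikam.com share is quiet.
```

The same rules map onto Purview alert policies or a SIEM query once you have seen them fire on real data; start with the script so you know what volume each rule produces before you wire it to a pager.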

Automate Your SharePoint Security Audits

Checking sharing settings, link permissions, guest access, DLP policies, and sensitivity labels across every site collection in a tenant is tedious work. Across multiple client tenants, it is impossible to do manually with any consistency.

365 Security Assessment audits all SharePoint and OneDrive security configurations automatically, identifying oversharing risks, misconfigured permissions, and missing DLP protections as part of its comprehensive M365 security audit.

Run your free assessment and find out what your clients are accidentally sharing with the world.
