A project manager sends a contract document to an external client using "Anyone with the link." The project wraps up six months later. The contract is archived. The link is not revoked. Two years on, that URL still works, the file is still accessible without a sign-in, and no one in the organisation knows.
Multiply that pattern across three years of activity in a tenant with 80 users and a few hundred document libraries, and you have a meaningful shared link problem. Most organisations do not know how many sharing links exist across their SharePoint Online environment, whether those links have expiration dates, or whether any of them point to content that should no longer be accessible. This is one of the most consistent governance gaps we see in Microsoft 365 deployments.
Why shared links are a permission blind spot
The four types of SharePoint sharing links
SharePoint Online offers four types of sharing links, each with a different access scope and risk profile:
| Link type | Who can access | Risk level |
|---|---|---|
| Anyone with the link | No sign-in required. Any person who receives the URL can open the content, including forwarded recipients and anyone who finds the URL by any means. | High |
| People in [organisation] | Anyone signed in to the tenant can access the content if they have the link. A large internal audience, and the link can be forwarded internally without restriction. | Medium |
| Specific people | Only the named recipients can access the content. Forwarded recipients are rejected unless they are on the original list. | Low |
| People with existing access | No new access is granted. The link works only for people who already have permission to the content through site or library membership. | Minimal |
The high-risk link type, "Anyone with the link," is also the one most users reach for when sharing externally because it is the path of least resistance. It does not require knowing the recipient's email address, does not require the recipient to have a Microsoft account, and produces a URL that can be sent by any means. For ad hoc external collaboration, that convenience is real. The problem is that the link does not expire unless the sender explicitly sets an expiration date, and most do not.
The accumulation problem
Sharing links accumulate silently. They are not visible in site member lists, permission inheritance reports, or the standard SharePoint admin center views. A site that looks clean from a permissions perspective, with a well-defined set of site members and proper inheritance, can have dozens of file-level sharing links pointing to content that is effectively public.
There is also a compounding factor: when a file is moved to a new library, its sharing links sometimes persist. When a library is migrated to a new tenant, existing sharing links are typically broken, but during the window between migration and cutover, links from the source environment may still resolve. And when a file is replaced or updated, the sharing link from the previous version may remain active against the new content in the same location.
Entra ID conditional access policies can restrict what authenticated users can access, but they have no effect on anonymous "Anyone with the link" links, which bypass authentication entirely. This is a gap that governance policy alone cannot close without addressing the links themselves.
Auditing shared links across SharePoint Online
What to look for in a shared links audit
A useful shared links audit answers four questions for each library and site in scope:
- How many sharing links exist? The total count establishes the scale of the problem and helps prioritise effort.
- What type are they? Anonymous links need immediate attention. Organisation-wide links need review. Specific-people links need to be checked for whether the recipients are still active.
- Do they have expiration dates? Links without expiration are permanent unless explicitly revoked. This is the most common finding in a first audit.
- What content do they point to? A permanent anonymous link to a project status update from 2022 is a very different concern from one pointing to HR policy documents, legal agreements, or financial records.
Most audits find that the majority of sharing links are benign from a content sensitivity standpoint, but a consistent minority point to content that should not have been shared externally in the first place, or that was shared appropriately at the time but should have been revoked when the relationship ended.
Why native tools make this harder than it should be
SharePoint Online does not provide a native cross-site sharing links report. The Microsoft 365 admin center shows aggregate counts: how many files are shared externally, how many anonymous sharing links have been created in the past 30 days. These are useful trend indicators but not actionable for remediation.
To see individual sharing links natively, you open each file's sharing panel and look at what is configured for that specific item. On a library with 2,000 documents, that process is not feasible. The Microsoft Graph API exposes sharing link data programmatically, which means PowerShell scripting can produce a tenant-wide sharing links report, but that approach requires scripting knowledge, careful pagination handling, and typically a significant amount of time to run against a large tenant.
Microsoft Purview's audit log records the creation of sharing links, but searching it for "all currently active sharing links across the tenant" is not what the audit log is designed for; it records events, not current state.
The native tooling, in short, is well suited for compliance investigations of specific incidents and for aggregate trend monitoring, but not for a systematic audit of what sharing links currently exist and which should be removed.
Getting shared links under control
The most effective approach is a periodic shared links audit, ideally on the same schedule as a permission review: once a quarter for high-sensitivity site collections, once or twice a year for general document libraries.
The first audit for a tenant that has not done one before is typically the most time-consuming, because the backlog of unchecked links can span years of activity. Prioritise libraries that hold sensitive categories of content first: HR documents, legal agreements, financial records, client-facing materials, and any library covered by a retention policy or compliance programme. These are the libraries where a stale anonymous link represents the highest risk.
After the first audit and cleanup, the ongoing maintenance is much lighter. A regular review catches new links before they accumulate to a problematic volume, and establishes a documented process that can be handed off or replicated as the organisation grows or hires additional IT staff.
Tenant-level policy enforcement is also worth reviewing alongside a links audit. SharePoint Online allows admins to restrict the "Anyone with the link" link type entirely, or to enforce expiration dates on all anonymous links through the sharing settings in the SharePoint admin center. These settings do not retroactively affect existing links, but they prevent new ones from being created without expiration going forward. The combination of a one-time retroactive cleanup and a forward-looking policy enforcement is more durable than either approach alone.
ShareMaster's Shared Links and Permissions tool provides the audit and bulk-removal capability that bridges the gap between native SharePoint tooling and the scripting-heavy alternative. It surfaces existing sharing links across libraries and sites, categorises them by type, and allows bulk removal of links matching criteria you define: all anonymous links older than 90 days, for example, or all organisation-wide links pointing to a specific library. Running the same audit as a periodic check is fast once the initial cleanup is done.
For the broader permission picture alongside sharing links, the guide to auditing SharePoint permissions covers site membership, permission levels, and unique permission inheritance alongside the shared link question. The two audits complement each other: one shows what access is granted through site structure, the other shows what access is granted outside that structure through links.
The organisations that handle this well treat shared links as a governed resource the same way they treat site membership and permission levels: reviewed on a schedule, cleaned up routinely, and restricted by policy where the business does not need the flexibility. The organisations that handle it poorly are the ones who discover, during an information security review or a client inquiry, that a file was accessible far longer than anyone intended.
Frequently Asked Questions
How do I see all shared links in SharePoint Online?
SharePoint Online does not provide a single native view of all shared links across a tenant. Per-file sharing details are visible in each item's sharing panel, and aggregate counts appear in the Microsoft 365 admin center, but a cross-tenant view of individual links requires Microsoft Graph API queries via PowerShell or a tool like ShareMaster's Shared Links and Permissions feature.
What is an anonymous sharing link in SharePoint?
An "Anyone with the link" link allows access to a file or folder without any sign-in requirement. Anyone who has the URL can open the content, including external parties and anyone the link is forwarded to. These links can include expiration dates, but expiration is not required by default in most tenant configurations.
Can I bulk-remove SharePoint sharing links?
The native SharePoint interface requires revoking sharing links one file at a time from each item's sharing panel. There is no built-in bulk removal option. ShareMaster's Shared Links and Permissions tool provides bulk removal across libraries and sites based on criteria you define, such as link type, age, or library.