Set Anonymous Link Expiration in SharePoint: Long-Lived External Sharing Risk

Why this risk matters

Anonymous sharing links in SharePoint and OneDrive allow anyone with the link to access the shared content — without signing in, without being a member of your tenant, and without any audit trail of who is accessing the file. Once an anonymous link is created, it remains active indefinitely by default unless the creator manually expires it or you enforce an organisation-wide expiration policy.

The practical result is that documents are routinely shared for a specific short-term purpose — sending a proposal to a client, sharing a presentation for a meeting — and then remain accessible to anyone who has the link, months or years later. If the link is forwarded, stored in an email that is later compromised, or accessed by someone who finds it in a browser history, the content is exposed with no authentication requirement.

Enforcing an automatic expiration date on anonymous links ensures that sharing access is time-limited by default, reducing the long tail of forgotten, low-visibility external access that accumulates over time in most SharePoint environments.

What happens if this is abused

  • Anonymous links created for temporary sharing remain permanently accessible, extending the exposure window far beyond the intended sharing period
  • Forwarded or leaked anonymous links give unintended parties access to content with no authentication barrier
  • Content accessed via anonymous links has minimal audit coverage — activity is harder to attribute and investigate
  • Sensitive documents (contracts, HR files, financial data) remain accessible via old links even after they've been moved, renamed, or the sharing intent has lapsed
  • No notification is sent to the content owner when an anonymous link is used, so long-running access goes undetected

When this is expected or acceptable

Some workflows genuinely require longer-lived anonymous access:

  • Public-facing resources (marketing materials, event registration forms, public documentation) that are intentionally shared with anyone
  • Partner or customer portals where anonymous access to specific content is a designed feature

For these cases, specific sites or libraries can be configured to allow longer or unlimited anonymous access, while the organisation-wide default enforces a sensible expiration. The goal is to make time-limited sharing the default, not to prevent all anonymous sharing.

Checks to perform before taking action

  • In the SharePoint admin centre, check the current anonymous link expiration setting (Sharing > Expiration and permissions)
  • Review the SharePoint sharing report to understand the current volume and age of anonymous links in your environment
  • Identify any sites or document libraries where longer-lived or permanent anonymous access is genuinely required and document those as exceptions
  • Consider the appropriate expiration window for your organisation — Microsoft recommends 30 days as a reasonable default; some organisations use 7 or 14 days
  • Communicate to users that anonymous links will now expire and they should use authenticated sharing (specific people links) for longer-term collaboration

Safe remediation steps

  1. In SharePoint admin centre > Policies > Sharing, set the anonymous link expiration to your desired number of days (typically 7–30 days)
  2. This setting applies to all new anonymous links created from that point — existing links are not retroactively expired by this setting
  3. For existing long-lived anonymous links, use the SharePoint sharing report to identify and manually expire high-risk links (on sensitive sites or files)
  4. Communicate to site owners that anonymous links on their sites will expire after the configured period and they should renew links that need to remain active
  5. Consider whether to also restrict anonymous link creation to specific sites or content types, rather than allowing it tenant-wide
  6. Review the setting periodically and adjust the expiration window based on operational feedback
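
The steps above can also be carried out and verified from the SharePoint Online Management Shell. The script below is an added example, not code from the original page or from Microsoft. It assumes the Microsoft.Online.SharePoint.PowerShell module is installed and uses a placeholder admin URL, a hypothetical $ExceptionSites list for your documented exceptions, and a local 1 to 30 day guardrail.

```powershell
# Added example: enforce a tenant-wide expiration on Anyone (anonymous) links,
# then report sites that override it. URLs and parameter names here are placeholders.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # placeholder tenant
    [ValidateRange(1, 30)][int]$ExpireInDays = 30,               # local guardrail, not a product limit
    [string[]]$ExceptionSites = @()                              # documented exception site URLs
)

Connect-SPOService -Url $AdminUrl

# Record the current tenant state before changing anything.
$tenant = Get-SPOTenant
$before = $tenant.RequireAnonymousLinksExpireInDays
Write-Host "Tenant sharing capability : $($tenant.SharingCapability)"
Write-Host "Anonymous link expiration : $before day(s) (0 = no expiration)"

if ($tenant.SharingCapability -ne 'ExternalUserAndGuestSharing') {
    Write-Host 'Anyone links are not enabled at tenant level; nothing to enforce.'
    return
}

# Tighten only: never lengthen an expiration that is already stricter.
# Assumption: any value of 0 or below is treated as "no expiration set".
if ($before -le 0 -or $before -gt $ExpireInDays) {
    Set-SPOTenant -RequireAnonymousLinksExpireInDays $ExpireInDays
    Write-Host "Tenant expiration set to $ExpireInDays day(s)."
} else {
    Write-Host "Existing value ($before) is already within $ExpireInDays day(s); left unchanged."
}

# Find sites that allow Anyone links and override the tenant expiration policy.
# Assumption: if these properties come back empty in your module version,
# fetch each site individually with Get-SPOSite -Identity <url>.
$overrides = Get-SPOSite -Limit All |
    Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' -and
                   $_.OverrideTenantAnonymousLinkExpirationPolicy }

# Overrides that are not on the exception list are drift to investigate.
$overrides | Select-Object Url, AnonymousLinkExpirationInDays,
    @{ Name = 'Documented'; Expression = { $ExceptionSites -contains $_.Url } } |
    Sort-Object Documented, Url | Format-Table -AutoSize
```

Rows with Documented = False are sites that bypass the tenant default without a recorded exception and belong in the periodic review from step 6.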

Related risks and follow-on checks

After enforcing this control, review these related areas:

  • Files Shared Externally — the GSO finding that surfaces files currently shared via anonymous or guest links; this policy addresses the root cause at the configuration layer
  • Allow Resharing by External Users in SharePoint — a companion control that prevents external users from forwarding sharing links to additional parties
  • Guest Users with Risky Access — review authenticated guest access alongside anonymous link controls for a complete external sharing posture
  • Inactive Guest Users — guest users who received authenticated sharing links and are no longer active should have their access reviewed