Field note
SharePoint External Sharing Cleanup
Good collaboration is not the same thing as permanent access. The job is to keep supplier and client work moving while making old links, old guests and overshared sites easier to spot and easier to close.
External sharing in Microsoft 365 rarely goes wrong in one dramatic step. It drifts.
A project team needs a supplier in a Teams channel. Someone sends an "Anyone" link because it is quick. A finance folder is shared with a guest who was meant to help for two weeks. Six months later, the work is done but the access is still there.
That is the part many SMEs underestimate. The risk is often not a hacker bypassing controls. It is normal, valid access that outlived the reason for it.
Microsoft's own sharing model is clear enough once you read it properly: sharing is controlled at both the organisation level and the site level, and the more restrictive setting wins. That means cleanup gets easier when tenant defaults are sensible, instead of wide open and left to individual site owners.
Start with the defaults, not the symptoms
Before looking at individual sites, look at the settings that create future mess:
| Setting | What to check |
|---|---|
| SharePoint org-level sharing | Is the tenant allowing a wider sharing model than the business actually needs? |
| OneDrive sharing | Is OneDrive more permissive than SharePoint for no real reason? |
| Default link type | Are users pushed toward broad sharing links instead of named people links? |
| Anyone links | Are anonymous links still allowed where they should not be? |
| Site-level overrides | Have sensitive sites been restricted below the tenant default? |
| Guest controls | Are Entra guest restrictions and review processes in place? |
If the default is too open, every new workspace inherits the problem before anybody has made a bad decision.
Clean up by business risk, not alphabetically
This is where many reviews waste time. They start with a list of site names and work top to bottom. Real cleanup should start with where exposure would hurt.
Start here:
- HR, payroll and recruitment workspaces.
- Finance and forecasting libraries.
- Leadership and board collaboration spaces.
- Customer delivery sites with external suppliers.
- Old project Teams with no active owner.
- OneDrive accounts for leavers and role changes.
You are looking for a few very plain signals:
- External users on a site that should be internal only.
- "Anyone" or broad guest links on sensitive libraries.
- No clear business owner for the site.
- Sharing settings that are more open than the data justifies.
- Guests from supplier domains that are no longer active.
A cleanup model that works in real life
Keep it boring and repeatable:
- Export high-risk sites and connected groups.
- Confirm each site's business owner.
- Review site-level sharing against the data in that workspace.
- Remove anonymous links where there is no hard reason to keep them.
- Remove stale guests and old supplier domains.
- Record what was changed and what was deliberately left in place.
The key thing is the last step. Some external access will stay, and that is fine. What matters is whether the exception is understood, named and reviewed.
Keep evidence simple
| Site | Owner | External users | Anonymous links | Action |
|---|---|---|---|---|
| Finance | Finance lead | 2 | 0 | Keep and review quarterly |
| HR | HR manager | 0 | 0 | External sharing disabled |
| Client delivery | Delivery lead | 6 | 0 | Keep named guests, review monthly |
| Archive project site | Unknown | 11 | 4 | Reassign owner, remove links, review guests |
This is enough for internal control, customer questionnaires and incident follow-up. Nobody needs a thirty-page governance deck for this.
A better default stance for most SMEs
For most small and mid-sized tenants, the cleaner position is:
- No anonymous links unless there is a specific business case.
- External sharing only where there is a named owner.
- Sensitive sites restricted at site level, even if broader sharing exists elsewhere.
- Guest access reviewed on a schedule, not just when somebody remembers.
- Labels and DLP used to support the model, not pretend the model exists.
There is no glamour in this work. But when external sharing is tidy, Copilot readiness, supplier assurance, and routine security review all get easier at the same time. That is usually the sign you fixed the right problem.
References
Related notes
26 Mar 2026 · 3 min
Sensitivity Labels in SharePoint and OneDrive: A Practical Start
Related: microsoft purview, sensitivity labels, sharepoint.
26 Feb 2026 · 3 min
Guest Access Reviews in Teams
Related: teams, sharepoint, guest access.
30 Mar 2026 · 3 min
Container Labels for Teams, Sites and Groups: Control the Place, Not Just the File
Related: microsoft purview, teams, sharepoint.
Need help mapping this to your own tenant, controls, or assessment timeline?