How to Audit SharePoint Online Anonymous Access in Microsoft 365

Anonymous links are useful to share specific documents, folders, or files for collaboration with external partners, clients, or anyone who doesn't have direct access to your SharePoint site. To create an anyone link in SharePoint Online,

Follow these essential steps to enhance security for your anonymous links.

Note: Users can generate 'anyone' links only if their organization has enabled this feature. otherwise, the option will be greyed out.

• Admins need to monitor any anonymous links created for confidential files.
• This report lists all anonymous links generated in SharePoint Online, offering detailed information such as creation time, file name, and the user who created the link.

Anonymous links in SharePoint Online facilitate quick and secure sharing of documents and files with external users without requiring them to sign in. You can set anyone links at two levels in SharePoint Online.

Tracking file and folder sharing configurations in SharePoint is crucial for security and prevents unauthorized external sharing of sensitive documents.

In a single report, you can view the site owner, external sharing capability, number of site users, and additionally you can see member permissions.

If you want to restrict users from creating anonymous links, the only option is to reduce the privilege level in the SharePoint admin center, which affects your entire tenant. There is no other option to restrict this capability for a particular user or group.

Use the below cmdlet to disable anyone links in SharePoint Online.

Connect-SPOService -Url https://<yourtenant>-admin.sharepoint.com
# Disable anonymous link sharing for Entire Tenant
Set-SPOTenant -Identity SharingCapability ExternalUserOnly

Reducing the privilege level in the SharePoint admin center to restrict users from creating anonymous (unauthenticated) links can impact external collaboration. Additionally, it may pose difficulties for users who do not have a Microsoft account.

AdminDroid's report on anonymous link creations in SharePoint Online provides a list of all generated anonymous links, including the creation time, file name, and the user responsible for each link.

• AdminDroid automatically analyses the recent possible alerts for the alert policy using your organization audit data and creates a 'Alert Preview Console' on the retreived data.
• With the 'Preview & Deploy' feature, you shall view the recent possible alerts and deploy the alert policy to receive alert on the anonymous link creations.

Pro Tip: AdminDroid provides predefined alert policies on anonymous link creation, resources accessed using anonymous links, and unusual volume of anonymous link creation.

You can easily 'Preview & Deploy' to receive alerts on the anonymous link activites.

Within SharePoint Online, users can easily share files and folders by creating an 'Anyone link' which allows anonymous access without requiring sign-in.

So monitoring 'Anyone link' usage helps you spot unauthorized access to sensitive documents and maintain compliance with data protection regulations and security policies.

Use the below cmdlet to extract all anonymous link activities in SharePoint Online.

Connect-ExchangeOnline
$RetriveOperation = "AnonymousLinkRemoved", "AnonymousLinkCreated", "AnonymousLinkUpdated", "AnonymousLinkUsed"
Search-UnifiedAuditLog -StartDate "yyy-mm-dd" -EndDate "yyyy-mm-dd" -Operations $RetriveOperation -ResultSize 5000

Tracking anonymous activities in SharePoint Online helps you to protect your organization's data from unauthorized access and enhance data security.

• Get a list of all anonymous activities with AdminDroid's "All sharepoint events related to anonymous links" report.
• This report provides detailed data about the user who created the link, operations performed, filename, file permissions, and expiration date.

No, it's not possible for an anonymous (unauthenticated) user to remove files and folders shared through an Anyone link. Only the owner of the site has the permission to delete the files.

Note : Above conditions are applicable to anyone links only.

Connect-ExchangeOnline
Search-UnifiedAuditLog -StartDate <mm/dd/yyyy> -EndDate <mm/dd/yyyy> -Operations FileDeleted,  FileDeletedFirstStageRecycleBin, FileDeletedSecondStageRecycleBin | Format-Table -Property RecordType, CreationDate, UserIds, Operations 

Keep track of file deletions in your SharePoint environment to prevent unauthorized or accidental loss of important files and to ensure sensitive information is protected.

• Navigate to All File Deletions in SharePoint and OneDrive report under Audit»General»File/Folder Deletion Tracking»File Deletions.
• This report provides detailed information on deleted files, including deletion timestamps, device info, URL's of the deleted items, the operations performed, and the result status.

Yes, in addition to anonymous links, SharePoint offers more secure external file sharing options with better control. These include specific people links that requires recipients to login with a Microsoft account to access the files.

By implementing the above changes, you can more effectively manage external sharing in SharePoint Online.

• A detailed report on file and folder sharing activities with external users in SharePoint Online is available through AdminDroid.
• This report includes event time, workload, type of operation, operation performer’s email, target user or group's email, shared file or folder name.

Pro Tip: AdminDroid supports scheduling external file activities, enabling automated tasks such as downloading and emailing reports on a weekly or monthly basis for efficient management and timely updates.