SharePoint Online

How to Audit Sharing Settings in SharePoint Online

Have you examined who can access your organization's crucial files in Microsoft 365? What if unauthorized users could view, edit, or share sensitive information without your knowledge? In such cases, the risk of data leaks and security breaches becomes massive. This guide will walk you through the key steps to monitor sharing setting changes in SharePoint Online and provide valuable insights to manage them securely.

Using Microsoft 365 Purview Portal

Microsoft 365 Permission Required

Global Admin, Exchange Admin, or Compliance Admin.

Login to the Microsoft 365 Purview Portal.
Navigate to the Audit page under Solutions.
Customize the required date and time range.
Click on the Activities-friendly names drop-down and select the operations mentioned below.
Modified access request setting, Modified 'Members Can Share' setting, Broke sharing inheritance, Restored sharing inheritance, Changed a sharing policy.
Click on Search. Once the search is completed, you can export the Microsoft 365 sharing setting changes report.

You need to have an Audit Premium license to access audit logs older than the default period of 180 days.

Using Windows PowerShell

Microsoft 365 Permission Required

Global Admin, Exchange Admin, or Compliance Admin.

Connect to the Exchange Online PowerShell using the below cmdlet.
Windows PowerShell
```
 Connect-ExchangeOnline
```
Run the below cmdlet to track SharePoint Online sharing setting changes.

Windows PowerShell

 Search-UnifiedAuditLog -StartDate mm/dd/yyyy -EndDate mm/dd/yyyy -RecordType SharePointSharingOperation -Operations WebRequestAccessModified, WebMembersCanShareModified, SharingInheritanceBroken, SharingInheritanceReset, SharingPolicyChanged |Format-Table CreationDate,UserIds,Operations -AutoSize

Using AdminDroid
Simple & Quick

AdminDroid Permission Required Delegated

Any user with report access delegated by the Super Admin.

Login to the AdminDroid Office 365 reporter.
Navigate to the All SharePoint Activities report under Audit»General»O365 Workload Based Activities.
Apply the filters for Operation as mentioned below.
Sharing Policy Changed, Sharing Inheritance Restored, Sharing Inheritance Broken, Web Request Access Modified, Web Access Request Approver Modified.

AdminDroid SharePoint Online Reporter

Take control of your SharePoint Online sharing settings!

The AdminDroid SharePoint Online auditing tool keeps you updated on all changes to sharing settings in your organization. By regularly monitoring these changes, you can revert any unwanted modifications and prevent unauthorized access to crucial data.

Monitor Sharing Invitations in SPO

Explore AdminDroid’s reports on SharePoint Online sharing invitations and update the sharing settings if there are any unintended recipients.

Track Anonymous Sharing Link Creations

Audit anonymous link creations in SharePoint Online to determine if any confidential files have been shared using these links.

Manage Micorosoft 365 Compliance Requirement

AdminDroid's specialized compliance reportboard allows you to track sharing and access activities, ensuring that Microsoft 365 regulatory compliance requirements like ISO, GDPR, SOX, etc., are met.

Verify Permission Levels of Shared Items

Verify the "Shared Permission" column from the SharePoint Online Shared Items report, which will help you to restrict sharing permissions for sensitive files.

Alert on Changes to Sharing Policies

Utilize AdminDroid's alerting feature to receive real-time alerts whenever someone changes the organization-wide sharing policy settings.

Check External Sharing Activities in SharePoint Online

Run a external sharing report in SharePoint Online to check whether your organization’s legal documents are safe.

Therefore, the AdminDroid SharePoint Online reporting and auditing tool keeps you informed about sharing setting changes, helping you in the following scenarios:

Monitor and analyze user sharing patterns to identify trends and detect unusual activities.
Assess the effectiveness of current sharing settings and make data-driven decisions to secure sharing practices.
Trace the origin and extent of data breaches to aid in remediation efforts.

Explore a full range of reporting options

Download Live Demo

Important Tips

Reset SPO sharing setting changes with Microsoft365DSC automatically if any undesired modifications are made to these settings.

Monitor SharePoint Online access request setting changes to ensure that only authorized users have permission to approve these requests.

Utilize the sharing links report in SharePoint Online to gain insights into how files are shared through different link types.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints while dealing with sharing setting changes in SharePoint Online.

Error Your org doesn't allow sharing with people who use this email domain.

This happens because sharing with the external user’s domain may be blocked by your organization.

Fix Run the below PowerShell cmdlet to enable external sharing with the domain.

Set-SPOTenant -SharingDomainRestrictionMode "AllowList" -SharingAllowedDomainList "<DomainName>"

Error "Anyone with the link" is Greyed Out.

This error occurs when you attempt to share content from a SharePoint site which prevents sharing with 'Anyone’.

Fix Run the below PowerShell cmdlet to set the external sharing level for a SharePoint site.

Set-SPOSite -Identity <SiteURL> -SharingCapability ExternalUserSharingOnly

Error Sorry, access to this document has been removed.

This error occurs when the document owner has removed the sharing link for the file or folder.

Fix Contact the document owner to grant access to the resource.

Error Write-ErrorMessage|Microsoft.Exchange.Management.UnifiedPolicy.ErrorRuleNotFoundException|There is no rule matching identity '<LabelName>'.

This error happens when you specify a wrong value for the sensitivity label name.

Fix Run the below cmdlet to get the exact name of the sensitivity label from the “Name” value.

Get-Label

SharePoint Online

Frequently Asked Questions

Manage SharePoint Online Sharing Settings to Safeguard Data in Microsoft 365

How to manage sharing settings in SharePoint Online?

For organizations collaborating with a wide range of users, including external parties, it's crucial to manage access permissions levels to site contents. You can change the sharing settings by navigating to the Sharing page of your SharePoint admin center.

SharePoint external sharing settings: You can choose the desired external sharing level based on your requirements. The four sharing levels available are:
- Anyone
- New and existing guests
- Existing guests
- Only people in your organization.
Limit external sharing by domain: Here, you have the option to allow sharing with only specific domains or to block certain domains.
Allow only users in specific security groups to share externally: With this option, you can choose specific security groups in your organization whose members are only authorized to share externally.
Guests must sign in using the same account to which sharing invitations are sent: This setting requires guests to sign in with the same account in which they receive the invitation. By default, they can use any account to login and access the content.
Set guest user access expiration: This setting allows you to define a time period for which the guest users are allowed to access a SharePoint site. After the specified time ends, their access to the site is revoked automatically.
Set default sharing link type: In this setting, you can specify the default link that is selected when users share files in SharePoint Online. You can also choose the default access permission level for these links.
Choose expiration and permissions options for ‘Anyone’ links: You can set expiration days and permission levels for files and folders shared with "Anyone" links. This option appears only when the "Anyone" link is chosen in the external sharing settings.

Access a detailed report on site collection sharing settings available in AdminDroid to get an overview of various sharing configurations for all the site collections in your Microsoft 365 organization.

This report helps you to identify the external sharing level, sharing allowed and blocked domains, etc., of all the site collections.
Use AdminDroid’s built-in charts to visually classify your site collections based on their sharing levels.

Handy Hint: You can use the Report scheduling functionality to receive a weekly report on the sharing settings of your SharePoint Online sites.

Why do SharePoint site external sharing settings differ from org-wide settings?

The organization-wide sharing setting is not applied to all the SharePoint sites in your organization. Each site type has its own default sharing level irrespective of the organization-wide setting.

The default external sharing setting of each site type is mentioned below.

Classic Site: Only people in your organization.
Group-connected sites (including Teams): New and existing guests (if the Microsoft 365 groups have ‘Let group owners add people outside the organization to groups’ option is 'On'),

Existing guests (if the Microsoft 365 groups have ‘Let group owners add people outside the organization to groups’ option is 'Off').
Communication Site: Only people in your organization.
Modern sites with no group: Only people in your organization.

Note: Classic, communication, and modern sites (without a group) will always have the Only people in your organization setting, regardless of the organization-wide setting. However, for group-connected sites, the default setting may vary based on your organization-wide setting.

For example, if your organization-wide setting is restrictive, such as Existing guests, then all group-connected sites will adopt this as default setting. Similarly, if the organization-wide setting is set to the most restrictive level like Only people in your organization, then all group-connected sites will have this as the default setting.

How to change the default sharing settings of a SharePoint site?

The default sharing setting based on site types may not suit your organization’s purpose. Some confidential sites may require more restricted access, while common sites may require more permissive access.

Follow the steps below to change the sharing settings for individual sites in SharePoint Online.

Login to the SharePoint Online admin center.
Navigate to Sites»Active Sites. Select the desired SharePoint site and hit on the Settings tab.
Click on the "More sharing settings" link. You can choose an external sharing level, change the default sharing link type, and the default sharing link permission.
Once done, click on Save.

Note: Here, you may notice that some of the sharing settings are greyed out. This is because you might have restricted those settings in your organization-wide sharing settings.

You can also use Microsoft 365 sensitivity labels to control the default sharing link settings for sites and documents. The more restrictive setting between these two will be the default sharing link for the documents.

Run the below PowerShell cmdlet to configure the default sharing link type of sensitivity labels.

Connect-IPPSSession -UserPrincipalName <UPN>

Set-Label -Identity "<LabelName>"-AdvancedSettings @{DefaultShareLinkPermission = "View" DefaultSharingScope = "SpecificPeople"}

Note: Make sure to replace <UPN> and <LabelName> with the appropriate values before executing the cmdlets.

Now, the documents or sites with this label will have the default sharing link as "People you choose" and sharing permission as "View". If required, you can also customize the DefaultShareLinkPermission and DefaultSharingScope parameters with other values as mentioned below.

DefaultShareLinkPermission -Edit
DefaultSharingScope -Organization, Anyone

How to prevent team members from sharing content on your SharePoint site?

If everyone on a SharePoint Online site can share the site and its content, it raises the risk of document overwrites, which could result in data loss or corruption. Without proper management, confidential documents may be exposed to unwanted users.

You can prevent users from sharing files in SharePoint Online by following the steps below.

Navigate to the desired SharePoint Online site.
Tap on the Settings (gear) icon and select Site permissions.
Under Site Sharing, select the "Change how members can share" link.
Here, you have three site sharing settings as mentioned below.
- Site owners and members can share files, folders, and the site. People with Edit permissions can share files and folders.
- Site owners, members, and people with Edit permissions can share files and folders, but only site owners can share the site.
- Only site owners can share files, folders, and the site.
Choose the required sharing permission and click on Save.

You can audit sharing permission setting changes by selecting the "Modified Members Can Share" setting under Activity in your Office 365 audit logs. However, preparing the report may take more time if it includes multiple events.

Utilize the Member's Sharing Permission Setting Changes report in AdminDroid to track all sharing permission changes within a click.

This report provides information on who modified the setting and the time it was modified.
You can use the Site URL easy filter to view the sharing permission modifications for specific SharePoint Online sites.

How to remove shared links in SharePoint Online?

If you find any compliance documents on your internal document site being shared with "Anyone" links or Edit permissions, follow these steps to disable the sharing link in SharePoint Online.

Navigate to the desired SharePoint Online site.
Go to the document library that contains the file or folder you need to stop sharing.
Click on the ellipses (More option) near the file or folder and select Manage access.
Tap on the Stop Sharing button to prevent all sharing links for the item. However, if you wish to remove only specific links, click on the Delete icon next to the specific link under the Links section.