You revoke a leaver's M365 access. Entra shows zero active sessions. Job done?

When a user shares a file through Teams or SharePoint, M365 generates an anonymous link with no login required to open it. That link doesn't die when you offboard the user. It doesn't die when you revoke the license. By default, it never expires. Six months after someone leaves, the link still works. Any device. Any country. No authentication required.

I found three of these during an offboarding audit last month. Files shared externally, still fully accessible, completely invisible in a standard access review.

The fix takes two minutes: SharePoint Admin Centre → Policies → Sharing → set "Anyone" link expiration to X days (each organization has its own risk appetite). One setting. Applies to all new links going forward.

For existing links: run sharing link reports in SharePoint Admin Centre under Reports. You'll find links that have been active for months.

This isn't a Microsoft bug. It's a misconfiguration that ships by default.

Edit: Also disable "allow guests to share items they don't own" (thanks for bringing it up, Hervé Doher).

How many of your offboarding checklists include this step?

#Microsoft365 #SharePoint #CyberSecurity #ITSecurity #samcek
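The same two tenant settings from the post (Anyone-link expiration and blocking guest re-sharing), applied from the SharePoint Online Management Shell instead of the admin centre, followed by an audit-log pull that surfaces anonymous-link creation events so existing links can be reviewed against a leavers list. This is an added example, not code from the post or from Microsoft; it assumes the SharePoint Online and Exchange Online PowerShell modules are installed, that the signed-in account holds SharePoint Administrator and audit-reading roles, and that `$TenantName`, the leaver addresses and the 30-day value are placeholders to replace with your own.

```powershell
# Added example (not from the post). Hardens "Anyone" links tenant-wide, then lists
# anonymous-link audit events so links created by leavers can be found and reviewed.
# Assumptions: Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement
# are installed; $TenantName is a placeholder; expiry days reflect your own risk appetite.

param(
    [string]$TenantName = "contoso",   # placeholder tenant name
    [int]$AnyoneLinkExpiryDays = 30    # the post's "X days": choose per organisation
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"

# 1. Record the current state so the change is evidenced before/after.
Write-Host "Before:"
Get-SPOTenant | Select-Object SharingCapability,
                              RequireAnonymousLinksExpireInDays,
                              PreventExternalUsersFromResharing | Format-List

# 2. Force every NEW "Anyone" link to expire (the post's main fix).
Set-SPOTenant -RequireAnonymousLinksExpireInDays $AnyoneLinkExpiryDays

# 3. Stop guests re-sharing items they don't own (the post's edit).
Set-SPOTenant -PreventExternalUsersFromResharing $true

# Optional, stricter alternative: drop "Anyone" links altogether and allow only
# authenticated, already-invited guests. Uncomment if that matches your policy.
# Set-SPOTenant -SharingCapability ExistingExternalUserSharingOnly

Write-Host "After:"
Get-SPOTenant | Select-Object SharingCapability,
                              RequireAnonymousLinksExpireInDays,
                              PreventExternalUsersFromResharing | Format-List

# 4. The policy does not touch links that already exist. Pull anonymous-link
#    events from the unified audit log (limited to your tenant's retention window).
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-90) `
                                 -EndDate (Get-Date) `
                                 -Operations AnonymousLinkCreated, AnonymousLinkUsed `
                                 -ResultSize 5000

$report = foreach ($e in $events) {
    $d = $e.AuditData | ConvertFrom-Json       # AuditData is a JSON string
    [pscustomobject]@{
        When      = $d.CreationTime
        Operation = $d.Operation
        Actor     = $d.UserId                  # "anonymous" on AnonymousLinkUsed events
        Site      = $d.SiteUrl
        Item      = $d.ObjectId
    }
}

# 5. Cross-check creators against your leavers list (constructed placeholder values).
$leavers = @("leaver1@$TenantName.onmicrosoft.com",
             "leaver2@$TenantName.onmicrosoft.com")

$report |
    Where-Object { $_.Operation -eq "AnonymousLinkCreated" -and $leavers -contains $_.Actor } |
    Sort-Object When |
    Format-Table -AutoSize

# Keep the full event list as evidence for the access review.
$report | Export-Csv -Path ".\anonymous-link-events.csv" -NoTypeInformation
```

Two caveats worth knowing before acting on the output: the audit log records that a link was created or used, not whether it still resolves today, so each hit still needs checking in the item's Manage Access pane (or via the sharing link reports the post points to), and events older than the tenant's audit retention will simply be absent, which is exactly why the post recommends the report rather than relying on the log alone.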
I had SharePoint sharing set up for only approved domains.
"Anyone in the org", set and forget. Need to send externally? Use a completely different encrypted and managed approach
Honestly, this one feels less like an offboarding miss and more like a “we never locked the front door” situation 😅 Microsoft 365 is pretty clear that Anyone links are anonymous by design, so killing the user, license, or session won’t touch them. That’s expected behavior. The real fix is preventative: set the tenant policies properly from day one, either disable Anyone links completely or force an expiration. Offboarding alone was never meant to be the control here.
You should suggest to those companies a security assessment that covers the CIS benchmark for Microsoft 365 and Azure. This is what I do with risk assessing in general for controls. Also, how can this be a checklist item? It's a one-time configuration you set in place and review depending on the internal policies of the company.
Auditing share link activity and removing such links generated by offboarded users would be the chef’s touch 👍🏻
What a nightmare, thank God I do not allow any external sharing at my org.
Strong checklist item. This works even better when external links and guest users are reviewed together, because both often outlive the project that created them. The hard part usually isn’t finding the artifact, it’s knowing who in the business can confirm whether it should still exist.
Really simple and effective control but still missed by many!!
First and most important consideration, in my mind, is whether the organization wants the share with “Anyone” setting turned on at all. That creates the first huge risk of over-sharing. “Existing” or “new and existing” may be a better choice to start a new org's settings. If “anyone” is an operational business requirement then, yeah, the X days setting needs to be set. Also this process needs to be communicated thoroughly to the users. Someone will need to own the process of renewing the link when it expires.