Recipe · SharePoint & OneDrive

Audit SharePoint Files with Public or Anonymous Sharing Links

Scan every SharePoint site and document library to identify files exposed via anonymous (public) sharing links and produce a remediation-ready report.

Complexity

Intermediate

Impact

security + compliance + data-governance + access-review

Context

Why This Matters

Anonymous sharing links in SharePoint (also called "Anyone" links) allow access to files without authentication: anyone with the URL can view or edit the content. While convenient for external collaboration, these links are one of the most common sources of data leakage in Microsoft 365 tenants.

Run this audit when you need to:

  • Respond to a compliance review (SOC 2, ISO 27001, HIPAA, GDPR)
  • Investigate a suspected data exposure incident
  • Perform a quarterly or post-acquisition data governance review
  • Validate external sharing policy changes after tightening tenant-level settings
  • Prepare for a tenant-to-tenant migration or M&A due diligence

The recipe walks every SharePoint site collection, enumerates each document library, inspects file-level sharing permissions, and flags items where the sharing scope is anonymous (and, optionally, organization for a broader posture review).

Expected Outcomes

What you'll have when you're done

  • A complete inventory of files with anonymous (public internet) sharing links across all SharePoint sites
  • A secondary list of files with organization-wide links (optional but recommended)
  • A CSV report with site, file path, link type, permission scope, and direct URL, suitable for import into a GRC tool or ticketing system
  • Clear remediation targets: each flagged file can be revoked or re-shared with specific users
  • A repeatable script you can schedule monthly to catch new exposures

Risks & Considerations

Warnings and gotchas

  • Read-only audit: The audit itself does not change any permissions. Never auto-revoke sharing links without a review; you may break legitimate external workflows (partners, contractors, customers).
  • Throttling: Large tenants (hundreds of sites, millions of files) will hit Graph API throttling (HTTP 429). Honor Retry-After headers and paginate with @odata.nextLink.
  • Permission inspection is per-item: The shared property on a driveItem only indicates that it is shared, not how. You must call GET /drives/{id}/items/{id}/permissions to confirm a link is truly anonymous.
  • Nested folders: /root/children only returns top-level items. Use /root/search(q=' ') or recurse into folders to catch every file.
  • OneDrive is separate: This recipe targets SharePoint sites. OneDrive personal libraries require scanning user drives via /users/{id}/drive.
  • Data handling: The output report contains file paths and URLs that may themselves be sensitive. Store it in a restricted location and delete after remediation.
  • Don't confuse scopes: anonymous = public internet; organization = anyone in the tenant with the link; users = specific named users. Only anonymous is a true public exposure.
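The pagination, throttling, recursion and per-item permission checks from the list above, combined in one sketch. This is an added example, not code from the original page or from Dex. It assumes a hypothetical `fetch(url)` callable that returns `(status, headers, body)`; in real use it would wrap an authenticated HTTP client, and here `make_fake_fetch` supplies constructed responses so the block runs offline.

```python
import time

GRAPH = "https://graph.microsoft.com/v1.0"

def get_all(fetch, url, sleep=time.sleep, max_retries=5):
    """Yield every object in a paged Graph collection, waiting out HTTP 429."""
    while url:
        for _ in range(max_retries):
            status, headers, body = fetch(url)
            if status != 429:
                break
            sleep(int(headers.get("Retry-After", "1")))  # honor the server's delay
        if status != 200:
            raise RuntimeError(f"GET {url} returned HTTP {status}")
        yield from body.get("value", [])
        url = body.get("@odata.nextLink")  # absent on the last page

def audit_drive(fetch, drive_id, scopes=("anonymous",), sleep=time.sleep):
    """Walk one library; return (file, scope, link type, permission id) rows."""
    rows, todo = [], [f"{GRAPH}/drives/{drive_id}/root/children"]
    while todo:
        for item in get_all(fetch, todo.pop(), sleep):
            base = f"{GRAPH}/drives/{drive_id}/items/{item['id']}"
            if "folder" in item:  # recurse: /root/children is top level only
                todo.append(base + "/children")
                continue
            for perm in get_all(fetch, base + "/permissions", sleep):
                link = perm.get("link") or {}  # direct grants carry no link facet
                if link.get("scope") in scopes:
                    rows.append((item["name"], link["scope"], link.get("type"), perm["id"]))
    return rows

def make_fake_fetch():
    d = f"{GRAPH}/drives/D1"
    pages = {  # constructed sample responses standing in for Graph, not tenant data
        d + "/root/children": {"@odata.nextLink": d + "/root/children?page=2",
                               "value": [{"id": "F1", "name": "Contracts", "folder": {}}]},
        d + "/root/children?page=2": {"value": [{"id": "A", "name": "plan.docx"}]},
        d + "/items/F1/children": {"value": [{"id": "B", "name": "nda.pdf"}]},
        d + "/items/A/permissions": {"value": [{"id": "p1", "link": {"scope": "organization"}}]},
        d + "/items/B/permissions": {"value": [{"id": "p3", "roles": ["owner"]},
            {"id": "p2", "link": {"scope": "anonymous", "type": "view"}}]},
    }
    throttled = {d + "/items/B/permissions"}  # first request to this URL gets a 429
    def fetch(url):
        if url in throttled:
            throttled.discard(url)
            return 429, {"Retry-After": "2"}, {}
        return 200, {}, pages[url]
    return fetch
```

Passing `scopes=("anonymous", "organization")` produces the secondary organization-wide finding in the same pass.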

Required Permissions

| Permission | Why It's Needed |
| --- | --- |
| Sites.Read.All | Enumerate all SharePoint sites and read site metadata |
| Files.Read.All | List drive items across all document libraries |
| Sites.FullControl.All | Required to read detailed sharing permissions on every item (Files.Read.All alone is insufficient for /permissions on some items) |

The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Audit all SharePoint sites in our tenant for files shared via anonymous (public) links. Walk every site and document library, check file-level sharing permissions, and produce a CSV report listing each exposed file with its site, path, URL, and link details. Optionally include organization-wide links as a secondary finding.