Recipe · SharePoint & OneDrive
Audit SharePoint Sites for Security Issues and Oversharing
Inventory every SharePoint site, flag 'Everyone' and anonymous sharing, and produce a prioritized remediation report
Complexity
Intermediate
Impact
security + compliance + access-review + data-governance + sharepoint
Context
Why This Matters
SharePoint Online is one of the most common sources of data oversharing in Microsoft 365 tenants. Over time, sites accumulate permissions that nobody remembers granting: 'Everyone except external users' groups, stale guest accounts, anonymous sharing links that never expire, and site owners who left the company years ago.
This recipe walks through a tenant-wide audit of every SharePoint site, focusing on the highest-risk misconfigurations: wide-reaching internal access (Everyone groups), external/anonymous sharing, and missing or orphaned owners. Run it quarterly as part of your access review program, before a compliance audit (SOC 2, ISO 27001, HIPAA), or any time you onboard a new CISO or data protection lead.
When to run this recipe
- Quarterly access reviews
- Pre-audit preparation (SOC 2, ISO 27001, HIPAA)
- After a security incident involving data exposure
- When migrating from a file server to SharePoint
- After enabling or disabling tenant-wide external sharing
Expected Outcomes
After completing this recipe you will have:
- A complete inventory of all SharePoint sites in the tenant (excluding OneDrive personal sites)
- A CSV report listing each site's URL, owners, sharing capability, and flagged findings
- A prioritized list of sites sharing with 'Everyone' or 'Everyone except external users'
- A list of sites with anonymous ('Anyone') sharing enabled
- Identification of orphaned sites (no active owner) and sites with excessive external guests
- Concrete remediation actions for each high-risk site
Risks & Considerations
Before you start
- Permissions matter: To enumerate site-level permissions via Graph, the calling app needs `Sites.FullControl.All`. Lower scopes like `Sites.Read.All` will return 403 on `/sites/{id}/permissions`. Plan the consent step with your security lead.
- Do not remediate blindly: 'Everyone except external users' is sometimes intentional (company-wide intranet, all-hands announcements). Review each finding with the site owner before removing access.
- Throttling: Large tenants (1000+ sites) will hit Graph throttling. Use `$select`, paginate, and add backoff retries.
- Audit log the audit: Anything touching permissions is logged. Coordinate with your SOC so your review activity is not flagged as an attack.
- OneDrive is out of scope here: This recipe intentionally skips personal sites (`/personal/`). Audit those separately; the permission model and remediation flow differ.
- Do not change sharing settings during the audit. Collect findings first, then remediate in a controlled change window.
Required Permissions
| Permission | Why It's Needed |
|---|---|
| Sites.FullControl.All | Required to read site-level permissions and sharing capability for every SharePoint site. Lower scopes return 403 on the permissions endpoint. |
| Sites.Read.All | Minimum scope to enumerate sites and read site metadata. Sufficient for the inventory step but not for permission drill-down. |
| Directory.Read.All | Resolve group and user identities referenced in site permissions (e.g., to identify 'Everyone except external users'). |
| SharePoint Administrator role | Required in the SharePoint admin center to view and modify tenant-wide external sharing settings and per-site sharing capability. |
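As an added example (not part of the original recipe or any Dex tooling), the classification and prioritization step that turns per-site permission data into the CSV remediation report listed under Expected Outcomes. Input objects follow the shape of Graph `GET /sites/{id}/permissions` responses; the sample payloads are constructed, and matching the Everyone groups by display name and detecting guests via `#ext#` in the login name are assumptions, not documented Graph contracts.

```python
import csv, io
# Tenant-wide claims groups as Graph shows them once identities are resolved (assumption: match by displayName).
EVERYONE_GROUPS = {"Everyone", "Everyone except external users"}
SEVERITY = {"ANONYMOUS_LINK": 1, "EVERYONE_ACCESS": 2, "NO_OWNER": 3, "MANY_GUESTS": 4}  # 1 = fix first

def classify(permissions, guest_threshold=10):
    """Map one site's GET /sites/{id}/permissions collection to a set of finding codes."""
    findings, owners, guests = set(), 0, 0
    for perm in permissions:
        if perm.get("link", {}).get("scope") == "anonymous":  # 'Anyone' sharing link
            findings.add("ANONYMOUS_LINK")
        for ident in perm.get("grantedToIdentitiesV2", []) + [perm.get("grantedToV2", {})]:
            group = ident.get("group") or ident.get("siteGroup") or {}
            if group.get("displayName") in EVERYONE_GROUPS:
                findings.add("EVERYONE_ACCESS")
            user = ident.get("user") or ident.get("siteUser") or {}
            if "#ext#" in user.get("loginName", "").lower():  # guest-account heuristic (assumption)
                guests += 1
            elif user and "owner" in perm.get("roles", []):
                owners += 1
    if owners == 0:
        findings.add("NO_OWNER")  # orphaned site: nobody left to review findings with
    if guests >= guest_threshold:
        findings.add("MANY_GUESTS")
    return findings

def build_report(sites):
    """sites: iterable of (site, permissions) pairs; returns report rows ordered worst-first."""
    rows = []
    for site, perms in sites:
        if found := classify(perms):
            rows.append({"url": site["webUrl"], "severity": min(SEVERITY[c] for c in found),
                         "findings": ";".join(sorted(found, key=SEVERITY.get))})
    return sorted(rows, key=lambda r: (r["severity"], r["url"]))

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["url", "severity", "findings"])
    writer.writeheader(); writer.writerows(rows)
    return buf.getvalue()

# Constructed sample shaped like Graph permission objects; not captured from a real tenant.
OWNER = {"roles": ["owner"], "grantedToV2": {"user": {"loginName": "i:0#.f|membership|alice@contoso.com"}}}
GUEST = {"roles": ["read"], "grantedToV2": {"user": {"loginName": "i:0#.f|membership|bob_gmail.com#ext#@contoso.onmicrosoft.com"}}}
EVERYONE = {"roles": ["read"], "grantedToV2": {"siteGroup": {"displayName": "Everyone except external users"}}}
SAMPLE = [
    ({"webUrl": "https://contoso.sharepoint.com/sites/intranet"}, [OWNER, EVERYONE]),
    ({"webUrl": "https://contoso.sharepoint.com/sites/finance"}, [{"roles": ["read"], "link": {"scope": "anonymous"}}]),
    ({"webUrl": "https://contoso.sharepoint.com/sites/legacy-hr"}, [GUEST]),
]
```

Running `to_csv(build_report(SAMPLE))` puts the anonymously shared site first, the Everyone-readable intranet second, and the ownerless site third, which is the order the remediation discussion with site owners should follow.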
The fastest way to get this done: just ask Dex. Copy the prompt below and paste it into your Dex conversation.