Copilot Readiness: How to Fix Oversharing in Microsoft 365

In a previous article, we discussed what "oversharing" means in Microsoft 365 and how it can impact your plans for Copilot readiness.  In this article, we'll discuss ways you can address it.

Oversharing in Microsoft 365 poses a significant security risk, as it can unintentionally allow unauthorized access to sensitive information and increases the likelihood of data breaches.

In this article, I'll discuss how conducting regular audits of public workspaces, adjusting default share link settings, and cleaning up outdated share links are effective tools in addressing oversharing in the short-term and long-term.

Oversharing Fix #1: Audit Your Public Workspaces

Why Does This Matter?

Anyone in the organization can discover and join your public SharePoint sites, teams, and communities without prior approval. 

The contents of public sites may be picked up by Copilot, even if they're not members of the group.

In addition to being accessible workspaces, people are given EDIT permissions by default. This means they can create and modify workspace documents, site pages, lists and more. In my own tests, I didn't even need to join the group to create or modify content.

Sometimes, the planned purpose of a workspace evolves over time. Business users' needs shift, and they adapt the workspace to fit their needs. Unfortunately, we cannot expect workspace owners to notify IT when this happens.

Performing a regular audit of your public workspaces helps ensure they are aligned with your IT governance and security policies. 

What Needs to be Done?

Prepare a report of your public workspaces.  Whether you get this from the M365 Admin center, or through Orchestry - the first step is to identify the scope of your audit.  Ask yourself questions, such as:

• How many public workspaces do you have today?
• From the oldest workspace to the newest, identify workspaces that do not need to be audited
• Identify any workspaces that should be prioritized in the audit

Orchestry administrators can create the audit report in a few clicks from the Lifecycle Insights page.

Review the site content with workspace owners.  This should be a fact-finding mission, not a fault-finding one.  Work in close partnership with site owners to help them identify any files or content that would be considered 'sensitive information' and require extra protection (or be moved to different site all together).

Apply sensitivity labels to content (as required).  If your organization uses sensitivity labels, you can use them to apply extra protection on sensitive material.   This can help prevent share links from overriding permissions set at the library, site or M365 group level.  We'll cover sensitivity labels more in an upcoming article.

Change the privacy setting from 'public' to 'private' (as required). Sometimes the intended purpose of our teams and SharePoint sites changes over time.  If a public site is now largely being used for private work, then it may be easier to lock the site down than move more than 50% of the content to a new location.

How Does this Help?

Of course, routine audits are a common tool for organizations to verify compliance with their policies and industry standards.  

Audits are not only a good way to prevent surprises later—whether by removing sensitive information from public sites or locking down the entire thing—but they can also help remind staff of the importance of good sharing practices.

Oversharing Fix #2: Stop Using "Anyone with a link" as the Tenant Default

Why Does This Matter?

Out of the four share link types in M365, AWAL (Anyone with a link) is the last one I would suggest be used as the default link type for an entire tenant. Unfortunately, this is the out-of-the-box setting in M365 that I see too many organizations leave in place.

As the name implies, "Anyone with a link" links allows internal AND external people to access your data. 

Every time a staff member creates a share link to collaborate with someone, it's like creating a new key to your house. Every link can slowly weaken the overall security of your organizational data and increase the risk of a costly data breach.

Additionally, Copilot can surface files that were shared via 'Anyone' links, but only if the receiving users have opened the link at least once. This means that simply creating an 'Anyone' link does not automatically give people blanket access to the shared file.

What Needs to be Done?

Updating share settings at the tenant level is done from the SharePoint Admin center.  

The first thing to review is the 'External Sharing' section, which controls if/how users can share externally in your tenant in SharePoint and OneDrive.  The lower you set the sliders, the more restrictive external sharing becomes.

Note that while OneDrive has it's own slider, you cannot set it to be 'more permissive' than SharePoint.  

Additionally, remember to review the settings found "More external sharing settings", which provide more tools to tighten up external sharing.

The other section to review is "Files and folders", which controls the default share link across OneDrive and SharePoint.  

You can also change default share links at the site level.  Here, you can set the default link to 'People with Existing Access', which is an ideal default since it doesn't contribute to oversharing. 

The downside is that the SharePoint admin UI only allows you to do this one site at a time.  

On the upside, in Orchestry you can set up default sharing permissions for teams, SharePoint sites and Viva Engage communities in our workspace templates. 

Lastly, if your organization has licenses for 'SharePoint Advanced Management' - you can audit your tenant for AWAL share links using the 'Sharing Links' reports.  These licenses are currently $3/user/month and all users must be licensed in order to leverage these reports.

How Does this Help?

Changing your tenant's default share link from 'Anyone with a link' to literally anything else is one of the easiest things you can do to combat oversharing.  

The average user may not think twice about the link they're using to share files.  Help set them up for success by configuring the defaults to something that strikes the right balance between security and convenience.

Oversharing Fix #3: Clean-Up Share Links

Why Does this Matter?

Returning to my home security analogy, every share link created is like copying a key to your home. The more that are out there, the less secure your home/org may become.

Thankfully, unlike house keys, there are a couple ways to manage share links in M365 as administrators and end-users.

What Needs to be Done?

Microsoft offers a few tools to help you audit share links.  However, some of them require additional licenses such as Microsoft Syntex "SharePoint Advanced Management" (SAM).

A couple of notable features with SAM:

• Data Access Governance reports for SharePoint sites. Create reports in the SharePoint admin center to audit the use of different share links across your org.

• Restrict SharePoint site access with Microsoft 365 groups and Entra security groups.  This tool allows you restrict SharePoint sites to specified M365 groups and security groups, so not even share links can override the site-level permissions.

In late, the Syntex branding will be folded into SharePoint Premium.  Among several other features being introduced, it includes a tool called "Site Access Review" which triggers a workflow that will notify group owners to review shared files on their site and delete links that should no longer be active.

Site Access Review in SharePoint Syntex/SharePoint Premium

E5 tenants out there can also leverage the Data Access Reports to track the use of the share link types 'Anyone with a link', 'People in your Org', and 'Specific People'.  These reports will produce a .CSV of the sites that use the highest number of share links.

For the rest of us, there are the Microsoft Purview Audit logs, which can be configured to report on content shared externally.  To use these reports, they need to be downloaded as .CSV files and cleaned up Excel first. 

Once you've prepared your report, you can notify site owners who have high amounts of externally shared files.

Lastly, training users to manually delete share links from the 'Manage Access' window both helps reduce oversharing by reducing the number of links in the wild.

This is a manual process and Microsoft doesn't give end-users much to help with the process.  However, for cleaning up OneDrive URLs, they can use the "Shared by You' page in the web app as a starting point.

How Does this Help?

Whether it's done systematically or ad-hoc, cleaning out old share links across your M365 tenant is key to ensuring content stays secure, and does not stay overshared.

By making these audits a routine task, the organization can start to develop sharing standards and practices over time.  Perhaps eventually eliminating the need for these audits in the first place.

Closing Thoughts

Combating oversharing in M365 is crucial for maintaining data security and compliance with IT governance policies. Conducting regular audits, applying sensitivity labels, and adjusting default share settings are essential steps to combat oversharing.

We've got more tips for you in future posts. Stay proactive, engage with workspace owners, and implement necessary changes to create a secure and efficient digital environment within your organization.