How to Manage SharePoint and OneDrive External Sharing in Microsoft 365
By default, Microsoft 365 SharePoint and OneDrive allow staff to share files with anyone using a link – even external parties without a Microsoft account. For many Malaysian businesses, this default is too permissive. Client data, financial records and confidential proposals can be unintentionally shared with the wrong people. This guide covers auditing and tightening your sharing settings.
A new Microsoft 365 tenant defaults to allowing Anyone links (fully anonymous sharing). This means staff can generate a link that anyone on the internet can access with no sign-in required. Review and tighten these settings before onboarding staff.
Understanding the Sharing Levels
Microsoft 365 has four sharing levels, from most to least permissive:
| Level | Who Can Access | Suitable For |
|---|---|---|
| Anyone | Anyone with the link, no sign-in required | Public content only – not recommended for business files |
| New and existing guests | External users invited individually or Anyone links | Organisations that regularly collaborate with external parties |
| Existing guests only | Only guests already in your directory | Controlled external access, pre-approved partners |
| Only people in your organisation | Internal staff only | Highly confidential environments, healthcare, finance |
Step 1: Access SharePoint Admin Centre
Open Sharing Settings
Sign in to admin.microsoft.com with a Global Administrator or SharePoint Administrator account. In the left navigation, click Show all to expand all admin centres. Click SharePoint.
In the SharePoint admin centre, go to Policies > Sharing. This page controls sharing settings for both SharePoint sites and OneDrive.
Step 2: Configure Organisation-Wide Sharing
Set the External Sharing Level
The Sharing page shows two sliders:
- SharePoint: Controls sharing for SharePoint sites and document libraries
- OneDrive: Controls sharing from personal OneDrive folders (must be equal to or more restrictive than SharePoint)
For most Malaysian SMEs, the recommended setting is New and existing guests. This allows external sharing when needed but requires guests to sign in, creating an audit trail.
For organisations handling sensitive client data (law firms, clinics, accountants), consider Existing guests only or Only people in your organisation.
Move the sliders to your chosen level and save.
Configure Link Expiry and Passwords
Scroll down on the Sharing page to configure additional controls:
- Choose expiration and permissions options for Anyone links: Enable "These links must expire within this many days" and set it to between 7 and 30 days. This ensures anonymous links do not stay active indefinitely.
- File and folder link permissions: Change the default permission from "Anyone with the link can edit" to "Anyone with the link can view". Users can always grant more permissions when sharing, but this prevents accidental edit access.
- Require password for Anyone links: Consider enabling this for an extra layer of protection on anonymous links.
Step 3: Audit Existing External Shares
Review Active External Shares
In the SharePoint admin centre, go to Reports > Sharing links. This report shows all currently active sharing links across your organisation:
- File or folder being shared
- Link type (Anyone, People in organisation, Specific people)
- Created by (which staff member shared it)
- Created date and expiry (if set)
Review this list and identify any Anyone links to sensitive files. Contact the creator to confirm these links are still needed, or delete them directly from this report.
Step 4: Configure Site-Level Sharing
Restrict Specific SharePoint Sites
For highly sensitive document libraries (e.g. HR, Finance, Legal), you can override the organisation-wide sharing setting with a more restrictive site-level setting.
In the SharePoint admin centre, go to Sites > Active Sites. Click the site name. Click Policies > External file sharing. Set the sharing level for this specific site. A Finance SharePoint site might be set to Only people in your organisation even if the organisation default allows guest sharing.
Schedule a monthly review of the Sharing Links report. As staff create links for legitimate purposes, these links accumulate over time. An expiry policy combined with monthly cleanup keeps your sharing posture clean without disrupting day-to-day collaboration.
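The settings from Steps 2 and 4 can also be checked from the SharePoint Online Management Shell during that monthly review. The script below is an added example, not part of the original guide: it only reads settings and lists where they are looser than the levels recommended above. The tenant name "contoso" and the Finance site URL are placeholders, and the Microsoft.Online.SharePoint.PowerShell module is assumed to be installed.

```powershell
# Added example: read-only audit of sharing settings against this guide's baseline.
# Assumes the Microsoft.Online.SharePoint.PowerShell module is installed.
# The tenant name "contoso" and the Finance site URL are placeholders.
$AdminUrl        = 'https://contoso-admin.sharepoint.com'
$RestrictedSites = @('https://contoso.sharepoint.com/sites/Finance')
Connect-SPOService -Url $AdminUrl

# SharingCapability values ranked from least to most permissive.
$Rank = @{
    Disabled                        = 0  # Only people in your organisation
    ExistingExternalUserSharingOnly = 1  # Existing guests only
    ExternalUserSharingOnly         = 2  # New and existing guests
    ExternalUserAndGuestSharing     = 3  # Anyone
}
$MaxLevel = 'ExternalUserSharingOnly'    # Step 2 recommendation for most SMEs

function New-Finding($Scope, $Setting, $Value, $Expected) {
    [pscustomobject]@{ Scope = $Scope; Setting = $Setting; Value = "$Value"; Expected = $Expected }
}

$tenant   = Get-SPOTenant
$findings = @()

# Step 2: both organisation-wide sliders (SharePoint and OneDrive).
foreach ($name in 'SharingCapability', 'OneDriveSharingCapability') {
    $value = $tenant.$name
    if ($Rank["$value"] -gt $Rank[$MaxLevel]) {
        $findings += New-Finding 'Tenant' $name $value "$MaxLevel or stricter"
    }
}
# Step 2: Anyone links need an expiry (guide suggests 7 to 30 days) and a view-only default.
$days = $tenant.RequireAnonymousLinksExpireInDays
if ($days -lt 1 -or $days -gt 30) {
    $findings += New-Finding 'Tenant' 'RequireAnonymousLinksExpireInDays' $days 'set, 30 days or less'
}
if ("$($tenant.DefaultLinkPermission)" -ne 'View') {
    $findings += New-Finding 'Tenant' 'DefaultLinkPermission' $tenant.DefaultLinkPermission 'View'
}
# Step 4: sites that allow Anyone links, and sensitive sites that allow any external sharing.
foreach ($site in Get-SPOSite -Limit All) {
    $level = "$($site.SharingCapability)"
    if ($Rank[$level] -gt $Rank[$MaxLevel]) {
        $findings += New-Finding $site.Url 'SharingCapability' $level "$MaxLevel or stricter"
    } elseif ($site.Url -in $RestrictedSites -and $level -ne 'Disabled') {
        $findings += New-Finding $site.Url 'SharingCapability' $level 'Disabled'
    }
}
$findings | Format-Table -AutoSize
```

An empty result means the tenant and every listed site are at or below the chosen level; this checks settings only and does not replace reviewing the individual links in the Sharing links report.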
Need IT Help in Malaysia?
Cybergate provides Microsoft 365 Malaysia for businesses across Malaysia. Our team is available Monday to Saturday, 9am to 6pm.
