SharePoint permissions and sharing links are a pretty hot topic due to the difficulty in managing them. But, it’s not just a management issue - creating these links can cause other issues in your tenancy that many people don’t realise.
There are some much more obvious issues with Sharing Links - they bypass normal permission models, there is little audit capability, they’re hard to clean up and they can be set to anonymous access - meaning you could have links accessible to anyone.
In this post I’ll describe a weird, common, real world problem with sharing links and something that has probably already happened in your organisation. I’ll also suggest two third party products that can clean these links up, and how they (and we) can prevent it from happening again.
So, you know how everyone always tells you to not use unique permissions on your documents and libraries?
No, I’m serious.
See that Copy Link button on the top right in Microsoft Word, when you open a SharePoint document? Click it, go on:
What happens when you click that?
Now that inheritance is broken, what does that mean? It means that any changes in permissions you make to the site, do not inherit down to the library.
So, for example, if Adele has been explicitly added as a Reader to the site, then she’ll also have access to everything within. This is expected. When Adele is removed, however, you would expect her to lose access to the libraries and documents within - but she doesn’t.
Now, this doesn’t matter if you’re carefully using the correct Site Owners and Site Members groups for membership - but that’s not always the case.
Here are my site permissions. I’m managing all permissions at the site level, and they currently cascade down to all libraries and documents:
Here are my library permissions (inheriting as expected, nothing to see here):
Here is a document in that library.
Right now the document has no sharing links, and no unique permissions, and also inherits its permissions from the site. All normal, default state.
Now, open the document and, in Microsoft Word, select Copy Link:
OK, let’s check that library again:
Huh!? Yep - inheritance broken, on the library. 🤯
Now remove Adele from the site permissions, and re-inspect the library. Adele retains access to it, and all documents within.
If someone has created a Sharing Link, then users with explicit site permissions will get permanent access to the document and its parent library - even when removed from the site.
The most frustrating part of this is that there doesn’t appear to be any logical reason for changing the library permissions. If you create a sharing link, it makes sense to break inheritance on the document. It’s a headache, and potentially causes security issues, but it’s understandable. For libraries, however, it makes no sense at all.
You may have noticed that there are two options - Copy Link and Share. Now, personally I find this confusing - why isn’t this just one option?
The library inheritance issue shown above only happens when you hit ‘Copy Link’, and only the first time, before the document has been shared at all. The same option is also available in the ‘Share’ dialog, so ‘Copy Link’ could be reached from the “Share” option instead, which would reduce the chances of unnecessary sharing links being created:
The point is, when you click Share, it lets you add specific users, and send the link to them via email. A sharing link is not created in this scenario and the issue doesn’t occur. It only happens when you create a Sharing Link which is a special format that looks like this:
Well, you can take the extreme route and go ahead and turn off sharing, if you want. That’s going to annoy your users though - sharing links are a valuable tool that people use every day.
If you don’t want to turn off sharing links, then you can manage the situation.
There are a few ways to manage it:
Well, since you asked, I know about two products that do this kind of thing.
DeliverPoint is a tool that is built to run inside SharePoint, using delegated permissions (the identity of the current user). It is pretty flexible in being able to run reports of things like permission types, broken inheritance, and sharing links. It can be scoped to either a specific site, a collection of sites, or maybe just a specific library - and run those reports automatically on a scheduled basis.
I think it’s especially valuable in situations where permissions are restricted - many organisations restrict apps to those which only use delegated permissions.
It’s priced based on the tenant, so there’s a base price plus a small extra cost per user.
You can get more information on DeliverPoint here.
Orchestry is very much an all-encompassing service designed for monitoring many aspects of your M365 environment. It runs at the tenant level, using App-only permissions for certain Graph APIs which give it the elevated privileges required to fully monitor your tenant and its content. From this, it can pull all sorts of statistics from your SharePoint audit logs, Microsoft Graph, and other sources. All that data is then used to provide insights into potential issues like stale sites and sprawl, permissions issues, Copilot readiness, and so on. They have tons of other out of the box reports, not just Sharing Links.
You can find more information on Orchestry here, or if you need an Orchestry implementation partner in the UK, I can heartily recommend Your365Coach. (No-one’s paying me to say that.)
All the sharing links in your environment can be retrieved via various APIs or by using PowerShell. If you’re IT-oriented and you need to sort out your sharing links, you can get a list of all links with a couple of different techniques outlined in Reshmee Auckloo’s excellent and detailed post here.
Furthermore, once you’ve exported them, you want to do something with them right? If you’re deleting them, or moving content, or migrating to another tenant - then you need to map back to the original document URL. You can do this with PowerShell shown in another of Reshmee’s posts here.
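To see both halves of this problem in one pass - libraries whose inheritance has been broken by a Copy Link, and principals (like Adele) who still hold rights on such a library despite no longer being granted anything at the site level - here is an added PowerShell example. It is my own illustration, not code from the original post, from Reshmee’s posts, or from any of the products mentioned. It assumes the PnP.PowerShell module is installed, that you have at least read access to the site’s permissions, and that the site URL is a placeholder you replace with your own; the `SharingLinks.*` group naming it matches on is how SharePoint materialises sharing links as site groups.

```powershell
# Added example (not from the original post): report document libraries whose
# permission inheritance is broken, and within them any sharing-link groups or
# principals that are no longer granted a role at the site (web) level.
# Assumes the PnP.PowerShell module; the site URL is a placeholder.
# Read-only: it never changes any permission.

param(
    # Placeholder - replace with a site you administer.
    [string]$SiteUrl = "https://contoso.sharepoint.com/sites/EXAMPLE-SITE"
)

Connect-PnPOnline -Url $SiteUrl -Interactive

# 1. Collect every principal (user or group) that holds a role directly on the web.
#    Anything granted on a library but absent here is the "Adele keeps access
#    after being removed from the site" case described in the post.
$web = Get-PnPWeb
$webAssignments = Get-PnPProperty -ClientObject $web -Property RoleAssignments
$webPrincipals = @{}
foreach ($ra in $webAssignments) {
    $member = Get-PnPProperty -ClientObject $ra -Property Member
    $webPrincipals[$member.LoginName] = $true
}

# 2. Walk the document libraries (BaseTemplate 101), skipping hidden system lists.
$report = @()
$libraries = Get-PnPList | Where-Object { $_.BaseTemplate -eq 101 -and -not $_.Hidden }

foreach ($lib in $libraries) {
    $unique = Get-PnPProperty -ClientObject $lib -Property HasUniqueRoleAssignments
    if (-not $unique) { continue }   # still inheriting from the site: nothing to see here

    $assignments = Get-PnPProperty -ClientObject $lib -Property RoleAssignments
    foreach ($ra in $assignments) {
        $member = Get-PnPProperty -ClientObject $ra -Property Member
        $roles  = Get-PnPProperty -ClientObject $ra -Property RoleDefinitionBindings

        # Sharing links show up as SharePoint groups named "SharingLinks.<guid>.<type>.<guid>".
        $isSharingLink = $member.Title -like "SharingLinks.*"

        # A non-link principal with rights here but none at the web level has
        # outlived its site-level grant because the library stopped inheriting.
        $orphaned = (-not $isSharingLink) -and (-not $webPrincipals.ContainsKey($member.LoginName))

        if ($isSharingLink -or $orphaned) {
            $finding = if ($isSharingLink) { "SharingLink" } else { "NotGrantedAtSiteLevel" }
            $report += [pscustomobject]@{
                Library   = $lib.Title
                Principal = $member.Title
                Roles     = ($roles | ForEach-Object { $_.Name }) -join ", "
                Finding   = $finding
            }
        }
    }
}

# 3. Print the findings; pipe to Export-Csv instead if you want to action them later.
$report | Sort-Object Library, Finding | Format-Table -AutoSize
```

The report deliberately does not delete anything: a `NotGrantedAtSiteLevel` row may be a deliberate library-only grant rather than a leftover, so review it before restoring inheritance or removing the principal. Libraries that are still inheriting are skipped entirely, since fixing the site membership fixes them too.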
Thanks for asking! Helm Workspaces is a workspaces platform which will take the business metadata you’ve got stored in a SharePoint List, and synchronise it with relevant workspaces. For the purposes of preventing data being shared with the wrong people, it takes care of synchronising the security of those workspaces (for example, sites or libraries). If unique users need to be added, it’ll create a group for you to manage it.
Contact us to have a chat or book a demo.