Best practices for sharing files and folders with unauthenticated users
Unauthenticated sharing (Anyone links) can be convenient and is useful in various scenarios. Anyone links are the easiest way to share: people can open the link without authentication and are free to pass it on to others.
Usually, not all content in an organization is appropriate for unauthenticated sharing. This article covers the options available to help you create an environment where your users can use unauthenticated sharing of files and folders, but where there are safeguards in place to help protect your organization's content.
For unauthenticated sharing to work, you must enable it for your organization and for the individual site or team that you'll be using. See Collaborating with people outside your organization for the scenario that you want to enable.
Set an expiration date for Anyone links
Files are often stored in sites, groups, and teams for long periods of time. Occasionally there are data retention policies that require files to be retained for years. If such files are shared with unauthenticated people, this could lead to unexpected access and changes to files in the future. To mitigate this possibility, you can configure an expiration time for Anyone links.
Once an Anyone link expires, it can no longer be used to access content.
To set an expiration date for Anyone links across the organization
- Open the SharePoint admin center, expand Policies, and then select Sharing.
- Under Choose expiration and permissions options for Anyone links, select the These links must expire within this many days check box.
- Type a number of days in the box, and then click Save.
If you change the expiration time, existing links will keep their current expiration time if the new setting is longer, or be updated to the new setting if the new setting is shorter.
To set an expiration date for Anyone links on a specific site
- Open the SharePoint admin center, expand Sites, and then select Active sites.
- Select the site you want to change, and then select Sharing.
- Under Advanced settings for Anyone links, under Expiration of Anyone links, clear the Same as organization-level setting check box.
- Select the These links must expire within this many days option, and type a number of days in the box.
- Select Save.
Note that once an Anyone link expires, the file or folder can be re-shared with a new Anyone link.
You can set Anyone link expiration for a specific site by using Set-SPOSite.
Set-SPOSite -Identity https://contoso.sharepoint.com/sites/marketing -OverrideTenantAnonymousLinkExpirationPolicy $true -AnonymousLinkExpirationInDays 15
Set link permissions
By default, Anyone links for a file allow people to edit the file, and Anyone links for a folder allow people to edit and view files, and upload new files to the folder. You can change these permissions for files and for folders independently to view-only.
If you want to allow unauthenticated sharing, but are concerned about unauthenticated people modifying your organization's content, consider setting the file and folder permissions to View.
To set permissions for Anyone links across the organization
- Open the SharePoint admin center, and select Sharing.
- Under Advanced settings for "Anyone" links, select the file and folder permissions that you want to use.
With Anyone links set to View, users can still share files and folders with guests and give them edit permissions by using Specific people links. These links require people outside your organization to authenticate as guests, and you can track and audit guest activity on files and folders shared with these links.
Set default link type to only work for people in your organization
When Anyone sharing is enabled for your organization, the default sharing link is normally set to Anyone. While this can be convenient for users, it can increase the risk of unintentional unauthenticated sharing. If a user forgets to change the link type while sharing a sensitive document, they might accidentally create a sharing link that doesn't require authentication.
You can mitigate this risk by changing the default link setting to a link that only works for people inside your organization. Users who want to share with unauthenticated people would then have to specifically select that option.
To set the default file and folder sharing link for the organization:
Open the SharePoint admin center, and select Sharing.
Under File and folder links, select Only people in your organization.
To set the default file and folder sharing link for a specific site:
Open the SharePoint admin center, expand Sites, and then select Active sites.
Select the site you want to change, and then select Sharing.
Under Default sharing link type, clear the Same as organization-level setting check box.
Select the Only people in your organization option, and then select Save.
Prevent unauthenticated sharing of sensitive content
You can use Microsoft Purview Data Loss Prevention (DLP) to prevent unauthenticated sharing of sensitive content. Data loss prevention can take action based on a file's sensitivity label, retention label, or sensitive information in the file itself.
To create a DLP rule:
In the Microsoft Purview admin center, go to the Data loss prevention page.
Click Create policy.
Choose Custom and click Next.
Type a name for the policy and click Next.
On the Locations to apply the policy page turn off all settings except SharePoint sites and OneDrive accounts, and then click Next.
On the Define policy settings page, click Next.
On the Customize advanced DLP rules page, click Create rule and type a name for the rule.
Under Conditions, click Add condition, and choose Content contains.
Click Add and choose the type of information for which you want to prevent unauthenticated sharing.
Under Actions click Add an action and choose Restrict access or encrypt the content in Microsoft 365 locations.
Select the Restrict access or encrypt the content in Microsoft 365 locations check box and then choose the Only people who were given access to the content through the "Anyone with the link" options option.
Click Save and then click Next.
Choose your test options and click Next.
Click Submit, and then click Done.
Protect against malicious files
When you allow anonymous users to upload files, you're at an increased risk of someone uploading a malicious file. In organizations with Microsoft Defender for Office 365 Plan 1 or Plan 2 licenses (for example, in Microsoft 365 E5 or as an add-on), you can use the Safe Attachments feature to detonate uploaded files in a sandboxed virtual environment, and quarantine files that are found to be unsafe.
For instructions, see Turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
If you have Microsoft 365 A5 or E5 Security licenses, you can also turn on (and use) the Safe Documents feature. For more information, see Safe Documents in Microsoft 365 A5 or E5 Security.
Add copyright information to your files
If you use sensitivity labels in the Microsoft Purview admin center, you can configure your labels to add a watermark or a header or footer automatically to your organization's Office documents. In this way, you can make sure that shared files contain copyright or other ownership information.
To add a footer to a labeled file
- Open the Microsoft Purview admin center.
- In the left navigation, under Solutions, click Information protection.
- Click the label that you want to have add a footer, and then click Edit label.
- Click Next to reach the Content marking tab, and then turn On content marking.
- Select the check box for the type of text you want to add, and then click Customize text.
- Type the text that you want added to your documents, select the text options that you want, and then click Save.
- Click Next to reach the end of the wizard, and then click Save label.
With content marking enabled for the label, the text you specified will be added to Office documents when a user applies that label.