Nontechnical users often find SharePoint sharing links confusing. They see options like “Anyone,” “People in your organization,” and “Specific people” without understanding the security impact. This confusion can lead to accidental oversharing of sensitive files. The governance checklist in this article helps you explain each link type in plain language. You will learn how to set clear rules so users share files correctly and safely.
Key Takeaways: SharePoint Sharing Links Governance Checklist
- SharePoint admin center > Policies > Sharing: Controls default link types and expiration settings for SharePoint and OneDrive.
- Link type “Specific people”: The most secure option because only named recipients can access the file.
- Link type “Anyone”: Grants access to anyone with the link, including people outside your organization.
- Link expiration and password: Adds time limits and authentication for “Anyone” links to reduce risk.
- Site-level sharing settings: Override tenant defaults for specific SharePoint sites that contain sensitive data.
Understanding SharePoint Sharing Links for Nontechnical Users
SharePoint sharing links are URLs that grant access to files or folders. When a user creates a link, SharePoint assigns a permission level to that link. The permission level depends on the link type chosen. Nontechnical users may not realize that a link can allow editing or even external access. The governance checklist helps you train users to choose the correct link type for each situation.
There are four main link types in SharePoint. Each type has a different security profile. The default link type for your organization is set in the SharePoint admin center. Users can change the link type when sharing a file, but they may not understand the consequences. Your job is to explain these types in simple terms and enforce rules through settings.
The Four Link Types Explained
Anyone link. This link does not require the recipient to sign in. Anyone who has the link can view or edit the file, depending on the permission you set. The link works for people inside and outside your organization. This is the least secure option. Use it only for public content like company newsletters or forms that do not contain personal data.
People in your organization link. This link requires the recipient to sign in with a work or school account from your tenant. External users cannot use it. This is a good default for internal collaboration. It prevents accidental sharing with people outside the company.
People with existing access link. This link does not change permissions. It generates a link that works only for people who already have access to the file. Use this when you want to send a convenience link to someone who already has permission. It does not grant new access.
Specific people link. This link grants access only to the people you name. Recipients must sign in with their Microsoft account or work account. You can add internal and external users. This is the most secure option because you control exactly who gets access.
Governance Checklist for SharePoint Sharing Links
Use this checklist to set rules and train users. Each item includes a plain-language explanation for nontechnical users.
- Set the default link type to “Specific people”
Go to SharePoint admin center > Policies > Sharing. Under “File and folder links,” select “Specific people” as the default. This ensures that every new sharing link requires the user to name recipients. Explain to users: “The default link type makes you choose who gets access. This prevents accidental sharing with the whole company or outsiders.” - Enable link expiration for “Anyone” links
In the same sharing settings, turn on “Expiration” and set a number of days, for example 30. Also require a password for “Anyone” links. Tell users: “If you must use an Anyone link, the link stops working after 30 days. Recipients also need a password you provide separately. This limits how long the file is exposed.” - Restrict “Anyone” links to specific sites
For sites that contain sensitive data, go to Site settings > Permissions > Sharing settings. Set the link type to “Only people in your organization” or “Existing access.” Explain: “This site has confidential files. You cannot create Anyone links here. Share only with named people.” - Train users to choose “Specific people” for internal files
Create a one-page guide that shows the sharing dialog. Highlight the “Specific people” option. Write: “When you share a file with coworkers, always choose ‘Specific people.’ Type their names. This ensures only the right people see the file.” - Audit sharing links regularly
Use the SharePoint admin center > Reports > Sharing links report. Review links that have been created in the last 30 days. Remove links that share sensitive data with too many people. Explain: “We check sharing links monthly to catch mistakes. If you see a link that should not exist, report it to IT.” - Use sensitivity labels to block external sharing
In Microsoft Purview, create a sensitivity label that prevents external access. Apply the label to documents containing personal data. Tell users: “Some files have a label that blocks sharing outside the company. The label is automatic. You cannot override it.” - Remove unused sharing links
Encourage users to delete links after the file is no longer needed. In SharePoint, go to the file, select “Manage access,” and remove the link. Explain: “After a project ends, delete the sharing link. This stops anyone from using an old link to access the file.”
Common Mistakes Users Make and How to Avoid Them
Users share with “Anyone” because it is fast
Users often choose “Anyone” because they do not want to type email addresses. They may not realize the link can be forwarded to outsiders. Fix this by setting the default link type to “Specific people” as described in the checklist. Also, show users how to copy a link to a file that already has permissions set, avoiding the need to create a new link.
Users share a folder instead of individual files
When a user shares a folder, the link grants access to all files in that folder. If the folder contains sensitive subfolders, those become accessible too. Train users to share individual files unless the entire folder is meant to be shared. Use folder-level permissions for project teams instead of sharing links.
Users forget to set expiration on “Anyone” links
Even if the tenant setting requires expiration, users can sometimes bypass it by creating a link with a different type first and then changing it. Enforce expiration at the tenant level and block the ability to change link type after creation. In SharePoint admin center > Policies > Sharing, uncheck “Allow users to change the link type after sharing.”
Users share links with external guests without reviewing permissions
External guests may forward the link to others. Use “Specific people” links for external sharing and require guests to sign in. In SharePoint admin center > Policies > Sharing, select “Only people who have signed in” under “External sharing.” This prevents anonymous access.
| Item | Anyone Link | Specific People Link |
|---|---|---|
| Requires sign-in | No | Yes |
| Accessible by external users | Yes | Only if added |
| Can be forwarded | Yes, to anyone | Only to named people |
| Best use case | Public content | Confidential files |
| Governance risk | High | Low |
The table above compares the two extremes. For most internal sharing, use “People in your organization” as a middle ground.
After implementing this checklist, your nontechnical users will understand why each link type exists and which one to use. Review the sharing settings quarterly to ensure they match your organization’s security needs. For advanced protection, combine sharing links with Microsoft Purview Information Protection to automatically label and encrypt sensitive files.