OneDrive for Business administrators often rely on the External Sharing Report in the Microsoft 365 admin center to audit who has access to shared files. A common problem is that this report does not include anonymous guest links that were created before a specific date or policy change. These old anonymous links, often called “Anyone” links, remain active and can grant access to files without appearing in the standard sharing report. This article explains why the report misses these links and provides a step-by-step method to locate and manage them using Microsoft Graph PowerShell.
Key Takeaways: Finding and Removing Old Anonymous Links
- Microsoft 365 admin center > Reports > Sharing: Displays only recent external sharing activity and does not enumerate all active anonymous links.
- Microsoft Graph PowerShell cmdlet Get-SPOSiteGroup: Lists all sharing links, including old anonymous links, for a specific site.
- Microsoft Graph PowerShell cmdlet Remove-SPOSiteGroup: Removes an anonymous link group to revoke all access granted through that link.
Why the External Sharing Report Omits Old Anonymous Links
The External Sharing Report in the Microsoft 365 admin center is an activity log, not a full inventory of all sharing links. It records events such as when a user sends an invitation, creates a sharing link, or changes permissions. Once a link is created, the report stops tracking it unless someone interacts with it again. Anonymous links, particularly those set to “Anyone with the link,” do not generate ongoing activity. If a user created an anonymous link six months ago and nobody has clicked it since, that link will not appear in the default report.
Another reason is that the report filters by date range, typically showing the last 30 days. Links created before that range are excluded entirely. Additionally, the report focuses on user-driven sharing events and does not scan all site collections for persistent link objects. Anonymous links are stored as hidden SharePoint groups within each site. The report does not query these groups. To find old anonymous links, you must use a tool that can enumerate all sharing link objects across your tenant.
Steps to Find and Manage Old Anonymous Links Using PowerShell
- Install the SharePoint Online Management Shell
Open Windows PowerShell as an administrator and run the commandInstall-Module -Name Microsoft.Online.SharePoint.PowerShell. Press Enter and confirm any installation prompts. This module is required to run SharePoint-specific cmdlets. - Connect to SharePoint Online
RunConnect-SPOService -Url https://yourtenant-admin.sharepoint.com. Replaceyourtenantwith your actual tenant name. Sign in with a global admin or SharePoint admin account when prompted. - Get a list of all site collections
RunGet-SPOSite -Limit All | Select-Object Url. This returns the URL of every site collection in your tenant. Note the URL of the site where you suspect old anonymous links exist. For a targeted search, you can filter by site name or useGet-SPOSite -Identity "https://yourtenant.sharepoint.com/sites/sitename". - List all sharing link groups for a site
RunGet-SPOSiteGroup -Site https://yourtenant.sharepoint.com/sites/sitename | Where-Object {$_.Title -like "SharingLinks"}. This command returns all groups whose title contains “SharingLinks.” Anonymous links are stored in groups with a title format likeSharingLinks.12345678-1234-1234-1234-123456789012. Each group represents one anonymous link. - Inspect the members of a sharing link group
RunGet-SPOSiteGroup -Site https://yourtenant.sharepoint.com/sites/sitename -Group "SharingLinks.12345678-1234-1234-1234-123456789012" | Select-Object Users. This shows the email addresses or user names that have accessed the link. If the group contains “Everyone except external users” or “Everyone,” the link is an anonymous link. - Remove an old anonymous link
To revoke access, runRemove-SPOSiteGroup -Site https://yourtenant.sharepoint.com/sites/sitename -Group "SharingLinks.12345678-1234-1234-1234-123456789012". Confirm the removal when prompted. This deletes the link group and immediately blocks all access through that link. The underlying file or folder permissions remain unchanged for other users.
If You Still Cannot Find All Old Anonymous Links
Anonymous links created before a tenant-wide policy change
If your organization changed the default sharing link type from “Anyone” to “Specific people” or “People in your organization,” links created before that change remain active. The External Sharing Report does not retroactively scan for these pre-change links. Use the PowerShell method above to search all site collections. Consider running a script that loops through every site and exports all sharing link groups to a CSV file for offline review.
Anonymous links on OneDrive personal sites
OneDrive personal sites (user profiles) also store anonymous links. The Get-SPOSite cmdlet includes these sites by default. To filter for OneDrive sites only, look for URLs containing -my.sharepoint.com/personal/. Run Get-SPOSite -IncludePersonalSite $true -Limit All | Where-Object {$_.Url -like "/personal/"} to get a list of OneDrive sites. Then apply the same Get-SPOSiteGroup and Remove-SPOSiteGroup steps to each site.
Anonymous links in deleted sites
When a site is deleted and moved to the SharePoint recycle bin, its anonymous links are preserved. The Get-SPOSite cmdlet does not show deleted sites by default. Run Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like 'https://yourtenant.sharepoint.com/sites/deletedsite'" after restoring the site from the recycle bin. Alternatively, use the SharePoint admin center to restore the site, then run the PowerShell steps to remove the links.
External Sharing Report vs PowerShell Enumeration: Key Differences
| Item | External Sharing Report | PowerShell Enumeration |
|---|---|---|
| Scope | Recent sharing events (last 30 days) | All sharing link groups across all sites |
| Anonymous links included | Only those with recent activity | All anonymous links regardless of age |
| Ability to remove links | No | Yes, via Remove-SPOSiteGroup |
| Requires admin roles | Global reader or higher | SharePoint admin or global admin |
| Output format | Web-based table or CSV export | PowerShell objects (exportable to CSV) |
The External Sharing Report is useful for monitoring recent sharing activity and user behavior. PowerShell enumeration is required for a complete audit of all anonymous links, especially those created months or years ago. Use both tools together: run the report for weekly monitoring and run the PowerShell script quarterly to clean up old anonymous links.
You can now locate and remove old anonymous links that the External Sharing Report misses. The key is to use the Get-SPOSiteGroup and Remove-SPOSiteGroup cmdlets in the SharePoint Online Management Shell. For ongoing audits, schedule a PowerShell script to run monthly and export the results to a CSV file. As an advanced tip, combine this with the Set-SPOTenant -SharingCapability cmdlet to restrict future anonymous link creation, preventing the problem from recurring.