You changed a OneDrive sharing policy in the Microsoft 365 admin center expecting to immediately block or restrict all shared links. But existing links continue to work, and users can still access files you intended to lock down. This happens because OneDrive applies new sharing policies only to links created after the policy change, not to links that already exist. This article explains the technical reason for this behavior, provides steps to manage existing links, and shows you how to enforce policies retroactively when needed.
Key Takeaways: OneDrive Sharing Policies and Existing Links
- Microsoft 365 admin center > SharePoint > Policies > Sharing: Changes here apply only to new links created after the policy is saved.
- OneDrive > Shared > Manage access: Manually revoke or update permissions on existing links one at a time.
- SharePoint Online Management Shell: Use PowerShell to bulk-modify or delete existing sharing links across the tenant.
Why Policy Changes Do Not Retroactively Apply to Existing Links
OneDrive and SharePoint use a permission-token model for sharing links. When you create a sharing link, the system generates a unique token that grants access to the target file or folder. The token stores the access permissions at the moment of creation, not a reference to the current tenant policy.
When you update a sharing policy in the Microsoft 365 admin center or SharePoint admin center, OneDrive records the new policy rules. All new links created after the policy change will follow the updated restrictions. Existing tokens remain unchanged because the system does not retroactively re-issue or invalidate them. This design prevents service interruptions for users who rely on ongoing collaboration through shared links.
The same behavior applies to changes in external sharing settings, link expiration defaults, and permission levels. For example, if you switch from Allow anyone links to Specific people links, existing Anyone links still work until someone manually revokes them or the link expires based on its own expiration date.
Steps to Manage Existing Sharing Links After a Policy Change
To enforce new sharing policies on links that were created before the policy change, you must take manual or scripted action. Below are two methods: the OneDrive web interface for individual links and PowerShell for bulk operations.
Method 1: Revoke or Update Links Using the OneDrive Web Interface
- Open the OneDrive website
Go tohttps://onedrive.live.comand sign in with your work or school account. - Navigate to the Shared section
In the left navigation pane, select Shared. Then choose Shared by you to see all links you have created. - Locate the link you want to change
Scroll through the list or use the search box to find the file or folder associated with the link. - Open Manage access
Select the file or folder, then click the Manage access icon a person with a gear icon in the toolbar. A panel opens showing all sharing links and direct permissions. - Revoke or modify the link
To remove the link entirely, click the three dots next to the link and select Delete link. To change permissions, click the three dots and choose Change permissions for example, switch from Anyone to Specific people. - Confirm the change
Click Apply or Delete to save the update. The link is immediately updated or removed.
Method 2: Bulk-Revoke Existing Links Using PowerShell
- Install the SharePoint Online Management Shell
Open PowerShell as an administrator and runInstall-Module -Name Microsoft.Online.SharePoint.PowerShell. Press Y to confirm. - Connect to SharePoint Online
RunConnect-SPOService -Url https://yourtenant-admin.sharepoint.comand sign in with a SharePoint admin account. - Get all sharing links for a site
RunGet-SPOSite -Identity https://yourtenant-my.sharepoint.com/personal/user_upn | Get-SPOSiteSharingLinkto list all active sharing links on a specific OneDrive site. - Filter links by type or permission
Use PowerShell filtering to target specific link types. For example,Get-SPOSiteSharingLink -SiteUrl https://yourtenant-my.sharepoint.com/personal/user_upn | Where-Object {$_.Scope -eq "Anyone"}returns all Anyone links. - Delete the filtered links
RunGet-SPOSiteSharingLink -SiteUrl https://yourtenant-my.sharepoint.com/personal/user_upn | Where-Object {$_.Scope -eq "Anyone"} | Remove-SPOSiteSharingLink. Confirm each deletion by pressing Y. - Repeat for each affected site
Run the same commands for each OneDrive site or SharePoint site that needs policy enforcement.
If Existing Links Continue Working Despite Policy Changes
Links created before the policy change still work
This is the expected behavior as explained in the Background section. To stop these links, use the manual or PowerShell methods above. There is no tenant-wide toggle to retroactively invalidate all existing links.
Users can still create Anyone links after you changed the policy
Check that the policy change has fully propagated. Go to Microsoft 365 admin center > SharePoint > Policies > Sharing. Under External sharing, verify the correct level is selected. Also confirm that the policy applies to OneDrive specifically. The setting at the tenant level may not apply to OneDrive if a custom policy is set at the site level. Navigate to SharePoint admin center > Sites > Active sites, select the OneDrive root site, and choose Sharing to verify the site-level setting.
PowerShell commands fail with permission errors
Ensure you are using a SharePoint admin role, not just a global admin. The account must have the SharePoint admin role assigned in the Microsoft 365 admin center. Also verify that the SharePoint Online Management Shell module is updated to the latest version by running Update-Module -Name Microsoft.Online.SharePoint.PowerShell.
Policy Change Impact: New Links vs Existing Links
| Item | New links created after policy change | Existing links created before policy change |
|---|---|---|
| Policy enforcement | Follow new policy immediately | Not affected by policy change |
| Permission scope | Restricted by updated settings | Remain at original permission level |
| Expiration date | Uses new default expiration if set | Uses original expiration date |
| External sharing type | Blocked if policy restricts | Still accessible if originally Anyone |
| Revocation method | None needed | Manual revoke or PowerShell bulk delete |
OneDrive sharing policy changes do not retroactively affect existing links because of the token-based permission model. To enforce new rules on older links, use the Manage access panel for individual links or the SharePoint Online Management Shell for bulk operations. Always test policy changes in a small site collection first before rolling out tenant-wide. For ongoing management, schedule a periodic PowerShell script to scan and remove outdated sharing links that no longer match your current security requirements.