If you need to remove anonymous links before a compliance review, you are dealing with shared files and folders that anyone can access without signing in. Anonymous links, also called Anyone links, bypass authentication and expose content to external users. This article explains how to identify these links, how to remove them using SharePoint admin settings and PowerShell, and which policies prevent them from being created again.
Key Takeaways: Removing Anonymous Links for Compliance
- SharePoint admin center > Policies > Sharing: Disable Anyone links at the tenant level to block new anonymous sharing.
- SharePoint Online Management Shell: Use Get-SPOSite and Set-SPOSite to find and remove existing anonymous links site by site.
- Microsoft Purview compliance portal: Create data loss prevention policies to detect and block anonymous links in real time.
Why Anonymous Links Are a Compliance Risk
Anonymous links, also known as Anyone links in SharePoint and OneDrive, let any user with the link access the file or folder without signing in. These links do not expire by default. They remain active until someone manually deletes them or changes the sharing settings.
During a compliance review, auditors check for external sharing that does not meet regulatory standards. Anonymous links fail most compliance frameworks because they provide no audit trail of who accessed the content. Regulations such as GDPR, HIPAA, and SOC 2 require organizations to control and monitor external access. Anonymous links violate these requirements.
The root cause of the risk is that site owners and members can create Anyone links without approval from IT. The default sharing settings in SharePoint allow Anyone links. IT administrators must change these defaults and remove existing links before a compliance review.
Steps to Remove Anonymous Links and Lock Down Sharing
Follow the steps below in the order shown. First, disable the ability to create new Anyone links. Then, remove existing ones. Finally, verify that no anonymous links remain.
Step 1: Disable Anyone Links at the Tenant Level
- Open the SharePoint admin center
Go to https://admin.microsoft.com. In the navigation pane, select Admin centers and then SharePoint. The SharePoint admin center opens. - Navigate to the Sharing settings
In the left menu, select Policies and then Sharing. This page controls external sharing for SharePoint and OneDrive. - Change the external sharing level for SharePoint
Under External sharing for SharePoint, select Specific people (only the people the user specifies). This setting disables Anyone links entirely. Users can still share with guests who sign in. - Change the external sharing level for OneDrive
Under External sharing for OneDrive, select Specific people. Click Save to apply the changes. Existing Anyone links remain active until you remove them.
Step 2: Remove Existing Anonymous Links Using PowerShell
You need the SharePoint Online Management Shell to remove existing Anyone links. Install the module if you have not done so.
- Install the SharePoint Online Management Shell
Open Windows PowerShell as an administrator. Run the command: Install-Module -Name Microsoft.Online.SharePoint.PowerShell. Confirm any prompts. - Connect to SharePoint Online
Run Connect-SPOService -Url https://yourtenant-admin.sharepoint.com. Replace yourtenant with your tenant name. Sign in with a global admin account. - Get a list of all site collections
Run Get-SPOSite -Limit All | Select Url. This shows every site collection in your tenant. Note the URLs you need to scan. - Check sharing status of each site
Run Get-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite | Select SharingCapability. If the value is ExternalUserAndGuestSharing, Anyone links are allowed on that site. - Disable Anyone links on a specific site
Run Set-SPOSite -Identity https://yourtenant.sharepoint.com/sites/yoursite -SharingCapability ExternalUserSharingOnly. This removes the ability to create new Anyone links and converts existing Anyone links to guest links. Guest links require sign-in. - Repeat for all sites
Use a loop in PowerShell: Get-SPOSite -Limit All | ForEach-Object { Set-SPOSite -Identity $_.Url -SharingCapability ExternalUserSharingOnly }. Run this command to apply the change to every site collection.
Step 3: Verify No Anonymous Links Remain
- Use the Sharing report in SharePoint admin center
In the SharePoint admin center, select Reports and then Sharing. This report shows all shared items. Filter by Link type and select Anyone. The report lists any remaining anonymous links. - Remove remaining links manually
For each file or folder listed in the report, go to the item in the browser. Select the three dots and choose Manage access. Under Links, select the Anyone link and click Delete. Confirm the deletion. - Run a PowerShell audit
Use Search-UnifiedAuditLog in Exchange Online PowerShell to search for SharingCreated events with Anyone links. This step is optional but recommended for large tenants.
If Anonymous Links Still Appear After the Main Fix
Anonymous Links Created by Site Owners Before Policy Change
If you only changed the tenant-level sharing setting, existing Anyone links remain active. The PowerShell command in Step 2 converts them to guest links. If you skipped that step, the links still work. Run the Set-SPOSite command again on each site collection.
Anonymous Links in OneDrive for Business
OneDrive uses the same sharing settings as SharePoint. After you change the tenant-level setting, OneDrive users cannot create new Anyone links. To remove existing OneDrive anonymous links, each user must delete them manually. As an admin, you can run Set-SPOSite on each OneDrive site URL. OneDrive site URLs follow the pattern https://yourtenant-my.sharepoint.com/personal/username_domain_com.
Anonymous Links in Microsoft Teams Files
Files shared in Teams channels are stored in the SharePoint site for the team. The same PowerShell commands apply. Navigate to the SharePoint site associated with the team and run Set-SPOSite with ExternalUserSharingOnly. Anonymous links in Teams chats are stored in OneDrive. Remove them using the OneDrive method above.
SharePoint Anonymous Links vs Guest Links: Key Differences
| Item | Anonymous Link (Anyone) | Guest Link (Specific People) |
|---|---|---|
| Authentication required | None | Microsoft account or work account sign-in |
| Audit trail | No record of who accessed the file | Full audit log of guest access |
| Expiration | No default expiration | Can be set with expiration and password |
| Compliance fit | Fails most regulations | Meets GDPR, HIPAA, and SOC 2 requirements |
After you remove all anonymous links and disable the Anyone sharing option, your tenant will meet the requirements of most compliance reviews. The key setting is the external sharing level set to Specific people. Use the SharePoint admin center to verify the setting monthly. For additional protection, create a data loss prevention policy in the Microsoft Purview compliance portal that blocks sharing with Anyone. This policy will prevent users from creating anonymous links even if a site owner later changes the sharing setting.