When users share files from OneDrive, they can create links that let anyone with the link access the content. These Anyone links do not require sign-in or authentication. This creates a security risk because the link can be forwarded or discovered by unintended recipients. This article explains how to block users from creating Anyone links in OneDrive using SharePoint admin settings and group policies.
Key Takeaways: Restrict Anyone Links in OneDrive
- SharePoint admin center > Policies > Sharing: The master toggle that controls whether Anyone links are allowed across SharePoint and OneDrive
- OneDrive admin center > Sync > Sharing settings: Per-site controls to limit link types available to users
- Windows Group Policy or Intune: On-premises or cloud policy to enforce the restriction on managed devices
How Anyone Links Work in OneDrive
Anyone links are the most permissive sharing option in OneDrive. When a user creates an Anyone link, the recipient does not need to sign in with a Microsoft account or organizational account. The link can be opened by anyone who has the URL. This includes people outside your organization. The link can also be forwarded to others, and anyone with the forwarded link can access the file.
By default, Anyone links are enabled in the Microsoft 365 tenant. The setting is controlled at the tenant level in the SharePoint admin center. The same setting applies to both SharePoint Online and OneDrive for Business. There is no separate OneDrive-only toggle for Anyone links. Blocking Anyone links in SharePoint also blocks them in OneDrive.
The restriction affects all users in the tenant. You cannot selectively block Anyone links for a subset of users using the admin center alone. For granular control, you must use PowerShell or sensitivity labels.
Steps to Block Anyone Links in OneDrive
Method 1: Block Anyone Links in the SharePoint Admin Center
This method changes the tenant-wide sharing default. The change applies to all SharePoint sites and all OneDrive accounts.
- Sign in to the Microsoft 365 admin center
  Go to https://admin.microsoft.com and sign in with a Global Admin or SharePoint Admin account.
- Open the SharePoint admin center
  In the left navigation, select Admin centers and then SharePoint.
- Go to Policies > Sharing
  In the left menu of the SharePoint admin center, select Policies, then Sharing.
- Change the external sharing setting
  Under External sharing, locate the OneDrive section. Select New and existing guests or Only people in your organization. Do not select Anyone. If you choose Only people in your organization, users cannot share with anyone outside the tenant. If you choose New and existing guests, users can share with authenticated guests but not via Anyone links.
- Save the setting
  Click Save at the bottom of the page. The change takes effect within a few minutes.
Method 2: Block Anyone Links for Specific OneDrive Sites Using PowerShell
If you need to block Anyone links for specific users or sites, use the SharePoint Online Management Shell. This method overrides the tenant default for individual OneDrive sites.
- Install the SharePoint Online Management Shell
  Open Windows PowerShell as an administrator. Run `Install-Module -Name Microsoft.Online.SharePoint.PowerShell`.
- Connect to SharePoint Online
  Run `Connect-SPOService -Url https://yourtenant-admin.sharepoint.com`. Replace `yourtenant` with your tenant name. Sign in with a SharePoint Admin account.
- Get the OneDrive site URL for the user
  Run `Get-SPOSite -IncludePersonalSite $true -Filter "Url -like '-my.sharepoint.com/personal/'" | Select-Object Url`. Note the URL for the target user.
- Block Anyone links on that site
  Run `Set-SPOSite -Identity https://yourtenant-my.sharepoint.com/personal/user_domain_com -SharingCapability ExternalUserSharingOnly`. Replace the URL with the user’s OneDrive site URL. The value `ExternalUserSharingOnly` allows sharing with authenticated guests but blocks Anyone links; `ExternalUserAndGuestSharing` is the value that permits Anyone links, so do not use it here. Use `Disabled` to block all external sharing.
Method 3: Use Sensitivity Labels to Block Anyone Links
Sensitivity labels give you the most granular control. You can apply a label that blocks Anyone links to specific files or folders.
- Open the Microsoft Purview compliance portal
  Go to https://compliance.microsoft.com and sign in with a Compliance Admin or Global Admin account.
- Create a new sensitivity label
  Go to Information protection > Labels. Click Create a label. Give the label a name like No Anyone Links.
- Configure encryption and access control
  In the label wizard, select Encryption. Choose Configure encryption settings. Under Assign permissions now, select Let users assign permissions and choose Only people in your organization. This blocks Anyone links because the label requires authenticated access.
- Publish the label
  After creating the label, publish it to the users or groups who need it. Users can then apply the label to files or folders in OneDrive.
Common Issues After Blocking Anyone Links
Users Still See the Anyone Link Option
If users still see the Anyone option in the Share dialog, the tenant setting may not have propagated. Wait up to 24 hours for the change to apply. Also check that the OneDrive site-level setting was not overridden by a custom policy. Use the PowerShell method to verify the site’s SharingCapability property.
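The script below is an added example, not part of the original article. It covers both the per-site change in Method 2 and the SharingCapability check described above: it reports every OneDrive site whose effective setting still permits Anyone links and dry-runs the fix. It assumes an existing `Connect-SPOService` session; the function names and the `AllowsAnyoneLinks` column are hypothetical. `ExternalUserAndGuestSharing` is the SharingCapability value that permits Anyone links and `ExternalUserSharingOnly` corresponds to New and existing guests.

```powershell
#Requires -Modules Microsoft.Online.SharePoint.PowerShell
# Added example. Assumes Connect-SPOService was already run as a SharePoint Admin.

function Get-OneDriveSharingAudit {
    # A site can be more restrictive than the tenant, never more permissive,
    # so Anyone links are only effective when tenant, OneDrive and site all allow them.
    $tenant = Get-SPOTenant
    $anyone = 'ExternalUserAndGuestSharing'
    $tenantAllows = ([string]$tenant.SharingCapability -eq $anyone) -and
                    ([string]$tenant.OneDriveSharingCapability -eq $anyone)

    Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'" |
        ForEach-Object {
            [pscustomobject]@{
                Url               = $_.Url
                Owner             = $_.Owner
                SharingCapability = [string]$_.SharingCapability
                AllowsAnyoneLinks = $tenantAllows -and ([string]$_.SharingCapability -eq $anyone)
            }
        }
}

function Set-OneDriveNoAnyoneLinks {
    # Hypothetical helper: limits one OneDrive site to authenticated guests.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Url
    )
    process {
        if ($PSCmdlet.ShouldProcess($Url, 'Set SharingCapability to ExternalUserSharingOnly')) {
            Set-SPOSite -Identity $Url -SharingCapability ExternalUserSharingOnly
        }
    }
}

# Report first, then preview the change; remove -WhatIf to apply it.
$audit = Get-OneDriveSharingAudit
$audit | Sort-Object AllowsAnyoneLinks -Descending | Format-Table -AutoSize
$audit | Where-Object AllowsAnyoneLinks | Set-OneDriveNoAnyoneLinks -WhatIf
```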
Blocking Anyone Links Breaks Existing Shared Links
Existing Anyone links continue to work after you change the setting. To invalidate existing Anyone links, run Set-SPOSite -Identity and then use Revoke-SPOUserSession for each user. Alternatively, use the SharePoint admin center to generate a new sharing report and manually revoke links.
Users Cannot Share with External Guests at All
If you set the sharing option to Only people in your organization, users cannot share with any external person. This includes clients, vendors, or partners. To allow guest sharing while blocking Anyone links, use New and existing guests instead.
Anyone Links vs Other Link Types: Key Differences
| Item | Anyone Link | People in Your Organization Link |
|---|---|---|
| Authentication required | No | Yes – Microsoft 365 or organizational account |
| Accessible by external users | Yes | No – only internal users |
| Can be forwarded freely | Yes – anyone with the URL can access | No – recipient must be in the same organization |
| Expiration and password options | Available but optional | Available but optional |
| Block via admin center | Yes – change external sharing setting | N/A – this is the restricted option |
After blocking Anyone links, users can still create People in Your Organization links and Specific People links. These require authentication and are more secure. Audit log events for sharing will show the link type as InternalLink or GuestLink instead of AnonymousLink. Review the audit log regularly to confirm compliance with your sharing policy. To further tighten security, consider setting expiration dates on all new sharing links.
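One way to run the audit log review described above, as an added example that is not part of the original article. It assumes an existing `Connect-ExchangeOnline` session with audit search rights and uses the unified audit log operation names `AnonymousLinkCreated`, `AnonymousLinkUpdated` and `AnonymousLinkUsed`, which do not appear on this page; the function name and the seven-day window are hypothetical.

```powershell
# Added example. Assumes Connect-ExchangeOnline was already run by an account
# that is allowed to search the unified audit log.

function Get-AnyoneLinkAuditEvents {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),   # constructed default window
        [string[]]$Operations = @('AnonymousLinkCreated', 'AnonymousLinkUpdated', 'AnonymousLinkUsed')
    )

    $records = Search-UnifiedAuditLog -StartDate $Since -EndDate (Get-Date) -Operations $Operations -ResultSize 5000

    foreach ($record in $records) {
        # AuditData is a JSON string; SiteUrl and ObjectId identify the shared item.
        $data = $record.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            TimeUtc   = $record.CreationDate
            Operation = $record.Operations
            User      = $record.UserIds
            SiteUrl   = $data.SiteUrl
            Item      = $data.ObjectId
        }
    }
}

$events = Get-AnyoneLinkAuditEvents

# New Anyone links after the policy change point to a site or setting that was missed.
$events | Where-Object Operation -eq 'AnonymousLinkCreated' |
    Group-Object SiteUrl | Sort-Object Count -Descending |
    Select-Object Count, Name

# Use of older Anyone links shows which existing links are still being opened.
$events | Where-Object Operation -eq 'AnonymousLinkUsed' |
    Sort-Object TimeUtc -Descending |
    Select-Object TimeUtc, SiteUrl, Item -First 20
```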