Introduction #
Unauthenticated sharing (Anyone links) is the most convenient and easiest way to share documents: people can open the link without authentication and are free to pass it on to others.
*For unauthenticated sharing to work, you must enable it for your organization and for the individual site or team that you’ll be using.
However this creates a security flaw when users share and forget stop sharing documents when done. This could lead to unexpected access and changes to files in the future. To mitigate this possibility, we recommend setting an expiration period for Anyone links for all documents in the organisation (tenant) to 30 days.
User Impact #
Medium
Once an Anyone link expires, it can no longer be used to access content using that link. The users will need to re-share the documents (creating a new Anyone link).
Admin Portal Reference #
In the Microsoft 365 Admin Center;
- Go to the SharePoint Admin Center
- In the left navigation, click Sharing.
- Under Choose expiration and permissions options for Anyone links, select the These links must expire within this many days check box.
- Type a number of days in the box, and then click Save.
If Action is set to Notify #
We report the setting is compliant if the Anyone links sharing expiry is turned on and set to the number of days matching the parameter in MSPMagic.
We report the setting is non-compliant if the Anyone links sharing expiry is turned off or the number of days does not match the parameter in MSPMagic.
If Action is set to Enforce #
We report the setting is compliant if the Anyone links sharing expiry is turned on and set to the number of days matching the parameter in MSPMagic.
We report the setting is compliant-fixed when MSPMagic turns on the Anyone links sharing expiry or sets the number of days to match the parameter in MSPMagic.
