Why does oversharing happen?

The Microsoft 365 architecture makes oversharing (too) easy

Microsoft 365 was designed with IT Professionals in mind, but for users, it can get especially complicated when it comes to permissions. To help you better understand oversharing, let’s take a look at where it can happen.

First, there are two types of “containers.” In Microsoft 365 collaboration, the most common one is the Microsoft 365 Group. Each time you create a Microsoft Teams team, you create a Microsoft 365 Group that includes a SharePoint site, an Exchange mailbox, and optionally other things, such as a plan in Planner.

Every time you add someone to the team, you don’t only give them access to the chat; you make them a member of the whole Microsoft 365 Group, which includes every file in the SharePoint site associated with that team.

Microsoft 365 groups

We also have standalone SharePoint sites (for example, a communication site) or classic SharePoint sites if you still have any of those around.

Standalone SharePoint sites

TIP: Always share the minimum amount of information needed rather than the whole container. In Teams, consider shared channels when you need a dedicated space to work with someone who doesn't need access to the entire group: a shared channel has its own SharePoint site, so its members only see that channel's files.

Now, let’s look at SharePoint and OneDrive more specifically. The last time you shared a document in SharePoint, did you simply click Share and then Copy link without looking at any of the options?

Microsoft 365 sharing link

How often do you click the settings gear icon next to “Copy link” and actually change the type of link? When sharing files in SharePoint, we can create four types of links: Anyone, People in my organization, Specific people, and People with existing access.

Microsoft 365 sharing link settings

The first one is the Anyone link, which is a transferable, revocable secret key. What does this mean? Transferable means it can be forwarded to others, so anyone who holds the link can access the resource, without signing in. Revocable means the link can be disabled manually at any time. Secret key means the URL is unguessable and is not listed anywhere: the resource is not public, but whoever has that link, that secret key, gets in. Your administrator can also turn Anyone links off entirely, or force an expiration date on them.

M365 oversharing anyone link

For example, once we create a link for a document in Anyone mode, we can send it to an internal user. That user can forward the link to an external user, who can forward it to another external user, and it still works. As long as you have that link, that secret key, you have access to the document.

The next type of link is People in my organization, which, importantly, is also a transferable, revocable secret key. It can be forwarded to others, it can be revoked at any time, and you need the link to have access. However, unlike the Anyone link, it only works for users signed in to your organization.

M365 oversharing people in my organization link

So, suppose we create a People in my organization link for a document. We can send it to an internal user, who can then forward that exact same link to another user inside the organization, and it works for them too. But if the link is forwarded to someone outside the organization, they cannot access the document.

Next, we have the Specific people link. This link is a non-transferable, revocable secret key, which means it will not work if it is forwarded to anyone else. We can still revoke it at any time, and the named recipients need the link (and to sign in as themselves) to gain access.

As the name says, this link only grants access to the specified recipients. So, if we create a link to share with John, John can access the document; however, even if that link is forwarded to someone else inside the company, they will not be able to use it.

Microsoft 365 specific people sharing link

The fourth option, People with existing access, is the one to use when you just want to copy a link to the file without affecting permissions: it grants nothing new, and only works for people who already have access through the container or an earlier share.

Now, remember when we asked when you last changed the type of link before sharing with someone? If you left the default, created a “People in my organization” link, and sent it to one person with five others in CC, every one of those five who clicked the link now has access to the document, even if they never needed it.

If you did the same for a folder, that link, the secret key you created for everyone in your organization, grants access to the folder; anyone who clicks it once is added to the folder's permissions and keeps access to it, and to every item inside it, until someone goes in and removes them, which rarely happens. Those documents will then show up in search and in Microsoft 365 Copilot for each of those users, because both only respect the permissions that are actually in place.

TIP: Always select the proper link for your intended audience, as well as the minimum permission needed (view rather than edit).

If you want to see all the permissions for a file, click the three dots (the ellipsis button) next to it and then click Manage access.

Microsoft 365 manage access

From there, you can see the people who have access directly to this document. For example, I can see that “Finance Taylor” has direct permission on this document without necessarily having access to the container. That tells us the file has broken permissions.

Broken permissions (SharePoint also calls this unique permissions, or broken inheritance) means that the permissions of an artifact (a document, folder, or library) differ from the permissions of its container, such as the site or Microsoft 365 Group.

Microsoft 365 people with access

If we go to the Links tab, we can also see that two active links exist. One is an Anyone link with view permissions: as the name implies, anyone in the world holding that secret key can view this document. The other is a People in my organization link with edit permissions.

TIP: If those links are no longer needed, remove them to help prevent oversharing in the future. Deleting a link revokes it immediately for everyone who holds it.
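To make the link types above and the Manage access review concrete, here is an added example (not code from the original article) of how those links and direct grants look when you pull a file's permissions programmatically, and how to triage them. It assumes the field names of the Microsoft Graph permission resource as returned by GET /drives/{drive-id}/items/{item-id}/permissions (link.scope values anonymous, organization, users and existingAccess; grantedToV2; inheritedFrom) and works on a constructed sample rather than a live tenant; the tenant, people and IDs are invented.

```python
"""Triage the sharing permissions on one SharePoint Online / OneDrive file.

Added example, not code from the original article. It works on the JSON shape
Microsoft Graph returns from GET /drives/{drive-id}/items/{item-id}/permissions
(the 'permission' resource: 'roles', 'link.scope', 'link.type', 'grantedToV2',
'inheritedFrom', ...). The sample below is constructed: tenant, people and
IDs are invented, and no network call is made.
"""

# Constructed sample: one file's permissions after the sharing actions the
# article describes (one entry per sharing link or direct grant).
SAMPLE_PERMISSIONS = [
    {"id": "perm-anon-1", "roles": ["read"], "hasPassword": False,   # "Anyone" link, view, no expiry
     "link": {"scope": "anonymous", "type": "view"}},
    {"id": "perm-org-1", "roles": ["write"],                          # "People in my organization", edit
     "link": {"scope": "organization", "type": "edit"}},
    {"id": "perm-users-1", "roles": ["read"],                         # "Specific people" link for John
     "link": {"scope": "users", "type": "view"},
     "grantedToIdentitiesV2": [{"user": {"displayName": "John", "email": "john@contoso.com"}}]},
    {"id": "perm-direct-1", "roles": ["read"],                        # direct grant: "broken permissions"
     "grantedToV2": {"user": {"displayName": "Finance Taylor", "email": "taylor@contoso.com"}}},
    {"id": "perm-inherited-1", "roles": ["write"],                    # inherited from the site, not broken
     "grantedToV2": {"siteGroup": {"displayName": "Project Falcon Members"}},
     "inheritedFrom": {"driveId": "b!falcon-drive", "id": "root"}},
]

# Who can redeem a link of each scope (the article's transferable versus
# non-transferable distinction) and how much attention it deserves.
# 'existingAccess' is the createLink scope for "People with existing access".
LINK_AUDIENCE = {
    "anonymous": ("anyone holding the link, inside or outside the tenant", "high"),
    "organization": ("any signed-in tenant user who obtains the link", "medium"),
    "users": ("only the named recipients; forwarded copies do not work", "low"),
    "existingAccess": ("only people who already have access; nothing is granted", "none"),
}


def principal_name(identity_set):
    """Display name from a Graph sharePointIdentitySet (user, group, siteGroup, ...)."""
    for key in ("user", "group", "siteGroup", "siteUser"):
        if key in identity_set:
            return identity_set[key].get("displayName", "?")
    return "?"


def describe(perm):
    """Classify one permission as (kind, audience, risk)."""
    link = perm.get("link")
    if link:
        scope, ltype = link.get("scope", "unknown"), link.get("type", "?")
        audience, risk = LINK_AUDIENCE.get(scope, ("unknown scope", "review"))
        if scope == "users":
            names = [principal_name(i) for i in perm.get("grantedToIdentitiesV2", [])]
            audience += f" ({', '.join(names) or 'no recipients listed'})"
        return f"{scope} {ltype} link", audience, risk
    who = principal_name(perm.get("grantedToV2", {}))
    if "inheritedFrom" in perm:
        return "inherited from container", who, "none"
    return "direct grant on this item", who, "review"


def anonymous_link_findings(perm):
    """Checks that only matter for Anyone links: edit rights, no expiry, no password."""
    link = perm.get("link") or {}
    if link.get("scope") != "anonymous":
        return []
    findings = []
    if link.get("type") == "edit":
        findings.append("anonymous link grants edit, not just view")
    if not perm.get("expirationDateTime"):
        findings.append("anonymous link never expires")
    if not perm.get("hasPassword"):
        findings.append("anonymous link has no password")
    return findings


def links_to_revoke(perms):
    """IDs of transferable links (Anyone / People in my organization) to delete."""
    return [p["id"] for p in perms
            if (p.get("link") or {}).get("scope") in ("anonymous", "organization")]


def broken_permissions(perms):
    """Principals granted directly on the item rather than through its container."""
    return [principal_name(p["grantedToV2"]) for p in perms
            if "link" not in p and "inheritedFrom" not in p and "grantedToV2" in p]


def report(perms):
    """One triage line per permission, plus indented findings for Anyone links."""
    lines = []
    for p in perms:
        kind, audience, risk = describe(p)
        lines.append(f"{p['id']}: {kind} [{risk}] -> {audience}")
        lines.extend(f"    ! {f}" for f in anonymous_link_findings(p))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_PERMISSIONS)))
    print("links to delete:", links_to_revoke(SAMPLE_PERMISSIONS))
    print("broken permissions:", broken_permissions(SAMPLE_PERMISSIONS))
```

Against a real file you would replace SAMPLE_PERMISSIONS with the value array returned by GET /drives/{drive-id}/items/{item-id}/permissions and remove each ID from links_to_revoke with DELETE /drives/{drive-id}/items/{item-id}/permissions/{perm-id}, which revokes that link for everyone who holds it. The Specific people link and the inherited site membership are deliberately left alone: they are the two cases the article describes as scoped correctly, while the direct grant is reported so that someone can decide whether it is still needed.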

Oversharing in Microsoft 365 is when a piece of content, whether it’s a Microsoft 365 Group, a site, a folder, or a single document, is shared with people who shouldn’t have access to it. This can happen when somebody creates a link with an option that’s too permissive, so a user gets access they should never have had, or when a user had a valid reason to access the content but doesn’t need it anymore.

Permissions should be kept only for the minimum amount of time needed to complete a task. If a user still has access to a project they are no longer working on, for example, that is also considered oversharing.