GOVERNANCE · April 11, 2026 · 12 min read
SharePoint and OneDrive Oversharing Assessment: Find Anyone-Links Before Copilot Does
The Concentric AI 2025 Data Risk Report found that the average organization has 802,000 files at risk from oversharing, and that 16% of business-critical data is overshared on the typical Microsoft 365 tenant. We have scanned tenants with 12,000+ active Anyone-links on the top 30 most-used SharePoint sites alone. None of those links was tracked. None had been expired. Most were created years ago for one-off file shares with vendors who left the partnership long ago.
Anyone-links are the dominant oversharing risk surface in Microsoft 365 — and they are about to become a much bigger problem now that Copilot is indexing the entire reachable surface of every user's tenant. The SharePoint and OneDrive Oversharing Assessment is the read-only audit that finds them before Copilot does. This post explains what it checks, what the findings look like, and how to act on the report.
Why Anyone-Links Are Worse Than You Think
An Anyone-link in SharePoint or OneDrive is a sharing link that grants access to "Anyone with the link" without requiring the recipient to be authenticated to your Microsoft 365 tenant. When the link was originally created, the user thought of it as "I'm sending a link to one specific person." That was never how the link worked. The link grants access to anyone who possesses the URL — and from Microsoft Graph's permission model perspective, the link makes the file readable to every authenticated user in the tenant the moment they discover it exists.
The discovery problem used to be the saving grace. Most Anyone-links sat in inboxes, on Slack, in Teams chats, buried in the long tail of normal work. Copilot solves the discovery problem: it semantically searches the entire reachable corpus on every prompt. A user asking "summarize our Q4 sales pipeline" gets back content from every document in OneDrive and SharePoint that the model can reach, including the Anyone-link Excel file from three years ago that nobody has touched since.
The result: a tenant that was technically overshared for years but nobody noticed becomes a tenant where stale, sensitive documents start appearing in Copilot chat responses on day one of the rollout. The Concentric AI report notes that Copilot accessed roughly 3 million confidential records per organization in H1 2025. Most of those records were not files the asking user could have found through normal search. They were files Copilot's semantic indexer reached through the Anyone-link permission grant.
What the Assessment Scans
The SharePoint and OneDrive Oversharing Assessment is a focused subset of the full Microsoft 365 governance scan, targeting the modules that produce the oversharing surface. Three modules execute:
1. SharePoint Permissions (the headline)
We enumerate the top 30 most-active SharePoint sites in the tenant via the Graph sites endpoint, then walk each site's sharing links to build the Anyone-link footprint. For each site we record:
- The total count of active Anyone-links
- The breakdown by edit-vs-view permission (edit links are higher risk)
- Any links that have been active for more than 12 months (stale links are higher risk)
- The site's external sharing capability setting (which determines whether new links can be created at all)
- The site owner and the site's last activity timestamp
Thirty sites is a deliberate cap. It keeps the scan fast enough to finish in three to five minutes and covers about 80% of the activity on most tenants. If your tenant has meaningful risk hiding in the long tail, the top 30 will already tell you, because the failure mode is consistent: a tenant with bad oversharing on the top 30 will have worse oversharing on sites 31+. The Partner tier of the suite (the Microsoft 365 Complete Bundle) ships an expanded scan of 100+ sites for tenants that need it.
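As an added example (not MigrationFox's own code), here is how the per-site Anyone-link footprint described above can be computed from Microsoft Graph permission resources and ranked worst-first. Graph's permission resource exposes link.scope ("anonymous" is the Anyone-link), link.type, roles and expirationDateTime but no creation time, so the link age used for the 12-month check comes from an assumed out-of-band mapping (created_at); the sample tenant data is constructed.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=365)  # the post's 12-month staleness threshold

def summarize_site(site_name, permissions, created_at, now):
    """Anyone-link footprint for one site from its Graph permission resources
    (GET /sites/{site-id}/drive/items/{item-id}/permissions). Graph permissions
    carry expirationDateTime but no creation time, so created_at ({permission
    id: datetime}) is an assumed out-of-band input, e.g. from the audit trail."""
    out = {"site": site_name, "anyone_links": 0, "edit": 0, "view": 0,
           "stale": 0, "no_expiry": 0}
    for p in permissions:
        link = p.get("link") or {}
        if link.get("scope") != "anonymous":
            continue  # organization-scoped links and direct grants are not Anyone-links
        out["anyone_links"] += 1
        # Edit capability shows as link.type "edit" or a "write" role.
        if link.get("type") == "edit" or "write" in p.get("roles", []):
            out["edit"] += 1
        else:
            out["view"] += 1
        if p.get("expirationDateTime") is None:
            out["no_expiry"] += 1  # lives until someone removes it
        created = created_at.get(p.get("id"))
        if created is not None and now - created > STALE_AFTER:
            out["stale"] += 1
    return out

def rank_sites(summaries):
    """Worst offenders first: edit links, then stale links, then total count."""
    return sorted(summaries, key=lambda s: (s["edit"], s["stale"], s["anyone_links"]), reverse=True)

# Constructed sample tenant (not real data): two sites, a handful of permissions.
NOW = datetime(2026, 4, 11, tzinfo=timezone.utc)
SAMPLE = {
    "Finance": [
        {"id": "p1", "roles": ["write"], "link": {"scope": "anonymous", "type": "edit"}},
        {"id": "p2", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"},
         "expirationDateTime": "2026-06-01T00:00:00Z"},
        {"id": "p3", "roles": ["read"], "link": {"scope": "organization", "type": "view"}},
    ],
    "Marketing": [
        {"id": "p4", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
    ],
}
CREATED = {"p1": NOW - timedelta(days=900), "p2": NOW - timedelta(days=30),
           "p4": NOW - timedelta(days=400)}  # assumed creation times for the sample

def run_sample():
    return rank_sites([summarize_site(n, ps, CREATED, NOW) for n, ps in SAMPLE.items()])
```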
2. Teams & OneDrive Governance (the OneDrive enablement signal)
Most "SharePoint oversharing" reports forget that OneDrive is part of the same Anyone-link surface. Every user in the tenant has a personal OneDrive that can produce its own Anyone-links, and the OneDrive enablement check is the precondition: if Known Folder Move (KFM) is not deployed, a large fraction of each user's working content is sitting on local desktops where it generates no Anyone-link risk but also generates no Copilot value. We pull the OneDrive usage report via getOneDriveUsageAccountDetail(period='D7') and compute the active-storage percentage across the tenant.
The Teams & OneDrive module also surfaces tenant-wide external sharing capability (Anyone vs New and existing guests vs Existing guests vs Only people in your organization), domain restrictions, default link type, and link expiration policies. The tenant-wide setting is the upstream gate that determines whether new Anyone-links can be created at all.
3. Purview Current State (the labels signal)
Sensitivity labels are the only mechanism Copilot can use to suppress overshared content from prompt responses at runtime. We pull the sensitivity label inventory via the Information Protection Graph endpoint to give you visibility into how much of your tenant's content has any classification at all. A tenant with zero sensitivity labels is a tenant where Copilot has no signal to discriminate between a marketing presentation and a confidential M&A document — they look identical to the model.
Label coverage is a precondition for any Copilot-aware DLP rule. The assessment surfaces the label inventory and flags publishing gaps (labels that exist in Purview but are not published to the users who need them).
What the Findings Look Like
The assessment produces a 1.0–4.0 score, a four-state verdict, and a prioritized findings list. Common findings on real tenants:
SP-001 (Must Do Before Copilot): 12,847 active Anyone-links across the top 30 SharePoint sites. Average age: 2.3 years. 4,212 with edit permission. The oldest active link is 6 years old.
SP-003 (Must Do Before Full Rollout): Tenant external sharing capability is set to "Anyone" with no link expiration policy. Recommended: switch to "New and existing guests" and add a 90-day link expiration default.
TMS-005 (Must Do Before Full Rollout): Only 34% of users (412 of 1,210) have an active OneDrive with content. Suggests Known Folder Move is not deployed broadly.
PUR-002 (Must Do Before Copilot): No sensitivity labels are published in this tenant. Without labels, Copilot has no signal to suppress confidential content from prompt responses.
The remediation list is sorted so the worst offenders show up first. Your SharePoint admin can triage the top 5 sites and fix 80% of the risk in an afternoon, instead of trying to boil the ocean by walking every site one by one.
Why This Is a Standalone Assessment
The Copilot Readiness Assessment includes the SharePoint Permissions module as one of its six checks, alongside Licensing, Purview, Identity, Apps Readiness, and Teams. So why sell SharePoint and OneDrive as a separate single assessment?
Because the buyers are different. A SharePoint admin who just wants to clean up Anyone-link sprawl does not need the Copilot Readiness verdict. They need the per-site Anyone-link inventory, the edit-vs-view breakdown, and the age distribution — and they do not need to pay for the Conditional Access policy review or the M365 Apps update channel breakdown. The SharePoint and OneDrive Assessment gives them exactly the three modules that matter for the oversharing question, at the same CA$399 single-assessment price as any other product.
If you are running a Copilot rollout planning conversation, buy the Copilot Readiness Assessment instead — it includes oversharing as one of six dimensions and gives you the readiness score the CIO actually wants. If you are doing a SharePoint cleanup project, this is the right SKU. If you are doing both, the Microsoft 365 Complete Bundle at CA$1,599 covers both plus four more.
Read-Only by Design
The scan is 100% read-only at the architectural level. The Microsoft Graph client has a write guard at the client level: any HTTP verb other than GET raises an exception before the request leaves the process. The service account is granted exactly fourteen read-only Graph application scopes (Sites.Read.All, Files.Read.All, etc.) and your tenant's Azure AD consent screen lists every scope before you click Accept. Every finding is stored encrypted at rest with AES-256-GCM.
For an MSP delivering this to a client, the read-only architecture means the client's security review takes 24 hours instead of two weeks. You hand them a one-page summary: here are the fourteen scopes, here is the write guard, here is the encryption key handling, here is the audit log of every Graph call we made during the scan. Most clients sign off the same day.
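As an added example (not the product's actual client), this is the shape of a client-level write guard like the one described above: the verb check runs before any socket is opened, every attempted call is appended to an audit log, and @odata.nextLink paging is followed with GET only. Only the Graph base URL and the nextLink / value response fields are real; the class and method names are assumptions.

```python
import json
import urllib.request

GRAPH_BASE = "https://graph.microsoft.com/v1.0"

class WriteAttempted(RuntimeError):
    """Raised when a caller tries to send anything other than GET through the client."""

class ReadOnlyGraphClient:
    """Graph client with a verb guard in front of the network: only GET can leave the process."""

    def __init__(self, access_token):
        self._token = access_token
        self.audit_log = []  # (method, url) of every call attempted, for the client's reviewers

    def request(self, method, path):
        method = method.upper()
        # nextLink values from Graph are absolute; relative paths are joined to the base.
        url = path if path.startswith("https://") else f"{GRAPH_BASE}/{path.lstrip('/')}"
        self.audit_log.append((method, url))
        if method != "GET":
            # The check runs before any socket is opened, so even a bug in the
            # scan code cannot PATCH or DELETE a permission. It also blocks
            # /$batch, which is a POST, so request batching is unavailable here.
            raise WriteAttempted(f"write guard blocked {method} {url}")
        return self._send(url)

    def _send(self, url):
        req = urllib.request.Request(url, method="GET", headers={
            "Authorization": f"Bearer {self._token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)

    def get_all(self, path):
        """Yield items across pages by following @odata.nextLink until exhausted."""
        url = path
        while url:
            page = self.request("GET", url)
            yield from page.get("value", [])
            url = page.get("@odata.nextLink")
```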
How to Run It
The Free Snapshot answers the question "does my tenant have a SharePoint oversharing problem at all" in three to five minutes, no credit card required, one snapshot per tenant per month per product. It gives you the composite score, the four-state verdict, the per-module finding counts, and one sample finding. If the answer is yes (and on most tenants it will be), the CA$399 single assessment unlocks the full per-site Anyone-link inventory and the JSON / HTML / CSV exports for 90 days.
The setup is the same as every other assessment in the suite: register at app.migrationfox.com/register, create an Azure AD app registration with the fourteen read-only Graph scopes, paste the credentials into MigrationFox, click Run. The scan completes in three to five minutes. The dashboard shows you per-site rankings and the worst-offender Anyone-link distribution.