SKILL.md (paste into Microsoft 365 Copilot or Claude)
---
name: External Sharing Deep Audit
description: Inventory every externally shared item across SharePoint, OneDrive, and Teams, ranked by recipient risk, aligned to ASD Essential Eight Control 5.
---
# External Sharing Deep Audit
> **TL;DR:** This skill inventories every externally shared item across SharePoint Online, OneDrive, and Teams, attributes each share to a recipient domain, and ranks the findings by external recipient risk so data stewards can revoke stale or unsafe shares.
## What does the external sharing deep audit do?
The audit inventories every externally shared item across SharePoint Online, OneDrive, and Teams, reading sharing links and direct permissions through Microsoft Graph. It attributes each share to a recipient domain, captures share type, expiry, and last access date, and ranks results by external recipient risk so the data steward can revoke stale or unsafe shares. External exposure is one of the biggest blind spots for Microsoft 365 Copilot readiness: content reachable by external principals can widen the effective grounding surface, so closing stale and unapproved shares keeps Copilot answers least-privilege and trustworthy. Cross-reference findings with Microsoft Purview sensitivity labels to prioritise revocation of classified content.
## When should you run this skill?
- "Audit external sharing across the tenant"
- "Find externally shared SharePoint content"
- "Surface stale external shares"
- "Build an external recipient register for our review board"
## How this skill works, step by step
1. Enumerate all sharing links and direct permissions where the principal is external.
2. For each shared item capture: item path, share type (Anyone, Specific people, Existing access), recipient identity, recipient domain, expiry, last access date.
3. Group recipients by domain.
4. Cross-reference domains against the approved external partner list.
5. Flag stale shares (no access in last 90 days).
6. Flag Anyone links regardless of recency.
7. Compute risk: High (Anyone or unapproved domain), Medium (approved domain, stale), Low (approved domain, recent).
8. Produce the table below.
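Steps 3 to 8 carried out on constructed share records, as an added example that is not part of the skill or of any Microsoft tooling. The approved partner list, the record shape, the `lastAccess` field (assumed to come from audit data, since Graph permission resources do not carry it) and the "revoke stale approved shares too" action mapping are assumptions.

```python
from datetime import datetime, timedelta, timezone

APPROVED_DOMAINS = {"partner.example"}      # assumed approved external partner list (step 4)
STALE_AFTER = timedelta(days=90)             # step 5: no access in the last 90 days
AUDIT_AS_OF = datetime(2024, 7, 1, tzinfo=timezone.utc)  # fixed "now" so results are reproducible

# Constructed sample share records in the shape of the skill's output table. The
# lastAccess value is assumed to come from audit data; Graph permission resources lack it.
SAMPLE_SHARES = [
    {"item": "/sites/Finance/Budget.xlsx", "shareType": "Anyone", "recipient": "",
     "expiry": "", "lastAccess": "2024-06-01T00:00:00Z"},
    {"item": "/sites/Legal/NDA.docx", "shareType": "Specific people",
     "recipient": "alice@partner.example", "expiry": "2024-12-31T00:00:00Z",
     "lastAccess": "2024-01-15T00:00:00Z"},
    {"item": "/personal/bob/Roadmap.pptx", "shareType": "Specific people",
     "recipient": "carol@partner.example", "expiry": "", "lastAccess": "2024-06-20T00:00:00Z"},
    {"item": "/sites/HR/Salaries.xlsx", "shareType": "Specific people",
     "recipient": "dave@unknown.example", "expiry": "", "lastAccess": "2024-06-25T00:00:00Z"},
]

def parse_ts(value):  # ISO-8601 timestamp with trailing Z to aware datetime; "" means unknown
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def recipient_domain(recipient):  # step 3: the domain a share is attributed to
    return recipient.rsplit("@", 1)[1].lower() if "@" in recipient else ""

def is_stale(share, now):
    last = parse_ts(share["lastAccess"])
    return last is None or now - last > STALE_AFTER   # unknown last access counts as stale

def risk_for(share, now):  # step 7: High (Anyone/unapproved), Medium (approved, stale), Low
    domain = recipient_domain(share["recipient"])
    if share["shareType"] == "Anyone" or domain not in APPROVED_DOMAINS:
        return "High"
    return "Medium" if is_stale(share, now) else "Low"

def audit(shares, now=AUDIT_AS_OF):  # steps 3 to 8: risk-ranked rows plus the summary counts
    rows = []
    for s in shares:
        risk = risk_for(s, now)
        action = "Keep" if risk == "Low" else "Revoke"   # assumed: stale approved shares are revoked too
        rows.append({**s, "domain": recipient_domain(s["recipient"]), "risk": risk, "action": action})
    rows.sort(key=lambda r: {"High": 0, "Medium": 1, "Low": 2}[r["risk"]])
    domains = {r["domain"] for r in rows if r["domain"]}
    summary = {"items": len(rows), "recipients": len({r["recipient"] for r in rows if r["recipient"]}),
               "domains_outside_list": len(domains - APPROVED_DOMAINS),
               "anyone_links": sum(r["shareType"] == "Anyone" for r in rows),
               "revocations": sum(r["action"] == "Revoke" for r in rows)}
    return rows, summary
```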
## Output format
| Item | Share Type | Recipient Domain | Recipient | Expiry | Last Access | Risk | Action |
| --- | --- | --- | --- | --- | --- | --- | --- |
Followed by a summary:
- Externally shared items: N
- Distinct external recipients: N
- Domains outside the approved list: N
- Anyone links: N
- Recommended revocations: N
## Scope and safety
This skill is read-only by default and takes no destructive actions. It does NOT:
- Revoke shares or modify links (read-only)
- Email external recipients
- Inspect file contents
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| Read sharing links and external permissions across SharePoint, OneDrive, and Teams via Microsoft Graph | Microsoft 365 E3 or E5 |
| Data Access Governance reports for oversharing and Anyone-link insights | SharePoint Advanced Management |
### Least-privilege roles
- Global Reader (read-only tenant-wide visibility)
- SharePoint Administrator (read) where Data Access Governance reports are reviewed
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — read site collections and their sharing permissions
- `Files.Read.All` — read drive items and sharing links across SharePoint and OneDrive
- `Group.Read.All` — resolve Teams and Microsoft 365 group membership behind shares
- `Directory.Read.All` — resolve recipient identities and external (guest) principals
## Sources and compliance
- Supports E8 ML2 evidence for Control 5 and the data-repository portion of the IRAP evidence trail
- Pair with Broken Permission Inheritance Audit for a complete external-exposure picture
- Run monthly as part of the sharing governance cadence
- [External sharing overview for SharePoint and OneDrive](https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview)
- Output in Australian English
How to use this skill
- Get the file. Download or copy the SKILL.md from the panel above.
- Load it into your host:
- Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
- Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
- Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in the skill's Licensing and permissions section.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
Licensed under CC BY 4.0 by Educ4te. Adapted from the open HybridSP skills catalogue.