---
name: SharePoint Oversharing Audit
description: Audit SharePoint Online sharing links and flag sites where external or broad access breaches policy, aligned to ASD Essential Eight Control 5.
---

# SharePoint Oversharing Audit

> **TL;DR:** This skill reviews every active sharing link and site permission across SharePoint Online in scope, flags external or Anyone access that breaches your policy, and produces a risk-ranked remediation table.

## What does the SharePoint oversharing audit do?

The audit examines all active sharing links and site permissions across the SharePoint Online sites in scope, using Microsoft Graph as the data source. It identifies sites where external sharing or Anyone links exceed your organisation's policy and produces a risk-ranked table of sites that need remediation. Because Microsoft 365 Copilot answers are only as trustworthy as the underlying permissions, oversharing hygiene is core Copilot-readiness work: tightening broad and anonymous access ensures Copilot honours least privilege and surfaces only content a user is genuinely entitled to see. Pair the findings with Microsoft Purview sensitivity labels to confirm that broadly shared content is appropriately classified.

## When should you run this skill?

Invoke this skill when asked to:

- "Run an oversharing audit"
- "Review sharing links"
- "Check external access across our sites"
- "Prepare sharing governance report"

## Policy defaults (adjust to your organisation)

| Setting | Default |
| --- | --- |
| Anyone links | Not permitted |
| External sharing | Allowed only to named approved domains |
| Internal broad sharing | Flagged if site has more than 50 unique users |
| Review period | Previous 30 days |

## How this skill works, step by step

1. List all SharePoint Online sites in scope (or the selected site).
2. For each site, retrieve active sharing links by type: Anyone, Specific people, Organisation.
3. Flag any sites with Anyone links (policy breach).
4. Flag sites sharing with external addresses not on the approved domain list.
5. Note each site's last review date if recorded.
6. Calculate a risk score: High (Anyone link or more than 5 external), Medium (1 to 5 external), Low (internal broad only).
7. Compile into the output table below.

## Output format

Produce a Markdown table with these columns:

| Site Name | URL | Sharing Type | External Recipients | Anyone Links | Risk | Recommended Action |
| --- | --- | --- | --- | --- | --- | --- |

Follow the table with a summary:

- Total sites reviewed: N
- High risk: N (requires immediate review)
- Medium risk: N (schedule review within 30 days)
- Low risk: N (monitor at next governance cycle)
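The classification in steps 2 to 7 and the table in the Output format section, as an added worked example (not code from this SKILL.md or the HybridSP catalogue). It operates on Microsoft Graph `permission` objects that the caller has already fetched per site (the site listing and retrieval of steps 1 and 2 are not shown); only `link.scope` and `grantedToIdentitiesV2[].user.email` are read from them. The policy constants, tenant and approved domains, the sample site data, and the extra "None" risk category for sites with nothing flagged are assumptions constructed for the example.

```python
"""Site-level oversharing classification and report (steps 2 to 7).

Added example, not the skill's own code. Input: per-site lists of Graph
``permission`` objects (simplified shape). Policy values, domains and the
sample data below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Policy defaults from the skill file; adjust to your organisation.
APPROVED_DOMAINS = {"partner.example.com"}  # constructed approved external domain
BROAD_SHARING_THRESHOLD = 50                 # unique users before "internal broad"
TENANT_DOMAINS = {"contoso.example"}         # constructed: addresses here are internal


@dataclass
class SiteFinding:
    name: str
    url: str
    anyone_links: int = 0
    organisation_links: int = 0
    internal_users: set = field(default_factory=set)
    external_recipients: set = field(default_factory=set)
    unapproved_external: set = field(default_factory=set)

    @property
    def internal_broad(self) -> bool:
        # Assumption: an Organisation link reaches every tenant user, so it is
        # treated as exceeding the unique-user threshold.
        return self.organisation_links > 0 or len(self.internal_users) > BROAD_SHARING_THRESHOLD

    @property
    def sharing_type(self) -> str:
        kinds = [k for k, hit in (("Anyone", self.anyone_links),
                                  ("External", self.external_recipients),
                                  ("Internal broad", self.internal_broad)) if hit]
        return ", ".join(kinds) or "Specific people"

    @property
    def risk(self) -> str:
        """Step 6. The external count uses recipients outside the approved list
        (step 4); 'None' is an added category for sites with nothing flagged."""
        ext = len(self.unapproved_external)
        if self.anyone_links or ext > 5:
            return "High"
        if ext >= 1:
            return "Medium"
        if self.internal_broad:
            return "Low"
        return "None"

    @property
    def recommended_action(self) -> str:
        return {"High": "Remove Anyone links and re-approve external recipients now",
                "Medium": "Confirm each external recipient against the approved domain list within 30 days",
                "Low": "Review membership at the next governance cycle",
                "None": "No action"}[self.risk]


def classify_site(name: str, url: str, permissions: list) -> SiteFinding:
    """Steps 2 to 5 for one site: bucket each Graph permission object."""
    f = SiteFinding(name, url)
    for perm in permissions:
        scope = (perm.get("link") or {}).get("scope")
        if scope == "anonymous":          # Graph's value for an Anyone link
            f.anyone_links += 1
        elif scope == "organization":     # Graph's value for an Organisation link
            f.organisation_links += 1
        for ident in perm.get("grantedToIdentitiesV2", []):
            email = ((ident.get("user") or {}).get("email") or "").lower()
            if not email:
                continue
            domain = email.rsplit("@", 1)[-1]
            if domain in TENANT_DOMAINS:
                f.internal_users.add(email)
            else:
                f.external_recipients.add(email)
                if domain not in APPROVED_DOMAINS:
                    f.unapproved_external.add(email)
    return f


def render_report(findings: list) -> str:
    """Step 7: risk-ranked Markdown table followed by the summary block."""
    order = {"High": 0, "Medium": 1, "Low": 2, "None": 3}
    lines = ["| Site Name | URL | Sharing Type | External Recipients | Anyone Links | Risk | Recommended Action |",
             "| --- | --- | --- | --- | --- | --- | --- |"]
    for f in sorted(findings, key=lambda x: order[x.risk]):
        lines.append(f"| {f.name} | {f.url} | {f.sharing_type} | {len(f.external_recipients)} "
                     f"| {f.anyone_links} | {f.risk} | {f.recommended_action} |")
    c = Counter(f.risk for f in findings)
    lines += ["", f"- Total sites reviewed: {len(findings)}",
              f"- High risk: {c['High']} (requires immediate review)",
              f"- Medium risk: {c['Medium']} (schedule review within 30 days)",
              f"- Low risk: {c['Low']} (monitor at next governance cycle)"]
    return "\n".join(lines)


def _user(email):  # builds one constructed Graph identity entry
    return {"user": {"email": email}}


# Constructed sample: what a per-site permissions fetch might return.
SAMPLE_SITES = {
    "Finance": ("https://contoso.example/sites/finance", [
        {"link": {"scope": "anonymous", "type": "view"}},
        {"link": {"scope": "users"}, "grantedToIdentitiesV2": [_user("auditor@partner.example.com")]}]),
    "Projects": ("https://contoso.example/sites/projects", [
        {"link": {"scope": "users"}, "grantedToIdentitiesV2": [_user("a@vendor.example"), _user("b@vendor.example")]},
        {"grantedToIdentitiesV2": [_user("c@other.example"), _user("pm@contoso.example")]}]),
    "HR": ("https://contoso.example/sites/hr", [{"link": {"scope": "organization", "type": "view"}}]),
    "Legal": ("https://contoso.example/sites/legal", [{"grantedToIdentitiesV2": [_user("gc@contoso.example")]}]),
}


def run_audit(sites=SAMPLE_SITES) -> list:
    return [classify_site(name, url, perms) for name, (url, perms) in sites.items()]


if __name__ == "__main__":
    print(render_report(run_audit()))
```

Running the file prints the table with Finance ranked High (one Anyone link), Projects Medium (three unapproved external recipients), HR Low (an Organisation link) and Legal unflagged. Because the skill is site level only, each site's permission list is the unit of analysis; file-level links inside document libraries are out of scope, exactly as the Scope and safety section states.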

## Scope and safety

This skill is read-only by default and takes no destructive actions. It does NOT:

- Remove or modify sharing links
- Access email or calendar data
- Assess permissions at the file level (site level only)

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Read SharePoint sites, sharing links and site permissions via Microsoft Graph | Microsoft 365 E3 or E5 (includes SharePoint Online Plan 2) |
| Data Access Governance reports for oversharing and sharing-link visibility at scale | SharePoint Advanced Management (included with Microsoft 365 E5 or available as an add-on) |

### Least-privilege roles

- SharePoint Administrator (read) to review tenant sharing configuration and Data Access Governance reports
- Global Reader for read-only tenant-wide visibility where a dedicated SharePoint role is not granted

### Microsoft Graph permissions (read-only)

- `Sites.Read.All` — read site collections and their permission and sharing-link details
- `Files.Read.All` — read items and the sharing links that grant access to them
- `Group.Read.All` — resolve Microsoft 365 group memberships behind site access
- `Directory.Read.All` — resolve users, external recipients and approved domains referenced in sharing links
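A client-side guard for the read-only promise above, as an added example (not code from this SKILL.md or the HybridSP catalogue): before the audit runs, inspect the Graph access token's `scp` (delegated) or `roles` (application) claim and refuse to proceed if it carries any permission outside the four listed. The tokens below are constructed, unsigned samples so the check runs offline; `Sites.ReadWrite.All` appears only as an illustration of a write scope that the audit identity must not hold. Microsoft Graph verifies the real token's signature; this check only enforces least privilege on the caller's side.

```python
"""Pre-flight scope check for the audit's Microsoft Graph identity.

Added example, not the skill's own code. Decodes a JWT payload without
verifying it (Graph does that) and compares the granted permissions with
the read-only set the skill file asks for.
"""
import base64
import json

# The read-only Graph permissions listed in the skill file.
ALLOWED_SCOPES = {"Sites.Read.All", "Files.Read.All", "Group.Read.All", "Directory.Read.All"}


def _decode_segment(seg: str) -> dict:
    # JWT segments are base64url without padding; restore it before decoding.
    seg += "=" * (-len(seg) % 4)
    return json.loads(base64.urlsafe_b64decode(seg))


def granted_permissions(token: str) -> set:
    """Return the Graph permissions carried in the token payload."""
    payload = _decode_segment(token.split(".")[1])
    delegated = set(payload.get("scp", "").split())   # space-separated string
    app_roles = set(payload.get("roles", []))          # list of strings
    return delegated | app_roles


def check_read_only(token: str) -> tuple:
    """Return (ok, offending): offending is every permission not in ALLOWED_SCOPES."""
    offending = granted_permissions(token) - ALLOWED_SCOPES
    return (not offending, offending)


def _b64url(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


def _sample_token(payload: dict) -> str:
    # Constructed unsigned token: header.payload. with an empty signature segment.
    return f"{_b64url({'alg': 'none', 'typ': 'JWT'})}.{_b64url(payload)}."


# Constructed samples: a delegated token holding exactly the listed scopes, and an
# application token that also carries a write permission.
READ_ONLY_TOKEN = _sample_token({"aud": "https://graph.microsoft.com",
                                 "scp": "Sites.Read.All Files.Read.All Group.Read.All Directory.Read.All"})
OVERPRIVILEGED_TOKEN = _sample_token({"aud": "https://graph.microsoft.com",
                                      "roles": ["Sites.Read.All", "Sites.ReadWrite.All"]})

if __name__ == "__main__":
    for label, tok in (("read-only", READ_ONLY_TOKEN), ("overprivileged", OVERPRIVILEGED_TOKEN)):
        ok, bad = check_read_only(tok)
        print(label, "OK" if ok else f"REFUSE: {sorted(bad)}")
```

Wire `check_read_only` in front of the first Graph call so an agent registered with broader permissions than the skill documents stops before it reads anything; the refusal itself is evidence for the "read-only by default" claim in the Scope and safety section.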

## Sources and compliance

- Supports E8 ML2 evidence for Control 5 (data repository access validation)
- Output can be saved as a Word document for IRAP assessment use
- [Manage external sharing for SharePoint Online](https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview)
- [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
How to use this skill
  1. Get the file. Download or copy the SKILL.md from the panel above.
  2. Load it into your host:
    • Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
    • Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
    • Any chat host — paste the file contents as your prompt.
  3. Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed under Licensing and permissions in the skill file.
  4. Provide your tenant scope and run it (a site, a collection, or the whole tenant).
  5. Review the report and action the risk-ranked recommendations.

This skill is read-only by default — it inspects and reports, and never changes your tenant.

Licensed under CC BY 4.0  by Educ4te . Adapted from the open HybridSP skills catalogue.
