SKILL.md— paste into Microsoft 365 Copilot or ClaudeDownload▸ View skill file▾ Hide skill file
---
name: Sharing Links Activity Audit
description: Analyse Anyone, Organisation and Specific People sharing-link activity across SharePoint Online and OneDrive to surface high-risk trends and stale links.
---
# Sharing Links Activity Audit
> **TL;DR:** This skill analyses how Anyone, Company-wide and Specific People sharing links are created and used across SharePoint Online and OneDrive, then produces a report of high-risk trends and stale links that expand the Microsoft 365 Copilot exposure surface.
## What does the sharing links activity audit analyse?
This skill examines sharing-link creation and access activity across SharePoint Online and OneDrive, drawing on the SharePoint sharing-links reports and Microsoft Purview audit log activities. It distinguishes Anyone (anonymous), Company-wide (Organisation) and Specific People links, then surfaces high-risk patterns such as anonymous links to sensitive content and stale links no longer in use. Because every active link is a path Microsoft 365 Copilot and external recipients can follow, the audit highlights where least-privilege sharing has eroded. It reads activity data only and changes no links.
## When should you run this skill?
- "Audit our Anyone sharing links across SharePoint and OneDrive"
- "Find stale sharing links nobody uses anymore"
- "Show me Company-wide link trends over the last quarter"
- "Which anonymous links point at sensitive files?"
- "Analyse sharing-link activity for Copilot risk"
- "Where is external sharing growing fastest?"
## How this skill works, step by step
1. Connect read-only to SharePoint Online and the Microsoft Purview audit log.
2. Retrieve sharing-links reports for SharePoint Online and OneDrive.
3. Classify links by type: Anyone, Company-wide (Organisation) and Specific People.
4. Pull audit log activities for link creation, access and resharing events.
5. Identify stale links with no access activity over the review window.
6. Flag anonymous and Company-wide links pointing at sensitive content.
7. Score each link or trend by reach, anonymity and content sensitivity.
8. Aggregate findings into high-risk trend groups and a stale-link list.
9. Output the audit without revoking or modifying any link.
## Output format
The skill returns a sharing-link audit table, one row per high-risk link or trend.
| Scope | Link type | Last accessed | Sensitivity | Risk | Recommended action |
| --- | --- | --- | --- | --- | --- |
| Finance Hub | Anyone | 6 months ago | Confidential | High | Revoke and reissue as scoped |
| Sales OneDrive | Company-wide | 2 days ago | General | Medium | Confirm business need |
| Project Atlas | Specific People | 14 months ago | General | Low | Expire stale link |
Summary:
- Total links reviewed: 4,820
- Anyone links: 612
- Company-wide links: 1,344
- Stale links (no recent access): 1,907
- High risk: 188
## Scope and safety
This skill is read-only by default and makes no changes to sharing links, policies or content.
This skill does NOT:
- Revoke, expire or modify any sharing link.
- Change tenant or site sharing policies.
- Alter audit log retention or configuration.
- Contact users who created or received links.
## Licensing and permissions
### Licences and add-ons
| Capability used | Minimum licence |
| --- | --- |
| SharePoint Online and OneDrive sharing-links reports | Microsoft 365 E3 or E5 |
| Sharing-link insights via Data Access Governance reports | SharePoint Advanced Management (included in E5 or as an add-on) |
| Microsoft Purview audit log activities for sharing events | Microsoft 365 E3 (E5 for extended retention) |
### Least-privilege roles
- Global Reader (read-only visibility across the audit data)
- SharePoint Administrator (read) for sharing-links reports, where Global Reader is insufficient
### Microsoft Graph permissions (read-only)
- `Sites.Read.All` — reads site and sharing-link metadata across SharePoint Online and OneDrive
- `Files.Read.All` — reads file-level sharing and sensitivity context for shared items
- `AuditLog.Read.All` — reads Purview audit log activities for link creation, access and resharing
- `Directory.Read.All` — resolves user and group identities on links
Note: SharePoint Advanced Management sharing-links reports are generated in the SharePoint admin centre or via SharePoint Online PowerShell rather than Microsoft Graph; the Graph scopes above apply to the supporting sharing and audit data this skill reads.
## Sources and compliance
- [Sharing links reports](https://learn.microsoft.com/en-us/sharepoint/sharing-reports)
- [Audit log activities for sharing](https://learn.microsoft.com/en-us/purview/audit-log-activities)
- Maps to Essential Eight: Restrict administrative privileges and limit unnecessary external data exposure.
- Aligns with ISM controls for access control and monitoring of data sharing.
- Reference: [ASD Essential Eight Maturity Model](https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight/essential-eight-maturity-model)
- Output in Australian English
How to use this skill
- Get the file. Download or copy the
SKILL.mdfrom the panel above. - Load it into your host:
- Microsoft 365 Copilot / Copilot Studio — add it as the instructions of a declarative agent or Copilot Studio agent.
- Claude (Cowork / Claude Code) — drop the file into your skills folder; it loads as an Agent Skill automatically.
- Any chat host — paste the file contents as your prompt.
- Grant read-only access. Assign the least-privilege roles and Microsoft Graph scopes listed in Licensing and permissions below.
- Provide your tenant scope and run it (a site, a collection, or the whole tenant).
- Review the report and action the risk-ranked recommendations.
This skill is read-only by default — it inspects and reports, and never changes your tenant.
Sharing Links Activity Audit
TL;DR: This skill analyses how Anyone, Company-wide and Specific People sharing links are created and used across SharePoint Online and OneDrive, then produces a report of high-risk trends and stale links that expand the Microsoft 365 Copilot exposure surface.
What does the sharing links activity audit analyse?
This skill examines sharing-link creation and access activity across SharePoint Online and OneDrive, drawing on the SharePoint sharing-links reports and Microsoft Purview audit log activities. It distinguishes Anyone (anonymous), Company-wide (Organisation) and Specific People links, then surfaces high-risk patterns such as anonymous links to sensitive content and stale links no longer in use. Because every active link is a path Microsoft 365 Copilot and external recipients can follow, the audit highlights where least-privilege sharing has eroded. It reads activity data only and changes no links.
When should you run this skill?
- “Audit our Anyone sharing links across SharePoint and OneDrive”
- “Find stale sharing links nobody uses anymore”
- “Show me Company-wide link trends over the last quarter”
- “Which anonymous links point at sensitive files?”
- “Analyse sharing-link activity for Copilot risk”
- “Where is external sharing growing fastest?”
How this skill works, step by step
- Connect read-only to SharePoint Online and the Microsoft Purview audit log.
- Retrieve sharing-links reports for SharePoint Online and OneDrive.
- Classify links by type: Anyone, Company-wide (Organisation) and Specific People.
- Pull audit log activities for link creation, access and resharing events.
- Identify stale links with no access activity over the review window.
- Flag anonymous and Company-wide links pointing at sensitive content.
- Score each link or trend by reach, anonymity and content sensitivity.
- Aggregate findings into high-risk trend groups and a stale-link list.
- Output the audit without revoking or modifying any link.
Output format
The skill returns a sharing-link audit table, one row per high-risk link or trend.
| Scope | Link type | Last accessed | Sensitivity | Risk | Recommended action |
|---|---|---|---|---|---|
| Finance Hub | Anyone | 6 months ago | Confidential | High | Revoke and reissue as scoped |
| Sales OneDrive | Company-wide | 2 days ago | General | Medium | Confirm business need |
| Project Atlas | Specific People | 14 months ago | General | Low | Expire stale link |
Summary:
- Total links reviewed: 4,820
- Anyone links: 612
- Company-wide links: 1,344
- Stale links (no recent access): 1,907
- High risk: 188
Scope and safety
This skill is read-only by default and makes no changes to sharing links, policies or content.
This skill does NOT:
- Revoke, expire or modify any sharing link.
- Change tenant or site sharing policies.
- Alter audit log retention or configuration.
- Contact users who created or received links.
Licensing and permissions
Licences and add-ons
| Capability used | Minimum licence |
|---|---|
| SharePoint Online and OneDrive sharing-links reports | Microsoft 365 E3 or E5 |
| Sharing-link insights via Data Access Governance reports | SharePoint Advanced Management (included in E5 or as an add-on) |
| Microsoft Purview audit log activities for sharing events | Microsoft 365 E3 (E5 for extended retention) |
Least-privilege roles
- Global Reader (read-only visibility across the audit data)
- SharePoint Administrator (read) for sharing-links reports, where Global Reader is insufficient
Microsoft Graph permissions (read-only)
Sites.Read.All— reads site and sharing-link metadata across SharePoint Online and OneDriveFiles.Read.All— reads file-level sharing and sensitivity context for shared itemsAuditLog.Read.All— reads Purview audit log activities for link creation, access and resharingDirectory.Read.All— resolves user and group identities on links
Note: SharePoint Advanced Management sharing-links reports are generated in the SharePoint admin centre or via SharePoint Online PowerShell rather than Microsoft Graph; the Graph scopes above apply to the supporting sharing and audit data this skill reads.
Sources and compliance
- Sharing links reports
- Audit log activities for sharing
- Maps to Essential Eight: Restrict administrative privileges and limit unnecessary external data exposure.
- Aligns with ISM controls for access control and monitoring of data sharing.
- Reference: ASD Essential Eight Maturity Model
- Output in Australian English
Last updated on