---
name: External Sharing Deep Audit
description: Inventory every externally shared item across SharePoint, OneDrive, and Teams, ranked by recipient risk, aligned to ASD Essential Eight Control 5.
---

# External Sharing Deep Audit

> **TL;DR:** This skill inventories every externally shared item across SharePoint Online, OneDrive, and Teams, attributes each share to a recipient domain, and ranks the findings by external recipient risk so data stewards can revoke stale or unsafe shares.

## What does the external sharing deep audit do?

The audit inventories every externally shared item across SharePoint Online, OneDrive, and Teams, reading sharing links and direct permissions through Microsoft Graph. It attributes each share to a recipient domain, captures share type, expiry, and last access date, and ranks results by external recipient risk so the data steward can revoke stale or unsafe shares. External exposure is one of the biggest blind spots for Microsoft 365 Copilot readiness: content reachable by external principals can widen the effective grounding surface, so closing stale and unapproved shares keeps Copilot answers least-privilege and trustworthy. Cross-reference findings with Microsoft Purview sensitivity labels to prioritise revocation of classified content.

## When should you run this skill?

- "Audit external sharing across the tenant"
- "Find externally shared SharePoint content"
- "Surface stale external shares"
- "Build an external recipient register for our review board"

## How this skill works, step by step

1. Enumerate all sharing links and direct permissions where the principal is external.
2. For each shared item capture: item path, share type (Anyone, Specific people, Existing access), recipient identity, recipient domain, expiry, last access date.
3. Group recipients by domain.
4. Cross-reference domains against the approved external partner list.
5. Flag stale shares (no access in last 90 days).
6. Flag Anyone links regardless of recency.
7. Compute risk: High (Anyone or unapproved domain), Medium (approved domain, stale), Low (approved domain, recent).
8. Produce the table below.
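The ranking in steps 2 to 7, worked through in code. This is an added example, not part of the skill itself: it takes the trimmed JSON shape that `GET /drives/{drive-id}/items/{item-id}/permissions` returns (`link.scope`, `grantedToV2`, `grantedToIdentitiesV2`, `expirationDateTime`) for a constructed set of two items, attributes each share to a recipient domain, applies the 90-day staleness rule and the High/Medium/Low scoring, and renders the output table and summary. The tenant domains, the approved partner list and the per-permission last-access timestamps are hypothetical; last access is assumed to come from the sharing audit logs rather than the permission resource. Internal-only (`organization`) links and internal recipients are skipped, since they are not external shares.

```python
"""Rank external shares from Microsoft Graph permission resources (added example)."""
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)
AUDIT_DATE = datetime(2025, 12, 15, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible

# Hypothetical tenant data: in the real audit these come from the tenant's verified
# domains and the approved external partner register.
TENANT_DOMAINS = {"contoso.example"}
APPROVED_DOMAINS = {"partner.example"}

# Constructed sample: each record pairs an item path with trimmed permission objects
# (GET /drives/{drive-id}/items/{item-id}/permissions) and a last-access time per
# permission id, assumed to be taken from sharing audit logs.
SAMPLE_ITEMS = [
    {
        "path": "/sites/Finance/Shared Documents/FY25-Budget.xlsx",
        "permissions": [
            {"id": "p1", "roles": ["read"], "link": {"scope": "anonymous", "type": "view"}},
            {"id": "p2", "roles": ["write"], "link": {"scope": "users", "type": "edit"},
             "grantedToIdentitiesV2": [{"user": {"email": "alice@partner.example"}}],
             "expirationDateTime": "2026-01-31T00:00:00Z"},
        ],
        "last_access": {"p1": "2025-06-01T00:00:00Z", "p2": "2025-12-01T00:00:00Z"},
    },
    {
        "path": "/personal/bob_contoso_example/Documents/customer-list.csv",
        "permissions": [
            # Direct permissions (no `link`): one guest, one internal user
            {"id": "p3", "roles": ["read"],
             "grantedToV2": {"user": {"email": "carol@unknown-vendor.example"}}},
            {"id": "p4", "roles": ["read"],
             "grantedToV2": {"user": {"email": "dave@contoso.example"}}},
            # Existing-access link to an approved partner, unused for months
            {"id": "p5", "roles": ["read"], "link": {"scope": "existingAccess", "type": "view"},
             "grantedToIdentitiesV2": [{"user": {"email": "erin@partner.example"}}]},
        ],
        "last_access": {"p3": "2025-12-10T00:00:00Z", "p5": "2025-03-01T00:00:00Z"},
    },
]

SHARE_TYPES = {"anonymous": "Anyone", "users": "Specific people",
               "existingAccess": "Existing access", "organization": "Organisation"}
COLUMNS = ["Item", "Share Type", "Recipient Domain", "Recipient",
           "Expiry", "Last Access", "Risk", "Action"]


def share_type(perm):
    """Map a permission to the share type names used in the output table."""
    link = perm.get("link")
    return SHARE_TYPES.get(link["scope"], link["scope"]) if link else "Direct"


def recipients(perm):
    """Collect recipient e-mail addresses from grantedToV2 / grantedToIdentitiesV2."""
    ids = list(perm.get("grantedToIdentitiesV2", []))
    if "grantedToV2" in perm:
        ids.append(perm["grantedToV2"])
    return [i["user"]["email"].lower() for i in ids if "email" in i.get("user", {})]


def domain_of(email):
    return email.rsplit("@", 1)[-1]


def parse_ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def risk_for(stype, domain, stale):
    """Step 7: High (Anyone or unapproved domain), Medium (approved, stale), Low (approved, recent)."""
    if stype == "Anyone" or domain not in APPROVED_DOMAINS:
        return "High"
    return "Medium" if stale else "Low"


def audit(items, now):
    """Steps 2 to 7: one row per external recipient of each share, ranked by risk."""
    rows = []
    for item in items:
        for perm in item["permissions"]:
            stype = share_type(perm)
            if stype == "Organisation":
                continue  # internal-only link, never an external share
            last = parse_ts(item.get("last_access", {}).get(perm["id"]))
            stale = last is None or now - last > STALE_AFTER  # never accessed counts as stale (assumption)
            externals = [r for r in recipients(perm) if domain_of(r) not in TENANT_DOMAINS]
            if stype == "Anyone":
                externals = ["-"]  # no named principal; the link itself is the exposure
            for rcpt in externals:
                domain = "-" if rcpt == "-" else domain_of(rcpt)
                risk = risk_for(stype, domain, stale)
                rows.append({"Item": item["path"], "Share Type": stype,
                             "Recipient Domain": domain, "Recipient": rcpt,
                             "Expiry": perm.get("expirationDateTime") or "none",
                             "Last Access": last.date().isoformat() if last else "never",
                             "Risk": risk, "Action": "Retain" if risk == "Low" else "Revoke"})
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows.sort(key=lambda r: (order[r["Risk"]], r["Item"]))
    return rows


def summary(rows):
    named = {r["Recipient"] for r in rows if r["Recipient"] != "-"}
    return {"Externally shared items": len({r["Item"] for r in rows}),
            "Distinct external recipients": len(named),
            "Domains outside the approved list": len({domain_of(r) for r in named} - APPROVED_DOMAINS),
            "Anyone links": sum(r["Share Type"] == "Anyone" for r in rows),
            "Recommended revocations": sum(r["Action"] == "Revoke" for r in rows)}


def render(rows):
    lines = ["| " + " | ".join(COLUMNS) + " |", "| " + " | ".join("---" for _ in COLUMNS) + " |"]
    return "\n".join(lines + ["| " + " | ".join(str(r[c]) for c in COLUMNS) + " |" for r in rows])


def run_sample():
    rows = audit(SAMPLE_ITEMS, AUDIT_DATE)
    return rows, summary(rows)


if __name__ == "__main__":
    found, totals = run_sample()
    print(render(found))
    for label, count in totals.items():
        print(f"- {label}: {count}")
```

On the sample, the direct share to the unapproved vendor and the Anyone link rank High, the unused existing-access link to the approved partner ranks Medium, and the recently used partner link ranks Low; the internal recipient on the OneDrive file produces no row. Anyone links are scored High whether or not they have been used, matching step 6, and a permission with no recorded access is treated as stale so that a missing audit-log entry never hides a share.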

## Output format

| Item | Share Type | Recipient Domain | Recipient | Expiry | Last Access | Risk | Action |
| --- | --- | --- | --- | --- | --- | --- | --- |

Followed by a summary:

- Externally shared items: N
- Distinct external recipients: N
- Domains outside the approved list: N
- Anyone links: N
- Recommended revocations: N

## Scope and safety

This skill is read-only by default and takes no destructive actions. It does NOT:

- Revoke shares or modify links
- Email external recipients
- Inspect file contents

## Licensing and permissions

### Licences and add-ons

| Capability used | Minimum licence |
| --- | --- |
| Read sharing links and external permissions across SharePoint, OneDrive, and Teams via Microsoft Graph | Microsoft 365 E3 or E5 |
| Data Access Governance reports for oversharing and Anyone-link insights | SharePoint Advanced Management |

### Least-privilege roles

- Global Reader (read-only tenant-wide visibility)
- SharePoint Administrator (read) where Data Access Governance reports are reviewed

### Microsoft Graph permissions (read-only)

- `Sites.Read.All` — read site collections and their sharing permissions
- `Files.Read.All` — read drive items and sharing links across SharePoint and OneDrive
- `Group.Read.All` — resolve Teams and Microsoft 365 group membership behind shares
- `Directory.Read.All` — resolve recipient identities and external (guest) principals

## Sources and compliance

- Supports E8 ML2 evidence for Control 5 and the data-repository portion of the IRAP evidence trail
- Pair with Broken Permission Inheritance Audit for a complete external-exposure picture
- Run monthly as part of the sharing governance cadence
- [External sharing overview for SharePoint and OneDrive](https://learn.microsoft.com/en-us/sharepoint/external-sharing-overview)
- Output in Australian English
