Helping Clients Identify Insecure File Shares in Microsoft 365
Key Points
- Audit file share access regularly using the Microsoft 365 Compliance Center, SharePoint Admin Center, and OneDrive reports.
- Review tenant-level sharing settings to align with security and compliance policies.
- Use PowerShell scripts for granular insights into external users, guest accounts, and anonymous link sharing.
- Engage department owners to validate the necessity of external file sharing.
- Maintain a centralized review register to track insecure shares and document remediation actions.
- Automate monitoring and remediation, and use RMM tools whenever possible.
File share security helps eliminate permission sprawl and prevent outside threats from accessing work files. This practice is key to Microsoft 365 (M365) stability. Following a structured framework based on centralized management ensures that your permissions stay relevant and up-to-date. Audit file share access for increased accountability. This article provides a robust framework that helps clients identify and remediate insecure file shares.
Control permissions for optimized file share security
Enforcing Windows file share security blocks external threats and improves security policies. Consider your organization’s technical constraints before continuing.
📌 Prerequisites:
- Administrator access to your client’s Microsoft 365 tenant (Global Admin or SharePoint Admin)
- Working experience with the Microsoft 365 Compliance Center, SharePoint Admin Center, and PowerShell
- Defined client compliance needs (for example, ISO 27001, GDPR, HIPAA, NIS2)
- Documentation platform for storing review results (such as NinjaOne Documentation, IT Glue, SharePoint)
Step 1: Review sharing settings at the tenant level
First, ensure your share settings align with your security and compliance policies. This prevents oversharing and sets the foundation for file share security within your Microsoft 365 environment.
📌 Use Cases: Use this to set file share standards across your M365 suite.
📌 Prerequisites: Administrator credentials (Global Admin or SharePoint Admin), Windows 10/11 operating system, Microsoft 365.
- Log in at admin.microsoft.com.
- Select SharePoint from the list of admin centers on the left pane.
- Navigate to Policies > Sharing.
- Modify the following to comply with client policies:
  - Default link settings (for example, “Anyone with the link” vs. “Specific people”).
  - External sharing permissions for SharePoint and OneDrive.
  - Domain restrictions.
- Document changes to create an audit trail.
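The same settings can also be read from PowerShell and compared with the client's policy, which gives you a record for the audit trail. This is an added example, not part of the original article: it assumes a session already connected with Connect-SPOService (see Step 3), and the baseline values and the Compare-SharingBaseline helper are hypothetical.

```powershell
# Added example: compare tenant sharing settings with a client baseline.
# Assumes Connect-SPOService has already been run (see Step 3).
# Baseline values are hypothetical; replace them with the client's policy.
$baseline = [ordered]@{
    SharingCapability            = 'ExistingExternalUserSharingOnly'
    OneDriveSharingCapability    = 'ExistingExternalUserSharingOnly'
    DefaultSharingLinkType       = 'Direct'      # "Specific people"
    SharingDomainRestrictionMode = 'AllowList'   # only approved domains
}

function Compare-SharingBaseline {
    param(
        [Parameter(Mandatory)] $Tenant,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    foreach ($name in $Baseline.Keys) {
        # Enum values are compared by name, e.g. 'AnonymousAccess' vs 'Direct'.
        $actual = [string]$Tenant.$name
        [pscustomobject]@{
            Setting   = $name
            Expected  = $Baseline[$name]
            Actual    = $actual
            Compliant = ($actual -eq $Baseline[$name])
            CheckedOn = (Get-Date -Format 'yyyy-MM-dd')
        }
    }
}

$tenant = Get-SPOTenant
$result = Compare-SharingBaseline -Tenant $tenant -Baseline $baseline

# Show deviations on screen and keep the full comparison as evidence.
$result | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
$result | Export-Csv -Path 'TenantSharingBaseline.csv' -NoTypeInformation
```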
Step 2: Audit OneDrive and SharePoint shares
Next, check if any files or folders were shared with guests. Doing this will help you and your client pinpoint risky shares that violate file share security.
📌 Use Cases: Use this to view which files are externally available.
📌 Prerequisites: Administrator credentials (Global Admin or SharePoint Admin), Windows 10/11 operating system, Microsoft 365.
SharePoint
- Log in at admin.microsoft.com.
- Navigate to Settings > Site usage.
- Under Shared with external users, click Run report.
- Choose a location to export the CSV report, then click Save.
OneDrive
- Log in at admin.microsoft.com.
- Navigate to the Microsoft 365 app launcher and click the OneDrive tile.
- Navigate to Settings > OneDrive settings > More settings.
- Select Run sharing report.
- Choose a location to export the CSV report, then click Save.
Once you have the CSV files, administrators should:
- Identify external users: Look for non-corporate email domains and different IP addresses.
- Review user permissions: Flag files with full read and write access.
- Assess sensitivity: Check if business-critical files are being shared externally.
- Check the sharing method: Investigate anonymous links and tighten security.
- Spot unusual patterns: Look for instances of bulk or frequent sharing.
For more information on how reports are formatted, read Microsoft’s official documentation.
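One way to apply the checks above to an exported report, as an added example that is not part of the original article. The column names, the link-type and permission values, the contoso.com domain and the Get-ShareRisk helper are assumptions to adjust to your export; the sample rows are constructed.

```powershell
# Added example: triage rows from an exported sharing report.
# Column names and values are assumptions; match them to your export.
$corporateDomains = @('contoso.com')   # hypothetical client domain

# Constructed sample rows standing in for Import-Csv on the real report.
$rows = @'
Resource Path,Item Type,Permission,User E-mail,Link Type
Shared Documents/Budget.xlsx,File,Edit,alex@partner.example,
Shared Documents/Plan.docx,File,Read,sam@contoso.com,
Shared Documents/Payroll,Folder,Edit,,Anonymous
Shared Documents/Logo.png,File,Read,,Anonymous
'@ | ConvertFrom-Csv

function Get-ShareRisk {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Row,
        [string[]] $CorporateDomains,
        [string[]] $AnonymousLinkTypes = @('Anonymous', 'Anyone')
    )
    process {
        $reasons = @()
        $email = $Row.'User E-mail'
        if ($email) {
            # Compare the recipient's mail domain with the corporate list.
            $domain = ($email -split '@')[-1].ToLowerInvariant()
            if ($CorporateDomains -notcontains $domain) { $reasons += "external domain ($domain)" }
        }
        if ($AnonymousLinkTypes -contains $Row.'Link Type') { $reasons += 'anonymous link' }
        $canWrite = $Row.Permission -match 'Edit|Contribute|Full Control'
        if ($reasons -and $canWrite) { $reasons += 'write access' }
        if ($reasons) {   # internal-only rows produce no output
            [pscustomobject]@{
                Resource = $Row.'Resource Path'
                Risk     = if ($canWrite) { 'High' } else { 'Medium' }
                Reasons  = $reasons -join '; '
            }
        }
    }
}

$rows | Get-ShareRisk -CorporateDomains $corporateDomains |
    Sort-Object Risk | Export-Csv -Path 'ShareRiskRegister.csv' -NoTypeInformation
```

With the constructed rows, the budget file and payroll folder come out as High, the logo as Medium, and the internal share is skipped.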
Step 3: Run PowerShell scripts for granular insights
Leverage powerful cmdlets to probe for additional share details across all Microsoft 365 sites.
📌 Use Cases: Use this to uncover expired guest accounts, link-based access, and hidden users.
📌 Prerequisites: Administrator privileges, Administrator credentials (Global Admin or SharePoint Admin), Windows 10/11 operating system, Microsoft 365 subscription, SharePoint.
- Install Microsoft’s official SharePoint Online Management Shell.
  - This module allows you to manage SharePoint file share security features via PowerShell.
- Press Win + R, type PowerShell, and press Ctrl + Shift + Enter.
- Install the required module:
Install-Module -Name Microsoft.Online.SharePoint.PowerShell -Scope AllUsers
Import-Module Microsoft.Online.SharePoint.PowerShell
- To connect your tenant, run the following:
Connect-SPOService -Url https://<yourTenant>-admin.SharePoint.com
Replace <yourTenant> with your actual Microsoft 365 tenant name.
⚠️ Warning: Connect-SPOService is not a standard PowerShell cmdlet and will only work once you complete step 3.
- To list all guest users who accepted share invites, run the following:
Get-SPOExternalUser | Select DisplayName, Email, AcceptedAs
- List outside users by filtering results where IsExternal = True.
- To export file share security results, run the following:
Get-SPOExternalUser | Select DisplayName, Email, AcceptedAs | Export-Csv -Path "ExternalUsers.csv" -NoTypeInformation
- For per-site reports, run the following:
Get-SPOUser -Site https://yourtenant.SharePoint.com/sites/sitename | Where-Object {$_.IsExternal -eq $true} | Export-Csv -Path "SiteExternalUsers.csv" -NoTypeInformation
- Highlight key risk indicators in your CSV reports.
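Get-SPOExternalUser returns results in pages of at most 50 users, so a tenant-wide export has to walk the pages. The following added example (not part of the original article) does that and also marks invitations accepted with a different account than the one invited; it assumes a session already connected with Connect-SPOService, and Get-AllSPOExternalUser is a hypothetical helper name.

```powershell
# Added example: collect every external user, one page at a time.
# Assumes Connect-SPOService has already succeeded.
function Get-AllSPOExternalUser {
    param(
        [string] $SiteUrl,      # optional: limit to one site collection
        [int] $PageSize = 50    # documented maximum per call
    )
    $position = 0
    do {
        $params = @{ Position = $position; PageSize = $PageSize }
        if ($SiteUrl) { $params.SiteUrl = $SiteUrl }
        $page = @(Get-SPOExternalUser @params)   # @() keeps Count valid for 0 or 1 results
        $page
        $position += $page.Count
    } while ($page.Count -eq $PageSize)          # a short page means the end was reached
}

# Flag users whose accepting account differs from the invited address.
$mismatch = @{
    Name       = 'AccountMismatch'
    Expression = { $_.InvitedAs -and $_.AcceptedAs -and ($_.InvitedAs -ne $_.AcceptedAs) }
}

Get-AllSPOExternalUser |
    Select-Object DisplayName, Email, InvitedAs, AcceptedAs, InvitedBy, WhenCreated, $mismatch |
    Export-Csv -Path 'ExternalUsers-All.csv' -NoTypeInformation
```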
Step 4: Engage department owners in reviews
Collaborate with department heads to add context to your technical findings. Avoid friction and help validate business needs by:
- Sharing file share security reports with other supervisors.
- Confirming whether outside permissions are still required.
- Using lightweight RMM platforms to automate communications.
Step 5: Document findings in a file-sharing review register
Maintain a shared database for all insecure shares and the steps taken for remediation. Doing this enables you to track and manage external permissions and improve auditability.
Keeping a good record improves file share security and supplements QBRs and ongoing governance structures. Integrating endpoint management solutions can streamline this process significantly (especially if it includes a dedicated knowledge base).
Proactively generate client-friendly QBRs to show initiative and expertise.
Step 6: Build remediation and monitoring into ongoing governance
Lastly, put systems in place to catch file share security risks early. Involve file share security in other important workflows, and use tools like Microsoft Purview Insider Risk Management to mitigate insider risk.
For proactive monitoring, configure alerts for:
- Unusual external sharing
- Mass deletions
- Sensitive file access
Summary of best practices for Windows file share security
Follow these guidelines for a sustainable, client-friendly audit file share framework.
| Best practice | Purpose and value |
| --- | --- |
| Review tenant-level defaults | |
| Audit OneDrive/SharePoint shares | |
| Use PowerShell for visibility | |
| Engage business owners | |
| Maintain review registers | |
Automation touchpoint example
Automate file share security checks on Microsoft 365 using this process:
- Create a PowerShell script that generates reports on external shares.
- Schedule the script to run every 30 days via Windows Task Scheduler under an admin account.
- Export CSV reports to a specific folder (such as C:\Reports\ExternalShares.csv).
- Use a dedicated knowledge base (for example, NinjaOne Documentation) to organize results by client, site, or department.
- Set real-time alerts to flag any rows with high risk levels and link types set to “Anyone”.
- Automatically create a PSA ticket and attach it to the assigned IT technician or department.
- Notify relevant stakeholders and monitor file share security remediation.
- Prepare QBRs to discuss operational risks and highlight improvements.
How NinjaOne helps manage insecure file shares
Helping clients detect, manage, and document file share security risks across several work tools can strain IT resources. NinjaOne’s RMM tools simplify the process by:
- Scheduling scripts to detect external users, anonymous links, and overshared content
- Providing a repository for important documentation via NinjaOne Documentation
- Automating endpoint alerts and scheduled reporting to keep business owners aware of system health and security issues
- Streamlining QBR delivery with audit logging and reporting tools.
Crack down on permission sprawl with modern endpoint tools
Helping clients audit file share access strengthens security, improves data privacy, and builds trust. Be mindful of the permission types your users can share, and automate the hardest parts of file share audits with centralized tools that offer clear ROI and faster workflows.