top of page

🔰 The Hidden Risk of “People in Your Organization” sharing links in SharePoint, OneDrive, and Copilot [Infographic]

  • il y a 7 minutes
  • 15 min de lecture

New features are coming fast on Microsoft 365 and you have trouble following the official roadmap ?


👀 Every month, I publish a new infographic presenting a tip, a new feature on Microsoft teams / Microsoft 365 Copilot / Microsoft Loop / Microsoft 365 solutions that you can use today on your platform. Today is about new expiration link feature for "People in your organization" link.


Question disable file access in a viva engage community

In the age of Microsoft 365 Copilot, can “People in your organization” sharing links become a new data exposure risk ?

Context disable file access in a viva engage community


... Imagine this first scenario


You share a document from SharePoint or OneDrive with the link “People in my organization” because it feels safe. After all, the link does not allow external access, and only authenticated users inside your Microsoft 365 tenant can open it.


The document is used for a project, copied into a Teams conversation, forwarded in an email thread, and then forgotten ....... Months pass. Years pass. The project is closed, people change roles, new employees join the organization, but the sharing link is still active.


This is where the risk starts to become invisible. A “People in my organization” sharing link is not limited to the original recipients. Anyone inside the organization who gets the link may be able to access the file, depending on the permissions and sharing settings.


What was initially a convenient collaboration shortcut can slowly become a long-term exposure path for business data, HR documents, financial files, customer information, or internal strategy content. The danger is not always a spectacular security breach. Sometimes, it is simply an old link that should no longer exist.


... Imagine this second scenario


You deploy Microsoft 365 Copilot across your organization, expecting it to help employees find information faster and work more efficiently. Copilot does not magically bypass permissions, but it can surface and reason over content that users are already allowed to access.


If old "SharePoint sharing links" or "OneDrive sharing links" have remained active for years, they may contribute to a broader discoverability problem: users may not know they have access to certain files, but Copilot may still help them find relevant information if those files are within their permission scope. This changes the way organizations should think about link expiration and collaboration governance.


Before Copilot, an old internal sharing link might have stayed unnoticed in an email archive or a forgotten Teams chat. With AI-powered search and content discovery, the same forgotten access can become more visible, more reusable, and more impactful. That is why configuring expiration for “People in my organization” links is not just a SharePoint or OneDrive setting. It is a key part of a modern Microsoft 365 governance strategy, especially in the age of Copilot.



Solution disable file access in a viva engage community


The 2 scenarios above highlight a simple but critical issue: internal sharing links can become a long-term data exposure risk when they remain active indefinitely. Microsoft is introducing a long-awaited governance capability for “People in your organization” sharing links in SharePoint and OneDrive.


Until now, organizations could already manage expiration for some sharing scenarios, especially "Anyone links", but internal organization-wide links often remained active indefinitely unless users manually configured an expiration date. The new capability allows administrators to define expiration policies for “People in your organization” links, helping reduce stale internal access and preventing internal sharing links from living forever by default.


In the sections below, I explain how these links work, why expiration matters, and how this new capability can strengthen Microsoft 365 governance and Copilot readiness.



1. What is a sharing link in SharePoint and OneDrive ?



The table below summarizes the main Microsoft 365 sharing link types, highlighting who can access the content, the level of access control and traceability provided, and the scenarios for which each option is best suited.



Sharing link type

Who can access ?

Authentication required ?

External access possible ?

Recommended use case

Risk level

Anyone link

Anyone who has the link, including people outside the organization

❌ No

✅Yes

Public documents, event materials, low-risk content intended for broad distribution

⚠️⚠️⚠️

People in your organization link

Authenticated members of the Microsoft 365 organization

✅Yes

❌ No

Internal collaboration where content can be shared broadly within the company

⚠️⚠️

Specific people link

Only the users or groups explicitly selected by the person sharing the file or folder

✅Yes

✅Yes, if external sharing is allowed

Sensitive documents, controlled external collaboration, scenarios requiring limited and traceable access

⚠️

People with existing access link

Only people who already have access through existing permissions

Depends on existing permissions

Depends on existing permissions

Sending a convenient link without changing permissions or expanding access

⚠️



👥 How access works behind the link ?


The key difference between these sharing links is not only who can open them, but also what happens when the link is forwarded.


With an Anyone link, the link can be forwarded to another person, and that person can use it as long as the link is still valid and has not been revoked or expired.


With a People in your organization link, the link can also be forwarded, but only users who are authenticated members of the organization can use it. This means an employee could share the link with another colleague, and that colleague may be able to access the content if the link is still active. This is why this link type should not be confused with “specific internal recipients”; it is broader than that.


With a Specific people link, forwarding the link does not automatically give access to new people. If someone receives the forwarded link but was not included in the original sharing scope, they will not be able to open the file unless they already have access through another permission path. This makes Specific people links much more appropriate when organizations need tighter control over internal or external sharing.


With a People with existing access link, forwarding the link also does not grant any new permission. The link can technically be sent to anyone, but only users who already have access to the content will be able to open it. This makes it the safest option when the goal is simply to reference a file, not to expand its audience.



2. Why link expiration has become essential ? 



Link expiration is no longer just a “nice-to-have” setting in SharePoint and OneDrive. It has become a critical part of Microsoft 365 governance because collaboration does not stop being risky when a file is shared internally. Here are 4 risks if you do not set up expiration.


💢 The first risk is "forgotten access"


In many organizations, users share documents for a meeting, a temporary review, a budget discussion, or a short project phase.


Once the collaboration is over, nobody goes back to clean up the link. The document may no longer be actively used, but the sharing link still exists. Over time, these old links create a hidden access layer that is difficult for users and administrators to see, especially when files are stored across many SharePoint sites, Teams-connected sites, and OneDrive accounts.


This is exactly the kind of stale access that link expiration helps reduce by making access time-bound by default.


💢 The second risk is "people changing roles or leaving"


Even if former employees lose access when their accounts are disabled or removed, the broader issue remains : access originally granted for one business context may continue to be available to people who no longer need it.


A user may move from Finance to Sales, from HR to Operations, or from a project team to another business unit, while old internal sharing links remain valid.


Without expiration, SharePoint and OneDrive links can outlive the business reason that justified them in the first place.


💢 The third risk is "contractors, vendors and temporary contributors"


Even when “People in your organization” links do not work for guests, some organizations still have internal accounts for external workers, consultants, subsidiaries, or long-term service providers.


From a technical perspective, these users may be members of the tenant, but from a governance perspective, their access should often be limited in time and scope.


If internal sharing links never expire, a contractor who was involved in a short-term assignment may retain access to documents long after the engagement is over, simply because the link was never reviewed or revoked.


💢 The fourth risk is "projects are completed"


Project workspaces are often created quickly, content is shared broadly, and collaboration intensity is high. But when the project closes, access cleanup is rarely as disciplined as project delivery.


Documents remain in SharePoint, links remain in Teams conversations, and OneDrive files shared during the project may continue to be reachable.


Link expiration introduces a natural lifecycle control : access does not need to last forever just because the document still exists.


In short, link expiration helps organizations move from a model of permanent convenience to a model of controlled collaboration. It does not prevent users from sharing. It does not replace permissions reviews, sensitivity labels, data loss prevention, or access governance. But it adds a simple and powerful safeguard : if access was meant to support a temporary business need, the sharing link should be temporary too.



3. How link expiration works in Sharepoint and OneDrive ?


Link expiration in SharePoint and OneDrive can work in two different ways :


Manually, when the user chooses an expiration date while creating or managing a sharing link


Administratively, when the Microsoft 365 administrator defines a maximum lifetime for links.


Both approaches are important. Microsoft now supports administrator policies for “People in your organization” sharing links, allowing organizations to reduce the risk of internal links remaining active indefinitely.


*️⃣User-Defined Manuel Expiration


With manual expiration, the user sharing a file or folder can choose an expiration date for the sharing link. In practice, this is done from the SharePoint or OneDrive sharing experience : the user selects the file, opens the "Share" or "Copy link" dialog, chooses the appropriate link type, opens the link settings, and sets an expiration date before sending or copying the link.


Later, the file owner can also go to Manage access, review existing links, update the link expiration date, remove the expiration date if allowed, or delete the sharing link entirely.


This approach is simple and user-friendly, but it has an obvious limitation: it relies on users making the right decision every time they share content. Manual expiration is therefore useful, but it should not be considered a complete governance strategy for SharePoint sharing links or OneDrive sharing links.


*️⃣Admin-Enforced Expiration


Admin-enforced expiration is different. Instead of hoping that users manually set an expiration date, the administrator defines the maximum lifetime for “People in your organization” links.


With this model, the organization can make sure that internal sharing links do not stay active forever.


For SharePoint and OneDrive administrators, the key point is that this policy can be configured separately for SharePoint and OneDrive. The SharePoint Online PowerShell cmdlet "Set-SPOTenant" includes parameters such as :


  • `CoreOrganizationSharingLinkMaxExpirationInDays`,

  • `OneDriveOrganizationSharingLinkMaxExpirationInDays`,

  • `CoreOrganizationSharingLinkRecommendedExpirationInDays`,

  • `OneDriveOrganizationSharingLinkRecommendedExpirationInDays`.


The new policy introduces two important concepts : a "recommended expiration value" and a "maximum expiration value".


🏷️ A --- Recommended Value


The recommended value is the default suggestion presented to users when they create a "People in your organization" link. It guides users toward the organization’s preferred sharing behavior without necessarily being the strictest possible limit.


It can generally be configured starting from 7 days. This value is used as the default suggestion when a user creates a“People in your organization” link. And the maximum limit for the recommended expiration value is 720 days. It must be lower than or equal to the maximum expiration value configured for the same SharePoint or OneDrive scope.


Yes, a user can go beyond the recommended expiration value ...

It is a recommended value, displayed by default to guide the user. The user can choose a longer duration, as long as it does not exceed the maximum expiration value.


Example :


Set-SPOTenant

  -CoreOrganizationSharingLinkRecommendedExpirationInDays 30

  -CoreOrganizationSharingLinkMaxExpirationInDays 90


👉 In this case, the user can create a link for 45 days, 60 days, or 90 days, but not beyond 90 days.


 Yes, an admin can prevent users from going beyond the recommended expiration value ...


Example :

Set-SPOTenant

-CoreOrganizationSharingLinkRecommendedExpirationInDays 30

-CoreOrganizationSharingLinkMaxExpirationInDays 30


👉 In this case, the recommended value is 30 days, and the maximum limit is also 30 days. As a result, the user cannot choose a longer duration.


🏷️ B --- Maximum Value


The maximum value is different. It acts as the hard limit that users cannot exceed when creating a sharing link and the maximum limit is 720 days. This distinction is very useful from a governance perspective: the recommended value drives good habits, while the maximum value enforces the organization’s security boundary.


No. A user can not go beyond the maximum expiration value.

It is the hard limit.


 Yes, an admin can block an user from going beyond the maximum expiration value

This is exactly the purpose of the maximum expiration value. The administrator does not need another blocking mechanism: the maximum value itself acts as the technical boundary that prevents users from setting a longer expiration period.


Example :

Set-SPOTenant

-CoreOrganizationSharingLinkRecommendedExpirationInDays 30

-CoreOrganizationSharingLinkMaxExpirationInDays 90


👉In this case, the user will likely see 30 days as the suggested value. the user can choose a longer duration but the user cannot exceed 90 days.


4. What impact on Copilot and Data Security ?



The security impact of “People in your organization” sharing links becomes much more visible with Microsoft 365 Copilot and agents. The issue is not that Copilot bypasses permissions. The real risk is different : if a user has access to content because an old internal sharing link was created, redeemed, or left active, Copilot and agents may treat that access as legitimate.



💢 🤖 Risks with Microsoft 365 Copilot Chat


With Microsoft 365 Copilot Chat, the main risk is accidental discoverability. Copilot Chat can reason over work data for licensed Microsoft 365 Copilot users, and Microsoft’s architecture makes clear that access is scoped to what the signed-in user is already authorized to access.

That means overshared SharePoint and OneDrive content does not become a Copilot problem because AI is breaking security; it becomes a Copilot problem because the existing permissions are already too broad.


Example scenario : a Finance manager shares a “People in your organization” link to a draft budget file during an internal review. The link is later copied into a Teams chat and forwarded to several colleagues. The project ends, but the link remains active for years.


Later, an employee using Microsoft 365 Copilot Chat asks :“Summarize what we know about next year’s budget assumptions.”


If that employee has access to the document through the old internal sharing link, Copilot may be able to include that file in its reasoning.



💢 🤖 Risks with Agent Builder (Copilot Studio Lite Agents)


The risk becomes broader when users start creating agents with Agent Builder or the lightweight Copilot Studio experience. Microsoft explains that Copilot Chat users can build agents from the Microsoft 365 Copilot chat experience, and that agents accessing shared tenant data such as SharePoint or Graph connector content are subject to metered consumption. These agents can be grounded in organizational knowledge, which makes permission hygiene even more important.


Example scenario : a business user creates a simple internal “Project Assistant” agent with Agent Builder. The agent is designed to answer questions about project documentation stored in SharePoint.


The creator selects a project folder that contains several files shared through old “People in your organization” links. Some of those files include internal risk assessments and supplier negotiation notes.


If old internal links gave too many people access, the agent can amplify that exposure by making the information easier to retrieve and summarize.



💢 🤖 Risks with Sharepoint Agents


SharePoint agents introduce another important scenario because they are created directly from SharePoint content and are designed to help users ask questions about sites, pages, libraries, files, and folders. Microsoft states that agents in SharePoint access organizational data in the same way Copilot in Microsoft 365 apps does: they respond based on the user’s permissions to the underlying data.


Example scenario : a department creates a SharePoint agent for an internal knowledge site. The site contains general procedures, templates, and onboarding documents. However, one folder also contains old project documents that were shared years ago using “People in your organization” links. A site member creates an agent over the library without realizing that some content is too broadly accessible.


An employee then asks the SharePoint agent :“What lessons did we learn from the supplier escalation project?”


If they have access to those old files, the agent may use them to generate an answer, even though the project documents were never intended to become part of a broad knowledge assistant.



💢 🤖 Risks with Copilot Studio Full Agents


With Copilot Studio Full, the risk can become more complex because agents can be connected to multiple knowledge sources, including SharePoint, Copilot connectors, Power Platform capabilities, and business workflows. Microsoft Copilot Studio supports SharePoint as a knowledge source, and when generative answers use SharePoint, calls are made on behalf of the user chatting with the agent, depending on the authentication configuration.


Example scenario : an IT team builds a Copilot Studio Full agent for “Employee Support.” The agent is connected to SharePoint HR policies, IT procedures, and internal knowledge articles. During testing, the agent works well. But one of the SharePoint sources includes legacy OneDrive files or project folders shared with “People in your organization” links. Some documents contain internal restructuring notes, draft policies, or sensitive operational information.


The agent does not ignore permissions, but for users who already have access through old internal links, it may retrieve and summarize information that was never meant to be surfaced through a company-wide support assistant.



5. How to audit "People in your organization" sharing links ?


Auditing existing “People in your organization” links should start with SharePoint Advanced Management, through Data access governance reports in the SharePoint admin center. These reports are designed to help administrators identify potentially overshared SharePoint and OneDrive content, assess exposure, and apply the right governance or compliance actions.


The most relevant report is the "Sharing links activity report", which identifies SharePoint sites where users have created the highest number of sharing links, including“People in the organization” links.


Once risky sites have been identified, Site access reviews in SharePoint Advanced Management provide a structured way to remediate exposure : administrators can delegate the review to the people who understand the site best: the site owners. The process is straightforward : the site owner receives an email focused on the specific oversharing issue, reviews the access situation, takes the necessary actions, and completes the review. Microsoft supports site access reviews for sharing link reports.



For organizations preparing for Microsoft 365 Copilot and agents, this should become a recurring governance habit. Run baseline reports to identify broad exposure, use sharing link reports to monitor new internal link creation, initiate site access reviews for high-risk sites, and then enforce expiration policies for People in your organization links going forward. This creates a complete lifecycle : detect existing oversharing, involve owners in remediation, and prevent new internal links from remaining active indefinitely.





With the rollout of “People in your organization” expiration links, some organizations may have futher questions. I’ve selected for you the most frequently asked (FAQ) questions that could arise for both end-users and administrators.



📂 What is a "People in your organization" sharing link ?

A “People in your organization” sharing link is a SharePoint or OneDrive link that can be used only by authenticated members of your Microsoft 365 tenant. It does not work for guests or external users, but it can be forwarded internally and used by another member of the organization if they receive and redeem the link.


📂 Can "People in your organization" links be forwarded ?

Yes. Microsoft describes these links as transferable inside the organization. If another authenticated member receives the link, they may be able to use it, depending on the sharing settings and whether the link is still valid.


📂 Do "People in your organization" links work for guests ?

No.These links work only for members of the Microsoft 365 organization. They do not work for guests or users outside the tenant.


📂 Is Does the new expiration policy apply to both Sharepoint and OneDrive ?

Yes. The new expiration policy applies to SharePoint and OneDrive, and administrators can configure expiration values separately for SharePoint sites and OneDrive accounts.


📂 Can users choose a shorter expiration period than the admin value ?

Yes. Users can generally choose a shorter expiration period than the maximum policy allows, but they cannot exceed the administrator-defined maximum expiration period.


📂 Can users bypass the maximum expiration period ?

No. The maximum expiration value is designed as an enforced ceiling. If the administrator sets a maximum of 90 days, users should not be able to create a link valid for longer than 90 days.


📂 What is the minimum expiration value for "People in your organization" links" ?

The minimum value is 7 days for “People in your organization” link expiration policies.


📂 What is the maximum expiration value for "People in your organization" links" ?

The maximum value is 720 days for “People in your organization” link expiration policies.


📂 Does the policy apply to existing "People in your organization" links ?

Not fully retroactively. Microsoft states that only links created after the policy is applied automatically expire based on the configured timeframe. Organizations should combine expiration policies with auditing and cleanup. SharePoint Advanced Management Data access governance reports can identify sites with high sharing activity, and site access reviews can delegate remediation to site owners.


📂 What happens when a "People in your organization" link expires ?

When the link expires, that specific sharing link can no longer be used to access the file or folder. The content itself is not deleted, and users may still access it through other permissions such as site membership, direct access, or another active sharing link.


📂 Can a user create a new link after the old one expires ?

Yes, if the user still has permission to share the file or folder. Link expiration controls the lifetime of a specific link; it does not necessarily prevent future sharing.


📂 Can admins configure exceptions for specific Sharepoint sites ?

Yes. Site-level overrides can be configured for specific SharePoint sites when a different expiration policy is required, for example for sensitive HR, Finance, Legal, or executive workspaces.


📂 Why does link expiration matter for Microsoft 365 Copilot ?

Copilot and agents respect existing permissions, sharing settings, and policies. If old internal links have created unnecessary access, Copilot may make that access easier to discover, summarize, and reuse.


📂 When should organizations avoid "People in your organization" links ?

Organizations should avoid them for sensitive, regulated, confidential, or limited-audience content such as HR files, financial reports, legal documents, executive materials, customer data, security documentation. In these cases, Specific people links are usually more appropriate because they are limited to named recipients.


📂 What is the best governance approach for internal link expiration ?

The best approach is to combine several layers: define tenant-wide expiration policies, configure stricter site-level exceptions for sensitive sites, audit existing sharing links, run site access reviews, educate users, and align link expiration with Copilot readiness. SharePoint Advanced Management is designed to help prevent oversharing, manage content sprawl, and improve readiness for Copilot and agents.




Microsoft Teams Personal meeting template

If you liked this tip and infographic on Sharepoint Governance and think it will be useful to others as well, feel free to share it.




Commentaires


Les commentaires sur ce post ne sont plus acceptés. Contactez le propriétaire pour plus d'informations.
Footer.png
Footer.png
Ko-fi_logo_bluebg.png
SUPPORT ME ... thanks 
bottom of page