Four options exist for auditing who has external access to your SharePoint content. Each suits a different scenario. Here is how they compare at a glance.
| Capability | Admin Center | Purview | PowerShell | ShareMaster |
|---|---|---|---|---|
| View active sharing links | No | Partial (events) | Yes (scripted) | Yes |
| View external users per site | Yes | Partial | Yes (scripted) | Yes |
| View unique item permissions | No | No | Yes (scripted) | Yes |
| Bulk-revoke links or permissions | No | No | Yes (scripted) | Yes (GUI) |
| Compliance audit trail | Limited | Yes | No | No |
| Scripting required | No | No | Yes | No |
| Export to spreadsheet | Partial | Yes | Yes | Yes |
Method 1: SharePoint Admin Center
The SharePoint Admin Center is every admin's first stop. Under Reports > Usage, the SharePoint report surfaces file sharing activity over rolling windows of 7, 30, 90, and 180 days. The Sites > Manage sites view shows each site's current external sharing setting: anyone, new and existing guests, existing guests only, or only people in your organisation. Opening a site's properties panel also shows the current list of external users for that site.
This gives you a useful first-pass summary: which sites have external sharing turned on, which have had recent sharing activity, and how many external users each site has. The gap is depth. The Admin Center cannot show you the individual sharing links that currently exist. It cannot tell you which files are shared, what each link permits, or when links expire. There is no bulk remediation surface beyond toggling external sharing off for an entire site.
- Quick site-level governance check with no setup
- Identifying which sites have external sharing enabled
- Viewing the external user list on a specific site
- No view of individual sharing links or their targets
- No bulk-revoke capability
- Activity reports cover a rolling window only, not a persistent log
Method 2: Microsoft Purview Activity Explorer
The Microsoft Purview compliance portal's Activity Explorer provides a detailed audit log of sharing events across SharePoint Online and OneDrive for Business. You can filter by activity type: SharedFile, SharedFolder, AnonymousLinkCreated, AddedToSecureLink, and others. Narrow results by user, date range, site URL, or file name. The output shows exactly who shared what, with whom, and when.
Purview is the right tool for compliance questions: "Who shared the finance folder externally last month?" or "Has anyone created anonymous links on this library in the past 90 days?" Full audit log access requires at least Microsoft 365 E3; extended retention up to one year requires E5 or the Microsoft Purview Audit add-on. The critical constraint is that Purview shows past events, not current state. A link created six months ago and then revoked will appear in the activity log but is no longer active. There is no action surface in the Purview portal to revoke a link directly.
- Compliance audits and legal investigations
- Answering historical questions about sharing activity
- Exporting structured sharing event data for reporting
- Shows past events only, not currently active links
- No direct remediation from the portal
- Full functionality requires E3 or higher licence
Method 3: PnP PowerShell
PnP PowerShell provides the most flexible and complete view of external sharing in SharePoint Online. Three cmdlets are most relevant to a sharing audit:
Get-SPOExternalUser: lists all external users who have been added to any site in the tenant, with their email address and associated sites.Get-PnPSharingLink: lists all active sharing links on a specific file or folder, including link type, permissions, and expiry date.Get-PnPListItemPermission: returns the permission levels on a list item, surfacing unique permissions that bypass inheritance.
Scoping a tenant-wide scan
Each of these cmdlets operates against a specific scope: a single file, folder, or site. Auditing sharing links across an entire tenant requires scripting a loop over all site collections, all libraries and lists within each site, and all items within each library. On a large tenant, that script runs for several hours and must handle throttling (HTTP 429 responses), pagination, checked-out files, and access-denied exceptions on sites where the running account lacks permission. The output is typically a CSV that requires further analysis.
When PowerShell is the right choice
PowerShell suits admins who need custom extraction logic: links shared only with addresses from a specific external domain, links with no expiry date set, or links where the permission level is Edit rather than View. It is also the practical option when a software approval process makes deploying a third-party tool slow or uncertain. The same script that audits can also revoke, by calling the link deletion API in the same loop.
- Custom extraction with domain, date, or permission-type filters
- Environments where scripted automation is already the admin norm
- Combined audit-and-revoke pipelines in a single script run
- Scripting required; significant complexity for full tenant scope
- Tenant-wide scans take hours on large environments
- Throttle handling, pagination, and error handling add substantial script length
Method 4: ShareMaster Shared Links and Permissions
ShareMaster's Shared Links and Permissions feature provides a GUI-based view of all sharing links and unique permissions on a SharePoint site or library. It runs as part of the Windows desktop application, connects to SharePoint Online using your Microsoft 365 credentials, and presents the results in a browsable, filterable list. No module installs, no credential management in scripts, no browser session to expire.
The operational value lies in the action surface. After reviewing the sharing links view, you can select one or more links and bulk-revoke them in a single action. The same view surfaces unique item-level permissions, which are a common source of unintended external access. Unique permissions set on individual documents or folders are invisible in the standard SharePoint library view - the Admin Center reports don't surface them, making them easy to miss in a manual review.
For governance cycles run quarterly or at project completion, a GUI tool that does not require rebuilding a PowerShell script for each cycle reduces the per-review cost substantially. Combine it with Report Master's permission matrix export for a full written record of what was found and what was removed.
- Reviewing and remediating sharing links on specific sites without scripting
- Surfacing unique item-level permissions alongside sharing links in one view
- Recurring governance reviews where rebuilding a script each cycle is impractical
- Windows desktop application only
- Scoped to one site at a time rather than a single tenant-wide run
Try ShareMaster free for 14 days
Decision Matrix: Which Method Fits Your Situation
| Your situation | Recommended approach |
|---|---|
| Quick check: which sites have external sharing turned on? | SharePoint Admin Center |
| Responding to a compliance query about past sharing events | Microsoft Purview Activity Explorer |
| Tenant-wide extract of all active links with custom domain or permission filter | PnP PowerShell |
| Reviewing and cleaning up links on specific sites without writing scripts | ShareMaster Shared Links and Permissions |
| Quarterly governance review across multiple project sites | ShareMaster Shared Links and Permissions |
| Understanding what each sharing permission level allows before you audit | See the SharePoint external sharing settings reference |
Frequently Asked Questions
What is the difference between a SharePoint sharing link and a unique permission?
A sharing link is a URL that grants access to a file, folder, or site when clicked. It can be anonymous or specific-people. A unique permission is a direct access entry on a site, library, or item where permission inheritance has been broken, giving specific users explicit access outside the normally inherited structure. Both represent external access risk but are stored differently in SharePoint and are not visible in the same Admin Center report.
How do I see all external sharing links across an entire SharePoint tenant?
The SharePoint Admin Center does not provide a single view of all active sharing links across the tenant. Microsoft Purview Activity Explorer shows sharing events from the audit log, but only past events within the retention window, not current link state. For a current view, use PnP PowerShell with Get-PnPSharingLink looped across all sites, or ShareMaster Shared Links and Permissions for a GUI-based site-level review.
Can I bulk-revoke SharePoint sharing links without PowerShell?
SharePoint Online does not include a native bulk-revoke option in the Admin Center or site settings. ShareMaster's Shared Links and Permissions feature provides bulk-revoke through a Windows GUI, letting admins select multiple links and remove them in a single action without scripting.
For a step-by-step guide to working through a sharing audit on a specific site, see how to audit SharePoint shared links.