Laura manages Microsoft 365 for Meridian Advisory Group, a management consulting firm with 90 staff across three offices. Every client engagement gets its own SharePoint team site: a place for deliverables, working papers, and documents exchanged between Meridian and the client during the project. The model works well while an engagement is active. Six years in, nobody had ever gone back to clean up the sites from projects that had ended.
By the time Laura ran her first external sharing report, Meridian had 63 SharePoint sites on the tenant. Forty-seven of them were for closed projects. All 47 still had external users.
What a permission export revealed
Laura connected ShareMaster to the Meridian tenant and ran a permission export using Report Master. The results came back in an Excel workbook listing every external user, the sites they could access, and their last recorded access date across the tenant.
The numbers were sobering. Across those 47 closed-project sites, Meridian had 214 active external user accounts. Breaking them down:
- 61 accounts had not accessed any Meridian resource in over 12 months.
- 38 accounts belonged to email addresses at companies that had since rebranded, merged, or closed, meaning the original contact was likely unreachable through that address.
- 22 accounts held site owner or member permissions (not just visitor access) on sites where the project had formally concluded.
- The remaining accounts were former contractors and project staff whose engagement had ended without a corresponding permissions review.
Beyond user accounts, the export surfaced 340 active sharing links across those 47 sites. Many had been created during project delivery and never revoked after handover. Eleven sites had anonymous sharing links still active, meaning anyone with the URL could access that content.
"I knew we had some leftover access from old projects. I didn't know it was this many accounts, across this many sites, some of them with member-level permissions on deliverable libraries that contained commercially sensitive client information." Laura, IT Manager, Meridian Advisory Group
Deciding what to keep and what to remove
Not everything needed to go. A handful of the closed-project sites were actively referenced by the same clients for follow-on engagements, so their external access had to stay. Laura exported the full site list from the admin center and spent an afternoon with the firm's engagement leads, marking each closed-project site as one of three categories: archive (no ongoing relationship), keep external access (active follow-on work), or clean up access but preserve the site for internal reference.
Twelve sites stayed as-is because of active follow-on activity. The remaining 35 were candidates for a full external access removal. For those sites, the plan was clear: remove all external users, revoke all sharing links, leave the content in place for internal staff who might need to reference prior work.
This categorisation took about two hours. The cleanup itself would have taken far longer without the right tooling.
Removing external access and shared links at scale
Done through the native SharePoint interface, revoking external access across 35 sites would mean navigating to each site's permissions page, finding each guest account, removing it individually, then checking every document and folder for sharing links created at the file level. Laura estimated four to six hours per site at that pace. Thirty-five sites would have been months of work spread across weekends.
Instead, she used ShareMaster's Shared Links and Permissions tool. Working through the 35 sites in batches, she selected groups of external users for bulk removal and revoked sharing links across libraries in a single operation per site. The tool processes multiple targets at once rather than one by one. The cleanup that would have consumed weeks ran in a single afternoon.
Laura cleared the anonymous links first - those were the highest-risk exposure: content reachable by anyone who had ever received a link, without authentication. All gone within the first hour.
See what Report Master exportsBefore and after: the numbers
| Metric | Before cleanup | After cleanup |
|---|---|---|
| External user accounts across closed-project sites | 214 | 41 (retained for active follow-on engagements) |
| Active sharing links across closed-project sites | 340 | 29 (retained for active follow-on engagements) |
| Anonymous (open) sharing links | 34 | 0 |
| Sites with external accounts at owner or member level | 22 | 4 (active follow-on, all at visitor level) |
| Time to complete the cleanup | N/A | One afternoon (approximately 4 hours) |
Building a process to prevent recurrence
The cleanup cleared the six-year backlog. The question was how to stop the same situation from accumulating again. Meridian settled on two simple changes.
First, project closure now includes a SharePoint step. When an engagement is marked complete in Meridian's project management tool, a reminder goes to Laura to revoke site-level external access within five business days. This catches the majority of external access at the natural moment when the relationship formally ends.
Second, a quarterly Report Master export runs as a scheduled check. File-level sharing links are often created ad hoc during a project and survive even after site-level external users are removed. The quarterly export catches anything that slipped through the project closure process. It runs in under ten minutes and outputs a spreadsheet Laura can review over a coffee.
For a step-by-step walkthrough of setting up a shared links audit, see the guide to auditing SharePoint shared links.
Note: This approach works for project-based consulting with defined engagement start and end dates. For ongoing managed-service relationships - where clients access shared documentation continuously - there is no natural project-close moment, so a scheduled periodic audit is a better fit than a project-closure trigger.
Frequently Asked Questions
How do I find all external users across multiple SharePoint sites at once?
Report Master generates an external user report across all connected site collections in a single Excel export. It shows each guest account, the sites they can access, and their last access date, without requiring PowerShell or Purview compliance access. That single export gave Meridian the full picture of 214 accounts across 47 sites in one run.
Can I remove all sharing links from a SharePoint site without editing each file individually?
Yes. ShareMaster's Shared Links and Permissions tool lists all active sharing links across a site or library and lets you bulk-revoke selected links in a single operation. Navigating to each file's sharing settings in the SharePoint interface is not required.
How often should a consulting firm audit SharePoint external access?
Quarterly is a practical cadence. The project closure process handles immediate removal of site-level access. A quarterly audit catches file-level sharing links created during a project that survive site-level cleanups. Together, the two steps keep external access close to what is actually needed at any given time.