How Better Audit Settings and PowerShell Reporting Catch Risky SharePoint and OneDrive Links Before They Become Disasters
Season 1
Published 8 months, 2 weeks ago
Description
Stop Blind External Sharing in Microsoft 365
You can spend years hardening identities, tweaking conditional access, and locking down SharePoint—and still lose critical data because of one blind external share that nobody saw coming. A single folder link from a busy project owner, a guest invited “just for a week,” or a forwarded OneDrive link to a personal mailbox can quietly punch a hole through all your carefully designed controls. In this episode, you learn how to stop blind external sharing in Microsoft 365 by combining the right audit settings, scripts, and alerts so you finally see what is leaving your tenant before it becomes a disaster.
We start with the most dangerous feeling in security: false confidence. Many admins check the audit box in the compliance portal, skim a few logs, and assume “we’re covered” for SharePoint and OneDrive. Months later, when finance, HR, or legal ask for a full story of who accessed a sensitive folder via guest links, everyone discovers the same painful truth—key sharing events were never logged, anonymous link usage is barely visible, and the retention window quietly ate the evidence. You will hear how default settings, incomplete audit policies, and short retention quietly turn your environment into a place where you only see clean stories, never the near misses.
From there, we dig into how to fix the foundations before you even think about fancy dashboards. You will learn which advanced auditing switches to flip for SharePoint and OneDrive, how to make sure external and anonymous link usage is actually recorded, and why extending retention is not a nice-to-have but a survival requirement for real investigations. We show how, with the right configuration, your logs move from Swiss-cheese gaps to a complete trail of who shared what, when, and with which external identities.
Then we turn to the second half of the problem: noise. Once logging works, the firehose starts—thousands of events, most of them benign internal collaboration. You will hear why generic export scripts are not enough and what a good PowerShell-based reporting and alerting layer needs to do differently: enrich events with sensitivity, flag non-corporate domains, separate partner traffic from true risk, and surface only the handful of shares and domains that warrant human attention.
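A minimal triage pass of the kind this paragraph describes, as an added example that is not taken from the episode: it enriches sharing records with a site sensitivity, resolves the recipient's real domain (including guest `#EXT#` UPNs), and separates partner traffic from true risk. The domain lists, the sensitivity map, the sample records and the function name `Get-ShareFinding` are all assumptions made for illustration.

```powershell
# Assumed tenant configuration (hypothetical values, replace with your own).
$CorporateDomains = @('contoso.example')
$PartnerDomains   = @('fabrikam.example')
$SiteSensitivity  = @{ 'https://contoso.example/sites/finance' = 'Confidential' }

# Constructed sample records, shaped like the AuditData JSON returned by Search-UnifiedAuditLog.
$records = @'
[
 {"CreationTime":"2024-05-02T09:14:00","Operation":"SharingInvitationCreated","UserId":"alice@contoso.example","SiteUrl":"https://contoso.example/sites/finance","TargetUserOrGroupName":"bob@mail.example"},
 {"CreationTime":"2024-05-02T09:20:00","Operation":"AddedToSecureLink","UserId":"carol@contoso.example","SiteUrl":"https://contoso.example/sites/projects","TargetUserOrGroupName":"dan_fabrikam.example#EXT#@contoso.onmicrosoft.com"},
 {"CreationTime":"2024-05-02T10:02:00","Operation":"AnonymousLinkCreated","UserId":"erin@contoso.example","SiteUrl":"https://contoso.example/sites/projects"},
 {"CreationTime":"2024-05-02T10:30:00","Operation":"AddedToSecureLink","UserId":"alice@contoso.example","SiteUrl":"https://contoso.example/sites/finance","TargetUserOrGroupName":"frank@contoso.example"}
]
'@ | ConvertFrom-Json

function Get-ShareFinding {
    param([Parameter(Mandatory)] $Record)
    $target = [string]$Record.TargetUserOrGroupName
    # Guest UPNs look like user_domain#EXT#@tenant, so recover the home domain before the plain match.
    $domain = $null
    if ($target -match '_(?<d>[^_#]+)#ext#@') { $domain = $Matches['d'] }
    elseif ($target -match '@(?<d>[^@\s]+)$') { $domain = $Matches['d'] }
    # Classify the recipient: anonymous links have no recipient at all.
    if ($Record.Operation -like 'AnonymousLink*') { $class = 'Anonymous' }
    elseif (-not $domain) { $class = 'Unresolved' }
    elseif ($CorporateDomains -contains $domain) { $class = 'Internal' }
    elseif ($PartnerDomains -contains $domain) { $class = 'Partner' }
    else { $class = 'External' }
    $sensitivity = $SiteSensitivity[[string]$Record.SiteUrl]
    if (-not $sensitivity) { $sensitivity = 'General' }
    $action = switch ($class) {
        'Internal' { 'Ignore' }
        'Partner'  { if ($sensitivity -eq 'Confidential') { 'Review' } else { 'Log' } }
        default    { if ($sensitivity -eq 'Confidential') { 'Alert' } else { 'Review' } }
    }
    [pscustomobject]@{
        Time = $Record.CreationTime; Actor = $Record.UserId; Operation = $Record.Operation
        Site = $Record.SiteUrl; TargetDomain = $domain; Class = $class
        Sensitivity = $sensitivity; Action = $action
    }
}

$rank = @{ Alert = 0; Review = 1; Log = 2 }
$findings = foreach ($r in $records) { Get-ShareFinding -Record $r }
$findings | Where-Object { $_.Action -ne 'Ignore' } |
    Sort-Object { $rank[$_.Action] } |
    Format-Table Time, Actor, Class, TargetDomain, Sensitivity, Action -AutoSize
```

On the sample data the external share from the finance site surfaces as an alert, the anonymous link as a review item, the partner guest as a log entry, and the internal share is dropped.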
By the end of this episode, you will have a clear path from “we hope nothing bad is being shared” to “we know exactly which external shares matter today, and we can prove it.” If you are tired of waking up to surprise sharing incidents or realizing too late that your audit trail is useless, this conversation gives you the framework to see and stop risky external sharing before it turns into your next breach headline.
WHAT YOU LEARN
- Why default SharePoint and OneDrive audit settings miss critical external sharing events.
- How to enable advanced auditing and longer retention so key sharing and link usage are actually recorded.
- How to use PowerShell to pull, filter, and enrich audit data instead of drowning in raw logs.
- How to distinguish normal collaboration from truly risky external and anonymous sharing.
- How to build alerts and rev