Run enough Microsoft 365 health-checks and the same oversharing patterns repeat. They are rarely dramatic, and rarely deliberate. They are the quiet result of convenience and time.
Broad links with no expiry
The most common finding is simply links shared too widely and never expired. “Anyone with the link” and “people in your organisation” links are the fast option, so they get used everywhere, and a link created for one person two years ago is often still live and being forwarded. Setting a sensible default link type and an expiry on anonymous links removes most of this in one move.
Sharing out of context
The second is content shared into the wrong place: a sensitive file dropped into a broad Team or chat, or a link sent on to people it was never meant for. There is no single setting that fixes this. It is about labelling what is sensitive, and giving people an easy way to share narrowly.
Whole sites open by default
The one people miss is access at the site level. Org-wide and communication sites are often readable by everyone, Microsoft 365 groups quietly contain the whole company, and provisioning defaults or old migrations leave libraries open. This is rarely a choice anyone made; it is how things were set up and then forgotten. It matters because it exposes entire libraries at once, which is exactly what governance scans and Microsoft’s own access reports flag.
How to clean it up
The safe approach is to prioritise by sensitivity, not to make a blanket change that breaks legitimate sharing overnight:
- Set a default link type and an expiry on anonymous links.
- Find and review the most open, sensitive sites first.
- Tighten broad group membership and site access where it is not intended.
- Re-scan to prove it is fixed.
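As an added example (not from the original post), the four steps above and the site-level check described under "Whole sites open by default" as one PowerShell script for the SharePoint Online Management Shell. It assumes the module is installed and you have already run Connect-SPOService as a SharePoint administrator; the label identifiers in $SensitiveLabels are placeholders to replace with your own, and the "everyone except external users" claim carries a tenant-specific suffix, so it is matched on its prefix. Without -Apply the script only reports; it changes nothing.

```powershell
# Added example: report-first remediation sprint for Microsoft 365 oversharing.
# Assumes Connect-SPOService has been run. $SensitiveLabels holds placeholder
# label identifiers as returned in the SensitivityLabel property of Get-SPOSite.
param(
    [int]      $AnonymousLinkExpiryDays = 30,           # step 1: "Anyone" links expire after N days
    [string]   $DefaultLinkType         = 'Internal',   # step 1: Direct | Internal | AnonymousAccess
    [string[]] $SensitiveLabels         = @('<label-id-confidential>', '<label-id-highly-confidential>'),
    [string]   $ReportPath              = '.\open-sites.csv',
    [switch]   $Apply                                   # report only unless -Apply is given
)

# Login-name claims SharePoint uses for its built-in "everyone" principals.
# The second carries a per-tenant ID suffix, hence the prefix match below.
$EveryoneClaims = @(
    'c:0(.s|true',                              # Everyone (including external users)
    'c:0-.f|rolemanager|spo-grid-all-users/'    # Everyone except external users
)

function Set-TenantLinkDefaults {
    # Step 1: tenant-wide default link scope and expiry on anonymous links.
    if ($Apply) {
        Set-SPOTenant -DefaultSharingLinkType $DefaultLinkType `
                      -RequireAnonymousLinksExpireInDays $AnonymousLinkExpiryDays
    }
    Get-SPOTenant | Select-Object DefaultSharingLinkType, RequireAnonymousLinksExpireInDays
}

function Get-OpenSiteReport {
    # Step 2 (and step 4 when re-run): every site, its label, its sharing
    # capability, and any site group containing an "everyone" principal.
    # Sensitive and open sites sort to the top so they get reviewed first.
    $rows = foreach ($s in Get-SPOSite -Limit All) {
        $site   = Get-SPOSite -Identity $s.Url          # per-site call exposes SensitivityLabel
        $groups = Get-SPOSiteGroup -Site $s.Url
        $everyone = @(foreach ($g in $groups) {
            foreach ($u in $g.Users) {
                foreach ($c in $EveryoneClaims) {
                    if ($u.StartsWith($c)) { "$($g.Title) <- $u" }
                }
            }
        })
        $anon = ($s.SharingCapability -eq 'ExternalUserAndGuestSharing')
        [pscustomobject]@{
            Url               = $s.Url
            Template          = $s.Template
            SensitivityLabel  = $site.SensitivityLabel
            IsSensitive       = ($SensitiveLabels -contains "$($site.SensitivityLabel)")
            SharingCapability = $s.SharingCapability
            AnonymousAllowed  = $anon
            EveryoneGroups    = ($everyone -join '; ')
            IsOpen            = ($everyone.Count -gt 0) -or $anon
        }
    }
    $rows | Sort-Object @{Expression = 'IsSensitive'; Descending = $true },
                        @{Expression = 'IsOpen';      Descending = $true }, Url
}

function Invoke-SiteTightening {
    # Step 3: for one reviewed site, remove "everyone" principals from its groups
    # and stop anonymous links; existing external guests keep access.
    param([pscustomobject] $Row)
    foreach ($g in Get-SPOSiteGroup -Site $Row.Url) {
        foreach ($u in $g.Users) {
            foreach ($c in $EveryoneClaims) {
                if ($u.StartsWith($c)) {
                    Remove-SPOUser -Site $Row.Url -Group $g.Title -LoginName $u
                }
            }
        }
    }
    if ($Row.AnonymousAllowed) {
        Set-SPOSite -Identity $Row.Url -SharingCapability ExistingExternalUserSharingOnly
    }
}

Set-TenantLinkDefaults

$report  = Get-OpenSiteReport
$report | Export-Csv -Path $ReportPath -NoTypeInformation   # hand this to the site owners for review
$targets = @($report | Where-Object { $_.IsSensitive -and $_.IsOpen })
$targets | Format-Table Url, SensitivityLabel, SharingCapability, EveryoneGroups -AutoSize

if ($Apply) {
    foreach ($row in $targets) { Invoke-SiteTightening -Row $row }
    # Step 4: re-scan and compare, so the fix is demonstrated rather than assumed.
    $after = @(Get-OpenSiteReport | Where-Object { $_.IsSensitive -and $_.IsOpen })
    "Sensitive open sites before: $($targets.Count); after: $($after.Count)"
}
```

Run it once without -Apply, review the CSV with the site owners, then run it with -Apply and keep the before/after counts as the evidence for the sprint. The per-site Get-SPOSite call is deliberate: the bulk listing does not reliably carry the label, and the label is what drives the priority order.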
This is the core of a remediation sprint, and a free health-check is what surfaces these in the first place: each finding rated by severity, with the exact sites and links involved. For why this suddenly matters, see Copilot oversharing.