OneDrive sharing and permissions

How OneDrive sharing actually works — link types, expiration, external sharing, and the admin controls.

OneDrive sharing looks simple — click Share, type an email, send — but several layers of policy decide what the user can actually do. Knowing the layers helps users share confidently and admins set sane defaults.

When a user shares a file or folder, they pick a link type:

  • Anyone with the link — no sign-in needed; the most permissive.
  • People in your organisation — requires a tenant sign-in.
  • People with existing access — generates a link for people who already have permission; it doesn't grant new access.
  • Specific people — explicit recipients; the link only works for them.

Each link also has a permission: View, Edit, or (for documents) Review / Block download. Anyone links can additionally have an expiration date and a password.

Tenant defaults

The OneDrive section of the SharePoint admin center sets tenant-wide defaults:

  • Maximum external sharing level (Anyone / New and existing guests / Existing guests only / Only people in your organisation).
  • Default link type (Anyone / Specific people / People in org).
  • Default link permission (View / Edit).
  • Anyone-link expiration (e.g. 30 days).
  • File-type restrictions.

Defaults are the most impactful lever — most users accept whatever the dialog offers.

Per-user OneDrive controls

Beyond the tenant defaults:

  • External sharing can be restricted per user via Entra ID Conditional Access policies and OneDrive-specific external sharing policies.
  • Block download policies (via SharePoint Advanced Management) prevent local copies while still allowing viewing.
  • Sensitivity labels applied to a file can override what link types are allowed and add encryption/usage rights.

Recoverability

If a user is offboarded, their OneDrive moves to a 30-day retention state by default — the manager (or whoever the admin set) becomes the new owner and can recover content. Extending this with Purview retention policies (years rather than days) is common where regulatory or HR needs require it.

Practical guidance

A reasonable baseline for most tenants:

  • Default link: People in your organisation, View.
  • Anyone-link expiration: 30 days.
  • Block external sharing of files labelled Confidential or higher.
  • Quarterly access reviews on high-traffic OneDrives.

Anyone-link sharing isn't inherently bad — it's incredibly useful for "share a deck with a client." But make it a deliberate choice, not the default.
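
An added example, not part of the original article: a PowerShell drift check for the link defaults in the baseline above, using Get-SPOTenant and Set-SPOTenant from the SharePoint Online Management Shell. The admin URL is a placeholder and the `-Apply` switch is this script's own; the Confidential-label rule and the access reviews are outside what these tenant settings cover.

```powershell
# Added example: audit (and optionally apply) the link defaults from the baseline.
# Assumptions: the Microsoft.Online.SharePoint.PowerShell module is installed and
# the admin URL below is a placeholder for your own tenant.
param(
    [string]$AdminUrl = 'https://contoso-admin.sharepoint.com',  # placeholder tenant
    [switch]$Apply                                               # without it: report only
)

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url $AdminUrl

# Baseline from the article, keyed by Set-SPOTenant parameter name.
$baseline = [ordered]@{
    DefaultSharingLinkType            = 'Internal'  # "People in your organisation"
    DefaultLinkPermission             = 'View'
    RequireAnonymousLinksExpireInDays = 30
}

$tenant = Get-SPOTenant

# Collect every setting whose current value differs from the baseline.
$drift = foreach ($name in $baseline.Keys) {
    $current = $tenant.$name
    if ("$current" -ne "$($baseline[$name])") {
        [pscustomobject]@{ Setting = $name; Current = $current; Expected = $baseline[$name] }
    }
}

# Context for the reviewer: the ceiling on external sharing, reported but not changed.
"Max external sharing (tenant):   $($tenant.SharingCapability)"
"Max external sharing (OneDrive): $($tenant.OneDriveSharingCapability)"

if (-not $drift) {
    'Link defaults match the baseline.'
} else {
    $drift | Format-Table -AutoSize
    if ($Apply) {
        # Splat only the drifted settings so nothing else is touched.
        $changes = @{}
        foreach ($d in $drift) { $changes[$d.Setting] = $d.Expected }
        Set-SPOTenant @changes
        'Baseline applied.'
    }
}
```

Run it without `-Apply` first and review the drift table; existing links keep the type and permission they were created with, so changing defaults affects new shares only.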