External and guest file sharing
Anyone-with-the-link means anyone, indefinitely. What link shares and guest accounts expose, and why most of them serve nobody at all.
Roughly 350,000 Drive files open to anyone with the link, in one 6.5M-file scan (Metomic, 2023)
66% of companies have cloud data open to anonymous users (Varonis, 2025)
A file shared with anyone-with-the-link stays reachable through every forward and paste of that URL, with no log of who opened it.
what it is
File platforms offer a spectrum of sharing: specific people, the whole company, anyone in a partner domain, or anyone with the link. The last category is the sharp one: an anyone-with-the-link file requires no login at all, so it sits outside every identity control you run. MFA, conditional access, and offboarding all govern accounts; a public link has no account to govern.
Guest access is the adjacent pattern: external collaborators invited into your tenant or workspace, with real accounts and real permissions, added for a project and rarely removed after it.
Together they form an access layer underneath the directory, larger than most teams imagine and reviewed by almost none.
why it accumulates
Sharing is the path of least friction in every collaboration: the link works instantly, the permission dialog is a speed bump, and "anyone with the link" never bounces. Each share is reasonable; the stock of shares only grows, because unsharing has no trigger. The project ends, the client churns, the employee leaves, and the links keep resolving.
The measured picture matches. When Metomic scanned 6.5 million Google Drive files, 40% contained sensitive data, a third of those were shared externally, and roughly 350,000 documents were open to anyone holding the link. Varonis's 2025 research found 66% of companies had cloud data exposed to anonymous users. And most of it serves nobody: Valence found the overwhelming majority of external shares are stale, untouched by any outside user.
what it costs you
A leaked or forwarded link is access you cannot revoke per person, audit per use, or even see being used in most plans. Contracts, financials, and customer data behind public links are one paste away from the wrong inbox, and the exposure has no log.
Guest sprawl carries the familiar identity risks in a population nobody owns: external accounts that outlived their projects, with their own unmonitored credential hygiene, inside your tenant.
The multiplier is enterprise AI. Assistants like Copilot ground answers in whatever permissions allow, so years of over-broad sharing become instantly searchable the day the AI switches on; Copilot oversharing is the same exposure surfaced at conversation speed.
what works
The cleanup has a natural order, and it begins with the public layer. Both the Google and Microsoft admin consoles can report every anyone-with-the-link file in the tenant, and that report, sorted by location, becomes the priority queue: it shows exactly which folders and sites are bleeding.
Staleness does the heavy lifting from there. Shares untouched for a year rarely serve anyone, so revoking them in bulk breaks almost nothing while shrinking the exposed surface dramatically. What survives the purge, the shares with genuine current external use, gets re-scoped to named people or domain-restricted links, with expiry dates wherever the platform supports them.
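The first two steps above, sketched as an added example that is not part of the original page: it builds the per-location priority queue from a sharing report and splits public links into a bulk-revoke list and a re-scope list. The CSV column names and the `triage` helper are assumptions for illustration, not a real Google or Microsoft export schema, and the rows are constructed.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta

# Constructed sample report. Column names are hypothetical; map them to
# whatever your admin console actually exports.
SAMPLE_EXPORT = """path,visibility,shared_on,last_activity
/Finance/Q3-forecast.xlsx,anyone_with_link,2021-01-10,2022-03-14
/Finance/board-pack.pdf,anyone_with_link,2025-03-01,
/Sales/pricing-2025.pdf,anyone_with_link,2025-01-15,2025-05-02
/Sales/old-proposal.docx,anyone_with_link,2021-06-01,2021-11-30
/Sales/customer-list.xlsx,anyone_with_link,2019-09-09,2020-01-05
/Sales/archive/leads.csv,anyone_with_link,2020-02-02,
/Sales/partner-deck.pptx,external_domain,2024-10-10,2025-04-20
/HR/handbook.pdf,company,2023-05-05,
"""

STALE_AFTER = timedelta(days=365)  # "untouched for a year"


def triage(export_text, today):
    """Return (queue, revoke, rescope) for anyone-with-the-link files.

    queue   -- [(folder, public_link_count)], worst location first
    revoke  -- paths with no activity for a year: bulk-revoke candidates
    rescope -- paths still in use: move to named people or expiring links
    """
    per_folder = Counter()
    revoke, rescope = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["visibility"] != "anyone_with_link":
            continue  # only the public layer is triaged here
        per_folder[row["path"].rsplit("/", 1)[0] or "/"] += 1
        # A share with no recorded activity ages from the day it was
        # created, so a brand-new link is not revoked as "stale".
        reference = row["last_activity"] or row["shared_on"]
        stale = today - date.fromisoformat(reference) > STALE_AFTER
        (revoke if stale else rescope).append(row["path"])
    queue = sorted(per_folder.items(), key=lambda kv: (-kv[1], kv[0]))
    return queue, revoke, rescope


if __name__ == "__main__":
    queue, revoke, rescope = triage(SAMPLE_EXPORT, date(2025, 6, 1))
    print("priority queue:", queue)
    print("bulk revoke:", revoke)
    print("re-scope:", rescope)
```

The revoke list is a review queue for the bulk action, not the action itself; the revocation is done through the platform's own admin tooling.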
The guest population needs the same treatment as any external account: a named owner per guest, an end date, and membership in the leaver process of whichever project brought the guest in. A directory with loose sharing defaults and a stale guest population predicts the state of the file layer with surprising reliability, which makes the guest list a cheap early indicator of how much file-by-file work is waiting.
The control that holds long-term is the tenant default. Defaults set to named-people sharing, with link-sharing reserved for spaces explicitly classified for it, mean every future share starts safe. The defaults do tomorrow's cleanup before it's needed.