Article summary: External sharing links in SharePoint, OneDrive, and Google Drive often outlive the project and keep working long after anyone remembers they exist. Setting external links to expire by policy is a fast, practical data governance step that reduces lingering access. This makes sharing safer by default and limits long-term exposure without adding new tools.
A project wrapped up eight months ago. The freelancer who worked on it still has a link to the entire project folder, and it still works.
That’s not unusual. It’s the default.
File sharing links in tools like Microsoft SharePoint, Microsoft OneDrive, and Google Drive are quick to create and genuinely useful while a project is active. They’re rarely cleaned up once the work is done.
Reviewing and removing stale access is something most organizations put off until a data governance review or an audit forces the issue. External sharing link expiration is the control that handles this automatically, without relying on anyone to remember.
When someone sends a sharing link, that link grants access to the file or folder for as long as the link exists.
The sender may no longer be with the company. The recipient could be a former vendor or contractor from a project that ended years ago. And the data itself may be sensitive.
None of that affects the link’s validity unless someone actively deactivates it.
A well-run offboarding process disables the departing employee’s account. Their direct file access stops. But any sharing links they created before leaving are separate from their account. Those links continue to function even after the account is gone.
Cleaning up stale permissions in Microsoft 365 addresses the account side of the problem. Sharing links require a separate step, one most offboarding checklists overlook.
The most permissive sharing link type requires no login at all.
Any person who holds the URL can access the content. There is no record of who has it. The original recipient can forward it to others. It can appear in email threads, messaging apps, or screenshots years after the original share.
Microsoft’s data access governance documentation recommends regularly reviewing sharing activity to monitor how files and links are being accessed. These reports are available in the SharePoint admin center and can be generated without additional software, though more detailed analysis may require audit logs or reporting tools.
In the SharePoint Online admin center, administrators can set a default expiration period for all external sharing links. A 30-day maximum is a common starting point. Users can still set shorter expiry periods when they create a link, but the default prevents any link from running indefinitely when the person who created it forgets to follow up.
Microsoft began rolling out expiration policies for “people in your organization” sharing links in March 2026, extending the same controls to internal sharing that previously only applied to external links.
As Microsoft’s official guidance on SharePoint link expiration notes, the expiration policy applies to new links created after the setting is configured. Links that already exist before the policy takes effect will need to be reviewed and addressed manually.
In Google Workspace, administrators can set a maximum sharing link duration at the organization level. Individual users can choose shorter periods when sharing.
The admin-level setting ensures no external link runs beyond the organization’s defined threshold, regardless of what any individual user configures.
Configuring default expiration addresses the ongoing issue. The existing set of active links requires a separate effort.
Running a sharing report in your admin console identifies active links across your SharePoint and OneDrive environment.
It shows when each link was created, how many times it has been accessed, and whether it has been used recently. For Google Drive, similar reports are available through the Admin console under Reports.
Using this data to identify and deactivate long-running external links is a one-time cleanup that pairs with the new expiration policy going forward.
Connecting this review to your approach to zero-trust access controls reinforces the principle that access should be time-limited by default rather than permanent until someone acts.
The third piece is process. Adding a sharing link deactivation step to project close-out tasks and employee offboarding checklists ensures that high-risk links are caught immediately, rather than discovered months later in a governance audit.
Running a sharing link audit takes under an hour in most platforms.
Both Microsoft 365 and Google Workspace include built-in reports showing active links, creation dates, and recent access. The external sharing link expiry settings are configuration changes, not purchases.
For help setting up link expiration policies or running a data governance review of your file sharing environment, reach out to Vudu consulting. To get started contact us at www.vuduconsulting.com/get-started or email contact@vuduconsulting.com.
Any sharing links the employee created remain active after their account is disabled. Access through a sharing link is separate from account-based access. This means former employees, contractors, or vendors who received links before the person left can still use those links unless someone deactivates them explicitly or a link expiration policy is in place.
In the SharePoint admin center, go to Policies, then Sharing. Under external sharing settings, there is an option to set the number of days after which external sharing links expire. Set a maximum period that fits your business needs. Users can still create shorter-lived links, but no link will run longer than the maximum you configure.
Yes. An “anyone with the link” link requires no authentication, meaning the content is accessible to any person who receives the URL, including people outside your organization who were never the intended recipient.
Yes. SharePoint Online includes built-in data access governance reports in the admin center that show active sharing links, when they were created, and recent access activity. Google Workspace provides similar reports in the Admin console.
Thirty days is a commonly used default for external sharing links. Some organizations use shorter periods for sensitive content categories. The right period depends on how your team collaborates and how long typical external engagements last. What matters most is having a maximum at all, rather than leaving links open indefinitely by default.
