Set Anonymous Link Expiration Settings for SharePoint Online and OneDrive for Business
Requirement: Configure Anonymous Link Expiration for SharePoint Online and OneDrive.
How to Set Expiry for Anonymous Links in SharePoint Online and OneDrive?
Anonymous links Expiration is a security best practice in SharePoint Online, and This allows SharePoint Online administrators to set the maximum expiration duration for items shared via anonymously shared links. You can set the SharePoint Online guest link expiration at the tenant level. This ensures that external users can only access the shared content for a limited period and prevents unauthorized access if the link is shared accidentally or maliciously.
To set Anyone links expiry days, follow these steps:
- Login to the SharePoint admin center.
- Click on Policies >> Sharing >> Tick the checkbox next to “These links must expire within this many days” and set the number of days the guest link can be active. E.g., 30
- Click “Save” at the bottom of the page to save your changes.
This enforces a mandatory expiration date for your anonymous links on the tenant level and determines the lifespan of anonymously shared links. If you don’t set these expiry days: it defaults to 730 days (2 years! That’s the maximum days you can set!)
PowerShell to Set Anonymous Link Expiration in SharePoint Online:
Open SharePoint Online Management Shell and run this PowerShell script to configure guest link expiration in SharePoint Online.
#SharePoint Admin Center URL
$AdminCenterURL = "https://Crescent-admin.sharepoint.com"
#Connect to SharePoint Online
Connect-SPOService -URL $AdminCenterURL -Credential (Get-Credential)
#Set Expiration Days for Anonymous links
Set-SPOTenant -RequireAnonymousLinksExpireInDays 30
Now, when you try to share an anonymous link, the link expiry days will be set to 30 by default (or whatever you configured). You can change the expiration date by providing a day lesser than the value configured at the tenant level. Still, you can’t set the expiry date beyond the limit you set in the above PowerShell script in SharePoint Online Admin Center! This makes the link invalid after a certain number of days are configured.
If you try to change the link expiration date beyond the limit set, You’ll receive an error “Your organization’s policy doesn’t allow links to stay active for more than 30 days.” This expiry day setting applies to both SharePoint Online and OneDrive, minimizing the security risk.
Configure Anonymous Link Expiration Days Setting using PowerShell CSOM
#Load SharePoint CSOM Assemblies
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.dll"
Add-Type -Path "C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\ISAPI\Microsoft.SharePoint.Client.Runtime.dll"
Add-Type -Path "C:\Program Files\SharePoint Online Management Shell\Microsoft.Online.SharePoint.PowerShell\Microsoft.Online.SharePoint.Client.Tenant.dll"
#Parameters
$AdminSiteURL="https://crescent-admin.sharepoint.com/"
$DaysToExpire = 7
#Get Credentials to connect
$Cred= Get-Credential
Try {
#Setup the context
$Ctx = New-Object Microsoft.SharePoint.Client.ClientContext($AdminSiteURL)
$Ctx.Credentials = New-Object Microsoft.SharePoint.Client.SharePointOnlineCredentials($Cred.Username, $Cred.Password)
#Get the Tenant
$Tenant= New-Object Microsoft.Online.SharePoint.TenantAdministration.Tenant($Ctx)
$Ctx.Load($Tenant)
$Ctx.ExecuteQuery()
#Set Tenant Anonymous Link Expiration Days Settings
$Tenant.RequireAnonymousLinksExpireInDays= $DaysToExpire
$Ctx.ExecuteQuery()
Write-host "Anonyous Links Expiration Settings Updated Successfully!'" -f Green
}
Catch {
write-host -f Red "Error:" $_.Exception.Message
}
Set the Number of Days to “0”, if you never want your anonymous links to expire!
Set Expiration Days for Anonymous Links at Site Collection Level:
It’s also possible to set link expiration days at the site level. Here is the PowerShell script:
#connect to SharePoint Online tenant Admin
Connect-SPOService -Url https://crescent-admin.sharepoint.com
#Set Link Expiration
Set-SPOSite -Identity https://crescent.sharepoint.com/sites/marketing -OverrideTenantAnonymousLinkExpirationPolicy $true -AnonymousLinkExpirationInDays 15
This PowerShell overwrites the tenant-level setting with the one you specified. If you want to revert to the tenant setting, use the following:
Set-SPOSite -Identity https://crescent.sharepoint.com/sites/marketing -OverrideTenantAnonymousLinkExpirationPolicy $false -AnonymousLinkExpirationInDays 0
PnP PowerShell to Set Link Expiration Policy
Here is the PnP PowerShell to set the link expiration settings at the tenant and site levels using Set-PnPTenant and Set-PnPTenantSite cmdlets:
#Connect to the Tenant
Connect-PnPOnline -Url "https://crescent-admin.sharepoint.com" -Interactive
#Set Tenant Level Link Expiry
Set-PnPTenant -RequireAnonymousLinksExpireInDays 30
#Set Site Level Expiration Policy
Set-PnPTenantSite -Identity "https://crescent.sharepoint.com/sites/retail" -AnonymousLinkExpirationInDays 30
Once the expiration date is set, the Anyone Link will automatically expire at the specified time and the external users will no longer have access to the shared content.
If I set an expiration for anonymous links, does that affect existing links?
Yes! This applies to both existing and newly created guest links.