Setting the Sharing Link Default to ‘Only people with existing access’
Sharing content in SharePoint using links is a great capability. Microsoft has worked over the years to make the process simple to use, and we even see the same sharing dialog in SharePoint and on our PCs when we share using Windows Explorer.
As tenant owners, we can set the default type of sharing link to match our organization’s governance. This setting in in the SharePoint Admin Center. You can reach it under Policies / Sharing. (No, not in Settings, where I always look for it!) The default value for the setting is Anyone with the link, which you can see in the screenshot below.
You can also see that there are only three options listed. In fact, there are four options available. The missing one is Only people with existing access. This – to me – is almost always the best default option because it doesn’t change the permissions on the object (item, file, folder, page, etc.). It just creates a link to it.
One of the reasons we often see a real mess of permissions is that the default setting is Specific people (only the people the user specifies). Each time someone uses that option, there’s a special link created which – if used by the recipient – breaks the permission inheritance on the object. In fact, all three of the available options above has the potential to change the permissions on the object – if it is used by a recipient. That’s messy, unless it’s what you intend to do.
Wouldn’t it be great if we could set Only people with existing access as the default at the tenant level? Well, Microsoft – in their infinite wisdom – has not given us that option. It’s not for a lack of us asking, though. Some of us MVPs have been bringing it up for years.
Wanting to use Only people with existing access as the default is especially important in an Intranet setting. In the vast majority of cases, you give Everyone except external users (EEEU) read permissions on the entire Intranet – all the sites. Since everyone already has read access, we actually don’t want people breaking inheritance with a link just to say, “The thing you want is here.”
Unfortunately, as I mentioned you can’t set Only people with existing access as the default in the SharePoint Admin Center; you have to do it site by site.
I’ve got a script I use to change the default on Intranet site called setSharingSettings.ps1. I figured I’d share the script and show you what the results are.
Let’s assume the tenant setting is Specific people (only the people the user specifies, like so.
Here’s how that plays out in individual sites.
BEFORE
Setting in SharePoint Admin for the specific site
In the sharing dialog for objects in that site
If you don’t enter a name, you get an error when you try to copy the link
AFTER
Setting in SharePoint Admin for the specific site
In the sharing dialog for objects in that site
When copying the sharing link
PowerShell Script
Here’s my setSharingSettings.ps1 PowerShell script using PnP.PowerShell which you can use to change the default sharing link setting for all sites associated with a Hub Site. That – in many cases – will work for your entire Intranet. You may want to apply this change to other sets of sites, as well.
# Load PnP.PowerShell, if it isn't already
Import-Module PnP.PowerShell -Force
$tenant = "MyTenantName"
$adminSiteUrl = "https://$($tenant)-admin.sharepoint.com"
$clientId = "" # Enter your ClientId here
$nameOfHubSite = "" # Enter the name of your Hub Site
$adminConnection = Connect-PnPOnline -Url $adminSiteUrl -ClientId $clientId -Interactive -ReturnConnection
$sites = Get-PnPTenantSite -Connection $adminConnection
$hubSite = $sites | Where-Object { $_.Title -eq $nameOfHubSite }
$sitesToSet = $sites | Where-Object { $_.HubSiteId -eq $hubSite.HubSiteId }
$filteredSitesToSet = $sitesToSet #| Select-Object -First 1 # Use filtering here if you'd like to test the script
foreach ($site in $filteredSitesToSet) {
$thisSite = Get-PnPTenantSite -Connection $adminConnection -Identity $site
if (!$thisSite.DefaultLinkToExistingAccess) {
Write-Host -BackgroundColor Cyan "Site: $($site.Url) :: Changing setting for DefaultLinkToExistingAccess: $($thisSite.DefaultLinkToExistingAccess)"
Set-PnPTenantSite -Connection $adminConnection -Identity $site -DefaultLinkToExistingAccess $true
}
}Update on 2025-04-08
Apparently, there’s a way to change the default setting at the tenant level – but only with PowerShell. Thanks to Steven Rice for cluing me in.
Both the SPO and PnP PowerShell modules provide the ability to change this setting. Here are the two variations with a link to the docs:
PnP.PowerShell
See: Set-PnPTenant | PnP PowerShell
Set-PnPTenant -CoreDefaultLinkToExistingAccess $trueSPO PowerShell
See: Set-SPOTenant (Microsoft.Online.SharePoint.PowerShell) | Microsoft Learn
Set-SPOTenant -CoreDefaultLinkToExistingAccess $trueHow does this mesh with your governance? Is this a change you plan to make?
Excellent article, as always. Thank you Marc!
Re. the Apr 8 update: I found we need to supply an argument to the (PnP) -CoreDefaultLinkToExistingAccess parameter:
Set-PnPTenant -CoreDefaultLinkToExistingAccess $true
The PnP doco indicates there is no default value:
https://pnp.github.io/powershell/cmdlets/Set-PnPTenant.html#-coredefaultlinktoexistingaccess
-CoreDefaultLinkToExistingAccess
Gets or sets default share link to existing access on core partition
Type: Boolean
Parameter Sets: (All)
Required: False
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
I used $true based on the Set-SPOTenant parameter notes:
https://learn.microsoft.com/en-us/powershell/module/sharepoint-online/set-spotenant?view=sharepoint-ps#parameters
-CoreDefaultLinkToExistingAccess
When set to True, the default sharing link will be a “People with Existing Access” link (which does not modify permissions) for SharePoint sites. When set to False (the default), the default sharing link type is controlled by the CoreDefaultShareLinkScope parameter.
Good catch, Michael! I’ll update the post.