Where are my stale externally shared files?

Hi all,

Apologies in advance for the specifics of the question!

We currently set our OneDrive sharing policy to make links for files and folders accessible for 30 days, view-only by default, and the recipient must re-authenticate every 24 hours.

I have noticed that I have around 120,000 file shares showing in Defender (in one of the helpful cards that I now can't find).

The top 10 on this card, and the overwhelming majority of file shares listed, are from users who have since left, who shared data prior to us setting up the above policy.

I have found Microsoft guidance on how to find and govern stale externally shared files:

  1. In the Microsoft 365 Defender portal, under Cloud Apps, go to Policies -> Policy management. Create a new File policy.

  2. Select and apply the policy template Stale externally shared files.

  3. Customize the filter Last modified to match your organization's policy.

  4. Optional: Set Governance actions to be taken on files when a violation is detected. The governance actions available vary between services. For example:

    • Google Workspace: Make the file private and notify the last file editor

    • Box: Notify the last file editor

    • SharePoint online: Make the file private and send a policy-match digest to the file owner

  5. Create the file policy.

Source: Information protection policies - Microsoft Defender for Cloud Apps | Microsoft Learn

I ran a search and found a user who left 2 years ago and who had around 1,000 files shared as External, Public, or Public (Internet) for which he was the file owner.

However, when I exported the list of these discovered files for the long-since-departed user, I found that under Collaborators there were staff who joined well after he left.

I also cannot find those files in OneDrive or our file management system.

My questions are:

1. Does the MCAS file search find actual files that are current in our environment or does this show a historic series of snapshots?

2. Why are recent joiners shown as collaborators on documents and folders for someone who left so long ago?

3. How can I actually find the files the search tells me it found?

4. If I set up a governance action to remove external users from the file share, will this actually work?

5. If I want to test, can I create an admin quarantine site/location on SharePoint and use the option to 'Put in admin quarantine'? If so, what will happen and what are the possible implications/ramifications?

Any help, guidance, or advice is greatly appreciated!

1 Reply
The MCAS file search shows you the current files in your system, not old snapshots. It's designed to help you find active files, including those shared externally. New employees appearing as collaborators on files from someone who left could be because they were added to groups or given permissions that were already set up. It shows how permissions can stick around and be passed on.

To find these files, use the details from MCAS in your OneDrive or file system's search tools. Sometimes, files might be in places that aren't straightforward to check, especially if ownership or permissions have changed. Setting up a governance action in MCAS to stop external sharing should work. It's meant to enforce your rules automatically, like removing external users from accessing certain files. Testing with an admin quarantine in SharePoint is a smart move. By moving files to admin quarantine, you secure them until you decide what to do next. This step is about making sure only admins can access these files for now, reducing risks while you review.
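The triage the original poster did by hand on the exported file list (filter to externally shared files, check whether the owner has left, compare collaborator join dates against the owner's leave date, and apply a Last modified threshold) can be scripted. The following is an added example written for this page, not code from Microsoft or from the thread. The CSV column names, the domain `contoso.example`, the HR tables and all rows are constructed assumptions; a real Defender for Cloud Apps export will need its columns mapped to these names.

```python
"""Triage a constructed Defender for Cloud Apps (MCAS) file-policy export.

Flags externally shared files that are stale, owned by departed accounts,
or list collaborators who joined after the owner left (the anomaly the
original poster observed). Column names and data are assumptions.
"""
import csv
import io
from datetime import date, timedelta

# Constructed export excerpt; the column layout is an assumption.
SAMPLE_EXPORT = """\
file_name,owner,last_modified,sharing,collaborators
budget_2021.xlsx,jsmith@contoso.example,2021-03-14,External,partner@vendor.example;asmith@contoso.example
roadmap.docx,jsmith@contoso.example,2023-11-02,Public (Internet),bjones@contoso.example
internal_notes.docx,ktan@contoso.example,2024-05-20,Internal,
legacy_plan.pptx,jsmith@contoso.example,2020-07-01,Public,
"""

# Constructed HR data: departed account -> leave date, staff -> join date.
DEPARTED = {"jsmith@contoso.example": date(2022, 1, 31)}
JOIN_DATES = {
    "asmith@contoso.example": date(2023, 6, 1),
    "bjones@contoso.example": date(2019, 2, 1),
    "ktan@contoso.example": date(2018, 9, 15),
}

# Sharing levels the poster treated as external exposure.
EXTERNAL_LEVELS = {"External", "Public", "Public (Internet)"}
INTERNAL_DOMAIN = "@contoso.example"  # assumed tenant domain


def parse_export(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, today, max_age_days, departed=DEPARTED, joins=JOIN_DATES):
    """Return one finding per externally shared file.

    A file is 'stale' when its last modification is older than max_age_days
    (the Last modified filter in the policy template). Collaborators whose
    join date is later than the owner's leave date cannot have been added by
    the owner, so their access was inherited or group-granted and deserves
    review.
    """
    cutoff = today - timedelta(days=max_age_days)
    findings = []
    for row in rows:
        if row["sharing"] not in EXTERNAL_LEVELS:
            continue
        owner = row["owner"]
        leave = departed.get(owner)
        modified = date.fromisoformat(row["last_modified"])
        collabs = [c for c in row["collaborators"].split(";") if c]
        post_departure = [
            c for c in collabs
            if leave is not None and c in joins and joins[c] > leave
        ]
        external = [c for c in collabs if not c.endswith(INTERNAL_DOMAIN)]
        findings.append({
            "file": row["file_name"],
            "owner": owner,
            "owner_departed": leave is not None,
            "stale": modified < cutoff,
            "sharing": row["sharing"],
            "external_collaborators": external,
            "post_departure_collaborators": post_departure,
        })
    return findings


def stale_departed(findings):
    """Files that are both stale and owned by a departed account: the
    candidates for a governance action such as removing external users."""
    return [f["file"] for f in findings if f["stale"] and f["owner_departed"]]


if __name__ == "__main__":
    results = triage(parse_export(SAMPLE_EXPORT), date(2024, 6, 1), 30)
    for f in results:
        print(f["file"], f["sharing"], "stale" if f["stale"] else "recent",
              "departed-owner" if f["owner_departed"] else "",
              "post-departure collaborators:", f["post_departure_collaborators"])
    print("Governance candidates:", stale_departed(results))
```

Run against a real export, the `post_departure_collaborators` list is the one to review before enabling a governance action: those entries answer the poster's second question by pointing at group or inherited permissions rather than explicit shares by the former owner.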