Day 20: Two SharePoint defaults that cause daily pain

There are two SharePoint default settings that have caused more confusion, oversharing, and broken trust than almost anything else.

They look harmless. Helpful, even.

Everyone Except External Users. Anyone with the link.

When these options first appeared, they made sense.

SharePoint was still shaking off its on-premises reputation. Collaboration needed to be easier. Friction was the enemy. Speed mattered more than nuance.

Broad internal access and simpler sharing helped teams move faster. At the time, that tradeoff felt reasonable.

Today, it doesn’t.

I have lost count of how many tickets started as “SharePoint is being weird” and ended here. Files showing up where they were not expected. Content surfacing in search that someone swore was private. Links still working long after people assumed they were done.

The settings themselves are not broken. The assumptions behind them are outdated.

“Everyone Except External Users” does not mean everyone on my team. It does not mean people who should reasonably see this. It means every authenticated user in the tenant, whether they know the content exists or not.

That distinction is rarely obvious to users, and often underestimated by admins.

“Anyone with the link” fails in a similar way. Users choose it for convenience, not scope. It feels temporary. The platform treats it as durable. A link meant for a quick share becomes a long-lived access path.

Both settings bypass intent.

People think they are sharing narrowly. SharePoint applies tenant-wide reach.

Users do not experience this as a permissions issue. They experience it as a trust issue.

“I thought this was private.”
“I didn’t know everyone could see this.”
“Why is this showing up in search?”

Those questions are not about configuration. They are about expectations.

Most tenants inherited these defaults during early Microsoft 365 rollouts or migrations. They were chosen to reduce friction and then quietly forgotten. Over time, teams changed, org charts shifted, and content created years ago remained broadly accessible by default.

This is where Copilot enters the conversation.

Copilot does not invent access. It reflects it. When content is broadly accessible, Copilot will surface it broadly and confidently. That is why governance conversations suddenly feel urgent in the age of AI. I wrote about this directly in “Copilot readiness for SharePoint: it’s just governance with lipstick”, and Richard and I spoke about it in “Dangerous Defaults”. These settings did not become dangerous overnight. They became visible.

Admins feel this pain differently.

You see vague complaints and reactionary requests. Lock it down. Turn sharing off. Collaboration slows. Exceptions pile up. Shadow IT creeps back in.

None of that fixes the root problem.

The real issue is that these defaults make tenant-wide decisions feel local. Users act based on what they think the audience is. The platform enforces what the setting allows.

Microsoft’s guidance on modern sharing and permissions emphasizes clarity of audience and intentional access. Defaults that remove that moment of intent work against those principles unless they are used deliberately and reviewed regularly.
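One way to make that regular review concrete, as an added example that is not from the original post: a read-only check of the tenant properties behind the two defaults. The function name `Test-SharingDefaults` and the sample values are hypothetical; the property names are the ones `Get-SPOTenant` returns in the SharePoint Online Management Shell.

```powershell
# Added example (not the author's code): flag tenant-wide sharing defaults.
# Test-SharingDefaults is a hypothetical helper; it only reads the object it is given.
function Test-SharingDefaults {
    param([Parameter(Mandatory)] $Tenant)

    $findings = @()
    $add = { param($setting, $issue)
        [pscustomobject]@{ Setting = $setting; Value = $Tenant.$setting; Issue = $issue } }

    # "Anyone" links can only be created when guest sharing is fully enabled.
    $anyoneAllowed = "$($Tenant.SharingCapability)" -eq 'ExternalUserAndGuestSharing'

    if ($anyoneAllowed -and "$($Tenant.DefaultSharingLinkType)" -eq 'AnonymousAccess') {
        $findings += & $add 'DefaultSharingLinkType' 'Share dialog preselects "Anyone with the link".'
    }
    # 0 or a negative value means no expiration is enforced on Anyone links.
    if ($anyoneAllowed -and [int]$Tenant.RequireAnonymousLinksExpireInDays -le 0) {
        $findings += & $add 'RequireAnonymousLinksExpireInDays' 'Anyone links do not expire.'
    }
    if ($Tenant.ShowEveryoneExceptExternalUsersClaim) {
        $findings += & $add 'ShowEveryoneExceptExternalUsersClaim' '"Everyone except external users" is offered in the people picker.'
    }
    return $findings
}

# Constructed sample standing in for Get-SPOTenant output (illustrative values).
$sample = [pscustomobject]@{
    SharingCapability                    = 'ExternalUserAndGuestSharing'
    DefaultSharingLinkType               = 'AnonymousAccess'
    RequireAnonymousLinksExpireInDays    = -1
    ShowEveryoneExceptExternalUsersClaim = $true
}
Test-SharingDefaults -Tenant $sample | Format-Table -AutoSize

# Against a live tenant, after Connect-SPOService to the admin URL:
#   Test-SharingDefaults -Tenant (Get-SPOTenant)
```

Hiding the claim or changing the default link type only affects future sharing; permissions and links that already exist stay in place until they are reviewed separately.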

The uncomfortable truth is that these settings persist because changing them feels risky. What will break. Who will lose access. What complaints will surface. So they stay, quietly shaping behavior in ways no one intended.

SharePoint admin settings are not one-time decisions.

Tenant defaults are not neutral. They encode assumptions. They teach users what is safe without ever explaining why.

If your sharing defaults assume trust without intent, users will violate expectations without realizing it.

This connects directly to what I wrote two days ago: SharePoint governance shouldn’t punish users. When governance is invisible but misaligned, users still get punished. Not by rules, but by surprises.

“Everyone Except External Users” and “Anyone with the link” are not inherently wrong.

But they no longer fit how SharePoint is actually used today.


This post is part of my 25 days of SharePoint series, created to celebrate SharePoint’s 25th anniversary and lead up to the SharePoint at 25 digital event on March 2.

Each post reflects on what actually made SharePoint last 25 years, the wins, the mistakes, and the lessons learned from building, breaking, and rebuilding it in real organizations.

If there’s a topic you think I should cover next, a SharePoint mistake you keep seeing, or a question no one ever answers straight, leave a comment. This series is shaped by real experiences, not marketing slides.
