Automate the Removal of Expired Sharing Links in SharePoint with PowerShell
Sharing is a great feature for collaboration. However, depending on how items, files, or folders are shared, a sharing link might be created or unique permissions on these items are created.
It is possible to set an expiration date on sharing links in SharePoint and OneDrive. For more details, please refer to How to set an expiration date on sharing links in SharePoint and OneDrive. Microsoft introduced the capability to set an expiry date for all types of sharing links: “Anyone”, company-wide (aka. “People in your organization”), and specific users (“People you choose”).
However, when sharing links expire, they are not automatically removed. Additionally, the default expiry time can only be set for anonymous links from the SharePoint Admin Center.
For governance, it is a good practice to include in training materials to encourage end users to set an expiry time and choose the appropriate role for sharing links.
The script will help remove expired sharing links and links created older than a certain time,i.e. 30 days passed to the the parameter
Sample script to remove expired sharing links and sharing links created older than x days
Prerequisites
- PnP PowerShell module needs to be installed
- At least site owner role to the SharePoint site
| param( | |
| [Parameter(Mandatory)] | |
| [string]$daysToKeepSharingLinkAfterCreationIfNoExpiryDateSpecified, | |
| [Parameter(Mandatory)] | |
| [ValidateSet('Yes','No')] | |
| [string]$DeleteSharingink, | |
| [Parameter(Mandatory)] | |
| [string]$siteUrl | |
| ) | |
| #$daysToKeep = Read-Host -Prompt "Enter the number of days to keep sharinglinks if no expired date is set"; | |
| $dateTime = (Get-Date).toString("dd-MM-yyyy-hh-ss") | |
| $invocation = (Get-Variable MyInvocation).Value | |
| $directorypath = Split-Path $invocation.MyCommand.Path | |
| $fileName = "DeletedExpiredSharedLinks-PnP" + $dateTime + ".csv" | |
| $logDirectory = $directorypath + "\Log1s" | |
| if (-not (Test-Path -Path $logDirectory)) { | |
| New-Item -ItemType Directory -Path $logDirectory | |
| } | |
| $ReportOutput = $directorypath + "\Log1s\"+ $fileName | |
| #Connect to PnP Online | |
| Connect-PnPOnline -Url $siteUrl | |
| write-host $("Start time " + (Get-Date)) | |
| $global:Results = @(); | |
| function Get-ListItems_WithUniquePermissions{ | |
| param( | |
| [Parameter(Mandatory)] | |
| [Microsoft.SharePoint.Client.List]$List | |
| ) | |
| $selectFields = "ID,HasUniqueRoleAssignments,FileRef,FileLeafRef,FileSystemObjectType" | |
| $Url = $siteUrl + '/_api/web/lists/getbytitle(''' + $($list.Title) + ''')/items?$select=' + $($selectFields) | |
| $nextLink = $Url | |
| $listItems = @() | |
| $Stoploop =$true | |
| while($nextLink){ | |
| do{ | |
| try { | |
| $response = invoke-pnpsprestmethod -Url $nextLink -Method Get | |
| $Stoploop =$true | |
| } | |
| catch { | |
| write-host "An error occured: $_ : Retrying" -ForegroundColor Red | |
| $Stoploop =$true | |
| Start-Sleep -Seconds 30 | |
| } | |
| } | |
| While ($Stoploop -eq $false) | |
| $listItems += $response.value | where-object{$_.HasUniqueRoleAssignments -eq $true} | |
| if($response.'odata.nextlink'){ | |
| $nextLink = $response.'odata.nextlink' | |
| } else{ | |
| $nextLink = $null | |
| } | |
| } | |
| return $listItems | |
| } | |
| function getSharingLink($_object,$_type,$_siteUrl,$_listUrl,$_listid) | |
| { | |
| $sharingSettings = Invoke-PnPSPRestMethod -Method Post -Url "$($siteUrl)/_api/web/Lists(@a1)/GetItemById(@a2)/GetSharingInformation?@a1='{$($_listId)}'&@a2='$($_object.Id)'&`$Expand=permissionsInformation,pickerSettings" -ContentType "application/json;odata=verbose" -Content "{}" | |
| ForEach ($ShareLink in $sharingSettings.permissionsInformation.links) | |
| { | |
| $linkDetails = $shareLink.linkDetails | |
| if($linkDetails.ShareTokenString){ | |
| $action = $null | |
| #update expiration date to be created date + 180 days if created date + 180 days is less than today otherwise delete the sharing link | |
| $CurrentDateTime = Get-Date | |
| $createdDate = Get-Date -Date $linkDetails.Created | |
| # delete any sharing links created more than 180 days ago | |
| $expirationDate = $createdDate.AddDays($daysToKeepSharingLinkAfterCreationIfNoExpiryDateSpecified) | |
| if($expirationDate -lt $CurrentDateTime -or ($linkDetails.Expiration -ne "" -and (Get-Date -Date $linkDetails.Expiration) -lt $CurrentDateTime)) | |
| { | |
| if($DeleteSharingink -eq 'Yes'){ | |
| #Instead using the rest api call, use the Remove-PnPFileSharingLink or Remove-PnPFolderSharingLink | |
| $url = "$siteUrl/_api/web/Lists('$_listid')/GetItemById($($_object.Id))/UnshareLink" | |
| $varBody = '{"linkKind":'+ $linkDetails.LinkKind +',"shareId":"'+ $linkDetails.ShareId +'"}' | |
| $action = "Deleted" | |
| $sharingInfo = invoke-pnpsprestmethod -Url $url -Method Post -Content $varBody | |
| } | |
| $invitees = ( | |
| $linkDetails.Invitations | | |
| ForEach-Object { $_.Invitee.email } | |
| ) -join '|' | |
| $result = New-Object PSObject -property $([ordered]@{ | |
| ItemID = $item.Id | |
| ShareId = $linkDetails.ShareId | |
| ShareLink = $linkDetails.Url | |
| Invitees = $invitees | |
| Name = $_object.FileLeafRef ?? $_object.Title | |
| Type = $_type -eq 1 ? "Folder" : "File" | |
| RelativeURL = $_object.FileRef ?? "" | |
| LinkAccess = "ViewOnly" | |
| Created = Get-Date -Date $linkDetails.Created | |
| CreatedBy = $linkDetails.CreatedBy.email | |
| LastModifiedBy = $linkDetails.LastModifiedBy.email | |
| LastModified = $LastModified | |
| ShareLinkType = $linkDetails.LinkKind | |
| Expiration = $linkDetails.Expiration | |
| BlocksDownload = $linkDetails.BlocksDownload | |
| RequiresPassword = $linkDetails.RequiresPassword | |
| PasswordLastModified = $linkDetails.PasswordLastModified | |
| PassLastModifiedBy = $linkDetails.PasswordLastModifiedBy.email | |
| HasExternalGuestInvitees = $linkDetails.HasExternalGuestInvitees | |
| HasAnonymousLink = $linkDetails.HasAnonymousLink | |
| AllowsAnonymousAccess = $linkDetails.AllowsAnonymousAccess | |
| ShareTokenString = $linkDetails.ShareTokenString | |
| Action = $action | |
| }) | |
| $global:Results +=$result; | |
| } | |
| } | |
| } | |
| } | |
| #Exclude certain libraries | |
| $ExcludedLists = @("Access Requests", "App Packages", "appdata", "appfiles", "Apps in Testing", "Cache Profiles", "Composed Looks", "Content and Structure Reports", "Content type publishing error log", "Converted Forms", | |
| "Device Channels", "Form Templates", "fpdatasources", "Get started with Apps for Office and SharePoint", "List Template Gallery", "Long Running Operation Status", "Maintenance Log Library", "Images", "site collection images" | |
| , "Master Docs", "Master Page Gallery", "MicroFeed", "NintexFormXml", "Quick Deploy Items", "Relationships List", "Reusable Content", "Reporting Metadata", "Reporting Templates", "Search Config List", "Site Assets", "Preservation Hold Library", | |
| "Site Pages", "Solution Gallery", "Style Library", "Suggested Content Browser Locations", "Theme Gallery", "TaxonomyHiddenList", "User Information List", "Web Part Gallery", "wfpub", "wfsvc", "Workflow History", "Workflow Tasks", "Pages") | |
| Write-Host "Processing site $siteUrl" -Foregroundcolor "Red"; | |
| #getSharingLink $ctx $web "site" $siteUrl ""; | |
| $ll = Get-PnPList -Includes BaseType, Hidden, Title,HasUniqueRoleAssignments,RootFolder | Where-Object {$_.Hidden -eq $False -and $_.Title -notin $ExcludedLists } #$_.BaseType -eq "DocumentLibrary" | |
| Write-Host "Number of lists $($ll.Count)"; | |
| foreach($list in $ll) | |
| { | |
| $listUrl = $list.RootFolder.ServerRelativeUrl; | |
| #Get all list items in batches | |
| $ListItems = Get-ListItems_WithUniquePermissions -List $list | |
| ForEach($item in $ListItems) | |
| { | |
| $type= $item.FileSystemObjectType; | |
| getSharingLink $item $type $siteUrl $listUrl $list.Id; | |
| } | |
| } | |
| $global:Results | Export-CSV $ReportOutput -NoTypeInformation | |
| #Export-CSV $ReportOutput -NoTypeInformation | |
| Write-host -f Green "Deletion of expired Sharing Links Report Generated Successfully! at $ReportOutput" | |
| write-host $("End time " + (Get-Date)) |
The script retrieves items and files with unique permissions. It uses the REST API instead of Microsoft Graph to find the creation date of the sharing links. This is because Microsoft Graph does not provide the creation date of sharing links. Based on the expiration date or the specified number of days, the script determines whether the links need to be deleted. It generates a CSV report detailing the sharing links and whether they have been deleted.
Conclusion
Currently, there is no default expiry time for “people you choose” or “people in your organization” links, and expired links are not automatically deleted. Using this script can help clean up your environment by removing expired or older sharing links, thereby enhancing security and governance.
Adapt the script to the needs , e.g. to crawl through multiple sites.
References
How to set an Expiration Date on sharing links in SharePoint and OneDrive