Safely sharing files externally

Pick your platform

Show steps for one platform at a time

Step-by-Step

OneDrive & SharePoint

The share dialog is identical in OneDrive, SharePoint document libraries, and files inside a Microsoft Teams channel. These steps work in the web app and from File Explorer when the OneDrive sync app is installed.

Share a file with specific people outside your company

Open the file or folder. In the web app, click it once. In File Explorer, right-click the synced item.
Click Share (paper-airplane icon in the web app).
At the top of the dialog, click the line that currently says "Anyone with the link…" or "People in your company…".
Choose Specific people.
Set permission to Can edit or Can view. View is the safer default for external recipients.
Turn on Set expiration date and pick a date 30–60 days out (or whenever the project actually ends).
Optional: turn on Set password. Send that password through a different channel — phone, Teams chat, or text — never the same email as the link.
Click Apply.
Type the recipient email addresses, add a short message, and click Send. Or click Copy link if you want to paste it into your own email.

Revoke a share you already created

Sign in at onedrive.com (use SharePoint if the file lives there).
In the left rail, click Shared → Shared by you.
Click the file or folder you want to manage.
In the details pane on the right, click Manage access.
To kill the entire link, click the × next to it under "Links giving access."
To remove a single person, click the dropdown next to their name and choose Stop sharing.

Find every link you've ever shared (audit)

Sign in at onedrive.com.
Click Shared → Shared by you. This lists everything you've shared, sorted by recency.
For SharePoint sites you own, open the site → gear icon → Site usage → Most popular shared content for a sharing report.
Walk down the list — anything older than the project should be revoked using the steps above.

Step-by-Step

Box

Box separates "shared links" (anyone with the URL) from "invited collaborators" (specific people). For external sharing, prefer invited collaborators when you can; use a shared link only when the recipient can't or won't authenticate.

Share a file by inviting specific people (recommended)

Sign in at app.box.com.
Hover over the file or folder and click Share.
In the Invite People field, type the recipient's email addresses.
Set their access to Viewer, Previewer, or Editor. Viewer is the safest default for external.
Optional: add a message.
Click Send. The recipient gets an email and must sign in (or create a free Box account) to access the file.

Share a file with a link (when the recipient won't sign in)

Hover over the file and click Share.
Toggle Shared Link on.
Click Link Settings.
Under "Link Access," choose People with the link (or People in your company for internal-only). Avoid "Open" unless the content is genuinely public.
Set Allowed Actions to View Only if the recipient should not download.
Toggle Require Password on and create a password. Send the password by a separate channel.
Set Link Expiration to a real date.
Click Save.
Copy the link from the share dialog and send it.

Revoke a share or remove a collaborator

Open the file or folder.
Click Share.
To kill the public link: toggle Shared Link off.
To remove a specific person: find them in the collaborator list and click Remove.

Audit your existing Box shares

Sign in at app.box.com.
Click your profile icon (top right) → Account Settings.
If you have reporting permissions, the Box account setup page has full reports. If not, ask IT to run a sharing report.
Otherwise, walk through your folders. Any folder with a chain-link icon next to its name has an active shared link.

Step-by-Step

Dropbox

Dropbox shares can be either "people-only" invites or general links. Per-link settings for password, expiration, and disabling downloads are on Professional/Business plans.

Share a file with specific people

Sign in at dropbox.com.
Hover over the file and click Share.
In the To: field, type recipient email addresses.
Use the dropdown to choose Can view or Can edit.
Optional: add a message.
Click Share file. Recipients get an email and must sign in to view.

Create and lock down a shared link

Hover over the file and click Share.
Click Settings (gear icon) at the bottom of the share dialog.
Under Who has access, choose People you invite (most restrictive) or Anyone with the link (open).
Set Link expiration to a date.
Set Link password and create one. Send it through a separate channel.
Toggle Disable downloads on if the recipient should preview only.
Click Save.
Click Copy link and paste it into your email.

Revoke a Dropbox share

Hover over the file and click Share.
Click Settings.
Click Remove link at the bottom of the dialog to kill the shared link entirely.
To remove a specific person: in the share dialog, click the dropdown next to their name and choose Remove.

Audit your Dropbox shares

Sign in at dropbox.com.
Click Shared in the left rail.
Switch between Files and Links tabs to see every share you've created.
Click any item to open share settings and revoke as needed.

Step-by-Step

Egnyte

Egnyte is common at AEC firms because company policies often require an expiration on every external link. The web app is the easiest place to create and manage shares.

Share a file via Egnyte link

Sign in to your firm's Egnyte web app (typically yourcompany.egnyte.com).
Browse to the file or folder.
Click the share icon (paper plane) next to the item, or right-click → Share.
Under Link Type, choose File (single file) or Folder.
Set Recipients — leave open, restrict to "specified email addresses," or restrict to "Egnyte users only" (sign-in required).
Set Permissions — Preview Only is the safest external default. Choose Download or Upload only when needed.
Set Link expires to a date. Many firms require this for external shares.
Optional: enable Notify me on access so you get an email when the link is opened.
Add the recipient emails or click Get Link to copy it.
Click Send.

Revoke or change an Egnyte link

Sign in to the Egnyte web app.
In the left rail, click Links (or My Links).
Find the link in the list.
Click the three-dot menu → Delete to kill it, or Edit to change permissions/expiration.

Audit your Egnyte shares

The Links page in the left rail shows every active share you've created, sorted by date.
Anything past the project end date should be deleted using the steps above.
If you have reporting access, Reports → Link Usage shows shares across the firm.

Background

Three permission options, very different outcomes

Specific people

The link works only for the email addresses you list, and the recipient must sign in to view. Best default for sensitive content. Works in OneDrive, SharePoint, Box, Dropbox, and Egnyte.

People in your company

Anyone signed in to your firm's account can open the link. Good for internal sharing where you don't need to specify each person. Not appropriate for clients or vendors.

Anyone with the link

The link works for everyone, anywhere, without sign-in. If the link gets forwarded, the new recipient can open it. Use only when content is genuinely public, and always pair with an expiration date.

Background

Old share links are quietly the biggest leak source

Set a real date when sharing externally

OneDrive, SharePoint, Box, Dropbox, and Egnyte all support expiration dates. Pick one that matches the actual project timeline — 30 or 60 days is reasonable for most external shares.

Audit your old shares once a year

Use the audit steps in each platform section above. Any share older than its project should be revoked.

If a recipient leaves their company, revoke the link

Specific-people sharing is tied to email addresses. If you shared with someone at Vendor Co. and they left, the new owner of that email can read your file unless you remove the share.

Sensitive Content

Extra steps when content is confidential

Set view-only when the recipient does not need to edit

"View only" prevents download in some apps but not all. Treat it as friction, not a hard guarantee.

Use a password on the link if available

OneDrive, Box, and Dropbox all support a password on the share link. Send the password through a different channel — phone call or Teams chat — not the same email.

Consider a request file or upload-only link

If a vendor needs to send you a file, give them an upload-only link instead of a shared editable folder. OneDrive Request Files, Box Request, and Egnyte upload-only links all work this way.

For client work, use the channel your client expects

Many clients have their own SharePoint, Box, or Egnyte they prefer. Sending into their system is often safer than sharing out from yours.

What Not To Do

Common mistakes

Don't email the file as an attachment to "make it simple"

Attachments cannot be revoked, get forwarded freely, and create version chaos. A share link can be revoked and updated.

Don't paste a "people in your company" link in an external email

The recipient sees a sign-in error and assumes the link is broken. Generate a new share targeted to their email.

Don't rely on "I sent it to a personal Gmail by mistake, can IT pull it back?"

Once a file is in someone else's mailbox or downloaded, IT cannot get it back. Slow down before sending.