Get SharePoint site sharing Settings
Summary
Reviewing sharing settings is essential to prevent oversharing, which can lead to data breaches and unauthorised access to sensitive information. By regularly auditing and adjusting these settings, you can enforce your organization's sharing policies and ensure that only authorized users have access to specific content. This is particularly important during the rollout of Copilot for M365, as it helps maintain a secure and compliant environment.
Prerequisites
- The user account that runs the script must have SharePoint Online site administrator and SharePoint Administrator access.
```powershell
param (
    [Parameter(Mandatory = $true)]
    [string] $domain
)

$adminSiteURL = "https://$domain-Admin.SharePoint.com"
$TenantURL = "https://$domain.sharepoint.com"

# Build a timestamped CSV path next to the script
$dateTime = "_{0:MM_dd_yy}_{0:HH_mm_ss}" -f (Get-Date)
$invocation = (Get-Variable MyInvocation).Value
$directorypath = Split-Path $invocation.MyCommand.Path
$fileName = "site_sharing_settings" + $dateTime + ".csv"
$outputPath = $directorypath + "\" + $fileName

if (-not (Test-Path $outputPath)) {
    New-Item -ItemType File -Path $outputPath
}

# Connect to the SharePoint admin site; this connection is reused for tenant-level calls
Connect-PnPOnline -Url $adminSiteURL -Interactive -WarningAction SilentlyContinue
$adminConnection = Get-PnPConnection

Write-Host "Getting site sharing settings..." -ForegroundColor Yellow

$sharingReport = Get-PnPTenantSite -Filter "Url -like '$TenantURL'" | Where-Object { $_.Template -ne 'RedirectSite#0' } | ForEach-Object {
    try {
        # Tenant-level sharing properties of the site
        $sharingsetting = Get-PnPTenantSite -Url $_.Url -DisableSharingForNonOwnersStatus -Connection $adminConnection | select `
            Title, `
            Url, `
            Type, `
            Template, `
            ShowPeoplePickerSuggestionsForGuestUsers, `
            SharingCapability, `
            ExternalUserExpirationInDays, `
            SharingAllowedDomainList, `
            SharingBlockedDomainList, `
            SharingDomainRestrictionMode, `
            OverrideTenantExternalUserExpirationPolicy, `
            OverrideTenantAnonymousLinkExpirationPolicy, `
            DefaultSharingLinkType, `
            DefaultLinkPermission, `
            DefaultShareLinkScope, `
            DefaultShareLinkRole, `
            DefaultLinkToExistingAccess, `
            DisableCompanyWideSharingLinks, `
            DisableSharingForNonOwnersStatus, `
            AnonymousLinkExpirationInDays, `
            ConditionalAccessPolicy, `
            ReadOnlyForUnmanagedDevices, `
            LoopDefaultSharingLinkScope, `
            LoopDefaultSharingLinkRole, `
            OverrideSharingCapability, `
            RequestFilesLinkEnabled, `
            RequestFilesLinkExpirationInDays, `
            RestrictedAccessControl, `
            RestrictedAccessControlGroups, `
            RestrictContentOrgWideSearch, `
            SensitivityLabel
        # DefaultShareLinkScope and DefaultShareLinkRole will replace DefaultSharingLinkType and DefaultLinkPermission

        # Site-level (web) sharing and access request settings, read over REST
        $restUrl = $_.Url + '/_api/web?$select=MembersCanShare,TenantAdminMembersCanShare,RequestAccessEmail,UseAccessRequestDefault,AccessRequestSiteDescription'
        Connect-PnPOnline -Url $_.Url -Interactive -WarningAction SilentlyContinue
        $siteconnection = Get-PnPConnection
        $response = Invoke-PnPSPRestMethod -Url $restUrl -Method Get -Connection $siteconnection

        $groupType = ""
        $allowToAddGuests = $null;
        $m365Group = $null;

        # Find if the site is linked to an M365 group and retrieve visibility
        if ($_.groupId -ne [guid]::Empty) {
            $m365Group = Get-PnPMicrosoft365Group -Identity $_.groupId -Connection $adminConnection | select Visibility
            $m365GroupSettings = Get-PnPMicrosoft365GroupSettings -Identity $_.GroupId -Connection $adminConnection
            $allowToAddGuests = $m365GroupSettings.Values | Where-Object { $_.Name -eq 'AllowToAddGuests' }

            # Get group type (group, team, yammer)
            $gEndPoint = Get-PnPMicrosoft365GroupEndpoint -Identity $_.groupId
            $groupType = $gEndPoint ? $gEndPoint.ProviderName : "SharePoint Team Site or Outlook";
            #Get guest user count
            #$settings = New-PnPMicrosoft365GroupSettings -Identity $_.groupId -DisplayName "Group.Unified.Guest" -TemplateId "08d542b9-071f-4e16-94b0-74abb372e3d9" -Values @{"AllowToAddGuests"="false"}
        }

        [PSCustomObject]@{
            ## Add the properties from the $sharingsetting object
            Title                                       = $sharingsetting.Title
            Url                                         = $sharingsetting.Url
            ShowPeoplePickerSuggestionsForGuestUsers    = $sharingsetting.ShowPeoplePickerSuggestionsForGuestUsers
            SharingCapability                           = $sharingsetting.SharingCapability
            ExternalUserExpirationInDays                = $sharingsetting.ExternalUserExpirationInDays
            SharingAllowedDomainList                    = $sharingsetting.SharingAllowedDomainList
            SharingBlockedDomainList                    = $sharingsetting.SharingBlockedDomainList
            SharingDomainRestrictionMode                = $sharingsetting.SharingDomainRestrictionMode
            OverrideTenantExternalUserExpirationPolicy  = $sharingsetting.OverrideTenantExternalUserExpirationPolicy
            DefaultSharingLinkType                      = $sharingsetting.DefaultSharingLinkType
            DefaultLinkPermission                       = $sharingsetting.DefaultLinkPermission
            DefaultShareLinkScope                       = $sharingsetting.DefaultShareLinkScope
            DefaultShareLinkRole                        = $sharingsetting.DefaultShareLinkRole
            DefaultLinkToExistingAccess                 = $sharingsetting.DefaultLinkToExistingAccess
            DisableCompanyWideSharingLinks              = $sharingsetting.DisableCompanyWideSharingLinks
            AnonymousLinkExpirationInDays               = $sharingsetting.AnonymousLinkExpirationInDays
            ConditionalAccessPolicy                     = $sharingsetting.ConditionalAccessPolicy
            ReadOnlyForUnmanagedDevices                 = $sharingsetting.ReadOnlyForUnmanagedDevices
            LoopDefaultSharingLinkScope                 = $sharingsetting.LoopDefaultSharingLinkScope
            LoopDefaultSharingLinkRole                  = $sharingsetting.LoopDefaultSharingLinkRole
            OverrideSharingCapability                   = $sharingsetting.OverrideSharingCapability
            OverrideTenantAnonymousLinkExpirationPolicy = $sharingsetting.OverrideTenantAnonymousLinkExpirationPolicy
            RequestFilesLinkEnabled                     = $sharingsetting.RequestFilesLinkEnabled
            RequestFilesLinkExpirationInDays            = $sharingsetting.RequestFilesLinkExpirationInDays
            RestrictContentOrgWideSearch                = $sharingsetting.RestrictContentOrgWideSearch
            DisableSharingForNonOwners                  = $sharingsetting.DisableSharingForNonOwnersStatus
            SensitivityLabel                            = $sharingsetting.SensitivityLabel
            SiteType                                    = If ($sharingsetting.Template -eq "GROUP#0") { "Group" } elseif ($sharingsetting.Template -eq "TEAMCHANNEL#1" -or $sharingsetting.Template -eq "TEAMCHANNEL#0") { "Team Channel" } else { "Site" }
            ## Add the properties from the $response object
            MembersCanShare                             = $response.MembersCanShare
            TenantAdminMembersCanShare                  = $response.TenantAdminMembersCanShare
            RequestAccessEmail                          = $response.RequestAccessEmail
            UseAccessRequestDefault                     = $response.UseAccessRequestDefault
            AccessRequestSiteDescription                = $response.AccessRequestSiteDescription
            ## Add M365 group settings if the site is linked to an M365 group
            m365GroupId                                 = if ($_.groupId -ne [guid]::Empty) { $_.groupId }
            m365GroupVisibility                         = $m365Group.Visibility
            m365GroupAllowToAddGuests                   = $allowToAddGuests.Value ?? "Default"
            m365GroupType                               = $groupType
        }
    }
    catch {
        Write-Host "An error occurred: $_" -ForegroundColor Red
    }
}

$sharingReport | select * | Export-Csv $outputPath -NoTypeInformation -Append
Write-Host "Exported successfully!..." -ForegroundColor Green
```
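Once the report exists, its rows can be triaged for oversharing indicators before a Copilot rollout. The following is an added example, not part of the original sample: the function name `Get-SharingFinding`, the rules and the sample rows are assumptions for illustration, using column names from the script's output.

```powershell
# Added example. The rules are illustrative assumptions; adjust them to your sharing policy.
function Get-SharingFinding {
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $Site)
    process {
        $reasons = [System.Collections.Generic.List[string]]::new()
        # Import-Csv returns every value as a string, so compare as text.
        $external = $Site.SharingCapability -ne 'Disabled'
        $anyone   = $Site.SharingCapability -eq 'ExternalUserAndGuestSharing'
        if ($anyone) { $reasons.Add('Anyone links allowed') }
        # 0 days only means "never expires" when the site overrides the tenant policy.
        if ($anyone -and $Site.OverrideTenantAnonymousLinkExpirationPolicy -eq 'True' -and
            [int]$Site.AnonymousLinkExpirationInDays -eq 0) {
            $reasons.Add('Anyone links never expire')
        }
        if ($Site.DefaultSharingLinkType -eq 'AnonymousAccess') {
            $reasons.Add('Default link type is Anyone')
        }
        if ($external -and $Site.MembersCanShare -eq 'True') {
            $reasons.Add('Members can share while external sharing is on')
        }
        if ($Site.m365GroupVisibility -eq 'Public') {
            $reasons.Add('Public Microsoft 365 group')
        }
        if ([string]::IsNullOrWhiteSpace($Site.SensitivityLabel)) {
            $reasons.Add('No sensitivity label')
        }
        # Emit one row per site that matched at least one rule
        if ($reasons.Count -gt 0) {
            [PSCustomObject]@{ Url = $Site.Url; Findings = $reasons -join '; ' }
        }
    }
}

# Constructed sample rows using a subset of the report's columns (not real tenant data).
$sample = @'
Url,SharingCapability,OverrideTenantAnonymousLinkExpirationPolicy,AnonymousLinkExpirationInDays,DefaultSharingLinkType,MembersCanShare,m365GroupVisibility,SensitivityLabel
https://contoso.sharepoint.com/sites/hr,Disabled,False,0,Internal,False,Private,00000000-0000-0000-0000-000000000001
https://contoso.sharepoint.com/sites/marketing,ExternalUserAndGuestSharing,True,0,AnonymousAccess,True,Public,
https://contoso.sharepoint.com/sites/projects,ExternalUserSharingOnly,False,0,Direct,True,Private,
'@ | ConvertFrom-Csv

# For a real run, replace $sample with the output of Import-Csv on the exported file.
$sample | Get-SharingFinding | Format-Table -AutoSize -Wrap
```

With the constructed rows, the `hr` site produces no finding, while `marketing` and `projects` are listed with their reasons.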
Check out the PnP PowerShell to learn more at: https://aka.ms/pnp/powershell
The way you log in to PnP PowerShell has changed; please read "PnP Management Shell EntraID app is deleted : what should I do ?"
Source Credit
Sample first appeared on Get SharePoint site sharing Settings with PowerShell
Contributors
Author(s) |
---|
Reshmee Auckloo |
Disclaimer
THESE SAMPLES ARE PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING ANY IMPLIED WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR NON-INFRINGEMENT.