1. Introduction
Enforcing compliance policies in SharePoint Online ensures data protection, governance, and regulatory adherence. Using PnP PowerShell, organizations can:
- Restrict external sharing
- Apply retention policies to prevent data loss
- Assign sensitivity labels for data classification
- Audit compliance settings
- Automate policy enforcement
2. Prerequisites
Before enforcing compliance policies, ensure:
- PnP PowerShell is installed:
```powershell
Install-Module -Name PnP.PowerShell -Scope CurrentUser -Force
```
- You have SharePoint Admin or Global Admin permissions
- You have the SharePoint Admin Center URL of your tenant
3. Connecting to SharePoint Online
Before configuring compliance policies, connect to SharePoint Online:
```powershell
$AdminURL = "https://yourtenant-admin.sharepoint.com"
# Newer PnP.PowerShell releases require your own Entra app registration: add -ClientId "<app-id>" to this call
Connect-PnPOnline -Url $AdminURL -Interactive
```
- Replace "yourtenant" with your actual SharePoint tenant name.
- This prompts you to log in using Microsoft 365 credentials.
4. Setting Up Compliance Policies
A. Enforcing External Sharing Restrictions
To prevent unauthorized external sharing, disable external sharing on all SharePoint sites:
```powershell
# Find every site that still allows some form of external sharing and turn it off
$Sites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -ne "Disabled" }
foreach ($Site in $Sites) {
    Set-PnPTenantSite -Url $Site.Url -SharingCapability Disabled
    Write-Host "External Sharing Disabled for $($Site.Url)"
}
```
This script disables external sharing for every SharePoint site that currently permits it.
Allow External Sharing Only for Specific Sites
If external sharing is needed for specific sites, allow it only for existing external users:
```powershell
$SiteURL = "https://yourtenant.sharepoint.com/sites/ExternalCollaboration"
Set-PnPTenantSite -Url $SiteURL -SharingCapability ExistingExternalUserSharingOnly
Write-Host "External sharing restricted to existing external users for $SiteURL"
```
Now files on this site can be shared only with external users who already exist in the tenant directory (previously invited guests); no new guests can be invited.
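The two steps above can be combined into a single baseline run that disables sharing everywhere except on a documented list of exception sites, and records every change it makes. This is an added example, not code from the original article; it assumes an existing admin-center connection, and the exception list and log path are constructed placeholder values.

```powershell
# Added example: enforce the sharing baseline while honouring a documented exception list.
# Assumes Connect-PnPOnline to the admin center has already been run.
$Exceptions = @{
    # Site URL -> the most permissive sharing level it is allowed to keep (constructed example)
    "https://yourtenant.sharepoint.com/sites/ExternalCollaboration" = "ExistingExternalUserSharingOnly"
}
$LogPath = "C:\Reports\SharingChanges-$(Get-Date -Format yyyyMMdd).csv"

$Changes = foreach ($Site in Get-PnPTenantSite) {
    $Desired = if ($Exceptions.ContainsKey($Site.Url)) { $Exceptions[$Site.Url] } else { "Disabled" }
    if ("$($Site.SharingCapability)" -eq $Desired) { continue }   # already compliant, nothing to do

    Set-PnPTenantSite -Url $Site.Url -SharingCapability $Desired
    # Emit a before/after record so the run leaves an audit trail
    [PSCustomObject]@{
        Timestamp = (Get-Date).ToString("o")
        SiteURL   = $Site.Url
        Before    = "$($Site.SharingCapability)"
        After     = $Desired
    }
}

if ($Changes) {
    New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
    $Changes | Export-Csv -Path $LogPath -NoTypeInformation
}
Write-Host "$(@($Changes).Count) site(s) changed; details in $LogPath"
```

Keeping the exception list in the script (or a version-controlled file it reads) means the reason a site is allowed to share externally is reviewable, and the change log gives you something to reconcile against the audit report in section 5.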
B. Applying Retention Policies
Retention policies prevent accidental or malicious data deletion. Apply a 7-year retention policy to SharePoint libraries:
```powershell
$SiteURL = "https://yourtenant.sharepoint.com/sites/Compliance"
Connect-PnPOnline -Url $SiteURL -Interactive
$List = Get-PnPList -Identity "Documents"
# Versioning and approval are library settings and are set with PnP
Set-PnPList -Identity $List.Id -EnableVersioning $true -EnableModeration $true
# Retention is a Microsoft Purview policy, not a library property, so it is created through
# Security & Compliance PowerShell (ExchangeOnlineManagement module) and scoped to this site
Connect-IPPSSession
New-RetentionCompliancePolicy -Name "SharePoint 7-Year Retention" -SharePointLocation $SiteURL -Enabled $true
New-RetentionComplianceRule -Name "Keep 7 years" -Policy "SharePoint 7-Year Retention" -RetentionDuration 2555 -RetentionComplianceAction Keep
Write-Host "Retention policy applied for 7 years on $($List.Title)"
```
Key Configurations:
- Enables versioning and approval workflows on the library.
- Ensures files are retained for 7 years (2555 days) and cannot be permanently deleted before then.
C. Configuring Sensitivity Labels
Sensitivity labels classify content based on confidentiality. Assign a sensitivity label to a document library:
```powershell
$SiteURL = "https://yourtenant.sharepoint.com/sites/Security"
Connect-PnPOnline -Url $SiteURL -Interactive
$LibraryName = "ConfidentialDocs"
# The library-level setting is the default sensitivity label; the label must already be
# published in Microsoft Purview (its name or GUID is accepted)
Set-PnPList -Identity $LibraryName -DefaultSensitivityLabelForLibrary "Highly Confidential"
Write-Host "Sensitivity label 'Highly Confidential' applied to $LibraryName"
```
Files added to the library that carry no label of their own inherit it, so the label's protection settings (encryption and sharing restrictions) travel with the file.
D. Restricting Access Based on Location
Prevent users from accessing SharePoint from untrusted locations:
```powershell
# Replace these with your organization's PUBLIC egress ranges. SharePoint Online checks the client's
# public IP, so a private range such as 192.168.1.0/24 can never match and would lock out every user,
# including the administrator. Include your own current egress address before enabling enforcement.
Set-PnPTenant -IPAddressAllowList "192.168.1.0/24,203.0.113.0/24" -IPAddressEnforcement $true
Write-Host "Access restricted to approved IP addresses"
```
This ensures only requests arriving from the listed trusted networks can reach SharePoint.
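Because a bad allow list locks out the administrator along with everyone else, it is worth validating the ranges before they are written to the tenant. The following is an added example, not code from the original article: a small check that rejects non-routable IPv4 ranges (RFC 1918, loopback, link-local, shared address space) and refuses to enable enforcement when nothing usable remains. The `Test-PublicIPv4Cidr` function name and the input list are constructed for the example; the list reuses the article's placeholder values.

```powershell
# Added example: reject ranges that SharePoint Online could never see as a client's public address.
function Test-PublicIPv4Cidr {
    param([Parameter(Mandatory)][string]$Cidr)
    # Accept a.b.c.d or a.b.c.d/nn only
    if ($Cidr -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:/(\d{1,2}))?$') { return $false }
    $Octets = 1..4 | ForEach-Object { [int]$Matches[$_] }
    if ($Octets | Where-Object { $_ -gt 255 }) { return $false }
    $Prefix = if ($Matches[5]) { [int]$Matches[5] } else { 32 }
    if ($Prefix -gt 32) { return $false }
    $a = $Octets[0]; $b = $Octets[1]
    # Never public: "this network", loopback, RFC 1918, link-local, CGNAT shared address space
    if ($a -eq 0 -or $a -eq 127 -or $a -eq 10) { return $false }
    if ($a -eq 172 -and $b -ge 16 -and $b -le 31) { return $false }
    if ($a -eq 192 -and $b -eq 168) { return $false }
    if ($a -eq 169 -and $b -eq 254) { return $false }
    if ($a -eq 100 -and $b -ge 64 -and $b -le 127) { return $false }
    return $true
}

# Constructed input: the article's placeholder ranges. Replace with your real egress ranges.
$Requested = @("192.168.1.0/24", "203.0.113.0/24")
$Valid = @()
$Rejected = @()
foreach ($Range in $Requested) {
    if (Test-PublicIPv4Cidr $Range) { $Valid += $Range } else { $Rejected += $Range }
}
if ($Rejected) { Write-Warning "Skipping non-routable range(s): $($Rejected -join ', ')" }
if (-not $Valid) { throw "No usable public ranges; refusing to enable IP enforcement." }

# Only the validated ranges reach the tenant setting (assumes an admin-center connection)
Set-PnPTenant -IPAddressAllowList ($Valid -join ",") -IPAddressEnforcement $true
Write-Host "IP enforcement enabled for: $($Valid -join ', ')"
```

Run against the article's values, the check drops 192.168.1.0/24 with a warning and writes only 203.0.113.0/24. The check does not confirm that your own current egress address is in the list; compare the list with the address your administrative session actually uses before enabling enforcement.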
5. Auditing Compliance Policies
A. Check External Sharing Settings for All Sites
To verify external sharing settings:
```powershell
$SharingSettings = Get-PnPTenantSite | Select-Object Url, SharingCapability
$SharingSettings | Format-Table -AutoSize
```
This lists all SharePoint sites and their external sharing status.
B. Generate Compliance Report
To audit compliance settings and export them to CSV:
```powershell
# Retention is a Purview policy, so a Security & Compliance session is needed as well
# (assumes Connect-IPPSSession has already been run alongside the admin-center connection)
$RetentionPolicies = Get-RetentionCompliancePolicy
$ComplianceReport = @()
$Sites = Get-PnPTenantSite
foreach ($Site in $Sites) {
    # Library settings live in each site; the admin-center connection has no "Documents" library
    $SiteConn = Connect-PnPOnline -Url $Site.Url -Interactive -ReturnConnection
    $Docs = Get-PnPList -Identity "Documents" -Includes DefaultSensitivityLabelForLibrary -Connection $SiteConn -ErrorAction SilentlyContinue
    $Label = if ($Docs) { $Docs.DefaultSensitivityLabelForLibrary } else { "n/a" }
    # A site is covered when its URL appears among a policy's SharePoint locations
    $Covered = $RetentionPolicies | Where-Object { "$($_.SharePointLocation)" -like "*$($Site.Url)*" }
    $ComplianceReport += [PSCustomObject]@{
        SiteURL       = $Site.Url
        SharingStatus = $Site.SharingCapability
        Sensitivity   = $Label
        Retention     = [bool]$Covered
    }
}
New-Item -ItemType Directory -Path "C:\Reports" -Force | Out-Null
$ComplianceReport | Export-Csv -Path "C:\Reports\ComplianceReport.csv" -NoTypeInformation
Write-Host "Compliance Report Exported Successfully!"
```
The report includes:
- External sharing status
- Sensitivity label assigned
- Retention policy enabled
6. Automating Compliance Policy Enforcement
To automate compliance enforcement, create a script (Enforce-Compliance.ps1) and schedule it using Task Scheduler.
Save the Script
```powershell
# Unattended sign-in for a scheduled task: interactive login cannot run unattended, so use an Entra app
# registration with a certificate (placeholder app ID, thumbprint and tenant below). The app needs
# SharePoint Sites.FullControl.All and, for the compliance session, Exchange.ManageAsApp plus a compliance role.
$Auth = @{ ClientId = "<app-id>"; Thumbprint = "<cert-thumbprint>"; Tenant = "yourtenant.onmicrosoft.com" }
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" @Auth
# Security & Compliance session for retention (assumes a policy with this name exists; create it once with New-RetentionCompliancePolicy)
Connect-IPPSSession -AppId $Auth.ClientId -CertificateThumbprint $Auth.Thumbprint -Organization $Auth.Tenant
$Sites = Get-PnPTenantSite
foreach ($Site in $Sites) {
    # Disable external sharing
    Set-PnPTenantSite -Url $Site.Url -SharingCapability Disabled
    # Apply the default sensitivity label to the site's Documents library (library settings need a per-site connection)
    $SiteConn = Connect-PnPOnline -Url $Site.Url @Auth -ReturnConnection
    Set-PnPList -Identity "Documents" -DefaultSensitivityLabelForLibrary "Confidential" -Connection $SiteConn -ErrorAction SilentlyContinue
    # Add the site to the 7-year retention policy
    Set-RetentionCompliancePolicy -Identity "SharePoint 7-Year Retention" -AddSharePointLocation $Site.Url -ErrorAction SilentlyContinue
}
Write-Host "Compliance Policies Enforced Successfully!"
```
Schedule the Task
- Open Task Scheduler.
- Click Create Basic Task.
- Choose a Trigger (e.g., weekly).
- Select Action > Start a Program.
- Set Program/Script to powershell.exe.
- In Add Arguments, enter: -File "C:\Path\To\Enforce-Compliance.ps1"
- Click Finish to enable automation.
Now, compliance policies are automatically enforced!
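The same task can be registered from PowerShell, which makes the schedule reproducible and lets you pin down how the script runs: no profile, non-interactive, and under a dedicated low-privilege account rather than whoever happened to be logged on. This is an added example, not part of the original article. The script path is the one from the article; the account name `DOMAIN\svc-compliance`, the task name and the Monday 02:00 schedule are assumed values.

```powershell
# Added example: register the weekly enforcement task from PowerShell instead of the Task Scheduler UI.
$ScriptPath = "C:\Path\To\Enforce-Compliance.ps1"
$TaskName   = "Enforce-SharePointCompliance"

# -NoProfile and -NonInteractive keep the run deterministic and stop it hanging on a prompt
$Action = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument ('-NoProfile -NonInteractive -ExecutionPolicy RemoteSigned -File "{0}"' -f $ScriptPath)

$Trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At "02:00"

# Dedicated service account that holds the app certificate (assumed name). S4U runs the task whether or
# not the account is logged on, without storing its password; RunLevel Limited avoids an elevated token.
$Principal = New-ScheduledTaskPrincipal -UserId "DOMAIN\svc-compliance" -LogonType S4U -RunLevel Limited

# Bound the run time and catch up if the machine was off at the scheduled moment
$Settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 2) -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings `
    -Description "Weekly SharePoint Online compliance enforcement"

# Verify what was registered: state, and the exact command line the task will run
Get-ScheduledTask -TaskName $TaskName | Select-Object TaskName, State
(Get-ScheduledTask -TaskName $TaskName).Actions | Select-Object Execute, Arguments
```

Since the task runs whatever is at `$ScriptPath` with the service account's privileges, restrict write access on that folder to administrators and review the script before each change; the `Arguments` check at the end confirms the task still points at the intended file.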