Anonymous access in SharePoint Online allows users to access content without authentication. While this can be useful in some cases, it poses significant security risks. Using PnP PowerShell, administrators can enforce security measures to block anonymous access across SharePoint Online sites, libraries, and lists.
Step 1: Install & Update PnP PowerShell
Ensure that PnP PowerShell is installed and up to date:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
To update an existing module:
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
To manage anonymous access settings, connect to your SharePoint Online environment:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
For app-based authentication, use:
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
Connect-PnPOnline -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -Url "https://yourtenant-admin.sharepoint.com"
Step 3: Check Anonymous Access Settings for a Site
Before blocking anonymous access, verify the current sharing settings:
Get-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/YourSite" | Select-Object Url, SharingCapability
This returns the current SharingCapability setting:
Disabled → No external sharing allowed
ExistingExternalUserSharingOnly → Only known external users can access
ExternalUserSharingOnly → Specific external users can be invited
ExternalUserAndGuestSharing → Anonymous ("Anyone") links are enabled (⚠ Security risk)
Step 4: Disable Anonymous Sharing for a SharePoint Site
To block anonymous access completely, change the sharing capability:
Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/YourSite" -SharingCapability Disabled
To allow only known external users (without anonymous links):
Set-PnPTenantSite -Url "https://yourtenant.sharepoint.com/sites/YourSite" -SharingCapability ExistingExternalUserSharingOnly
Step 5: Block Anonymous Access to All SharePoint Sites
To disable anonymous sharing across all sites, run:
# "Anyone" (anonymous) links correspond to the SharingCapability value ExternalUserAndGuestSharing
$sites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" }
foreach ($site in $sites) {
    Set-PnPTenantSite -Url $site.Url -SharingCapability ExistingExternalUserSharingOnly
    Write-Host "Blocked anonymous access for: $($site.Url)"
}
This script:
✔ Identifies all sites with anonymous sharing enabled
✔ Updates sharing settings to prevent anonymous access
Step 6: Block Anonymous Access to Specific Document Libraries
Even if site-wide sharing is restricted, some document libraries may still allow anonymous access. To disable anonymous sharing at the library level, use:
Set-PnPList -Identity "Documents" -EnableRequestAccess $false -DisableSharingForNonMembers $true
To apply this to all libraries in a site:
$lists = Get-PnPList
foreach ($list in $lists) {
    Set-PnPList -Identity $list.Id -EnableRequestAccess $false -DisableSharingForNonMembers $true
    Write-Host "Blocked anonymous access for: $($list.Title)"
}
Step 7: Remove Existing Anonymous Links
If anonymous links were previously shared, they should be removed:
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$lists = Get-PnPList -Web $siteUrl | Where-Object { $_.Hidden -eq $false }
foreach ($list in $lists) {
    $items = Get-PnPListItem -List $list.Title -Web $siteUrl
    foreach ($item in $items) {
        Remove-PnPSharingLink -List $list.Title -Identity $item.Id
        Write-Host "Removed anonymous sharing link from: $($item.Id) in $($list.Title)"
    }
}
This removes existing anonymous sharing links from documents and lists.
Step 8: Enforce Tenant-Wide Policy to Block Anonymous Sharing
To ensure anonymous sharing is blocked across the entire tenant, run:
Set-PnPTenant -SharingCapability ExistingExternalUserSharingOnly
To completely disable external sharing, use:
Set-PnPTenant -SharingCapability Disabled
This ensures that no new anonymous links can be created.
Step 9: Monitor Anonymous Access & Generate Reports
To audit all sites and detect anonymous sharing, run:
$reportPath = "C:\Reports\AnonymousAccessReport.csv"
$sites = Get-PnPTenantSite | Select-Object Url, SharingCapability
$sites | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Anonymous Access Report generated at: $reportPath"
This helps monitor security risks and identify sites that need anonymous access restrictions.
Step 10: Automate Anonymous Access Cleanup
To automatically check & disable anonymous access every week, schedule this script in Task Scheduler:
# "Anyone" (anonymous) links correspond to the SharingCapability value ExternalUserAndGuestSharing
$sites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -eq "ExternalUserAndGuestSharing" }
foreach ($site in $sites) {
    Set-PnPTenantSite -Url $site.Url -SharingCapability ExistingExternalUserSharingOnly
    Write-Host "Disabled anonymous access for: $($site.Url)"
}
This ensures continuous enforcement of security policies.
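An audited variant of the cleanup loop from Steps 5 and 10, added here as an example (not code from the original article): it supports a -WhatIf dry run, keeps going when one site fails, and records each site's previous setting so a change can be rolled back. The function name, its parameters and the log path are assumptions, and it expects an existing Connect-PnPOnline session against the admin URL.

```powershell
# Added example, not from the original article.
# Assumes Connect-PnPOnline has already been run against the tenant admin URL.
# Function name, parameter names and the default log path are hypothetical.
function Block-AnonymousSiteSharing {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Any of these levels prevents anonymous ("Anyone") links on the site.
        [ValidateSet('ExistingExternalUserSharingOnly', 'ExternalUserSharingOnly', 'Disabled')]
        [string]$TargetCapability = 'ExistingExternalUserSharingOnly',
        [string]$LogPath = 'C:\Reports\AnonymousSharingChanges.csv'
    )

    # ExternalUserAndGuestSharing is the value behind anonymous links.
    $sites = Get-PnPTenantSite |
        Where-Object { $_.SharingCapability -eq 'ExternalUserAndGuestSharing' }

    $results = foreach ($site in $sites) {
        $status = 'Skipped (WhatIf)'
        if ($PSCmdlet.ShouldProcess($site.Url, "Set SharingCapability to $TargetCapability")) {
            try {
                Set-PnPTenantSite -Url $site.Url -SharingCapability $TargetCapability -ErrorAction Stop
                $status = 'Changed'
            }
            catch {
                # One locked or read-only site must not stop the whole run.
                $status = "Failed: $($_.Exception.Message)"
            }
        }
        [pscustomobject]@{
            TimestampUtc = (Get-Date).ToUniversalTime().ToString('o')
            Url          = $site.Url
            Previous     = "$($site.SharingCapability)"   # value to restore on rollback
            Target       = $TargetCapability
            Status       = $status
        }
    }

    # Under -WhatIf, Export-Csv also only reports what it would do; no file is written.
    if ($results) {
        $results | Export-Csv -Path $LogPath -NoTypeInformation -Append
    }
    return $results
}

# Dry run first, then apply:
#   Block-AnonymousSiteSharing -WhatIf
#   Block-AnonymousSiteSharing
```

Rows with a Failed status in the log are the sites to review by hand after each scheduled run.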
