Organizations store confidential and sensitive data in SharePoint Online, making encryption essential for securing documents. Managing encrypted documents ensures that only authorized users can access protected files, preventing data leaks and unauthorized access.
Using PnP PowerShell, administrators can:
✔ Identify encrypted files
✔ Set encryption policies
✔ Manage document access
✔ Automate security compliance
This guide provides step-by-step instructions for managing encrypted documents in SharePoint Online using PnP PowerShell.
Step 1: Install & Update PnP PowerShell
Ensure PnP PowerShell is installed and up to date:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
Using Interactive Login
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
Using App-Based Authentication
# Load the secret from a secure store (Azure Key Vault, an encrypted credential file) rather than hardcoding it in the script
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
Connect-PnPOnline -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -Url "https://yourtenant-admin.sharepoint.com"
✔ Ensures secure authentication before managing encrypted documents.
Step 3: Identify Encrypted Documents in a SharePoint Library
To list all encrypted documents in a SharePoint document library:
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$library = "Documents"
Connect-PnPOnline -Url $siteUrl -Interactive
# -PageSize keeps large libraries under the 5000-item list view threshold
$encryptedFiles = Get-PnPListItem -List $library -PageSize 500 | Where-Object { $_["ComplianceTag"] -match "Encrypted" }
# ListItem field values are read through the indexer, not as direct properties of the object
$encryptedFiles | Select-Object Id, @{Name="FileLeafRef"; Expression={ $_["FileLeafRef"] }}, @{Name="ComplianceTag"; Expression={ $_["ComplianceTag"] }}
✔ Retrieves files tagged as encrypted.
Step 4: Apply Encryption to Documents
To apply encryption using sensitivity labels, first retrieve available labels:
Get-PnPSensitivityLabel | Format-Table Id, DisplayName
✔ Displays available sensitivity labels for encryption.
Now, apply a label to a document:
$documentPath = "Shared Documents/ConfidentialReport.pdf"
$labelId = "your-label-id"
Set-PnPSensitivityLabel -List "Documents" -FileRelativePath $documentPath -LabelId $labelId
✔ Encrypts the document using a predefined label.
Step 5: Remove Encryption from Documents
To remove encryption from a document:
Set-PnPSensitivityLabel -List "Documents" -FileRelativePath "Shared Documents/ConfidentialReport.pdf" -LabelId $null
✔ Decrypts the document, removing encryption restrictions.
Step 6: Restrict Access to Encrypted Documents
To limit access to specific users/groups:
$siteUrl = "https://yourtenant.sharepoint.com/sites/YourSite"
$library = "Documents"
$fileName = "ConfidentialReport.pdf"
$userEmail = "user@yourdomain.com"
Connect-PnPOnline -Url $siteUrl -Interactive
# Set-PnPListItemPermission expects the list item, not the file name; look the item up by FileLeafRef
$item = Get-PnPListItem -List $library -Query "<View><Query><Where><Eq><FieldRef Name='FileLeafRef'/><Value Type='Text'>$fileName</Value></Eq></Where></Query></View>"
# -AddRole takes the role definition name; -ClearExisting breaks inheritance and drops the inherited assignments so only the named user keeps access
Set-PnPListItemPermission -List $library -Identity $item -User $userEmail -AddRole "Read" -ClearExisting
✔ Restricts file access to selected users only.
Step 7: Automate Encryption for New Files
To automatically encrypt new files, schedule this script in Azure Automation or Task Scheduler. An unattended run cannot use interactive login, so connect with the app-based authentication from Step 2 first:
$library = "Documents"
$labelId = "your-label-id"
# Select items that carry no label yet; IsNullOrEmpty also catches an empty string in the field
$files = Get-PnPListItem -List $library -PageSize 500 | Where-Object { [string]::IsNullOrEmpty($_["ComplianceTag"]) }
foreach ($file in $files) {
    # Field values are read through the indexer, not as properties of the ListItem
    Set-PnPSensitivityLabel -List $library -FileRelativePath $file["FileLeafRef"] -LabelId $labelId
    Write-Host "Applied encryption to: $($file["FileLeafRef"])"
}
✔ Ensures all new files are encrypted by default.
Step 8: Generate a Report of Encrypted Documents
To export a report of encrypted documents:
$library = "Documents"
$reportPath = "C:\Reports\EncryptedDocuments.csv"
$encryptedFiles = Get-PnPListItem -List $library -PageSize 500 | Where-Object { $_["ComplianceTag"] -match "Encrypted" }
# Calculated properties are needed because FileLeafRef and ComplianceTag are list fields, not object properties
$encryptedFiles | Select-Object Id, @{Name="FileLeafRef"; Expression={ $_["FileLeafRef"] }}, @{Name="ComplianceTag"; Expression={ $_["ComplianceTag"] }} | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "Report saved to: $reportPath"
✔ Saves a CSV report of encrypted documents for auditing.
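Steps 7 and 8 can be combined into one scheduled pass that first reports the label state of every file and only changes anything when asked to. This is an added example, not part of the original guide: it reuses the cmdlets and the ComplianceTag, FileLeafRef and FileRef field names from the steps above, and the $LabelId value and report path are placeholders.

```powershell
# Added example: report-then-remediate pass over one library (not from the original guide).
# Assumes the cmdlets and field names used in Steps 4-8; run without -Remediate to report only.
param(
    [string]$SiteUrl    = "https://yourtenant.sharepoint.com/sites/YourSite",
    [string]$Library    = "Documents",
    [string]$LabelId    = "your-label-id",            # placeholder: the label every file must carry
    [string]$ReportPath = "C:\Reports\LabelCompliance.csv",
    [switch]$Remediate                                # apply the label to unlabeled files
)

# Use the app-based authentication from Step 2 when this runs unattended
Connect-PnPOnline -Url $SiteUrl -Interactive

# -PageSize avoids the 5000-item list view threshold; -Fields limits the payload to what we need
$items = Get-PnPListItem -List $Library -PageSize 500 -Fields "FileLeafRef","FileRef","ComplianceTag","Modified"

$rows = foreach ($item in $items) {
    $current = $item["ComplianceTag"]
    $status = if ([string]::IsNullOrEmpty($current)) { "Unlabeled" }
              elseif ($current -match "Encrypted")   { "Compliant" }
              else                                   { "OtherLabel" }

    if ($Remediate -and $status -eq "Unlabeled") {
        try {
            # Same call as Step 4; FileRef is the server-relative path of the file (assumed accepted here)
            Set-PnPSensitivityLabel -List $Library -FileRelativePath $item["FileRef"] -LabelId $LabelId
            $status = "Remediated"
        } catch {
            # Keep going on a single failure and record the reason in the report
            $status = "Failed: $($_.Exception.Message)"
        }
    }

    [pscustomobject]@{
        Id       = $item.Id
        File     = $item["FileLeafRef"]
        Path     = $item["FileRef"]
        Label    = $current
        Status   = $status
        Modified = $item["Modified"]
    }
}

# Persist the per-file result for auditing and print a summary by status
$rows | Export-Csv -Path $ReportPath -NoTypeInformation
$rows | Group-Object Status | Select-Object Name, Count
```

Run it once without -Remediate and review the "OtherLabel" rows before letting it relabel anything, since those files already carry a label a user or policy chose deliberately.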