Ensuring compliance in SharePoint Online is critical for security, governance, and regulatory requirements. Using PnP PowerShell, we can automate compliance checks to:
Identify policy violations
Audit external sharing and permissions
Enforce data protection rules
Monitor sensitive content access
Step 1: Connect to SharePoint Online
$adminSiteUrl = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $adminSiteUrl -Interactive
Write-Host "Connected to SharePoint Online"
✔ Establishes a secure connection to SharePoint Admin Center.
Step 2: Check External Sharing Policies
$sites = Get-PnPTenantSite | Select-Object Url, SharingCapability
# SharingCapability values: Disabled, ExistingExternalUserSharingOnly,
# ExternalUserSharingOnly, ExternalUserAndGuestSharing. The first two are treated as compliant;
# the original check also flagged "Disabled" sites, which are the most restrictive.
$allowedSharing = @("Disabled", "ExistingExternalUserSharingOnly")
foreach ($site in $sites) {
    Write-Host "Checking site: $($site.Url)"
    if ($allowedSharing -notcontains $site.SharingCapability) {
        Write-Host "External sharing enabled: $($site.Url) - $($site.SharingCapability)"
    } else {
        Write-Host "Compliant site: $($site.Url)"
    }
}
✔ Audits external sharing settings across all sites.
✔ Flags sites with overly permissive sharing settings.
Step 3: Identify Anonymous Sharing Links
$sites = Get-PnPTenantSite
foreach ($site in $sites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    # FileRef is the server-relative path; folders are skipped
    $items = Get-PnPListItem -List "Documents" -Fields "FileRef" | Where-Object { $_.FileSystemObjectType -eq "File" }
    foreach ($item in $items) {
        # "SharingInformation" is not a list field. Get-PnPFileSharingLink (PnP PowerShell 2.x)
        # returns the file's sharing links; Link.Scope "anonymous" is an "Anyone with the link" link.
        $anonymous = Get-PnPFileSharingLink -Identity $item['FileRef'] | Where-Object { $_.Link.Scope -eq "anonymous" }
        if ($anonymous) {
            Write-Host "Anonymous sharing found: $($item['FileRef']) in $($site.Url)"
        }
    }
}
✔ Scans all documents for anonymous guest links.
✔ Reports potential security risks.
Step 4: Detect Sensitive Data Exposure
Check for sensitive content (e.g., credit card numbers, SSNs) in document libraries:
$sites = Get-PnPTenantSite
foreach ($site in $sites) {
    Connect-PnPOnline -Url $site.Url -Interactive
    $docs = Get-PnPListItem -List "Documents" -Fields "FileRef" | Where-Object { $_.FileSystemObjectType -eq "File" }
    foreach ($doc in $docs) {
        # -AsString returns the raw file body; this only works for text-based files.
        # Office and PDF files are binary containers and need their text extracted first.
        $content = Get-PnPFile -Url $doc['FileRef'] -AsString -ErrorAction SilentlyContinue
        if ($content -match "\b\d{16}\b") { # Detects 16-digit credit card numbers
            Write-Host "Potential sensitive data found: $($doc['FileRef']) in $($site.Url)"
        }
    }
}
✔ Detects files containing credit card numbers or other sensitive data.
Step 5: Monitor Guest Users and Expired Access
$externalUsers = Get-PnPExternalUser | Select-Object Email, DisplayName, AcceptedAs, WhenCreated
foreach ($user in $externalUsers) {
    $daysSinceAdded = (New-TimeSpan -Start $user.WhenCreated -End (Get-Date)).Days
    if ($daysSinceAdded -gt 90) {
        Write-Host "Guest user with expired access: $($user.Email) - Added $daysSinceAdded days ago"
    }
}
✔ Identifies guest users who have had access for more than 90 days.
Step 6: Generate a Compliance Report
$report = @()
$sites = Get-PnPTenantSite | Select-Object Url, SharingCapability
foreach ($site in $sites) {
    $report += [PSCustomObject]@{
        SiteURL         = $site.Url
        ExternalSharing = $site.SharingCapability
        # The parameter is -SiteUrl, not -Site; it requires the admin-center connection from Step 1
        GuestUsers      = (Get-PnPExternalUser -SiteUrl $site.Url | Measure-Object).Count
    }
}
New-Item -ItemType Directory -Path "C:\Reports" -Force | Out-Null
$report | Export-Csv -Path "C:\Reports\ComplianceReport.csv" -NoTypeInformation
Write-Host "Compliance report saved at: C:\Reports\ComplianceReport.csv"
✔ Exports a detailed compliance report for all sites.
Step 7: Automate Compliance Checks on a Schedule
Schedule the compliance script to run weekly:
$taskName = "SharePoint Compliance Check"
$scriptPath = "C:\Scripts\ComplianceCheck.ps1"
# A task running as SYSTEM has no interactive session, so the script must authenticate
# non-interactively (Connect-PnPOnline -ClientId/-Tenant/-Thumbprint) rather than with -Interactive.
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At 2AM
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -User "SYSTEM" -RunLevel Highest
Write-Host "Compliance check automation scheduled."
✔ Ensures regular monitoring of SharePoint compliance.
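The report of Step 6 and the scheduled run of Step 7 combined into one unattended script, as an added example that is not part of the original article. It assumes an Entra app registration with a certificate (the ClientId, tenant name and thumbprint are placeholders) and treats "Disabled" and "ExistingExternalUserSharingOnly" as the compliant sharing levels.

```powershell
# ComplianceCheck.ps1 (added example). Values marked PLACEHOLDER are assumptions.
param(
    [string]$Tenant          = "yourtenant.onmicrosoft.com",                # PLACEHOLDER
    [string]$ClientId        = "00000000-0000-0000-0000-000000000000",      # PLACEHOLDER app registration
    [string]$Thumbprint      = "PLACEHOLDER-CERT-THUMBPRINT",
    [string]$AdminUrl        = "https://yourtenant-admin.sharepoint.com",
    [string]$ReportPath      = "C:\Reports\ComplianceReport.csv",
    [int]$GuestMaxAgeDays    = 90
)

# Certificate-based app-only login works under a SYSTEM scheduled task; -Interactive does not.
Connect-PnPOnline -Url $AdminUrl -ClientId $ClientId -Tenant $Tenant -Thumbprint $Thumbprint

# Sharing levels treated as compliant; anything more permissive is a finding.
$allowedSharing = @("Disabled", "ExistingExternalUserSharingOnly")

$report = foreach ($site in Get-PnPTenantSite) {
    $findings = @()
    if ($allowedSharing -notcontains $site.SharingCapability) {
        $findings += "ExternalSharing:$($site.SharingCapability)"
    }
    # Default page size is 50; page with -Position/-PageSize for sites with more guests.
    $guests = @(Get-PnPExternalUser -SiteUrl $site.Url -PageSize 50)
    $stale  = @($guests | Where-Object {
        (New-TimeSpan -Start $_.WhenCreated -End (Get-Date)).Days -gt $GuestMaxAgeDays })
    if ($stale.Count -gt 0) { $findings += "StaleGuests:$($stale.Count)" }
    [PSCustomObject]@{
        SiteUrl         = $site.Url
        ExternalSharing = $site.SharingCapability
        GuestUsers      = $guests.Count
        StaleGuestUsers = $stale.Count
        Compliant       = ($findings.Count -eq 0)
        Findings        = ($findings -join ";")
    }
}

New-Item -ItemType Directory -Path (Split-Path $ReportPath) -Force | Out-Null
$report | Export-Csv -Path $ReportPath -NoTypeInformation

# Non-zero exit code makes the scheduler's task history show runs that found violations.
$violations = @($report | Where-Object { -not $_.Compliant }).Count
Write-Host "$violations non-compliant site(s); report saved at $ReportPath"
exit ([int]($violations -gt 0))
```

The Findings column lists which rule each site failed, so the CSV can be filtered on Compliant -eq $false to get the remediation list directly.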