External sharing in SharePoint Online and OneDrive allows collaboration with partners, vendors, and clients. However, unmonitored external access can lead to data security risks. To mitigate these risks, regular external sharing reviews are essential.
Using PnP PowerShell, administrators can:
✔ Identify all externally shared files and sites
✔ Generate detailed reports
✔ Notify site owners to review shared content
✔ Revoke unnecessary external access
✔ Automate periodic external sharing audits
This guide provides a step-by-step approach to automating external sharing reviews using PnP PowerShell.
Step 1: Install & Update PnP PowerShell
Ensure PnP PowerShell is installed or updated:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
If already installed, update it:
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
Connect to SharePoint Online Admin Center using PnP PowerShell:
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -Interactive
For app-based authentication, use:
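# Placeholder values. Load the client secret from a vault or other protected store
# at run time instead of keeping it in the script file.
$tenantId = "your-tenant-id"
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
Connect-PnPOnline -Tenant $tenantId -ClientId $clientId -ClientSecret $clientSecret -Url "https://yourtenant-admin.sharepoint.com"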
Step 3: Retrieve Externally Shared Files & Sites
Get all externally shared sites
$externalSites = Get-PnPTenantSite | Where-Object { $_.SharingCapability -match "External" }
$externalSites | Select-Object Url, Title, SharingCapability | Format-Table -AutoSize
✔ Identifies all sites where external sharing is enabled.
✔ The SharingCapability property can be:
Disabled → No external sharing
ExternalUserSharingOnly → Only authenticated external users
ExternalUserAndGuestSharing → Includes anonymous links
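The following added example (not part of the original guide) turns the SharingCapability values above into a review queue so that sites allowing anonymous links are looked at first. The function name Get-SharingReviewQueue, the $exposure table and the contoso.example site rows are hypothetical, constructed for illustration.

```powershell
# Added example: $sites is constructed sample data with the Url, Title and
# SharingCapability columns selected above. Live session: $sites = Get-PnPTenantSite
$sites = @(
    [PSCustomObject]@{ Url = 'https://contoso.example/sites/hr';      Title = 'HR';      SharingCapability = 'Disabled' }
    [PSCustomObject]@{ Url = 'https://contoso.example/sites/finance'; Title = 'Finance'; SharingCapability = 'ExternalUserAndGuestSharing' }
    [PSCustomObject]@{ Url = 'https://contoso.example/sites/vendors'; Title = 'Vendors'; SharingCapability = 'ExternalUserSharingOnly' }
    [PSCustomObject]@{ Url = 'https://contoso.example/sites/legacy';  Title = 'Legacy';  SharingCapability = 'SomeOtherValue' }
)

# Review order for the three values listed above (1 = review first).
$exposure = @{
    'ExternalUserAndGuestSharing' = @{ Priority = 1; Meaning = 'Anonymous links possible' }
    'ExternalUserSharingOnly'     = @{ Priority = 2; Meaning = 'Authenticated external users' }
    'Disabled'                    = @{ Priority = 3; Meaning = 'No external sharing' }
}

function Get-SharingReviewQueue {
    param([Parameter(Mandatory)][object[]]$Sites)

    $rows = foreach ($site in $Sites) {
        $capability = [string]$site.SharingCapability   # works for enum or string input
        $entry = $exposure[$capability]
        if (-not $entry) {
            # A value that is not in the list is surfaced first instead of being dropped.
            $entry = @{ Priority = 0; Meaning = 'Unrecognized value, check manually' }
        }
        [PSCustomObject]@{
            Priority          = $entry.Priority
            Title             = $site.Title
            Url               = $site.Url
            SharingCapability = $capability
            Meaning           = $entry.Meaning
        }
    }
    $rows | Sort-Object Priority, Url
}

$queue = Get-SharingReviewQueue -Sites $sites

# Sites that need a review (everything except Disabled), most exposed first.
$queue | Where-Object { $_.Priority -lt 3 } | Format-Table -AutoSize

# One-line summary per setting for the audit record.
$queue | Group-Object SharingCapability | Select-Object Name, Count | Format-Table -AutoSize
```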
Get all externally shared files in OneDrive & SharePoint
$allSites = Get-PnPTenantSite
$externalFiles = @()
foreach ($site in $allSites) {
    Write-Host "Checking site: $($site.Url)"
    # Switch the connection to the site being checked
    Connect-PnPOnline -Url $site.Url -Interactive
    # Keep only items that carry sharing information
    $sharedFiles = Get-PnPListItem -List "Documents" | Where-Object { $null -ne $_.FieldValues.SharingInformation }
    foreach ($file in $sharedFiles) {
        $externalFiles += [PSCustomObject]@{
            SiteURL      = $site.Url
            FileName     = $file.FieldValues.FileLeafRef
            SharedWith   = $file.FieldValues.SharingInformation
            LastModified = $file.FieldValues.Modified
        }
    }
}
$externalFiles | Format-Table -AutoSize
✔ Retrieves all externally shared files across SharePoint & OneDrive.
✔ Lists file name, last modified date, and external users.
Step 4: Generate External Sharing Review Report
Save the externally shared files into a CSV report:
$reportPath = "C:\Reports\ExternalSharingReview.csv"
$externalFiles | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "External Sharing Review report saved at: $reportPath"
✔ This report helps track and audit externally shared content.
Step 5: Notify Site Owners for Review
To send email alerts to site owners for review:
# Note: Microsoft marks Send-MailMessage as obsolete because it does not guarantee
# a secure connection to the SMTP server.
foreach ($site in $externalSites) {
    $owner = Get-PnPSiteOwner -Url $site.Url
    $emailBody = "Hello, your SharePoint site '$($site.Title)' ($($site.Url)) contains externally shared content. Please review and revoke unnecessary access."
    Send-MailMessage -To $owner -From "admin@yourcompany.com" -Subject "External Sharing Review Required" -Body $emailBody -SmtpServer "smtp.yourcompany.com"
}
✔ Sends automated email alerts to site owners.
✔ Site owners can then review and manage shared files.
Step 6: Revoke External Sharing Permissions
To revoke external access from all files in a site:
$siteUrl = "https://yourtenant.sharepoint.com/sites/TestSite"
Connect-PnPOnline -Url $siteUrl -Interactive
$sharedFiles = Get-PnPListItem -List "Documents" | Where-Object { $_.FieldValues.SharingInformation -ne $null }
foreach ($file in $sharedFiles) {
    Set-PnPListItemPermission -List "Documents" -Identity $file.Id -RemoveSharing
}
✔ Removes external sharing links from all files in a given site.
Step 7: Automate External Sharing Reviews
To schedule automatic external sharing reviews, save the script as “ExternalSharingReview.ps1” and run it periodically:
$allSites = Get-PnPTenantSite
$externalFiles = @()
foreach ($site in $allSites) {
    # -Interactive prompts for sign-in; an unattended scheduled run needs the
    # app-based connection from Step 2 instead.
    Connect-PnPOnline -Url $site.Url -Interactive
    $sharedFiles = Get-PnPListItem -List "Documents" | Where-Object { $null -ne $_.FieldValues.SharingInformation }
    foreach ($file in $sharedFiles) {
        $externalFiles += [PSCustomObject]@{
            SiteURL      = $site.Url
            FileName     = $file.FieldValues.FileLeafRef
            SharedWith   = $file.FieldValues.SharingInformation
            LastModified = $file.FieldValues.Modified
        }
    }
}
$reportPath = "C:\Reports\ExternalSharingReview.csv"
$externalFiles | Export-Csv -Path $reportPath -NoTypeInformation
Write-Host "External Sharing Review report saved at: $reportPath"
✔ Schedule using Task Scheduler or Azure Automation to run periodically.
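Once the report is produced on a schedule, the useful signal is what changed between runs. The following added example (not part of the original guide) compares two runs of the Step 4 report and lists shares that are new or no longer present. The function name Compare-SharingReport and both sets of rows are hypothetical, constructed for illustration, and it assumes the SharedWith column exports as plain text.

```powershell
# Added example: constructed rows using the CSV columns from Step 4.
# In practice: $previous = Import-Csv <last report>; $current = Import-Csv <new report>
$previous = @'
SiteURL,FileName,SharedWith,LastModified
https://contoso.example/sites/finance,Budget.xlsx,partner@example.org,2024-01-10
https://contoso.example/sites/hr,Offer.docx,vendor@example.net,2024-01-12
'@ | ConvertFrom-Csv

$current = @'
SiteURL,FileName,SharedWith,LastModified
https://contoso.example/sites/finance,Budget.xlsx,partner@example.org,2024-01-10
https://contoso.example/sites/finance,Forecast.xlsx,unknown@example.com,2024-02-02
'@ | ConvertFrom-Csv

function Compare-SharingReport {
    param([object[]]$Previous, [object[]]$Current)

    # A share is identified by site + file + recipient (hashtable keys are case-insensitive).
    $keyOf = { param($row) '{0}|{1}|{2}' -f $row.SiteURL, $row.FileName, $row.SharedWith }

    $old = @{}; foreach ($row in $Previous) { $old[(& $keyOf $row)] = $row }
    $new = @{}; foreach ($row in $Current)  { $new[(& $keyOf $row)] = $row }

    # Present now but not in the last run: needs an owner's confirmation.
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k)) {
            $new[$k] | Select-Object @{ n = 'Change'; e = { 'NewShare' } }, SiteURL, FileName, SharedWith, LastModified
        }
    }
    # Present in the last run but gone now: revoked, moved or deleted.
    foreach ($k in $old.Keys) {
        if (-not $new.ContainsKey($k)) {
            $old[$k] | Select-Object @{ n = 'Change'; e = { 'NoLongerShared' } }, SiteURL, FileName, SharedWith, LastModified
        }
    }
}

# An empty $Previous (first run) reports every current share as NewShare.
$delta = Compare-SharingReport -Previous $previous -Current $current
$delta | Sort-Object Change, SiteURL, FileName | Format-Table -AutoSize
```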
Step 8: Restrict External Sharing at Tenant Level (Optional)
To disable external sharing tenant-wide:
Set-PnPTenant -SharingCapability Disabled
Write-Host "External sharing is now disabled across SharePoint and OneDrive."
✔ Prevents any future external sharing.
To allow only authenticated external users:
Set-PnPTenant -SharingCapability ExternalUserSharingOnly
Write-Host "Only authenticated external users can access shared content."
✔ Blocks anonymous sharing while allowing trusted external users.