Information protection in SharePoint Online is critical for securing sensitive data, preventing unauthorized access, and ensuring compliance with organizational policies. Using PnP PowerShell, administrators can automate tasks such as:
✔ Applying Sensitivity Labels to documents and sites
✔ Enforcing Data Loss Prevention (DLP) Policies
✔ Managing Conditional Access for Secure Data
✔ Restricting External Sharing for sensitive content
✔ Monitoring & Auditing file access and security events
This guide provides a step-by-step approach to automating SharePoint Information Protection using PnP PowerShell.
Step 1: Install and Update PnP PowerShell
Ensure PnP PowerShell is installed and updated:
Install-Module -Name PnP.PowerShell -Force -AllowClobber
Update-Module -Name PnP.PowerShell
Step 2: Connect to SharePoint Online
To perform any administrative tasks, first establish a secure connection to your SharePoint environment (tenant-wide cmdlets such as Get-PnPTenantSite and Set-PnPTenantSite need the -admin URL; list-level cmdlets need a connection to the site itself):
Using Interactive Login
$clientId = "your-app-registration-client-id"   # PnP PowerShell 2.x no longer ships a shared app: register your own Entra ID app and pass its client id
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Interactive
Using App-Based Authentication
$clientId = "your-client-id"
$clientSecret = "your-client-secret"
# Legacy SharePoint ACS app-only flow: this parameter set takes only -Url, -ClientId and -ClientSecret (no -Tenant),
# and the secret must come from a SharePoint app registration (appregnew.aspx), not from an Entra ID app. ACS is being retired.
Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -ClientSecret $clientSecret
# Preferred for unattended automation: an Entra ID app registration with a certificate (-Tenant takes the tenant domain, e.g. yourtenant.onmicrosoft.com)
# Connect-PnPOnline -Url "https://yourtenant-admin.sharepoint.com" -ClientId $clientId -Tenant "yourtenant.onmicrosoft.com" -Thumbprint "your-certificate-thumbprint"
✔ Ensures a secure connection before managing information protection.
Step 3: Applying Sensitivity Labels to SharePoint Sites
Sensitivity labels help classify and protect SharePoint content.
To apply a sensitivity label to a SharePoint site:
$siteUrl = "https://yourtenant.sharepoint.com/sites/SensitiveProject"
$labelId = "your-sensitivity-label-id"
Set-PnPSite -Identity $siteUrl -SensitivityLabel $labelId
Write-Host "Sensitivity label applied to $siteUrl"
✔ Ensures sensitive data is properly classified and secured.
Step 4: Enforcing Data Loss Prevention (DLP) Policies
DLP policies prevent accidental sharing of sensitive data. They live in Microsoft Purview, and PnP PowerShell has no DLP cmdlets, so this step uses Security & Compliance PowerShell (Connect-IPPSSession from the ExchangeOnlineManagement module) to create a policy scoped to a site.
To apply a DLP policy for credit card and financial data:
Connect-IPPSSession   # Security & Compliance PowerShell (ExchangeOnlineManagement module)
$dlpPolicyName = "Financial Data Protection"
$siteUrl = "https://yourtenant.sharepoint.com/sites/Finance"
New-DlpCompliancePolicy -Name $dlpPolicyName -SharePointLocation $siteUrl -Mode Enable
New-DlpComplianceRule -Name "Block credit card numbers" -Policy $dlpPolicyName -ContentContainsSensitiveInformation @{Name = "Credit Card Number"} -BlockAccess $true
Write-Host "DLP policy applied to $siteUrl"
✔ Prevents sensitive data leaks in SharePoint.
Step 5: Restrict External Sharing for Sensitive Content
To disable external sharing for a specific site:
$siteUrl = "https://yourtenant.sharepoint.com/sites/Confidential"
Set-PnPTenantSite -Identity $siteUrl -SharingCapability Disabled   # -SharingCapability is the tenant-site cmdlet's parameter; run it from the admin-site connection
Write-Host "External sharing disabled for $siteUrl"
✔ Blocks guest users from accessing confidential files.
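Before disabling sharing site by site, it helps to know which labelled sites still allow external sharing. The function below is an added example, not part of the original guide: it assumes an existing admin-site connection (Connect-PnPOnline against https://yourtenant-admin.sharepoint.com), uses PnP PowerShell's Get-PnPTenantSite and Set-PnPTenantSite, and treats a site as labelled when its SensitivityLabel property is set and not the empty GUID. The -TightenSharing switch and the report path are conventions of this example, not PnP parameters.

```powershell
# Added example (not from the original guide): report labelled sites that still allow external sharing,
# and optionally disable sharing on them in a second, deliberate run.
function Get-LabelledSiteSharingReport {
    param(
        [switch]$TightenSharing,                                   # when set, disable sharing on exposed labelled sites
        [string]$ReportPath = "C:\Reports\LabelledSiteSharing.csv"  # assumed output location
    )

    # Unlabelled sites report an empty GUID rather than $null, so check both.
    $labelled = Get-PnPTenantSite | Where-Object {
        $_.SensitivityLabel -and $_.SensitivityLabel -ne [guid]::Empty
    }

    $rows = foreach ($site in $labelled) {
        $exposed = $site.SharingCapability -ne "Disabled"
        if ($exposed -and $TightenSharing) {
            Set-PnPTenantSite -Identity $site.Url -SharingCapability Disabled
        }
        [pscustomobject]@{
            Url               = $site.Url
            Title             = $site.Title
            SensitivityLabel  = $site.SensitivityLabel
            SharingCapability = $site.SharingCapability
            ExternalSharingOn = $exposed
            Action            = if ($exposed -and $TightenSharing) { "SharingDisabled" }
                                elseif ($exposed) { "ReviewRequired" }
                                else { "None" }
        }
    }

    New-Item -ItemType Directory -Force -Path (Split-Path $ReportPath) | Out-Null
    $rows | Export-Csv -Path $ReportPath -NoTypeInformation
    return $rows
}

# Report first; re-run with -TightenSharing once the ReviewRequired rows have been checked by the site owners.
$report = Get-LabelledSiteSharingReport
$report | Where-Object ExternalSharingOn | Format-Table Url, SharingCapability, Action
```

Running it without the switch changes nothing in the tenant, which is the point: the CSV is the evidence for the review, and the same function then applies the change so the report and the remediation cannot drift apart.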
Step 6: Enable Conditional Access for Secure SharePoint Data
To enforce Multi-Factor Authentication (MFA) and device-based access controls for SharePoint Online, set the tenant's conditional access policy. AllowLimitedAccess gives unmanaged devices browser-only access (no download, print or sync); it only takes effect together with an Entra ID Conditional Access policy that targets SharePoint Online with the "Use app enforced restrictions" session control, and that Entra ID policy is also where the MFA requirement itself is configured:
Set-PnPTenant -ConditionalAccessPolicy AllowLimitedAccess
Write-Host "Conditional Access Policy applied."
✔ Restricts access to sensitive SharePoint data based on device and location.
Step 7: Encrypting Sensitive Documents Automatically
To enable Information Rights Management (IRM) for documents in a SharePoint library. IRM requires Azure Rights Management to be enabled for the tenant, and list cmdlets act on the connected site (Set-PnPList has no -Site parameter), so connect to the site first:
$library = "SensitiveDocs"
$siteUrl = "https://yourtenant.sharepoint.com/sites/Security"
Connect-PnPOnline -Url $siteUrl -ClientId $clientId -Interactive   # $clientId as in Step 2
Set-PnPListInformationRightsManagement -List $library -Enable $true
Write-Host "Encryption enabled for $library in $siteUrl"
✔ Ensures documents are encrypted at rest and in transit (SharePoint Online already encrypts stored and in-flight data; IRM adds the rights protection that keeps downloaded copies encrypted and usage-restricted).
Step 8: Monitoring Unauthorized Access to SharePoint Content
To track unauthorized access attempts to sensitive files. Search-UnifiedAuditLog is an Exchange Online cmdlet, so connect with Connect-ExchangeOnline first; the per-event details, including ResultStatus, are in each record's AuditData JSON string and must be parsed before filtering:
Connect-ExchangeOnline
$logPath = "C:\Reports\UnauthorizedAccess.csv"
$accessLogs = Search-UnifiedAuditLog -Operations "FileAccessed", "FileModified", "FailedAccessAttempt" -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -ResultSize 5000 |
    ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Where-Object { $_.ResultStatus -eq "Failed" }
$accessLogs | Select-Object CreationTime, UserId, Operation, ResultStatus, SiteUrl, ObjectId, ClientIP | Export-Csv -Path $logPath -NoTypeInformation
Write-Host "Unauthorized access report saved to $logPath"
✔ Detects unauthorized access attempts for compliance monitoring.
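A raw export of failed events is hard to act on; what an administrator wants is the users and sites with a burst of failures. The following is an added example, not code from the original guide: it takes records shaped like Search-UnifiedAuditLog output (an object with an AuditData JSON string), parses them, and raises an alert when one user fails against one site at least $Threshold times within $WindowMinutes. The records, user names, site URLs and IP addresses below are constructed so the block runs offline; in production, feed it the output of Search-UnifiedAuditLog from Step 8.

```powershell
# Added example (not from the original guide): group failed-access audit events into per-user, per-site alerts.
# $sampleRecords is constructed test data mirroring the AuditData JSON shape returned by Search-UnifiedAuditLog.
$sampleRecords = @(
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T08:02:11","UserId":"alice@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Finance/","ObjectId":"https://yourtenant.sharepoint.com/sites/Finance/Shared Documents/Q1.xlsx","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T08:05:40","UserId":"alice@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Finance/","ObjectId":"https://yourtenant.sharepoint.com/sites/Finance/Shared Documents/Q2.xlsx","ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T08:09:02","UserId":"alice@yourdomain.com","Operation":"FileModified","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Finance/","ObjectId":"https://yourtenant.sharepoint.com/sites/Finance/Shared Documents/Q1.xlsx","ClientIP":"203.0.113.11"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T08:20:15","UserId":"alice@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Finance/","ObjectId":"https://yourtenant.sharepoint.com/sites/Finance/Shared Documents/Budget.xlsx","ClientIP":"203.0.113.11"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T09:00:00","UserId":"bob@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Succeeded","SiteUrl":"https://yourtenant.sharepoint.com/sites/Finance/","ObjectId":"https://yourtenant.sharepoint.com/sites/Finance/Shared Documents/Q1.xlsx","ClientIP":"198.51.100.7"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T09:01:30","UserId":"bob@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Confidential/","ObjectId":"https://yourtenant.sharepoint.com/sites/Confidential/Shared Documents/Plan.docx","ClientIP":"198.51.100.7"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-04-29T10:00:00","UserId":"carol@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Security/","ObjectId":"https://yourtenant.sharepoint.com/sites/Security/SensitiveDocs/Keys.xlsx","ClientIP":"192.0.2.5"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-04-30T10:00:00","UserId":"carol@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Security/","ObjectId":"https://yourtenant.sharepoint.com/sites/Security/SensitiveDocs/Keys.xlsx","ClientIP":"192.0.2.5"}' }
    [pscustomobject]@{ AuditData = '{"CreationTime":"2024-05-01T10:00:00","UserId":"carol@yourdomain.com","Operation":"FileAccessed","ResultStatus":"Failed","SiteUrl":"https://yourtenant.sharepoint.com/sites/Security/","ObjectId":"https://yourtenant.sharepoint.com/sites/Security/SensitiveDocs/Keys.xlsx","ClientIP":"192.0.2.5"}' }
)

function Get-FailedAccessAlerts {
    param(
        [Parameter(Mandatory)] [object[]]$Records,   # Search-UnifiedAuditLog output (or records shaped like it)
        [int]$Threshold = 3,                          # failures per user per site needed to alert
        [int]$WindowMinutes = 60                      # all failures must fall within this span
    )

    # Parse AuditData once, keep only failures, and order by time so first/last are meaningful.
    $events = $Records |
        ForEach-Object { $_.AuditData | ConvertFrom-Json } |
        Where-Object { $_.ResultStatus -eq "Failed" } |
        Sort-Object { [datetime]$_.CreationTime }

    $events | Group-Object UserId, SiteUrl | ForEach-Object {
        $group = $_.Group
        $first = [datetime]$group[0].CreationTime
        $last  = [datetime]$group[-1].CreationTime
        # Simple burst check: the whole group must fit inside the window (no sliding window, to keep the example short).
        if ($group.Count -ge $Threshold -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                UserId    = $group[0].UserId
                SiteUrl   = $group[0].SiteUrl
                Failures  = $group.Count
                FirstSeen = $first
                LastSeen  = $last
                ClientIPs = ($group.ClientIP | Sort-Object -Unique) -join ";"
                Files     = ($group.ObjectId | Sort-Object -Unique) -join ";"
            }
        }
    }
}

# With the constructed data only alice trips the rule: four failures on the Finance site inside 20 minutes.
# bob has a single failure and carol's three failures are spread over three days, so neither is reported.
$alerts = Get-FailedAccessAlerts -Records $sampleRecords
$alerts | Format-Table UserId, SiteUrl, Failures, ClientIPs
```

The threshold and window are the tuning knobs: lower them for sites carrying a sensitivity label and raise them for busy collaboration sites, and keep the unfiltered CSV from Step 8 alongside the alerts so a reviewer can see the events an alert was built from.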
Step 9: Automating Information Protection Reviews
To send security reports via email for periodic review. PnP PowerShell has no Get-PnPCompliancePolicy cmdlet, so the report below is built from tenant site properties (sharing level, label, lock state, last change) instead:
$adminEmail = "admin@yourdomain.com"
$reportPath = "C:\Reports\SecurityReport.csv"
$securityIssues = Get-PnPTenantSite | Select-Object Url, Title, SharingCapability, SensitivityLabel, LockState, LastContentModifiedDate
$securityIssues | Export-Csv -Path $reportPath -NoTypeInformation
# Send-MailMessage is marked obsolete by Microsoft because it cannot guarantee a secure SMTP connection; it still works against an internal relay
Send-MailMessage -To $adminEmail -From "noreply@yourdomain.com" -Subject "SharePoint Security Report" -Body "Security report attached." -Attachments $reportPath -SmtpServer "smtp.yourdomain.com"
✔ Automates SharePoint security reviews for administrators.
Step 10: Detecting and Removing Orphaned Sensitive Sites
To identify and remove orphaned sites containing sensitive data. Get-PnPTenantSite has no "Orphaned" status value (Status reports Active, Recycled and similar), so this step treats a labelled site with an empty Owner as orphaned; review the list before deleting, because Remove-PnPTenantSite -Force removes without prompting (the site goes to the tenant recycle bin unless -SkipRecycleBin is added):
$orphanedSites = Get-PnPTenantSite | Where-Object {
    [string]::IsNullOrEmpty($_.Owner) -and
    $_.SensitivityLabel -and $_.SensitivityLabel -ne [guid]::Empty
}
$orphanedSites | Select-Object Url, Title, LastContentModifiedDate | Format-Table   # review this output before the loop below runs
foreach ($site in $orphanedSites) {
    Remove-PnPTenantSite -Url $site.Url -Force
    Write-Host "Removed orphaned site: $($site.Url)"
}
✔ Ensures sensitive information is not left unprotected.